- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files

- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
2011-09-14 16:11:08 +02:00 · 2011-09-14 16:11:08 +02:00 · b3edab31fb
commit b3edab31fb
parent e8563b3245
2 changed files with 259 additions and 94 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -32460,7 +32460,7 @@ index 9bd812b..2385a2c 100644
 ##	an dnsmasq environment
 ## </summary>
 diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..d707dde 100644
+index fdaeeba..06021d4 100644
 --- a/policy/modules/services/dnsmasq.te
 +++ b/policy/modules/services/dnsmasq.te
@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@ -32487,7 +32487,7 @@ index fdaeeba..d707dde 100644
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,7 +100,16 @@ optional_policy(`
+@@ -96,7 +100,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -32500,11 +32500,15 @@ index fdaeeba..d707dde 100644
 +')
 +
 +optional_policy(`
 +	networkmanager_read_pid_files(dnsmasq_t)
 +')
 +
 +optional_policy(`
 +	ppp_read_pid_files(dnsmasq_t)
 ')
 optional_policy(`
-@@ -114,4 +127,5 @@ optional_policy(`
+@@ -114,4 +131,5 @@ optional_policy(`
 optional_policy(`
 	virt_manage_lib_files(dnsmasq_t)
 	virt_read_pid_files(dnsmasq_t)
@ -53589,7 +53593,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..ba5d941 100644
+index 22adaca..d9c1d90 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@ -53811,18 +53815,36 @@ index 22adaca..ba5d941 100644
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +493,9 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +493,27 @@ interface(`ssh_read_pipes',`
 		type sshd_t;
 	')
 -	allow $1 sshd_t:fifo_file { getattr read };
 +	allow $1 sshd_t:fifo_file read_fifo_file_perms;
 ')
 +
 +######################################
 +## <summary>
 +##      Read and write ssh server unix dgram sockets.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +#
 +interface(`ssh_rw_dgram_sockets',`
 +    gen_require(`
 +        type sshd_t;
 +    ')
 +
 +    allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
 +')
 +
 ########################################
 ## <summary>
 ##	Read and write a ssh server unnamed pipe.
-@@ -494,7 +511,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +529,7 @@ interface(`ssh_rw_pipes',`
 		type sshd_t;
 	')
@ -53831,7 +53853,7 @@ index 22adaca..ba5d941 100644
 ')
 ########################################
-@@ -586,6 +603,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +621,24 @@ interface(`ssh_domtrans',`
 ########################################
 ## <summary>
@ -53856,7 +53878,7 @@ index 22adaca..ba5d941 100644
 ##	Execute the ssh client in the caller domain.
 ## </summary>
 ## <param name="domain">
-@@ -618,7 +653,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +671,7 @@ interface(`ssh_setattr_key_files',`
 		type sshd_key_t;
 	')
@ -53865,7 +53887,7 @@ index 22adaca..ba5d941 100644
 	files_search_pids($1)
 ')
-@@ -680,6 +715,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +733,32 @@ interface(`ssh_domtrans_keygen',`
 	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
 ')
@ -53898,7 +53920,7 @@ index 22adaca..ba5d941 100644
 ########################################
 ## <summary>
 ##	Read ssh server keys
-@@ -695,7 +756,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +774,7 @@ interface(`ssh_dontaudit_read_server_keys',`
 		type sshd_key_t;
 	')
@ -53907,7 +53929,7 @@ index 22adaca..ba5d941 100644
 ')
 ######################################
-@@ -735,3 +796,62 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +814,81 @@ interface(`ssh_delete_tmp',`
 	files_search_tmp($1)
 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
@ -53930,6 +53952,25 @@ index 22adaca..ba5d941 100644
 +	allow $1 sshd_t:process signull;
 +')
 +
 +#####################################
 +## <summary>
 +##  Allow domain dyntransition to chroot_user_t domain.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`ssh_dyntransition_chroot_user',`
 +    gen_require(`
 +        type chroot_user_t;
 +    ')
 +
 +    allow $1 chroot_user_t:process dyntransition;
 +    allow chroot_user_t $1:process sigchld;
 +')
 +
 +########################################
 +## <summary>
 +##	Create .ssh directory in the /root directory
@ -53971,10 +54012,10 @@ index 22adaca..ba5d941 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..24f8d90 100644
+index 2dad3c8..28ef6ae 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
+@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
 #
 ## <desc>
@ -53988,15 +54029,12 @@ index 2dad3c8..24f8d90 100644
 gen_tunable(allow_ssh_keysign, false)
 ## <desc>
 -## <p>
 -## Allow ssh logins as sysadm_r:sysadm_t
 -## </p>
 +##	<p>
 +##	Allow ssh logins as sysadm_r:sysadm_t
 +##	</p>
- ## </desc>
+## </desc>
- gen_tunable(ssh_sysadm_login, false)
+gen_tunable(ssh_sysadm_login, false)
- 
+
 +## <desc>
 +##	<p>
 +##	allow sshd to forward port connections
@ -54004,9 +54042,23 @@ index 2dad3c8..24f8d90 100644
 +## </desc>
 +gen_tunable(sshd_forward_ports, false)
 +
 +## <desc>
 ## <p>
 -## Allow ssh logins as sysadm_r:sysadm_t
 +## Allow ssh with chroot env to read and write files 
 +## in the user home directories
 ## </p>
 ## </desc>
 -gen_tunable(ssh_sysadm_login, false)
 +gen_tunable(ssh_chroot_rw_homedirs, false)
 attribute ssh_server;
 attribute ssh_agent_type;
 +type chroot_user_t;
 +domain_type(chroot_user_t)
 +role system_r types chroot_user_t;
 +
 type ssh_keygen_t;
 type ssh_keygen_exec_t;
 init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
@ -54014,7 +54066,7 @@ index 2dad3c8..24f8d90 100644
 type sshd_exec_t;
 corecmd_executable_file(sshd_exec_t)
-@@ -33,17 +39,12 @@ corecmd_executable_file(sshd_exec_t)
+@@ -33,17 +51,12 @@ corecmd_executable_file(sshd_exec_t)
 ssh_server_template(sshd)
 init_daemon_domain(sshd_t, sshd_exec_t)
@ -54035,7 +54087,7 @@ index 2dad3c8..24f8d90 100644
 type ssh_t;
 type ssh_exec_t;
 typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
-@@ -76,8 +77,12 @@ ubac_constrained(ssh_tmpfs_t)
+@@ -76,8 +89,12 @@ ubac_constrained(ssh_tmpfs_t)
 type ssh_home_t;
 typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
@ -54049,7 +54101,7 @@ index 2dad3c8..24f8d90 100644
 ##############################
 #
-@@ -95,15 +100,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -95,15 +112,11 @@ allow ssh_t self:sem create_sem_perms;
 allow ssh_t self:msgq create_msgq_perms;
 allow ssh_t self:msg { send receive };
 allow ssh_t self:tcp_socket create_stream_socket_perms;
@ -54066,7 +54118,7 @@ index 2dad3c8..24f8d90 100644
 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -113,20 +114,25 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -113,20 +126,25 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
 manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
 manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
 userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@ -54095,7 +54147,7 @@ index 2dad3c8..24f8d90 100644
 kernel_read_kernel_sysctls(ssh_t)
 kernel_read_system_state(ssh_t)
-@@ -138,7 +144,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,7 +156,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
 corenet_tcp_sendrecv_all_ports(ssh_t)
 corenet_tcp_connect_ssh_port(ssh_t)
 corenet_sendrecv_ssh_client_packets(ssh_t)
@ -54107,7 +54159,7 @@ index 2dad3c8..24f8d90 100644
 dev_read_urand(ssh_t)
 fs_getattr_all_fs(ssh_t)
-@@ -162,21 +172,28 @@ logging_read_generic_logs(ssh_t)
+@@ -162,21 +184,28 @@ logging_read_generic_logs(ssh_t)
 auth_use_nsswitch(ssh_t)
 miscfiles_read_localization(ssh_t)
@ -54142,7 +54194,7 @@ index 2dad3c8..24f8d90 100644
 ')
 tunable_policy(`use_nfs_home_dirs',`
-@@ -196,10 +213,15 @@ tunable_policy(`user_tcp_server',`
+@@ -196,10 +225,15 @@ tunable_policy(`user_tcp_server',`
 ')
 optional_policy(`
@ -54158,7 +54210,7 @@ index 2dad3c8..24f8d90 100644
 ##############################
 #
 # ssh_keysign_t local policy
-@@ -209,19 +231,14 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +243,14 @@ tunable_policy(`allow_ssh_keysign',`
 	allow ssh_keysign_t self:capability { setgid setuid };
 	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@ -54180,7 +54232,7 @@ index 2dad3c8..24f8d90 100644
 #################################
 #
 # sshd local policy
-@@ -232,33 +249,43 @@ optional_policy(`
+@@ -232,33 +261,44 @@ optional_policy(`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
@ -54209,6 +54261,7 @@ index 2dad3c8..24f8d90 100644
 +userdom_manage_tmp_role(system_r, sshd_t)
 +userdom_spec_domtrans_unpriv_users(sshd_t)
 +userdom_signal_unpriv_users(sshd_t)
 +userdom_dyntransition_unpriv_users(sshd_t)
 +
 +tunable_policy(`sshd_forward_ports',`
 +	corenet_tcp_bind_all_unreserved_ports(sshd_t)
@ -54233,7 +54286,7 @@ index 2dad3c8..24f8d90 100644
 ')
 optional_policy(`
-@@ -266,11 +293,24 @@ optional_policy(`
+@@ -266,11 +306,24 @@ optional_policy(`
 ')
 optional_policy(`
@ -54259,10 +54312,14 @@ index 2dad3c8..24f8d90 100644
 ')
 optional_policy(`
-@@ -284,6 +324,15 @@ optional_policy(`
+@@ -284,6 +337,19 @@ optional_policy(`
 ')
 optional_policy(`
 +    ssh_dyntransition_chroot_user(sshd_t)
 +')
 +
 +optional_policy(`
 +	systemd_exec_systemctl(sshd_t)
 +')
 +
@ -54275,7 +54332,7 @@ index 2dad3c8..24f8d90 100644
 	unconfined_shell_domtrans(sshd_t)
 ')
-@@ -292,26 +341,26 @@ optional_policy(`
+@@ -292,26 +358,26 @@ optional_policy(`
 ')
 ifdef(`TODO',`
@ -54321,7 +54378,7 @@ index 2dad3c8..24f8d90 100644
 ') dnl endif TODO
 ########################################
-@@ -322,19 +371,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +388,26 @@ tunable_policy(`ssh_sysadm_login',`
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
@ -54349,18 +54406,73 @@ index 2dad3c8..24f8d90 100644
 dev_read_urand(ssh_keygen_t)
 term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,10 +407,7 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,15 +424,63 @@ auth_use_nsswitch(ssh_keygen_t)
 logging_send_syslog_msg(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 -
 -optional_policy(`
 -	nscd_socket_use(ssh_keygen_t)
 -')
 +userdom_use_user_terminals(ssh_keygen_t)
 optional_policy(`
- 	seutil_sigchld_newrole(ssh_keygen_t)
+-	nscd_socket_use(ssh_keygen_t)
 +	seutil_sigchld_newrole(ssh_keygen_t)
 ')
 optional_policy(`
 -	seutil_sigchld_newrole(ssh_keygen_t)
 +	udev_read_db(ssh_keygen_t)
 +')
 +
 +######################################
 +#
 +# chroot_user_t local policy
 +#
 +
 +allow chroot_user_t self:capability { setuid sys_chroot setgid };
 +
 +allow chroot_user_t self:fifo_file rw_fifo_file_perms;
 +
 +userdom_read_user_home_content_files(chroot_user_t)
 +userdom_read_inherited_user_home_content_files(chroot_user_t)
 +userdom_read_user_home_content_symlinks(chroot_user_t)
 +userdom_exec_user_home_content_files(chroot_user_t)
 +
 +tunable_policy(`ssh_chroot_rw_homedirs',`
 +        files_list_home(chroot_user_t)
 +        userdom_read_user_home_content_files(chroot_user_t)
 +        userdom_manage_user_home_content(chroot_user_t)
 +', `
 +
 +        userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
 +')
 +
 +tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
 +    fs_manage_nfs_dirs(chroot_user_t)
 +    fs_manage_nfs_files(chroot_user_t)
 +    fs_manage_nfs_symlinks(chroot_user_t)
 +')
 +
 +tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
 +    fs_manage_cifs_dirs(chroot_user_t)
 +    fs_manage_cifs_files(chroot_user_t)
 +    fs_manage_cifs_symlinks(chroot_user_t)
 +')
 +
 +tunable_policy(`use_samba_home_dirs',`
 +    fs_read_cifs_files(chroot_user_t)
 +    fs_read_cifs_symlinks(chroot_user_t)
 +')
 +
 +tunable_policy(`use_nfs_home_dirs',`
 +    fs_read_nfs_files(chroot_user_t)
 +    fs_read_nfs_symlinks(chroot_user_t)
 ')
 optional_policy(`
 -	udev_read_db(ssh_keygen_t)
 +    ssh_rw_stream_sockets(chroot_user_t)
 +    ssh_rw_tcp_sockets(chroot_user_t)
 +    ssh_rw_dgram_sockets(chroot_user_t)
 ')
 diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
 index 941380a..6dbfc01 100644
 --- a/policy/modules/services/sssd.if
@ -61212,7 +61324,7 @@ index 354ce93..b8b14b9 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..3e8f08e 100644
+index 94fd8dd..f4a1020 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -79,6 +79,42 @@ interface(`init_script_domain',`
@ -61587,7 +61699,7 @@ index 94fd8dd..3e8f08e 100644
 	')
 ')
-@@ -800,23 +933,45 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +933,41 @@ interface(`init_spec_domtrans_script',`
 #
 interface(`init_domtrans_script',`
 	gen_require(`
@ -61610,11 +61722,11 @@ index 94fd8dd..3e8f08e 100644
 	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- 	')
+	')
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@ -61627,16 +61739,12 @@ index 94fd8dd..3e8f08e 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
+ 	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
 +## <summary>
 ##	Execute a init script in a specified domain.
 ## </summary>
 ## <desc>
@@ -868,9 +1023,14 @@ interface(`init_script_file_domtrans',`
 interface(`init_labeled_script_domtrans',`
 	gen_require(`
@ -61933,7 +62041,7 @@ index 94fd8dd..3e8f08e 100644
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2120,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2120,175 @@ interface(`init_udp_recvfrom_all_daemons',`
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
@ -62049,6 +62157,25 @@ index 94fd8dd..3e8f08e 100644
 +
 +########################################
 +## <summary>
 +##	Send a message to init over a unix domain
 +##	stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`init_stream_send',`
 +	gen_require(`
 +		type init_t;
 +	')
 +
 +	allow $1 init_t:unix_stream_socket sendto;
 +')
 +
 +########################################
 +## <summary>
 +##	Create a file type used for init socket files.
 +## </summary>
 +## <desc>
@ -62091,7 +62218,7 @@ index 94fd8dd..3e8f08e 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..7902fbb 100644
+index 29a9565..cd829ed 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@ -62899,7 +63026,7 @@ index 29a9565..7902fbb 100644
 	udev_manage_pid_files(initrc_t)
 	udev_manage_rules_files(initrc_t)
 ')
-@@ -815,11 +1163,24 @@ optional_policy(`
+@@ -815,11 +1163,26 @@ optional_policy(`
 ')
 optional_policy(`
@ -62922,10 +63049,12 @@ index 29a9565..7902fbb 100644
 +	mcs_socket_write_all_levels(initrc_t)
 +	mcs_killall(initrc_t)
 +	mcs_ptrace_all(initrc_t)
 +
 +	files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1190,25 @@ optional_policy(`
+@@ -829,6 +1192,25 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -62951,7 +63080,7 @@ index 29a9565..7902fbb 100644
 ')
 optional_policy(`
-@@ -844,6 +1224,10 @@ optional_policy(`
+@@ -844,6 +1226,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -62962,7 +63091,7 @@ index 29a9565..7902fbb 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1238,149 @@ optional_policy(`
+@@ -854,3 +1240,149 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -67130,7 +67259,7 @@ index 694fd94..334e80e 100644
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index ff80d0a..b1395dc 100644
+index ff80d0a..be800df 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
@@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
@ -67317,7 +67446,7 @@ index ff80d0a..b1395dc 100644
 ')
 ########################################
-@@ -731,3 +850,72 @@ interface(`sysnet_use_portmap',`
+@@ -731,3 +850,73 @@ interface(`sysnet_use_portmap',`
 	sysnet_read_config($1)
 ')
@ -67384,6 +67513,7 @@ index ff80d0a..b1395dc 100644
 +	')
 +
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
 +	files_etc_filetrans($1, net_conf_t, file, "denyhosts")
 +	files_etc_filetrans($1, net_conf_t, file, "hosts")
 +	files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
@ -67391,7 +67521,7 @@ index ff80d0a..b1395dc 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..2c1578e 100644
+index 34d0ec5..7e4782d 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@ -67485,11 +67615,12 @@ index 34d0ec5..2c1578e 100644
 domain_use_interactive_fds(dhcpc_t)
 domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -130,13 +148,13 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
+@@ -130,13 +148,14 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
 term_dontaudit_use_generic_ptys(dhcpc_t)
 init_rw_utmp(dhcpc_t)
 +init_stream_connect(dhcpc_t)
 +init_stream_send(dhcpc_t)
 logging_send_syslog_msg(dhcpc_t)
@ -67501,7 +67632,7 @@ index 34d0ec5..2c1578e 100644
 userdom_use_user_terminals(dhcpc_t)
 userdom_dontaudit_search_user_home_dirs(dhcpc_t)
-@@ -155,6 +173,16 @@ optional_policy(`
+@@ -155,6 +174,16 @@ optional_policy(`
 ')
 optional_policy(`
@ -67518,7 +67649,7 @@ index 34d0ec5..2c1578e 100644
 	init_dbus_chat_script(dhcpc_t)
 	dbus_system_bus_client(dhcpc_t)
-@@ -171,6 +199,8 @@ optional_policy(`
+@@ -171,6 +200,8 @@ optional_policy(`
 optional_policy(`
 	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@ -67527,7 +67658,7 @@ index 34d0ec5..2c1578e 100644
 ')
 optional_policy(`
-@@ -192,7 +222,19 @@ optional_policy(`
+@@ -192,7 +223,19 @@ optional_policy(`
 ')
 optional_policy(`
@ -67547,7 +67678,7 @@ index 34d0ec5..2c1578e 100644
 ')
 optional_policy(`
-@@ -213,6 +255,11 @@ optional_policy(`
+@@ -213,6 +256,11 @@ optional_policy(`
 optional_policy(`
 	seutil_sigchld_newrole(dhcpc_t)
 	seutil_dontaudit_search_config(dhcpc_t)
@ -67559,7 +67690,7 @@ index 34d0ec5..2c1578e 100644
 ')
 optional_policy(`
-@@ -255,6 +302,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +303,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
 allow ifconfig_t self:msg { send receive };
 # Create UDP sockets, necessary when called from dhcpc
 allow ifconfig_t self:udp_socket create_socket_perms;
@ -67567,7 +67698,7 @@ index 34d0ec5..2c1578e 100644
 # for /sbin/ip
 allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +324,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +325,11 @@ dev_read_urand(ifconfig_t)
 domain_use_interactive_fds(ifconfig_t)
@ -67579,7 +67710,7 @@ index 34d0ec5..2c1578e 100644
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
-@@ -301,11 +352,12 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +353,12 @@ logging_send_syslog_msg(ifconfig_t)
 miscfiles_read_localization(ifconfig_t)
@ -67594,7 +67725,7 @@ index 34d0ec5..2c1578e 100644
 userdom_use_all_users_fds(ifconfig_t)
 ifdef(`distro_ubuntu',`
-@@ -314,7 +366,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +367,18 @@ ifdef(`distro_ubuntu',`
 	')
 ')
@ -67613,7 +67744,7 @@ index 34d0ec5..2c1578e 100644
 	optional_policy(`
 		dev_dontaudit_rw_cardmgr(ifconfig_t)
 	')
-@@ -325,8 +388,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +389,14 @@ ifdef(`hide_broken_symptoms',`
 ')
 optional_policy(`
@ -67628,7 +67759,7 @@ index 34d0ec5..2c1578e 100644
 ')
 optional_policy(`
-@@ -335,6 +404,18 @@ optional_policy(`
+@@ -335,6 +405,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -67647,7 +67778,7 @@ index 34d0ec5..2c1578e 100644
 	nis_use_ypbind(ifconfig_t)
 ')
-@@ -356,3 +437,9 @@ optional_policy(`
+@@ -356,3 +438,9 @@ optional_policy(`
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
@ -68125,10 +68256,10 @@ index 0000000..fc8cac1
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..3b03294
+index 0000000..ce732b0
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,353 @@
+@@ -0,0 +1,358 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -68313,6 +68444,7 @@ index 0000000..3b03294
 +#
 +
 +allow systemd_tmpfiles_t self:capability { dac_override fowner chown fsetid };
 +allow systemd_tmpfiles_t self:process { setfscreate };
 +
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
 +
@ -68350,7 +68482,12 @@ index 0000000..3b03294
 +files_relabel_all_tmp_files(systemd_tmpfiles_t)
 +files_list_lost_found(systemd_tmpfiles_t)
 +
-+init_dgram_send(systemd_tmpfiles_t)
+mcs_file_read_all(systemd_tmpfiles_t)
 +mcs_file_write_all(systemd_tmpfiles_t)
 +mls_file_read_all_levels(systemd_tmpfiles_t)
 +mls_file_write_all_levels(systemd_tmpfiles_t)
 +
 +selinux_get_enforce_mode(systemd_tmpfiles_t)
 +
 +auth_manage_faillog(systemd_tmpfiles_t)
 +auth_relabel_faillog(systemd_tmpfiles_t)
@ -68360,12 +68497,8 @@ index 0000000..3b03294
 +auth_setattr_login_records(systemd_tmpfiles_t)
 +auth_use_nsswitch(systemd_tmpfiles_t)
 +
-+seutil_read_file_contexts(systemd_tmpfiles_t)
+init_dgram_send(systemd_tmpfiles_t)
-+
+init_rw_stream_sockets(systemd_tmpfiles_t)
 +mcs_file_read_all(systemd_tmpfiles_t)
 +mcs_file_write_all(systemd_tmpfiles_t)
 +mls_file_read_all_levels(systemd_tmpfiles_t)
 +mls_file_write_all_levels(systemd_tmpfiles_t)
 +
 +logging_create_devlog_dev(systemd_tmpfiles_t)
 +logging_send_syslog_msg(systemd_tmpfiles_t)
@ -68374,6 +68507,9 @@ index 0000000..3b03294
 +miscfiles_relabel_man_pages(systemd_tmpfiles_t)
 +miscfiles_read_localization(systemd_tmpfiles_t)
 +
 +seutil_read_config(systemd_tmpfiles_t)
 +seutil_read_file_contexts(systemd_tmpfiles_t)
 +
 +ifdef(`distro_redhat',`
 +	userdom_list_user_home_content(systemd_tmpfiles_t)
 +	userdom_delete_user_home_content_dirs(systemd_tmpfiles_t)
@ -69674,7 +69810,7 @@ index db75976..cca4cd1 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..022f6e7 100644
+index 4b2878a..efc9525 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -71795,7 +71931,32 @@ index 4b2878a..022f6e7 100644
 ########################################
 ## <summary>
 ##	Execute a shell in all user domains.  This
-@@ -2736,24 +3373,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3350,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
 +#####################################
 +## <summary>
 +##  Allow domain dyntrans to unpriv userdomain.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`userdom_dyntransition_unpriv_users',`
 +    gen_require(`
 +        attribute unpriv_userdomain;
 +    ')
 +
 +    allow $1 unpriv_userdomain:process dyntransition;
 +')
 +
 ########################################
 ## <summary>
 ##	Execute an Xserver session in all unprivileged user domains.  This
@@ -2736,24 +3391,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
@ -71820,7 +71981,7 @@ index 4b2878a..022f6e7 100644
 ########################################
 ## <summary>
 ##	Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3391,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3409,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
 	allow $1 unpriv_userdomain:sem create_sem_perms;
 ')
@ -71846,7 +72007,7 @@ index 4b2878a..022f6e7 100644
 ########################################
 ## <summary>
 ##	Manage unpriviledged user SysV shared
-@@ -2852,7 +3452,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3470,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
@ -71855,7 +72016,7 @@ index 4b2878a..022f6e7 100644
 	allow unpriv_userdomain $1:process sigchld;
 ')
-@@ -2868,29 +3468,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3486,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -71889,7 +72050,7 @@ index 4b2878a..022f6e7 100644
 ')
 ########################################
-@@ -2972,7 +3556,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3574,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
 		type user_devpts_t;
 	')
@ -71898,7 +72059,7 @@ index 4b2878a..022f6e7 100644
 ')
 ########################################
-@@ -3027,7 +3611,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3629,45 @@ interface(`userdom_write_user_tmp_files',`
 		type user_tmp_t;
 	')
@ -71945,7 +72106,7 @@ index 4b2878a..022f6e7 100644
 ')
 ########################################
-@@ -3064,6 +3686,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3704,7 @@ interface(`userdom_read_all_users_state',`
 	')
 	read_files_pattern($1, userdomain, userdomain)
@ -71953,7 +72114,7 @@ index 4b2878a..022f6e7 100644
 	kernel_search_proc($1)
 ')
-@@ -3142,6 +3765,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3783,24 @@ interface(`userdom_signal_all_users',`
 ########################################
 ## <summary>
@ -71978,7 +72139,7 @@ index 4b2878a..022f6e7 100644
 ##	Send a SIGCHLD signal to all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3194,3 +3835,1076 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3853,1076 @@ interface(`userdom_dbus_send_all_users',`
 	allow $1 userdomain:dbus send_msg;
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -466,6 +466,10 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue Sep 13 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-28
 - Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files
 - We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
 * Tue Sep 13 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-27
 -  Allow collectd to read hardware state information
 - Add loop_control_device_t