##
-@@ -50,6 +73,20 @@ gen_tunable(httpd_can_network_connect, false)
+@@ -50,6 +73,27 @@ gen_tunable(httpd_can_network_connect, false)
##
##
@@ -3300,6 +3320,13 @@ index 0833afb..e8bbca3 100644
+
+##
+##
++## Allow HTTPD scripts and modules to server cobbler files.
++##
++##
++gen_tunable(httpd_serve_cobbler_files, false)
++
++##
++##
+## Allow HTTPD to connect to port 80 for graceful shutdown
+##
+##
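Review bot: The description of the new `httpd_serve_cobbler_files` tunable reads `## Allow HTTPD scripts and modules to server cobbler files.`; `server` should be `serve`. Because the true branch of this tunable (later hunk `@@ -3888,7 +3915,21 @@`) grants `cobbler_manage_lib_files(httpd_t)`, the description should also say that the boolean grants write access, e.g. `## Allow HTTPD scripts and modules to serve and manage (write) cobbler files.`, so an administrator reading the tunable list understands it is more than a read permission.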
@@ -3310,7 +3337,7 @@ index 0833afb..e8bbca3 100644
## Allow HTTPD scripts and modules to connect to databases over the network.
##
##
-@@ -57,12 +94,33 @@ gen_tunable(httpd_can_network_connect_db, false)
+@@ -57,12 +101,33 @@ gen_tunable(httpd_can_network_connect_db, false)
##
##
@@ -3344,7 +3371,7 @@ index 0833afb..e8bbca3 100644
##
## Allow http daemon to send mail
##
-@@ -93,6 +151,21 @@ gen_tunable(httpd_enable_ftp_server, false)
+@@ -93,6 +158,21 @@ gen_tunable(httpd_enable_ftp_server, false)
##
##
@@ -3366,7 +3393,7 @@ index 0833afb..e8bbca3 100644
## Allow httpd to read home directories
##
##
-@@ -100,6 +173,27 @@ gen_tunable(httpd_enable_homedirs, false)
+@@ -100,6 +180,27 @@ gen_tunable(httpd_enable_homedirs, false)
##
##
@@ -3394,7 +3421,7 @@ index 0833afb..e8bbca3 100644
## Allow httpd daemon to change its resource limits
##
##
-@@ -114,6 +208,13 @@ gen_tunable(httpd_ssi_exec, false)
+@@ -114,6 +215,13 @@ gen_tunable(httpd_ssi_exec, false)
##
##
@@ -3408,7 +3435,7 @@ index 0833afb..e8bbca3 100644
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
-@@ -130,12 +231,26 @@ gen_tunable(httpd_unified, false)
+@@ -130,12 +238,26 @@ gen_tunable(httpd_unified, false)
##
##
@@ -3435,7 +3462,7 @@ index 0833afb..e8bbca3 100644
##
## Allow httpd to run gpg
##
-@@ -149,12 +264,28 @@ gen_tunable(httpd_use_gpg, false)
+@@ -149,12 +271,28 @@ gen_tunable(httpd_use_gpg, false)
##
gen_tunable(httpd_use_nfs, false)
@@ -3464,7 +3491,7 @@ index 0833afb..e8bbca3 100644
attribute httpd_script_exec_type;
attribute httpd_user_script_exec_type;
-@@ -163,6 +294,10 @@ attribute httpd_script_domains;
+@@ -163,6 +301,10 @@ attribute httpd_script_domains;
type httpd_t;
type httpd_exec_t;
@@ -3475,7 +3502,7 @@ index 0833afb..e8bbca3 100644
init_daemon_domain(httpd_t, httpd_exec_t)
role system_r types httpd_t;
-@@ -173,7 +308,7 @@ files_type(httpd_cache_t)
+@@ -173,7 +315,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
@@ -3484,7 +3511,7 @@ index 0833afb..e8bbca3 100644
type httpd_helper_t;
type httpd_helper_exec_t;
-@@ -184,10 +319,19 @@ role system_r types httpd_helper_t;
+@@ -184,10 +326,19 @@ role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -3504,7 +3531,7 @@ index 0833afb..e8bbca3 100644
logging_log_file(httpd_log_t)
# httpd_modules_t is the type given to module files (libraries)
-@@ -223,7 +367,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -223,7 +374,21 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -3527,7 +3554,7 @@ index 0833afb..e8bbca3 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -233,6 +391,11 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -233,6 +398,11 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -3539,7 +3566,7 @@ index 0833afb..e8bbca3 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -240,6 +403,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -240,6 +410,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -3547,7 +3574,7 @@ index 0833afb..e8bbca3 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -259,16 +423,28 @@ type httpd_var_lib_t;
+@@ -259,16 +430,28 @@ type httpd_var_lib_t;
files_type(httpd_var_lib_t)
type httpd_var_run_t;
@@ -3576,7 +3603,7 @@ index 0833afb..e8bbca3 100644
########################################
#
# Apache server local policy
-@@ -288,11 +464,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -288,11 +471,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
@@ -3590,7 +3617,7 @@ index 0833afb..e8bbca3 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -305,6 +483,7 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
+@@ -305,6 +490,7 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, file)
allow httpd_t httpd_log_t:dir setattr;
@@ -3598,7 +3625,7 @@ index 0833afb..e8bbca3 100644
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-@@ -336,8 +515,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -336,8 +522,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -3610,7 +3637,7 @@ index 0833afb..e8bbca3 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -346,8 +527,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -346,8 +534,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -3621,7 +3648,7 @@ index 0833afb..e8bbca3 100644
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -362,8 +544,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -362,8 +551,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -3632,7 +3659,7 @@ index 0833afb..e8bbca3 100644
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
corenet_udp_sendrecv_generic_if(httpd_t)
-@@ -372,11 +555,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -372,11 +562,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -3653,7 +3680,7 @@ index 0833afb..e8bbca3 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -385,9 +576,14 @@ dev_rw_crypto(httpd_t)
+@@ -385,9 +583,14 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -3668,7 +3695,7 @@ index 0833afb..e8bbca3 100644
# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_shell(httpd_t)
-@@ -396,61 +592,112 @@ domain_use_interactive_fds(httpd_t)
+@@ -396,61 +599,112 @@ domain_use_interactive_fds(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
@@ -3789,7 +3816,7 @@ index 0833afb..e8bbca3 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -461,27 +708,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -461,27 +715,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -3853,7 +3880,7 @@ index 0833afb..e8bbca3 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -491,7 +772,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -491,7 +779,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -3876,7 +3903,7 @@ index 0833afb..e8bbca3 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -511,9 +807,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -511,23 +814,43 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -3888,7 +3915,21 @@ index 0833afb..e8bbca3 100644
+ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+')
+
++
+optional_policy(`
++ cobbler_list_config(httpd_t)
++ cobbler_read_config(httpd_t)
++
++ tunable_policy(`httpd_serve_cobbler_files',`
++ cobbler_manage_lib_files(httpd_t)
++',`
++ cobbler_read_lib_files(httpd_t)
++ cobbler_search_lib(httpd_t)
++ ')
+ ')
+
+ optional_policy(`
+- calamaris_read_www_files(httpd_t)
+ # Support for ABRT retrace server
+ # mod_wsgi
+ abrt_manage_spool_retrace(httpd_t)
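Review bot: `cobbler_manage_lib_files(httpd_t)` in the true branch of `tunable_policy(`httpd_serve_cobbler_files'` gives httpd_t write access to everything labeled cobbler_var_lib_t, which according to the cobbler.fc hunk on this page covers /var/lib/cobbler, the newly added /var/cache/cobbler and /var/lib/tftpboot/etc (the PXE boot tree), so the default-off, read-only else branch is the right default and the scope deserves a comment above the block, e.g. `# httpd_serve_cobbler_files: write access to the whole cobbler_var_lib_t tree, including the tftpboot tree`. `cobbler_read_lib_files(httpd_t)` and `cobbler_search_lib(httpd_t)` were previously unconditional and now live only in the else branch, which is correct only if `cobbler_manage_lib_files` also grants search on the lib directories; presumably it does, but confirm against cobbler.if. The inner lines are shown without their original indentation, so the nesting of the `tunable_policy` inside the `optional_policy` cannot be checked from here.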
@@ -3897,17 +3938,20 @@ index 0833afb..e8bbca3 100644
')
optional_policy(`
-@@ -525,6 +831,9 @@ optional_policy(`
+- ccs_read_config(httpd_t)
++ calamaris_read_www_files(httpd_t)
')
optional_policy(`
-+ cobbler_list_config(httpd_t)
-+ cobbler_read_config(httpd_t)
-+ cobbler_read_lib_files(httpd_t)
- cobbler_search_lib(httpd_t)
+- cobbler_search_lib(httpd_t)
++ ccs_read_config(httpd_t)
')
-@@ -540,6 +849,24 @@ optional_policy(`
++
+ optional_policy(`
+ cron_system_entry(httpd_t, httpd_exec_t)
+ ')
+@@ -540,6 +863,24 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -3932,7 +3976,7 @@ index 0833afb..e8bbca3 100644
optional_policy(`
dbus_system_bus_client(httpd_t)
-@@ -549,13 +876,24 @@ optional_policy(`
+@@ -549,13 +890,24 @@ optional_policy(`
')
optional_policy(`
@@ -3958,7 +4002,7 @@ index 0833afb..e8bbca3 100644
')
optional_policy(`
-@@ -573,7 +911,25 @@ optional_policy(`
+@@ -573,7 +925,25 @@ optional_policy(`
')
optional_policy(`
@@ -3984,7 +4028,7 @@ index 0833afb..e8bbca3 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -584,6 +940,7 @@ optional_policy(`
+@@ -584,6 +954,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -3992,7 +4036,7 @@ index 0833afb..e8bbca3 100644
')
optional_policy(`
-@@ -594,6 +951,46 @@ optional_policy(`
+@@ -594,6 +965,46 @@ optional_policy(`
')
optional_policy(`
@@ -4039,7 +4083,7 @@ index 0833afb..e8bbca3 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -608,6 +1005,11 @@ optional_policy(`
+@@ -608,6 +1019,11 @@ optional_policy(`
')
optional_policy(`
@@ -4051,7 +4095,7 @@ index 0833afb..e8bbca3 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -620,6 +1022,12 @@ optional_policy(`
+@@ -620,6 +1036,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -4064,7 +4108,7 @@ index 0833afb..e8bbca3 100644
########################################
#
# Apache helper local policy
-@@ -633,7 +1041,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1055,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -4109,7 +4153,7 @@ index 0833afb..e8bbca3 100644
########################################
#
-@@ -671,28 +1115,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1129,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -4153,7 +4197,7 @@ index 0833afb..e8bbca3 100644
')
########################################
-@@ -702,6 +1148,7 @@ optional_policy(`
+@@ -702,6 +1162,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -4161,7 +4205,7 @@ index 0833afb..e8bbca3 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1163,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1177,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -4190,7 +4234,7 @@ index 0833afb..e8bbca3 100644
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -738,15 +1193,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1207,14 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -4208,7 +4252,7 @@ index 0833afb..e8bbca3 100644
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1211,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1225,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -4241,7 +4285,7 @@ index 0833afb..e8bbca3 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1258,25 @@ optional_policy(`
+@@ -786,6 +1272,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -4267,7 +4311,7 @@ index 0833afb..e8bbca3 100644
########################################
#
# Apache system script local policy
-@@ -806,12 +1297,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1311,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -4285,7 +4329,7 @@ index 0833afb..e8bbca3 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -820,18 +1316,51 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1330,51 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -4345,7 +4389,7 @@ index 0833afb..e8bbca3 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1368,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1382,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -4386,7 +4430,7 @@ index 0833afb..e8bbca3 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,15 +1408,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+@@ -854,15 +1422,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
optional_policy(`
clamav_domtrans_clamscan(httpd_sys_script_t)
@@ -4413,7 +4457,7 @@ index 0833afb..e8bbca3 100644
')
########################################
-@@ -878,11 +1443,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1457,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -4425,7 +4469,7 @@ index 0833afb..e8bbca3 100644
########################################
#
-@@ -908,11 +1471,143 @@ optional_policy(`
+@@ -908,11 +1485,143 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -8472,7 +8516,7 @@ index c3e3f79..54c74eb 100644
+ unconfined_domain(certmonger_unconfined_t)
+')
diff --git a/certwatch.te b/certwatch.te
-index e07cef5..20cb64f 100644
+index e07cef5..ebadfa9 100644
--- a/certwatch.te
+++ b/certwatch.te
@@ -17,6 +17,11 @@ role system_r types certwatch_t;
@@ -8487,7 +8531,7 @@ index e07cef5..20cb64f 100644
dev_read_urand(certwatch_t)
files_read_etc_files(certwatch_t)
-@@ -27,17 +32,18 @@ files_list_tmp(certwatch_t)
+@@ -27,22 +32,27 @@ files_list_tmp(certwatch_t)
fs_list_inotifyfs(certwatch_t)
auth_manage_cache(certwatch_t)
@@ -8509,6 +8553,15 @@ index e07cef5..20cb64f 100644
apache_exec_modules(certwatch_t)
apache_read_config(certwatch_t)
')
+
+ optional_policy(`
++ mta_send_mail(certwatch_t)
++')
++
++optional_policy(`
+ cron_system_entry(certwatch_t, certwatch_exec_t)
+ ')
+
diff --git a/cfengine.fc b/cfengine.fc
new file mode 100644
index 0000000..4c52fa3
@@ -10408,10 +10461,10 @@ index 28fdd8a..5605ed7 100644
corosync_stream_connect(cmirrord_t)
')
diff --git a/cobbler.fc b/cobbler.fc
-index 1cf6c4e..0858f92 100644
+index 1cf6c4e..a5882d4 100644
--- a/cobbler.fc
+++ b/cobbler.fc
-@@ -1,7 +1,35 @@
+@@ -1,7 +1,38 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
@@ -10422,8 +10475,11 @@ index 1cf6c4e..0858f92 100644
+
+/usr/lib/systemd/system/cobblerd.* -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0)
+
++
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+
++/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
@@ -10666,7 +10722,7 @@ index 116d60f..49f30af 100644
+ allow $1 cobblerd_unit_file_t:service all_service_perms;
')
diff --git a/cobbler.te b/cobbler.te
-index 0258b48..c68160d 100644
+index 0258b48..fd0cb06 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -10709,7 +10765,7 @@ index 0258b48..c68160d 100644
type cobblerd_t;
type cobblerd_exec_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)
-@@ -26,25 +48,43 @@ files_config_file(cobbler_etc_t)
+@@ -26,25 +48,41 @@ files_config_file(cobbler_etc_t)
type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)
@@ -10749,14 +10805,12 @@ index 0258b48..c68160d 100644
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
-+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
-+
-+# Something really needs to write to cobbler.log. Ideally this should not be happening.
-+allow cobblerd_t cobbler_var_log_t:file write;
++files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
++files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -52,57 +92,131 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+@@ -52,57 +90,131 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
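Review bot: The rewritten transition rules narrow `files_var_lib_filetrans` from `{ dir file lnk_file }` to `dir` and add a name-based `files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")`, with no comment saying why; the named transition presumably exists so that a `cobbler` directory created under /var/cache (which carries the generic var_t label in refpolicy, matching the new /var/cache/cobbler entry in cobbler.fc) is labeled cobbler_var_lib_t, but it equally applies to a `cobbler` directory created directly under /var, so state the intent: `# /var/cache is var_t; label a created /var/cache/cobbler as cobbler_var_lib_t`. Dropping the earlier `allow cobblerd_t cobbler_var_log_t:file write;` is a welcome tightening, but note that regular files or symlinks cobblerd creates directly in /var/lib no longer transition and keep var_lib_t; confirm that is intended. The rest of the cobblerd rules continue outside this hunk.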
@@ -10892,7 +10946,7 @@ index 0258b48..c68160d 100644
')
optional_policy(`
-@@ -110,12 +224,21 @@ optional_policy(`
+@@ -110,12 +222,21 @@ optional_policy(`
')
optional_policy(`
@@ -10917,7 +10971,7 @@ index 0258b48..c68160d 100644
')
########################################
-@@ -123,6 +246,10 @@ optional_policy(`
+@@ -123,6 +244,10 @@ optional_policy(`
# Cobbler web local policy.
#
@@ -19050,10 +19104,10 @@ index 0000000..b214253
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 0000000..7f0b4f6
+index 0000000..796bfca
--- /dev/null
+++ b/dirsrv.te
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,197 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -19202,6 +19256,10 @@ index 0000000..7f0b4f6
+ rpcbind_stream_connect(dirsrv_t)
+')
+
++optional_policy(`
++ uuidd_stream_connect_manager(dirsrv_t)
++')
++
+########################################
+#
+# dirsrv-snmp local policy
@@ -24579,10 +24637,10 @@ index 00a19e3..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index f5afe78..7c84b94 100644
+index f5afe78..4a90668 100644
--- a/gnome.if
+++ b/gnome.if
-@@ -1,44 +1,1067 @@
+@@ -1,44 +1,1086 @@
## GNU network object model environment (GNOME)
-############################################################
@@ -25001,6 +25059,25 @@ index f5afe78..7c84b94 100644
+
+########################################
+##
++## Create generic cache home dir (.cache)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_create_generic_cache_dir',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ allow $1 cache_home_t:dir create_dir_perms;
++ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
++')
++
++########################################
++##
+## Set attributes of cache home dir (.cache)
+##
+##
@@ -25668,7 +25745,7 @@ index f5afe78..7c84b94 100644
##
##
##
-@@ -46,37 +1069,91 @@ interface(`gnome_role',`
+@@ -46,37 +1088,91 @@ interface(`gnome_role',`
##
##
#
@@ -25771,7 +25848,7 @@ index f5afe78..7c84b94 100644
##
##
##
-@@ -84,37 +1161,107 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +1180,107 @@ template(`gnome_read_gconf_config',`
##
##
#
@@ -25890,7 +25967,7 @@ index f5afe78..7c84b94 100644
##
##
##
-@@ -122,17 +1269,36 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1288,36 @@ interface(`gnome_stream_connect_gconf',`
##
##
#
@@ -25931,7 +26008,7 @@ index f5afe78..7c84b94 100644
##
##
##
-@@ -140,51 +1306,281 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1325,281 @@ interface(`gnome_domtrans_gconfd',`
##
##
#
@@ -30318,14 +30395,15 @@ index 3525d24..8c702c9 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index 604f67b..138e1e2 100644
+index 604f67b..11e6268 100644
--- a/kerberos.if
+++ b/kerberos.if
-@@ -82,14 +82,11 @@ interface(`kerberos_use',`
+@@ -82,14 +82,12 @@ interface(`kerberos_use',`
#kerberos libraries are attempting to set the correct file context
dontaudit $1 self:process setfscreate;
selinux_dontaudit_validate_context($1)
- seutil_dontaudit_read_file_contexts($1)
++ seutil_read_file_contexts($1)
- tunable_policy(`allow_kerberos',`
+ tunable_policy(`kerberos_enabled',`
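Review bot: The added `seutil_read_file_contexts($1)` turns the removed `seutil_dontaudit_read_file_contexts($1)` from a dontaudit into an allow for every domain that calls `kerberos_use`, which is a widely used interface, and the surrounding comment `#kerberos libraries are attempting to set the correct file context` together with the kept `dontaudit $1 self:process setfscreate;` reads as an intent to silence noise rather than to permit it. If the libraries genuinely need to read file_contexts, say so next to the line, e.g. `# krb5 libraries read file_contexts when labeling credential caches; a real need, not noise` (adjust to the actual reason), so the broadening is reviewable later. The remainder of `kerberos_use` lies outside this hunk.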
@@ -30337,7 +30415,7 @@ index 604f67b..138e1e2 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -103,11 +100,12 @@ interface(`kerberos_use',`
+@@ -103,11 +101,12 @@ interface(`kerberos_use',`
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
@@ -30352,7 +30430,7 @@ index 604f67b..138e1e2 100644
pcscd_stream_connect($1)
')
')
-@@ -218,6 +216,30 @@ interface(`kerberos_rw_keytab',`
+@@ -218,6 +217,30 @@ interface(`kerberos_rw_keytab',`
########################################
##
@@ -30383,7 +30461,7 @@ index 604f67b..138e1e2 100644
## Create a derived type for kerberos keytab
##
##
-@@ -235,8 +257,13 @@ template(`kerberos_keytab_template',`
+@@ -235,8 +258,13 @@ template(`kerberos_keytab_template',`
type $1_keytab_t;
files_type($1_keytab_t)
@@ -30397,7 +30475,7 @@ index 604f67b..138e1e2 100644
kerberos_read_keytab($2)
kerberos_use($2)
')
-@@ -282,42 +309,21 @@ interface(`kerberos_manage_host_rcache',`
+@@ -282,42 +310,21 @@ interface(`kerberos_manage_host_rcache',`
# does not work in conditionals
domain_obj_id_change_exemption($1)
@@ -30443,7 +30521,7 @@ index 604f67b..138e1e2 100644
## All of the rules required to administrate
## an kerberos environment
##
-@@ -338,18 +344,22 @@ interface(`kerberos_admin',`
+@@ -338,18 +345,22 @@ interface(`kerberos_admin',`
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -30471,7 +30549,7 @@ index 604f67b..138e1e2 100644
ps_process_pattern($1, kpropd_t)
init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-@@ -378,3 +388,121 @@ interface(`kerberos_admin',`
+@@ -378,3 +389,121 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -32366,7 +32444,7 @@ index ae29d9f..fb7869e 100644
########################################
diff --git a/livecd.te b/livecd.te
-index 008f718..2a9d6c0 100644
+index 008f718..d125a61 100644
--- a/livecd.te
+++ b/livecd.te
@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
@@ -32396,17 +32474,18 @@ index 008f718..2a9d6c0 100644
domain_ptrace_all_domains(livecd_t)
-@@ -30,14 +31,5 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+@@ -30,14 +31,9 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
optional_policy(`
- mount_run(livecd_t, livecd_roles)
-+ unconfined_domain_noaudit(livecd_t)
++ rpm_transition_script(livecd_t)
')
--
--optional_policy(`
+
+ optional_policy(`
- hal_dbus_chat(livecd_t)
--')
++ unconfined_domain_noaudit(livecd_t)
+ ')
-
-optional_policy(`
- unconfined_domain(livecd_t)
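Review bot: `unconfined_domain_noaudit(livecd_t)` replaces the earlier `unconfined_domain(livecd_t)` visible in the removed inner lines, and the `_noaudit` variant additionally suppresses audit records for the domain, so this is a loss of visibility rather than a permission change and the hunk gives no reason for it. A comment such as `# noaudit: livecd-creator produces a high volume of denials that are not actionable` (or the real reason) would keep the choice reviewable. Moving `rpm_transition_script(livecd_t)` into its own optional_policy block is fine, since it depends on the rpm module alone.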
@@ -35986,7 +36065,7 @@ index b397fde..aaf4cdf 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..0216e3f 100644
+index d4fcb75..af07b52 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -36159,7 +36238,7 @@ index d4fcb75..0216e3f 100644
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
')
-@@ -297,65 +318,105 @@ optional_policy(`
+@@ -297,65 +318,106 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -36258,6 +36337,7 @@ index d4fcb75..0216e3f 100644
+corenet_tcp_connect_commplex_port(mozilla_plugin_t)
+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
+corenet_tcp_connect_monopd_port(mozilla_plugin_t)
++corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
@@ -36280,7 +36360,7 @@ index d4fcb75..0216e3f 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,55 +424,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,55 +425,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -36364,7 +36444,7 @@ index d4fcb75..0216e3f 100644
')
optional_policy(`
-@@ -420,26 +488,45 @@ optional_policy(`
+@@ -420,26 +489,45 @@ optional_policy(`
')
optional_policy(`
@@ -36414,7 +36494,7 @@ index d4fcb75..0216e3f 100644
')
optional_policy(`
-@@ -447,10 +534,122 @@ optional_policy(`
+@@ -447,10 +535,122 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -39319,7 +39399,7 @@ index 1cf05a3..8855ea2 100644
userdom_getattr_user_home_dirs(mysqlmanagerd_t)
diff --git a/nagios.fc b/nagios.fc
-index 1238f2e..d80b4db 100644
+index 1238f2e..9590368 100644
--- a/nagios.fc
+++ b/nagios.fc
@@ -6,7 +6,7 @@
@@ -39427,9 +39507,10 @@ index 1238f2e..d80b4db 100644
/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- # unconfined plugins
+-# unconfined plugins
-/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
++# label all nagios plugin as unconfined by default
++/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+
+# eventhandlers
+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
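Review bot: The new catch-all `/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)` makes unconfined the default for any plugin that has no more specific entry, so a third-party or newly packaged plugin runs unconfined until someone adds an fc line for it, where previously it fell through to the generic /usr/lib label. This works only because file_contexts matching prefers the entry with the longer literal stem (check_ssh, check_ups and the eventhandlers line here), and that dependency plus the fail-open default should be stated in the comment, e.g. `# default: plugins without a more specific entry run unconfined; add a specific line to confine a plugin` (also fixing `plugin` to `plugins`). Consider whether one of the confined plugin types would be a safer default, with unconfined reserved for the explicitly listed exceptions.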
@@ -41114,10 +41195,10 @@ index 0000000..7d11148
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..c961e48
+index 0000000..84b2cc6
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,333 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -41173,6 +41254,7 @@ index 0000000..c961e48
+manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
+
+corenet_tcp_connect_amqp_port(nova_domain)
++corenet_tcp_connect_mysqld_port(nova_domain)
+
+corecmd_exec_bin(nova_domain)
+corecmd_exec_shell(nova_domain)
@@ -41299,6 +41381,10 @@ index 0000000..c961e48
+
+auth_use_nsswitch(nova_console_t)
+
++optional_policy(`
++ mysql_stream_connect(nova_console_t)
++')
++
+#######################################
+#
+# nova direct local policy
@@ -46672,7 +46758,7 @@ index 1c2a091..2f1ff6a 100644
##
## Connect to pcscd over an unix stream socket.
diff --git a/pcscd.te b/pcscd.te
-index ceafba6..47b690d 100644
+index ceafba6..e438490 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -25,6 +25,7 @@ allow pcscd_t self:fifo_file rw_fifo_file_perms;
@@ -46700,7 +46786,7 @@ index ceafba6..47b690d 100644
sysnet_dns_name_resolve(pcscd_t)
optional_policy(`
-@@ -77,3 +75,7 @@ optional_policy(`
+@@ -77,3 +75,11 @@ optional_policy(`
optional_policy(`
rpm_use_script_fds(pcscd_t)
')
@@ -46708,6 +46794,10 @@ index ceafba6..47b690d 100644
+optional_policy(`
+ udev_read_db(pcscd_t)
+')
++
++optional_policy(`
++ virt_rw_svirt_dev(pcscd_t)
++')
diff --git a/pegasus.if b/pegasus.if
index 920b13f..22b745a 100644
--- a/pegasus.if
@@ -55287,10 +55377,10 @@ index 0000000..010b2be
+')
diff --git a/quantum.te b/quantum.te
new file mode 100644
-index 0000000..2b0a6a0
+index 0000000..f66e288
--- /dev/null
+++ b/quantum.te
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,101 @@
+policy_module(quantum, 1.0.0)
+
+########################################
@@ -55346,6 +55436,7 @@ index 0000000..2b0a6a0
+
+corenet_tcp_bind_generic_node(quantum_t)
+corenet_tcp_bind_quantum_port(quantum_t)
++corenet_tcp_connect_keystone_port(quantum_t)
+corenet_tcp_connect_mysqld_port(quantum_t)
+corenet_tcp_connect_amqp_port(quantum_t)
+
@@ -56040,16 +56131,18 @@ index b1a85b5..6d6ec1d 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
+')
diff --git a/raid.te b/raid.te
-index a8a12b7..83609a4 100644
+index a8a12b7..8b27779 100644
--- a/raid.te
+++ b/raid.te
-@@ -10,11 +10,9 @@ type mdadm_exec_t;
+@@ -10,11 +10,12 @@ type mdadm_exec_t;
init_daemon_domain(mdadm_t, mdadm_exec_t)
role system_r types mdadm_t;
-type mdadm_map_t;
-files_type(mdadm_map_t)
--
++type mdadm_tmp_t;
++files_tmpfs_file(mdadm_tmp_t)
+
-type mdadm_var_run_t;
+type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
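Review bot: `mdadm_tmp_t` is declared here with `files_tmpfs_file(mdadm_tmp_t)`, but the later hunk `@@ -56071,7 +56164,10 @@` pairs it with `files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)`, which is the /tmp (tmp_t) transition; a tmpfs file attribute and a /tmp transition do not match. Either declare it as a tmp type, `files_tmp_file(mdadm_tmp_t)`, or transition under tmpfs with `fs_tmpfs_filetrans(mdadm_t, mdadm_tmp_t, file)`, depending on where mdadm actually writes. That same hunk adds `manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)` but transitions only `file`, so directories mdadm creates there would keep the parent label; use `{ file dir }` if directories are intended.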
@@ -56057,7 +56150,7 @@ index a8a12b7..83609a4 100644
########################################
#
-@@ -22,21 +20,24 @@ files_pid_file(mdadm_var_run_t)
+@@ -22,21 +23,28 @@ files_pid_file(mdadm_var_run_t)
#
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -56071,7 +56164,10 @@ index a8a12b7..83609a4 100644
-# create .mdadm files in /dev
-allow mdadm_t mdadm_map_t:file manage_file_perms;
-dev_filetrans(mdadm_t, mdadm_map_t, file)
--
++manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
++manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
++files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
+
+manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
@@ -56089,7 +56185,7 @@ index a8a12b7..83609a4 100644
# Helper program access
corecmd_exec_bin(mdadm_t)
-@@ -52,15 +53,18 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+@@ -52,15 +60,18 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
# unfortunately needed for DMI decoding:
dev_read_raw_memory(mdadm_t)
@@ -56111,11 +56207,12 @@ index a8a12b7..83609a4 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -69,16 +73,17 @@ mls_file_write_all_levels(mdadm_t)
+@@ -69,16 +80,18 @@ mls_file_write_all_levels(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_dev_filetrans_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
+storage_write_scsi_generic(mdadm_t)
++storage_raw_read_removable_device(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)
term_dontaudit_use_unallocated_ttys(mdadm_t)
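Review bot: `storage_raw_read_removable_device(mdadm_t)` grants raw read on every removable_device_t node, while the changelog only mentions /dev/sr0, and nothing next to the rule records why a RAID tool reads removable media. A comment such as `# mdadm scans removable devices such as /dev/sr0 for array superblocks -- confirm against the motivating AVC` would keep the grant from being mistaken for leftover noise later. If the denial came from a probe that mdadm tolerates failing, a dontaudit would be the narrower fix; that cannot be told from the hunk alone.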
@@ -56131,7 +56228,7 @@ index a8a12b7..83609a4 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
userdom_dontaudit_use_user_terminals(mdadm_t)
-@@ -86,6 +91,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
+@@ -86,6 +99,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
mta_send_mail(mdadm_t)
optional_policy(`
@@ -56684,13 +56781,15 @@ index b4ac57e..7b76aa2 100644
diff --git a/realmd.fc b/realmd.fc
new file mode 100644
-index 0000000..02a1f34
+index 0000000..3b92679
--- /dev/null
+++ b/realmd.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,5 @@
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+
+/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
++
++/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
diff --git a/realmd.if b/realmd.if
new file mode 100644
index 0000000..e38693b
@@ -56741,10 +56840,10 @@ index 0000000..e38693b
+')
diff --git a/realmd.te b/realmd.te
new file mode 100644
-index 0000000..7e4d536
+index 0000000..372da97
--- /dev/null
+++ b/realmd.te
-@@ -0,0 +1,138 @@
+@@ -0,0 +1,168 @@
+policy_module(realmd, 1.0.0)
+
+########################################
@@ -56765,13 +56864,18 @@ index 0000000..7e4d536
+files_tmp_file(realmd_tmp_t)
+
+
++type realmd_var_lib_t;
++files_type(realmd_var_lib_t)
++
+########################################
+#
+# realmd local policy
+#
+
-+allow realmd_t self:capability sys_nice;
++allow realmd_t self:capability { sys_nice };
++allow realmd_t self:capability2 block_suspend;
+allow realmd_t self:process setsched;
++allow realmd_t self:key manage_key_perms;
+
+manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
+manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
@@ -56780,7 +56884,12 @@ index 0000000..7e4d536
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+
++manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
++manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
++files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir)
++
+kernel_read_system_state(realmd_t)
++kernel_read_network_state(realmd_t)
+
+corecmd_exec_bin(realmd_t)
+corecmd_exec_shell(realmd_t)
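Review bot: `files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir)` is an unnamed transition, so any directory realmd_t creates directly under /var/lib becomes realmd_var_lib_t, which is broader than the single /var/lib/ipa-client path that the realmd.fc hunk labels and leaves file contexts and runtime labeling disagreeing for anything else realmd creates there. This policy already uses named transitions (the thumbnails one in thumb.te), so restrict it to match the fc entry: `files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir, "ipa-client")`. The realmd_t local policy continues outside this hunk.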
@@ -56794,12 +56903,20 @@ index 0000000..7e4d536
+dev_read_rand(realmd_t)
+dev_read_urand(realmd_t)
+
++files_manage_etc_files(realmd_t)
++
+fs_getattr_all_fs(realmd_t)
+
+auth_use_nsswitch(realmd_t)
+
++logging_manage_generic_logs(realmd_t)
+logging_send_syslog_msg(realmd_t)
+
++miscfiles_manage_generic_cert_files(realmd_t)
++
++seutil_domtrans_setfiles(realmd_t)
++seutil_read_file_contexts(realmd_t)
++
+sysnet_dns_name_resolve(realmd_t)
+systemd_exec_systemctl(realmd_t)
+
@@ -56829,6 +56946,17 @@ index 0000000..7e4d536
+optional_policy(`
+ kerberos_use(realmd_t)
+ kerberos_rw_keytab(realmd_t)
++ kerberos_rw_config(realmd_t)
++ kerberos_filetrans_named_content(realmd_t)
++')
++
++optional_policy(`
++ ntp_domtrans_ntpdate(realmd_t)
++')
++
++optional_policy(`
++ ssh_domtrans(realmd_t)
++ ssh_systemctl(realmd_t)
+')
+
+optional_policy(`
@@ -56867,12 +56995,15 @@ index 0000000..7e4d536
+ xserver_read_state_xdm(realmd_t)
+')
+
++optional_policy(`
++ unconfined_domain(realmd_t)
++')
++
+#####################################
+#
+# realmd consolehelper local policy
+#
+
-+
+optional_policy(`
+ userhelper_console_role_template(realmd, system_r, realmd_t)
+ authconfig_manage_lib_files(realmd_consolehelper_t)
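Review bot: `unconfined_domain(realmd_t)` makes the whole confined realmd_t policy above it inert on any system with the unconfined module loaded, and nothing in the hunk says why or whether this is meant to be temporary; the changelog only says realmd "really needs to be an unconfined_domain" to run ipa. Put the reason above the optional block, e.g. `# realmd runs ipa-client-install and other join helpers that need wide system access; unconfined until those get their own domains -- TODO confirm`, so a maintainer knows the confined rules are the intended end state rather than dead code. Also note the consolehelper domain in the following hunk uses `unconfined_domain_noaudit`; if audit noise is the reason there, the choice of the auditing variant for realmd_t should be deliberate.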
@@ -56881,8 +57012,6 @@ index 0000000..7e4d536
+
+ unconfined_domain_noaudit(realmd_consolehelper_t)
+')
-+
-+
diff --git a/remotelogin.te b/remotelogin.te
index 0a76027..18f59a7 100644
--- a/remotelogin.te
@@ -62389,10 +62518,10 @@ index 0000000..7addd77
+')
diff --git a/sandbox.te b/sandbox.te
new file mode 100644
-index 0000000..db440d4
+index 0000000..d611be9
--- /dev/null
+++ b/sandbox.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,63 @@
+policy_module(sandbox,1.0.0)
+
+attribute sandbox_domain;
@@ -62453,12 +62582,9 @@ index 0000000..db440d4
+
+fs_dontaudit_getattr_all_fs(sandbox_domain)
+
-+
-+userdom_dontaudit_use_user_terminals(sandbox_domain)
++userdom_use_inherited_user_terminals(sandbox_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_domain)
-+
-+
diff --git a/sandboxX.fc b/sandboxX.fc
new file mode 100644
index 0000000..6caef63
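Review bot: Replacing `userdom_dontaudit_use_user_terminals` with `userdom_use_inherited_user_terminals(sandbox_domain)` turns a silent denial into real read/write on the invoking user's terminal for every sandboxed process, and a later hunk makes the same swap for sandbox_x_domain. If the interface's inherited-terminal permission set includes ioctl (the usual rw_inherited_term_perms do, but the definition is not visible here), a sandboxed program can use TIOCSTI on that fd to inject keystrokes into the user's shell, which undoes a large part of the sandbox's isolation. Worth confirming the exact permissions and, if ioctl is included, recording it: `# inherited tty access includes ioctl: TIOCSTI injection is possible from the sandbox`. The sandbox_domain rules continue outside this hunk.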
@@ -62866,7 +62992,7 @@ index 0000000..f00e5c5
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..479ece4
+index 0000000..97dca29
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,463 @@
@@ -63117,7 +63243,7 @@ index 0000000..479ece4
+ udev_read_db(sandbox_x_domain)
+')
+
-+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
++userdom_use_inherited_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
@@ -70221,10 +70347,10 @@ index 0000000..c5e890b
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..641b262
+index 0000000..9a09574
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,142 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -70350,6 +70476,7 @@ index 0000000..641b262
+ gnome_manage_gstreamer_home_files(thumb_t)
+ gnome_manage_gstreamer_home_dirs(thumb_t)
+ gnome_exec_gstreamer_home_files(thumb_t)
++ gnome_create_generic_cache_dir(thumb_t)
+ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
+ gnome_cache_filetrans(thumb_t, thumb_home_t, file)
+')
@@ -72306,10 +72433,24 @@ index a7c9381..d810232 100644
/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
diff --git a/uuidd.if b/uuidd.if
-index 5d43bd5..879a5cb 100644
+index 5d43bd5..fd90722 100644
--- a/uuidd.if
+++ b/uuidd.if
-@@ -176,6 +176,9 @@ interface(`uuidd_admin',`
+@@ -144,11 +144,12 @@ interface(`uuidd_read_pid_files',`
+ #
+ interface(`uuidd_stream_connect_manager',`
+ gen_require(`
+- type uuidd_t, uuidd_var_run_t;
++ type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
++ stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)
+ ')
+
+ ########################################
+@@ -176,6 +177,9 @@ interface(`uuidd_admin',`
allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t)
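Review bot: `uuidd_stream_connect_manager` now also connects to a socket of type uuidd_var_lib_t but still only calls `files_search_pids($1)`, so a caller without its own search rights on var_lib_t is denied on the directory walk before the new `stream_connect_pattern` line can apply; whether the dirsrv caller from the changelog already has that right cannot be seen here. Add `files_search_var_lib($1)` next to the existing `files_search_pids($1)`. The interface's summary comment, outside this hunk, should also mention the /var/lib socket location.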
@@ -72824,7 +72965,7 @@ index 2124b6a..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 6f0736b..2f6a344 100644
+index 6f0736b..820fbb7 100644
--- a/virt.if
+++ b/virt.if
@@ -13,67 +13,30 @@
@@ -73331,11 +73472,11 @@ index 6f0736b..2f6a344 100644
+interface(`virt_ptrace',`
+ gen_require(`
+ attribute virt_domain;
-+ ')
+ ')
+
+ allow $1 virt_domain:process ptrace;
-+')
-+
+ ')
+
+#######################################
+##
+## Connect to virt over a unix domain stream socket.
@@ -73350,13 +73491,13 @@ index 6f0736b..2f6a344 100644
+ gen_require(`
+ attribute svirt_lxc_domain;
+ type svirt_lxc_file_t;
- ')
++ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)
+ ps_process_pattern(svirt_lxc_domain, $1)
- ')
-
++')
++
+
########################################
##
@@ -73383,7 +73524,7 @@ index 6f0736b..2f6a344 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -517,4 +769,324 @@ interface(`virt_admin',`
+@@ -517,4 +769,342 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -73707,9 +73848,27 @@ index 6f0736b..2f6a344 100644
+ allow $1 svirt_lxc_domain:unix_dgram_socket sendto;
+
+ allow svirt_lxc_domain $1:process sigchld;
++')
++
++########################################
++##
++## Read and write to svirt_image devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_rw_svirt_dev',`
++ gen_require(`
++ type svirt_image_t;
++ ')
++
++ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..99ac9c3 100644
+index 947bbc6..8ec8313 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,97 @@ policy_module(virt, 1.5.0)
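Review bot: The summary on `virt_rw_svirt_dev` says "Read and write to svirt_image devices", but svirt_image_t is also the type libvirt uses for guest disk images (not shown in this hunk), and the rule is deliberately limited to `chr_file`; someone granting this to pcscd, the changelog's use case, should be able to see that no image-file access is involved. Reword it to `## Read and write character device nodes labeled svirt_image_t (e.g. devices handed to a guest); file objects of that type are not covered.`. `rw_file_perms` presumably includes ioctl, which a card reader needs, so that is worth stating in the comment as well.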
@@ -73948,7 +74107,7 @@ index 947bbc6..99ac9c3 100644
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
-@@ -131,67 +216,74 @@ corenet_udp_bind_all_ports(svirt_t)
+@@ -131,45 +216,27 @@ corenet_udp_bind_all_ports(svirt_t)
corenet_tcp_bind_all_ports(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
@@ -73967,14 +74126,12 @@ index 947bbc6..99ac9c3 100644
- fs_read_fusefs_files(svirt_t)
- fs_read_fusefs_symlinks(svirt_t)
-')
-+miscfiles_read_generic_certs(svirt_t)
-
+-
-tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs(svirt_t)
- fs_manage_nfs_files(svirt_t)
-+optional_policy(`
-+ xen_rw_image_files(svirt_t)
- ')
+-')
++miscfiles_read_generic_certs(svirt_t)
-tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs(svirt_t)
@@ -74012,17 +74169,16 @@ index 947bbc6..99ac9c3 100644
########################################
#
- # virtd local policy
+@@ -177,21 +244,42 @@ optional_policy(`
#
--allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+ allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
-+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+allow virtd_t self:capability2 compromise_kernel;
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
-+ dontaudit virtd_t self:capability { sys_module sys_ptrace };
++ dontaudit virtd_t self:capability { sys_module };
+')
-allow virtd_t self:fifo_file rw_fifo_file_perms;
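Review bot: This revision puts sys_ptrace back into virtd_t's real capability set (the previous revision had removed it and only dontaudited it), while the new hide_broken_symptoms block keeps the "caused by some bogus kernel code" comment for sys_module alone and says nothing about why sys_ptrace is now granted. CAP_SYS_PTRACE lets libvirtd read any process's memory and bypass ptrace scope restrictions, so the reason belongs beside the rule: `# sys_ptrace: needed for libvirtd access to qemu children's /proc state -- confirm; if only a spurious kernel check triggers it, move back to dontaudit`. If the restoration is just to silence an AVC rather than a functional need, the earlier dontaudit was the safer choice. The virtd_t local policy continues beyond this hunk.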
@@ -74062,7 +74218,7 @@ index 947bbc6..99ac9c3 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +294,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +290,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -74098,7 +74254,7 @@ index 947bbc6..99ac9c3 100644
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +327,23 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +323,23 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -74123,7 +74279,7 @@ index 947bbc6..99ac9c3 100644
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +356,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +352,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -74157,7 +74313,7 @@ index 947bbc6..99ac9c3 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +388,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +384,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -74176,7 +74332,7 @@ index 947bbc6..99ac9c3 100644
mcs_process_set_categories(virtd_t)
-@@ -284,7 +414,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +410,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -74186,7 +74342,7 @@ index 947bbc6..99ac9c3 100644
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +424,36 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +420,36 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -74223,7 +74379,7 @@ index 947bbc6..99ac9c3 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +472,10 @@ optional_policy(`
+@@ -322,6 +468,10 @@ optional_policy(`
')
optional_policy(`
@@ -74234,7 +74390,7 @@ index 947bbc6..99ac9c3 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -335,19 +489,34 @@ optional_policy(`
+@@ -335,19 +485,34 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -74270,7 +74426,7 @@ index 947bbc6..99ac9c3 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -362,6 +531,12 @@ optional_policy(`
+@@ -362,6 +527,12 @@ optional_policy(`
')
optional_policy(`
@@ -74283,7 +74439,7 @@ index 947bbc6..99ac9c3 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +544,11 @@ optional_policy(`
+@@ -369,11 +540,11 @@ optional_policy(`
')
optional_policy(`
@@ -74300,7 +74456,7 @@ index 947bbc6..99ac9c3 100644
')
optional_policy(`
-@@ -384,6 +559,7 @@ optional_policy(`
+@@ -384,6 +555,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -74308,7 +74464,7 @@ index 947bbc6..99ac9c3 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -402,35 +578,87 @@ optional_policy(`
+@@ -402,35 +574,87 @@ optional_policy(`
#
# virtual domains common policy
#
@@ -74405,7 +74561,7 @@ index 947bbc6..99ac9c3 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,34 +666,648 @@ dev_write_sound(virt_domain)
+@@ -438,34 +662,648 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -74422,7 +74578,8 @@ index 947bbc6..99ac9c3 100644
+fs_getattr_xattr_fs(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
- fs_rw_tmpfs_files(virt_domain)
+-fs_rw_tmpfs_files(virt_domain)
++fs_rw_inherited_tmpfs_files(virt_domain)
+fs_getattr_hugetlbfs(virt_domain)
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
@@ -74464,7 +74621,7 @@ index 947bbc6..99ac9c3 100644
virt_read_content(virt_domain)
virt_stream_connect(virt_domain)
+ virt_domtrans_bridgehelper(virt_domain)
- ')
++')
+
+optional_policy(`
+ xserver_rw_shm(virt_domain)
@@ -74650,7 +74807,7 @@ index 947bbc6..99ac9c3 100644
+ optional_policy(`
+ hal_dbus_chat(virsh_t)
+ ')
-+')
+ ')
+
+optional_policy(`
+ vhostmd_rw_tmpfs_files(virsh_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0d8b4ee..fa8630e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 90%{?dist}
+Release: 91%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,31 @@ SELinux Reference policy mls base module.
%endif
%Changelog
+* Thu Apr 18 2013 Miroslav Grepl 3.11.1-91
+- Allow domains to use kerberos to read file_context file
+- Allow mozilla_plugin to connect to port 8081
+- Tighten security on virtual machines
+- block_suspend is caps2
+- Allow realmd to run ipa, really needs to be an unconfined_domain
+- Allow sandbox domains to use inherted terminals
+- Allow pscd to use devices labeled svirt_image_t in order to use cat cards.
+- Add label for new alsa pid
+- Alsa now uses a pid file and needs to setsched
+- Allow nova domains to connect to mysql port
+- Allow quantum to connect to keystone port
+- Allow nova-console to talk with mysql over unix stream socket
+- Allow dirsrv to stream connect to uuidd
+- Fix transition for cobbler lib files
+- Label all nagios plugin as unconfined by default
+- Add httpd_serve_cobbler_files()
+- Allow mdadm to read /dev/sr0 and create tmp files
+- Allow certwatch to send mails
+- Allow livecd to transition to rpm_script_t
+- Add cache dir support for cobbler
+- label shared libraries in /opt/google/chrome as testrel_shlib_t
+- Fix labeling for nagios plugins
+- Disable support for .xsession-errors-:[digit] file name transition for now until policycoreutils fix
+
* Mon Apr 15 2013 Miroslav Grepl 3.11.1-90
- Allow git_system_t to read network state
- Allow pegasas to execute mount command