From 4931cbf03c53c29bb9647fc9e9dccc06fe9e6318 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Jun 09 2016 14:48:53 +0000
Subject: * Thu Jun 08 2016 Lukas Vrabec 3.13.1-191
- Add hwloc-dump-hwdata SELinux policy
- Add labels for mediawiki123
- Fix label for all fence_scsi_check scripts
- Allow setcap for fenced
- Allow glusterd domain to read krb5_keytab_t files.
- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
- Allow boinc to use dri devices. This allows using Boinc for OpenCL GPU calculations. BZ(1340886)
- Update refpolicy to handle hwloc
- Fix typo in files_setattr_non_security_dirs.
- Add interface files_setattr_non_security_dirs()
- Add support for onloadfs
- Additional access required for unconfined domains
---
diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index dbb46b8..59b1805 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-f24-base.patch b/policy-f24-base.patch
index 1a409ea..3bc8868 100644
--- a/policy-f24-base.patch
+++ b/policy-f24-base.patch
@@ -1935,7 +1935,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c359..5210ca5 100644
+index c44c359..ae484a0 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@@ -2051,7 +2051,11 @@ index c44c359..5210ca5 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -149,11 +156,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -146,14 +153,29 @@ ifdef(`hide_broken_symptoms',`
+ optional_policy(`
+ nagios_dontaudit_rw_log(ping_t)
+ nagios_dontaudit_rw_pipes(ping_t)
++ nagios_dontaudit_write_pipes_nrpe(ping_t)
')
')
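Review bot: The added `nagios_dontaudit_write_pipes_nrpe(ping_t)` rule is the only nagios-related change in this commit, yet none of the changelog entries in the commit description mentions it; an entry such as `- Dontaudit ping_t write access to nrpe pipes` would keep the spec changelog in step with the patch. Because this is a dontaudit rather than an allow, ping_t writes to the nrpe pipe still fail and only the AVC message is silenced, which is appropriate only if that write is genuinely unneeded for nrpe-driven ping checks — the hunk does not show what prompted it, so a bug reference next to the changelog entry would help. The optional_policy block the rule sits in is shown in full, but the surrounding ping_t policy continues outside the hunk.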
@@ -2077,7 +2081,7 @@ index c44c359..5210ca5 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -161,6 +182,15 @@ optional_policy(`
+@@ -161,6 +183,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -2093,7 +2097,7 @@ index c44c359..5210ca5 100644
########################################
#
# Traceroute local policy
-@@ -174,7 +204,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -174,7 +205,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -2101,7 +2105,7 @@ index c44c359..5210ca5 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -198,6 +227,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -198,6 +228,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -2109,7 +2113,7 @@ index c44c359..5210ca5 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -206,11 +236,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -206,11 +237,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -9717,7 +9721,7 @@ index 76f285e..5cd2702 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a871..8d4003a 100644
+index 0b1a871..4cef59b 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -9873,7 +9877,7 @@ index 0b1a871..8d4003a 100644
# Type for vmware devices.
type vmware_device_t;
-@@ -319,5 +371,6 @@ files_associate_tmp(device_node)
+@@ -319,5 +371,8 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -9882,6 +9886,8 @@ index 0b1a871..8d4003a 100644
+allow devices_unconfined_type device_node:{ blk_file lnk_file } *;
+allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
+allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
++dev_getattr_all(devices_unconfined_type)
++
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..26e5558 100644
--- a/policy/modules/kernel/domain.if
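Review bot: The new `dev_getattr_all(devices_unconfined_type)` line sits directly under rules that already give devices_unconfined_type `*` on device_node blk_file/lnk_file and everything but execmod/entrypoint on device_node file/chr_file, so it only adds whatever that interface grants beyond those — presumably getattr on device directories or on types outside device_node, which cannot be confirmed from this hunk. Since the changelog entry "Additional access required for unconfined domains" does not say what was missing, a one-line comment above the call, e.g. `# getattr on device objects not covered by the device_node rules above (see AVC in <bug reference placeholder>)`, would make the broadening reviewable later. The inner hunk header change to `+371,8` is consistent with the two inserted lines.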
@@ -10991,7 +10997,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..89768e5 100644
+index f962f76..d755ff2 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11247,7 +11253,32 @@ index f962f76..89768e5 100644
allow $1 non_security_file_type:file mounton;
')
-@@ -582,6 +748,42 @@ interface(`files_getattr_all_files',`
+@@ -545,6 +711,24 @@ interface(`files_write_non_security_dirs',`
+
+ ########################################
+ ##
++## Allow attempts to setattr any directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ allow $1 non_security_file_type:dir { read setattr };
++')
++
++########################################
++##
+ ## Allow attempts to manage non-security directories
+ ##
+ ##
+@@ -582,6 +766,42 @@ interface(`files_getattr_all_files',`
########################################
##
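Review bot: The summary of the new `files_setattr_non_security_dirs` interface reads "Allow attempts to setattr any directory", but the rule it adds, `allow $1 non_security_file_type:dir { read setattr };`, also grants read and is scoped to non_security_file_type rather than every directory, so a caller picking it by name would not expect to receive directory read. Suggest `## Allow attempts to read and set the attributes of non-security directories`, matching the neighbouring "non-security directories" summaries and the changelog line "Allow tmpreaper_t to read/setattr all non_security_file_type dirs". If read is not actually required by tmpreaper_t, dropping it keeps the interface to what its name promises; the renumbered inner headers (`+711,24` and `+766,42`) are consistent with the 18 inserted lines.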
@@ -11290,7 +11321,7 @@ index f962f76..89768e5 100644
## Do not audit attempts to get the attributes
## of all files.
##
-@@ -620,6 +822,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+@@ -620,6 +840,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
########################################
##
@@ -11354,7 +11385,7 @@ index f962f76..89768e5 100644
## Read all files.
##
##
-@@ -683,88 +942,83 @@ interface(`files_read_non_security_files',`
+@@ -683,88 +960,83 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -11472,7 +11503,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -772,55 +1026,173 @@ interface(`files_read_all_symlinks_except',`
+@@ -772,40 +1044,158 @@ interface(`files_read_all_symlinks_except',`
##
##
#
@@ -11534,23 +11565,19 @@ index f962f76..89768e5 100644
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
- ##
- ##
- #
--interface(`files_dontaudit_read_all_symlinks',`
++##
++##
++#
+interface(`files_read_all_dirs_except',`
- gen_require(`
- attribute file_type;
- ')
-
-- dontaudit $1 file_type:lnk_file read;
++ gen_require(`
++ attribute file_type;
++ ')
++
+ allow $1 { file_type $2 }:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of non security symbolic links.
++')
++
++########################################
++##
+## Read all files on the filesystem, except
+## the listed exceptions.
+##
@@ -11643,25 +11670,10 @@ index f962f76..89768e5 100644
+##
+##
+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_read_all_symlinks',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ dontaudit $1 file_type:lnk_file read;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of non security symbolic links.
- ##
- ##
- ##
-@@ -953,6 +1325,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+ ##
+ ##
+ #
+@@ -953,6 +1343,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
########################################
##
@@ -11687,7 +11699,7 @@ index f962f76..89768e5 100644
## Get the attributes of all named sockets.
##
##
-@@ -991,6 +1382,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1400,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
##
@@ -11732,7 +11744,7 @@ index f962f76..89768e5 100644
## Do not audit attempts to get the attributes
## of non security named sockets.
##
-@@ -1073,13 +1502,12 @@ interface(`files_relabel_all_files',`
+@@ -1073,13 +1520,12 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -11749,7 +11761,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -1140,6 +1568,8 @@ interface(`files_manage_all_files',`
+@@ -1140,6 +1586,8 @@ interface(`files_manage_all_files',`
# satisfy the assertions:
seutil_create_bin_policy($1)
files_manage_kernel_modules($1)
@@ -11758,7 +11770,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -1182,24 +1612,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1630,6 @@ interface(`files_list_all',`
########################################
##
@@ -11783,7 +11795,7 @@ index f962f76..89768e5 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1444,8 +1856,8 @@ interface(`files_relabel_non_auth_files',`
+@@ -1444,8 +1874,8 @@ interface(`files_relabel_non_auth_files',`
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -11794,7 +11806,7 @@ index f962f76..89768e5 100644
')
#############################################
-@@ -1601,6 +2013,24 @@ interface(`files_setattr_all_mountpoints',`
+@@ -1601,6 +2031,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
##
@@ -11819,7 +11831,7 @@ index f962f76..89768e5 100644
## Do not audit attempts to set the attributes on all mount points.
##
##
-@@ -1691,44 +2121,44 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1691,44 +2139,44 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -11878,7 +11890,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -1736,94 +2166,223 @@ interface(`files_list_root',`
+@@ -1736,79 +2184,208 @@ interface(`files_list_root',`
##
##
#
@@ -11972,24 +11984,19 @@ index f962f76..89768e5 100644
#
-interface(`files_dontaudit_read_root_files',`
+interface(`files_write_all_dirs',`
- gen_require(`
-- type root_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- dontaudit $1 root_t:file { getattr read };
++ ')
++
+ allow $1 file_type:dir write;
- ')
-
- ########################################
- ##
--## Do not audit attempts to read or write
--## files in the root directory.
++')
++
++########################################
++##
+## List the contents of the root directory.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
+##
+##
@@ -12123,25 +12130,10 @@ index f962f76..89768e5 100644
+##
+#
+interface(`files_dontaudit_read_root_files',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ dontaudit $1 root_t:file { getattr read };
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## files in the root directory.
-+##
-+##
-+##
-+## Domain to not audit.
- ##
- ##
- #
-@@ -1892,25 +2451,25 @@ interface(`files_delete_root_dir_entry',`
+ gen_require(`
+ type root_t;
+ ')
+@@ -1892,25 +2469,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -12173,7 +12165,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -1923,7 +2482,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2500,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -12182,7 +12174,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -1946,6 +2505,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2523,42 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -12225,7 +12217,7 @@ index f962f76..89768e5 100644
## Get attributes of the /boot directory.
##
##
-@@ -2181,6 +2776,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2794,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -12250,7 +12242,7 @@ index f962f76..89768e5 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3258,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3276,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -12275,7 +12267,7 @@ index f962f76..89768e5 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2716,6 +3347,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3365,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -12283,7 +12275,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -2724,7 +3356,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3374,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -12292,7 +12284,7 @@ index f962f76..89768e5 100644
##
##
#
-@@ -2780,6 +3412,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3430,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -12318,7 +12310,7 @@ index f962f76..89768e5 100644
## Delete system configuration files in /etc.
##
##
-@@ -2798,6 +3449,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3467,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -12343,7 +12335,7 @@ index f962f76..89768e5 100644
## Execute generic files in /etc.
##
##
-@@ -2963,24 +3632,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3650,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -12368,7 +12360,7 @@ index f962f76..89768e5 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3021,9 +3672,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3690,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -12379,7 +12371,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -3031,18 +3680,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3698,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -12401,7 +12393,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -3060,6 +3708,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3726,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -12428,7 +12420,7 @@ index f962f76..89768e5 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3077,6 +3745,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3763,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -12436,7 +12428,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3098,6 +3767,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3785,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -12444,7 +12436,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3142,10 +3812,48 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3830,48 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
@@ -12495,7 +12487,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3161,10 +3869,10 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3161,10 +3887,10 @@ interface(`files_getattr_isid_type_dirs',`
#
interface(`files_dontaudit_search_isid_type_dirs',`
gen_require(`
@@ -12508,7 +12500,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3180,10 +3888,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3180,10 +3906,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
#
interface(`files_list_isid_type_dirs',`
gen_require(`
@@ -12521,7 +12513,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3199,10 +3907,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3925,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -12534,7 +12526,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3218,10 +3926,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3944,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -12603,7 +12595,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3237,10 +4001,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +4019,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -12616,7 +12608,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3256,10 +4020,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +4038,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -12648,7 +12640,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3275,10 +4058,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +4076,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -12661,7 +12653,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3294,10 +4077,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4095,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -12674,7 +12666,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3313,10 +4096,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4114,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -12687,7 +12679,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3332,10 +4115,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4133,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -12700,7 +12692,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3351,10 +4134,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4152,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -12713,7 +12705,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3370,10 +4153,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4171,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -12726,7 +12718,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3389,10 +4172,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4190,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -12739,7 +12731,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3408,10 +4191,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4209,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -12752,7 +12744,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3427,10 +4210,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4228,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -12765,7 +12757,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3446,10 +4229,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4247,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -12778,7 +12770,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3465,10 +4248,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4266,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -12810,7 +12802,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3484,10 +4286,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4304,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -12823,7 +12815,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3503,10 +4305,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4323,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -12836,7 +12828,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -3552,6 +4354,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4372,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
@@ -12864,7 +12856,7 @@ index f962f76..89768e5 100644
## Search home directories root (/home).
##
##
-@@ -3814,20 +4637,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4655,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -12908,7 +12900,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -4012,6 +4853,12 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4871,12 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
@@ -12921,7 +12913,7 @@ index f962f76..89768e5 100644
')
########################################
-@@ -4217,192 +5064,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,192 +5082,218 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13181,12 +13173,11 @@ index f962f76..89768e5 100644
########################################
##
-## Read files in the tmp directory (/tmp).
--##
--##
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## temporary directory (/tmp).
-+##
+ ##
+-##
+##
##
-## Domain allowed access.
@@ -13237,7 +13228,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -4410,53 +5283,56 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4410,53 +5301,56 @@ interface(`files_manage_generic_tmp_dirs',`
##
##
#
@@ -13306,7 +13297,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -4464,77 +5340,93 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4464,77 +5358,93 @@ interface(`files_rw_generic_tmp_sockets',`
##
##
#
@@ -13424,7 +13415,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -4542,110 +5434,116 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4542,110 +5452,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
##
##
#
@@ -13541,40 +13532,25 @@ index f962f76..89768e5 100644
-##
-##
-##
-+#
-+interface(`files_manage_generic_tmp_files',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ manage_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+##
-+## Read symbolic links in the tmp directory (/tmp).
-+##
-+##
- ##
+-##
-## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
+-##
+-##
#
-interface(`files_tmp_filetrans',`
-+interface(`files_read_generic_tmp_symlinks',`
++interface(`files_manage_generic_tmp_files',`
gen_require(`
type tmp_t;
')
- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
++ manage_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Delete the contents of /tmp.
-+## Read and write generic named sockets in the tmp directory (/tmp).
++## Read symbolic links in the tmp directory (/tmp).
##
##
##
@@ -13583,7 +13559,7 @@ index f962f76..89768e5 100644
##
#
-interface(`files_purge_tmp',`
-+interface(`files_rw_generic_tmp_sockets',`
++interface(`files_read_generic_tmp_symlinks',`
gen_require(`
- attribute tmpfile;
+ type tmp_t;
@@ -13595,13 +13571,13 @@ index f962f76..89768e5 100644
- delete_lnk_files_pattern($1, tmpfile, tmpfile)
- delete_fifo_files_pattern($1, tmpfile, tmpfile)
- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ rw_sock_files_pattern($1, tmp_t, tmp_t)
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Set the attributes of the /usr directory.
-+## Relabel a dir from the type used in /tmp.
++## Read and write generic named sockets in the tmp directory (/tmp).
##
##
##
@@ -13610,20 +13586,20 @@ index f962f76..89768e5 100644
##
#
-interface(`files_setattr_usr_dirs',`
-+interface(`files_relabelfrom_tmp_dirs',`
++interface(`files_rw_generic_tmp_sockets',`
gen_require(`
- type usr_t;
+ type tmp_t;
')
- allow $1 usr_t:dir setattr;
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++ rw_sock_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Search the content of /usr.
-+## Relabel a file from the type used in /tmp.
++## Relabel a dir from the type used in /tmp.
##
##
##
@@ -13632,21 +13608,21 @@ index f962f76..89768e5 100644
##
#
-interface(`files_search_usr',`
-+interface(`files_relabelfrom_tmp_files',`
++interface(`files_relabelfrom_tmp_dirs',`
gen_require(`
- type usr_t;
+ type tmp_t;
')
- allow $1 usr_t:dir search_dir_perms;
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## List the contents of generic
-## directories in /usr.
-+## Set the attributes of all tmp directories.
++## Relabel a file from the type used in /tmp.
##
##
##
@@ -13655,20 +13631,20 @@ index f962f76..89768e5 100644
##
#
-interface(`files_list_usr',`
-+interface(`files_setattr_all_tmp_dirs',`
++interface(`files_relabelfrom_tmp_files',`
gen_require(`
- type usr_t;
-+ attribute tmpfile;
++ type tmp_t;
')
- allow $1 usr_t:dir list_dir_perms;
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Do not audit write of /usr dirs
-+## Allow caller to read inherited tmp files.
++## Set the attributes of all tmp directories.
##
##
##
@@ -13678,20 +13654,20 @@ index f962f76..89768e5 100644
##
#
-interface(`files_dontaudit_write_usr_dirs',`
-+interface(`files_read_inherited_tmp_files',`
++interface(`files_setattr_all_tmp_dirs',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- dontaudit $1 usr_t:dir write;
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
++ allow $1 tmpfile:dir { search_dir_perms setattr };
')
########################################
##
-## Add and remove entries from /usr directories.
-+## Allow caller to append inherited tmp files.
++## Allow caller to read inherited tmp files.
##
##
##
@@ -13700,21 +13676,21 @@ index f962f76..89768e5 100644
##
#
-interface(`files_rw_usr_dirs',`
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_read_inherited_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- allow $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file append_inherited_file_perms;
++ allow $1 tmpfile:file { append read_inherited_file_perms };
')
########################################
##
-## Do not audit attempts to add and remove
-## entries from /usr directories.
-+## Allow caller to read and write inherited tmp files.
++## Allow caller to append inherited tmp files.
##
##
##
@@ -13724,92 +13700,90 @@ index f962f76..89768e5 100644
##
#
-interface(`files_dontaudit_rw_usr_dirs',`
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_append_inherited_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- dontaudit $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file rw_inherited_file_perms;
++ allow $1 tmpfile:file append_inherited_file_perms;
')
########################################
##
-## Delete generic directories in /usr in the caller domain.
-+## List all tmp directories.
++## Allow caller to read and write inherited tmp files.
##
##
##
-@@ -4786,111 +5677,100 @@ interface(`files_dontaudit_rw_usr_dirs',`
+@@ -4786,17 +5677,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
##
##
#
-interface(`files_delete_usr_dirs',`
-+interface(`files_list_all_tmp',`
++interface(`files_rw_inherited_tmp_file',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- delete_dirs_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:dir list_dir_perms;
++ allow $1 tmpfile:file rw_inherited_file_perms;
')
########################################
##
-## Delete generic files in /usr in the caller domain.
-+## Relabel to and from all temporary
-+## directory types.
++## List all tmp directories.
##
##
##
- ## Domain allowed access.
+@@ -4804,73 +5695,59 @@ interface(`files_delete_usr_dirs',`
##
##
-+##
#
-interface(`files_delete_usr_files',`
-+interface(`files_relabel_all_tmp_dirs',`
++interface(`files_list_all_tmp',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
-+ type var_t;
')
- delete_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:dir list_dir_perms;
')
########################################
##
-## Get the attributes of files in /usr.
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
++## Relabel to and from all temporary
++## directory types.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+ ## Domain allowed access.
##
##
++##
#
-interface(`files_getattr_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_relabel_all_tmp_dirs',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
++ type var_t;
')
- getattr_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file getattr;
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, tmpfile, tmpfile)
')
########################################
##
-## Read generic files in /usr.
-+## Allow attempts to get the attributes
++## Do not audit attempts to get the attributes
+## of all tmp files.
##
-##
@@ -13831,13 +13805,14 @@ index f962f76..89768e5 100644
-##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain to not audit.
##
##
-##
#
-interface(`files_read_usr_files',`
-+interface(`files_getattr_all_tmp_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
@@ -13846,67 +13821,74 @@ index f962f76..89768e5 100644
- allow $1 usr_t:dir list_dir_perms;
- read_files_pattern($1, usr_t, usr_t)
- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file getattr;
++ dontaudit $1 tmpfile:file getattr;
')
########################################
##
-## Execute generic programs in /usr in the caller domain.
-+## Relabel to and from all temporary
-+## file types.
++## Allow attempts to get the attributes
++## of all tmp files.
##
##
##
- ## Domain allowed access.
+@@ -4878,55 +5755,58 @@ interface(`files_read_usr_files',`
##
##
-+##
#
-interface(`files_exec_usr_files',`
-+interface(`files_relabel_all_tmp_files',`
++interface(`files_getattr_all_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
-+ type var_t;
')
- allow $1 usr_t:dir list_dir_perms;
- exec_files_pattern($1, usr_t, usr_t)
- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:file getattr;
')
########################################
##
-## dontaudit write of /usr files
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
++## Relabel to and from all temporary
++## file types.
##
##
##
-@@ -4898,35 +5778,17 @@ interface(`files_exec_usr_files',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
++##
#
-interface(`files_dontaudit_write_usr_files',`
-- gen_require(`
++interface(`files_relabel_all_tmp_files',`
+ gen_require(`
- type usr_t;
-- ')
--
++ attribute tmpfile;
++ type var_t;
+ ')
+
- dontaudit $1 usr_t:file write;
--')
--
--########################################
--##
++ allow $1 var_t:dir search_dir_perms;
++ relabel_files_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ##
-## Create, read, write, and delete files in the /usr directory.
--##
--##
--##
++## Do not audit attempts to get the attributes
++## of all tmp sock_file.
+ ##
+ ##
+ ##
-## Domain allowed access.
--##
--##
--#
++## Domain to not audit.
+ ##
+ ##
+ #
-interface(`files_manage_usr_files',`
+interface(`files_dontaudit_getattr_all_tmp_sockets',`
gen_require(`
@@ -13925,7 +13907,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -4934,67 +5796,70 @@ interface(`files_manage_usr_files',`
+@@ -4934,67 +5814,70 @@ interface(`files_manage_usr_files',`
##
##
#
@@ -14014,7 +13996,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5003,35 +5868,50 @@ interface(`files_read_usr_symlinks',`
+@@ -5003,35 +5886,50 @@ interface(`files_read_usr_symlinks',`
##
##
#
@@ -14074,7 +14056,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5039,20 +5919,17 @@ interface(`files_dontaudit_search_src',`
+@@ -5039,20 +5937,17 @@ interface(`files_dontaudit_search_src',`
##
##
#
@@ -14099,7 +14081,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5060,20 +5937,18 @@ interface(`files_getattr_usr_src_files',`
+@@ -5060,20 +5955,18 @@ interface(`files_getattr_usr_src_files',`
##
##
#
@@ -14124,7 +14106,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5081,38 +5956,35 @@ interface(`files_read_usr_src_files',`
+@@ -5081,38 +5974,35 @@ interface(`files_read_usr_src_files',`
##
##
#
@@ -14172,7 +14154,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5120,37 +5992,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5120,37 +6010,36 @@ interface(`files_create_kernel_symbol_table',`
##
##
#
@@ -14220,7 +14202,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5158,35 +6029,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5158,35 +6047,35 @@ interface(`files_delete_kernel_symbol_table',`
##
##
#
@@ -14265,7 +14247,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5194,36 +6065,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5194,36 +6083,55 @@ interface(`files_dontaudit_write_var_dirs',`
##
##
#
@@ -14331,7 +14313,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5231,36 +6121,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5231,36 +6139,37 @@ interface(`files_dontaudit_search_var',`
##
##
#
@@ -14379,7 +14361,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5268,17 +6159,17 @@ interface(`files_manage_var_dirs',`
+@@ -5268,17 +6177,17 @@ interface(`files_manage_var_dirs',`
##
##
#
@@ -14401,7 +14383,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5286,17 +6177,17 @@ interface(`files_read_var_files',`
+@@ -5286,17 +6195,17 @@ interface(`files_read_var_files',`
##
##
#
@@ -14423,7 +14405,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5304,73 +6195,86 @@ interface(`files_append_var_files',`
+@@ -5304,73 +6213,86 @@ interface(`files_append_var_files',`
##
##
#
@@ -14530,7 +14512,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5378,50 +6282,41 @@ interface(`files_read_var_symlinks',`
+@@ -5378,50 +6300,41 @@ interface(`files_read_var_symlinks',`
##
##
#
@@ -14595,7 +14577,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5429,69 +6324,56 @@ interface(`files_var_filetrans',`
+@@ -5429,69 +6342,56 @@ interface(`files_var_filetrans',`
##
##
#
@@ -14680,7 +14662,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5499,17 +6381,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5499,17 +6399,18 @@ interface(`files_dontaudit_search_var_lib',`
##
##
#
@@ -14704,7 +14686,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5517,70 +6400,54 @@ interface(`files_list_var_lib',`
+@@ -5517,70 +6418,54 @@ interface(`files_list_var_lib',`
##
##
#
@@ -14788,7 +14770,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5588,41 +6455,36 @@ interface(`files_read_var_lib_files',`
+@@ -5588,41 +6473,36 @@ interface(`files_read_var_lib_files',`
##
##
#
@@ -14840,7 +14822,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5630,36 +6492,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5630,36 +6510,36 @@ interface(`files_manage_urandom_seed',`
##
##
#
@@ -14887,7 +14869,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5667,38 +6529,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,38 +6547,35 @@ interface(`files_setattr_lock_dirs',`
##
##
#
@@ -14935,7 +14917,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5706,19 +6565,17 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,19 +6583,17 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -14959,7 +14941,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5726,60 +6583,54 @@ interface(`files_list_locks',`
+@@ -5726,60 +6601,54 @@ interface(`files_list_locks',`
##
##
#
@@ -15035,7 +15017,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5787,20 +6638,18 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,20 +6656,18 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -15061,7 +15043,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5808,165 +6657,156 @@ interface(`files_getattr_generic_locks',`
+@@ -5808,165 +6675,156 @@ interface(`files_getattr_generic_locks',`
##
##
#
@@ -15289,7 +15271,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -5974,59 +6814,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+@@ -5974,59 +6832,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
##
##
#
@@ -15380,7 +15362,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -6034,18 +6886,18 @@ interface(`files_dontaudit_search_pids',`
+@@ -6034,18 +6904,18 @@ interface(`files_dontaudit_search_pids',`
##
##
#
@@ -15404,47 +15386,58 @@ index f962f76..89768e5 100644
##
##
##
-@@ -6053,19 +6905,1228 @@ interface(`files_list_pids',`
+@@ -6053,19 +6923,21 @@ interface(`files_list_pids',`
##
##
#
-interface(`files_read_generic_pids',`
+interface(`files_manage_var_lib_symlinks',`
gen_require(`
+- type var_t, var_run_t;
+ type var_lib_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
+ ')
+
+# cjp: the next two interfaces really need to be fixed
+# in some way. They really neeed their own types.
+
-+########################################
-+##
+ ########################################
+ ##
+-## Write named generic process ID pipes
+## Create, read, write, and delete the
+## pseudorandom number generator seed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6073,43 +6945,1377 @@ interface(`files_read_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_write_generic_pid_pipes',`
+interface(`files_manage_urandom_seed',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_t, var_lib_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in the process ID directory, with a private type.
+## Allow domain to manage mount tables
+## necessary for rpcd, nfsd, etc.
-+##
+ ##
+-##
+##
+##
+## Domain allowed access.
@@ -16457,12 +16450,9 @@ index f962f76..89768e5 100644
+interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
++ type var_t, var_run_t;
++ ')
++
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
@@ -16474,21 +16464,29 @@ index f962f76..89768e5 100644
+## used for spool files.
+##
+##
-+##
+ ##
+-## Create an object in the process ID directory (e.g., /var/run)
+-## with a private type. Typically this is used for creating
+-## private PID files in /var/run with the private type instead
+-## of the general PID file type. To accomplish this goal,
+-## either the program must be SELinux-aware, or use this interface.
+## Make the specified type usable for spool files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a spool file may result in problems with
+## purging spool files.
-+##
-+##
-+## Related interfaces:
-+##
-+##
+ ##
+ ## Related interfaces:
+ ##
+ ##
+-## - files_pid_file()
+## - files_spool_filetrans()
-+##
-+##
-+## Example usage with a domain that can create and
+ ##
+ ##
+ ## Example usage with a domain that can create and
+-## write its PID file with a private PID file type in the
+-## /var/run directory:
+## write its spool file in the system spool file
+## directories (/var/spool):
+##
@@ -16497,7 +16495,7 @@ index f962f76..89768e5 100644
+## files_spool_file(myfile_spool_t)
+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+##
+ ##
+##
+##
+##
@@ -16628,36 +16626,30 @@ index f962f76..89768e5 100644
+ ')
+
+ list_dirs_pattern($1, var_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Write named generic process ID pipes
++')
++
++########################################
++##
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
- ##
- ##
- ##
-@@ -6073,43 +8134,170 @@ interface(`files_read_generic_pids',`
- ##
- ##
- #
--interface(`files_write_generic_pid_pipes',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_generic_spool_dirs',`
- gen_require(`
-- type var_run_t;
++ gen_require(`
+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
++ ')
++
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Create an object in the process ID directory, with a private type.
++')
++
++########################################
++##
+## Read generic spool files.
+##
+##
@@ -16807,27 +16799,9 @@ index f962f76..89768e5 100644
+########################################
+##
+## Create a core files in /
- ##
- ##
++##
++##
##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--##
--##
--## Related interfaces:
--##
--##
--## - files_pid_file()
--##
--##
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--##
--##
-## type mypidfile_t;
-## files_pid_file(mypidfile_t)
-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
@@ -16836,7 +16810,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -6117,80 +8305,157 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6117,80 +8323,157 @@ interface(`files_write_generic_pid_pipes',`
## Domain allowed access.
##
##
@@ -17023,7 +16997,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -6198,19 +8463,17 @@ interface(`files_rw_generic_pids',`
+@@ -6198,19 +8481,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -17047,7 +17021,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -6218,18 +8481,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6218,18 +8499,17 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -17070,7 +17044,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -6237,129 +8499,118 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,129 +8517,118 @@ interface(`files_dontaudit_write_all_pids',`
##
##
#
@@ -17239,7 +17213,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -6367,18 +8618,19 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,18 +8636,19 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -17264,7 +17238,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -6386,132 +8638,227 @@ interface(`files_search_spool',`
+@@ -6386,132 +8656,227 @@ interface(`files_search_spool',`
##
##
#
@@ -17538,7 +17512,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -6519,53 +8866,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8884,17 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -17596,7 +17570,7 @@ index f962f76..89768e5 100644
##
##
##
-@@ -6573,10 +8884,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8902,10 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -17855,7 +17829,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..531dfef 100644
+index 8416beb..761fbab 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -19627,16 +19601,11 @@ index 8416beb..531dfef 100644
########################################
##
## Mount a NFS filesystem.
-@@ -2356,44 +3283,62 @@ interface(`fs_remount_nfs',`
- type nfs_t;
- ')
+@@ -2361,39 +3288,57 @@ interface(`fs_remount_nfs',`
-- allow $1 nfs_t:filesystem remount;
-+ allow $1 nfs_t:filesystem remount;
-+')
-+
-+########################################
-+##
+ ########################################
+ ##
+-## Unmount a NFS filesystem.
+## Unmount a NFS filesystem.
+##
+##
@@ -19651,11 +19620,10 @@ index 8416beb..531dfef 100644
+ ')
+
+ allow $1 nfs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Unmount a NFS filesystem.
++')
++
++########################################
++##
+## Get the attributes of a NFS filesystem.
##
##
@@ -20126,82 +20094,48 @@ index 8416beb..531dfef 100644
## Get the attributes of a tmpfs
## filesystem.
##
-@@ -3839,39 +5047,76 @@ interface(`fs_getattr_tmpfs',`
- ##
- ##
- ##
--## The type of the object to be associated.
-+## The type of the object to be associated.
-+##
-+##
-+#
-+interface(`fs_associate_tmpfs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:filesystem associate;
+@@ -3866,12 +5074,49 @@ interface(`fs_relabelfrom_tmpfs',`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:filesystem relabelfrom;
++ allow $1 tmpfs_t:filesystem relabelfrom;
+')
+
+########################################
+##
-+## Relabel from tmpfs filesystem.
++## Get the attributes of tmpfs directories.
+##
-+##
++##
+##
+## Domain allowed access.
+##
+##
+#
-+interface(`fs_relabelfrom_tmpfs',`
++interface(`fs_getattr_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ allow $1 tmpfs_t:filesystem relabelfrom;
++ allow $1 tmpfs_t:dir getattr;
+')
+
+########################################
+##
-+## Get the attributes of tmpfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_associate_tmpfs',`
-+interface(`fs_getattr_tmpfs_dirs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:filesystem associate;
-+ allow $1 tmpfs_t:dir getattr;
- ')
-
- ########################################
- ##
--## Relabel from tmpfs filesystem.
+## Do not audit attempts to get the attributes
+## of tmpfs directories.
- ##
--##
++##
+##
- ##
--## Domain allowed access.
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`fs_relabelfrom_tmpfs',`
++##
++##
++#
+interface(`fs_dontaudit_getattr_tmpfs_dirs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:filesystem relabelfrom;
++ gen_require(`
++ type tmpfs_t;
++ ')
++
+ dontaudit $1 tmpfs_t:dir getattr;
')
@@ -20631,7 +20565,7 @@ index 8416beb..531dfef 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6345,63 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6345,82 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -20695,8 +20629,27 @@ index 8416beb..531dfef 100644
+
+ read_files_pattern($1, efivarfs_t, efivarfs_t)
+')
++
++########################################
++##
++## Read and write sockets of ONLOAD file system pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_onload_sockets',`
++ gen_require(`
++ type onload_fs_t;
++ ')
++
++ rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)
++')
++
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..fc52817 100644
+index e7d1738..59c1cb8 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
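Review bot: The summary of the new `fs_rw_onload_sockets` interface, `Read and write sockets of ONLOAD file system pipes.`, talks about both sockets and pipes, while the body only grants `rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)`, i.e. read/write on sock_file objects. Suggest `## Read and write sock_file objects on an onloadfs filesystem.` so the doc matches what is actually allowed. Since `onload_fs_t` is labelled by a single `genfscon onloadfs /` rule (added to filesystem.te further down in this same patch), a caller of this interface gets access to every socket on every onloadfs mount, not to one application's sockets; worth a second summary line such as `## All objects on onloadfs share onload_fs_t, so this is filesystem-wide.`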
@@ -20790,7 +20743,7 @@ index e7d1738..fc52817 100644
type mvfs_t;
fs_noxattr_type(mvfs_t)
allow mvfs_t self:filesystem associate;
-@@ -118,13 +148,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -118,13 +148,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
@@ -20801,6 +20754,11 @@ index e7d1738..fc52817 100644
+fs_type(nsfs_t)
+genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
+
++type onload_fs_t;
++fs_type(onload_fs_t)
++files_mountpoint(onload_fs_t)
++genfscon onloadfs / gen_context(system_u:object_r:onload_fs_t,s0)
++
type oprofilefs_t;
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
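Review bot: The new `onload_fs_t` declaration has no comment, unlike the `tmpfs_t` block later in this file, and nothing says what onloadfs is or why it gets a mountpoint type. Since it is labelled only via `genfscon onloadfs /`, every inode on the filesystem carries the same type, so any rule on `onload_fs_t` (such as the `fs_rw_onload_sockets` interface added in this patch) is filesystem-wide. Suggest a short comment above `type onload_fs_t;`: `# onloadfs pseudo-filesystem; genfscon labels every object on it onload_fs_t`. The choice of `fs_type` plus `files_mountpoint` is consistent with the neighbouring nsfs_t/pstore_t entries, so only the documentation is missing.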
@@ -20810,7 +20768,7 @@ index e7d1738..fc52817 100644
fs_type(pstore_t)
files_mountpoint(pstore_t)
dev_associate_sysfs(pstore_t)
-@@ -150,17 +185,16 @@ fs_type(spufs_t)
+@@ -150,17 +190,16 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -20832,7 +20790,7 @@ index e7d1738..fc52817 100644
type vmblock_t;
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
-@@ -172,6 +206,8 @@ type vxfs_t;
+@@ -172,6 +211,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -20841,7 +20799,7 @@ index e7d1738..fc52817 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -182,6 +218,8 @@ fs_type(tmpfs_t)
+@@ -182,6 +223,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -20850,7 +20808,7 @@ index e7d1738..fc52817 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +299,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +304,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -20859,7 +20817,7 @@ index e7d1738..fc52817 100644
files_mountpoint(removable_t)
#
-@@ -280,6 +320,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +325,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -20867,7 +20825,7 @@ index e7d1738..fc52817 100644
########################################
#
-@@ -301,9 +342,10 @@ fs_associate_noxattr(noxattrfs)
+@@ -301,9 +347,10 @@ fs_associate_noxattr(noxattrfs)
# Unconfined access to this module
#
@@ -22184,7 +22142,7 @@ index e100d88..1428581 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..092e065 100644
+index 8dbab4c..5b93205 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -22489,7 +22447,7 @@ index 8dbab4c..092e065 100644
-allow kern_unconfined sysctl_type:{ dir file } *;
+allow kern_unconfined sysctl_type:{ file } ~entrypoint;
-+allow kern_unconfined sysctl_type:{ dir } *;
++allow kern_unconfined sysctl_type:{ dir lnk_file } *;
allow kern_unconfined kernel_t:system *;
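Review bot: The new `allow kern_unconfined sysctl_type:{ dir lnk_file } *;` keeps the `*` wildcard while the `file` rule directly above it was narrowed to `~entrypoint`, and nothing records that the asymmetry is deliberate. As far as I know neither the dir nor the lnk_file class has an `entrypoint` permission, so `*` excludes nothing of interest there, but a reader comparing the two lines will suspect the wildcard was left by mistake. Suggest a comment above the pair: `# entrypoint exists only on the file class; dir/lnk_file have no transition permission to exclude`. The enclosing kern_unconfined rule block continues outside this hunk.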
@@ -25207,7 +25165,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..a73a163 100644
+index 2522ca6..f7ff2c7 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
@@ -25371,14 +25329,14 @@ index 2522ca6..a73a163 100644
+
+optional_policy(`
+ consoletype_exec(sysadm_t)
++')
++
++optional_policy(`
++ daemonstools_run_start(sysadm_t, sysadm_r)
')
optional_policy(`
- cvs_exec(sysadm_t)
-+ daemonstools_run_start(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
+
+ dontaudit sysadm_dbusd_t self:capability net_admin;
@@ -25413,7 +25371,19 @@ index 2522ca6..a73a163 100644
fstools_run(sysadm_t, sysadm_r)
')
-@@ -172,13 +246,31 @@ optional_policy(`
+@@ -164,6 +238,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ hwloc_admin(sysadm_t)
++ hwloc_run_dhwd(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ hadoop_role(sysadm_r, sysadm_t)
+ ')
+
+@@ -172,13 +251,31 @@ optional_policy(`
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
ipsec_exec_mgmt(sysadm_t)
@@ -25445,7 +25415,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -190,11 +282,12 @@ optional_policy(`
+@@ -190,11 +287,12 @@ optional_policy(`
')
optional_policy(`
@@ -25460,7 +25430,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -210,22 +303,20 @@ optional_policy(`
+@@ -210,22 +308,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -25489,7 +25459,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -237,14 +328,28 @@ optional_policy(`
+@@ -237,14 +333,28 @@ optional_policy(`
')
optional_policy(`
@@ -25518,7 +25488,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -252,10 +357,20 @@ optional_policy(`
+@@ -252,10 +362,20 @@ optional_policy(`
')
optional_policy(`
@@ -25539,7 +25509,7 @@ index 2522ca6..a73a163 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +381,41 @@ optional_policy(`
+@@ -266,35 +386,41 @@ optional_policy(`
')
optional_policy(`
@@ -25588,7 +25558,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -308,6 +429,7 @@ optional_policy(`
+@@ -308,6 +434,7 @@ optional_policy(`
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -25596,7 +25566,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -315,12 +437,20 @@ optional_policy(`
+@@ -315,12 +442,20 @@ optional_policy(`
')
optional_policy(`
@@ -25618,7 +25588,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -345,30 +475,37 @@ optional_policy(`
+@@ -345,30 +480,37 @@ optional_policy(`
')
optional_policy(`
@@ -25665,7 +25635,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -380,10 +517,6 @@ optional_policy(`
+@@ -380,10 +522,6 @@ optional_policy(`
')
optional_policy(`
@@ -25676,7 +25646,7 @@ index 2522ca6..a73a163 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +524,9 @@ optional_policy(`
+@@ -391,6 +529,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -25686,7 +25656,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -398,31 +534,34 @@ optional_policy(`
+@@ -398,31 +539,34 @@ optional_policy(`
')
optional_policy(`
@@ -25727,7 +25697,7 @@ index 2522ca6..a73a163 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -435,10 +574,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +579,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -25738,7 +25708,7 @@ index 2522ca6..a73a163 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -459,15 +594,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +599,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -45938,7 +45908,7 @@ index 2cea692..bf86a31 100644
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..78fa512 100644
+index a392fc4..155d5ce 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -46172,7 +46142,7 @@ index a392fc4..78fa512 100644
vmware_append_log(dhcpc_t)
')
-@@ -264,12 +313,25 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,12 +313,26 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -46194,11 +46164,12 @@ index a392fc4..78fa512 100644
+create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
+files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
+allow ifconfig_t ifconfig_var_run_t:file mounton;
++allow ifconfig_t ifconfig_var_run_t:dir mounton;
+
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
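Review bot: The added `allow ifconfig_t ifconfig_var_run_t:dir mounton;` carries no comment saying which operation needs a directory to be mounted on, and neither does the existing `file mounton` rule right above it. Given the `"netns"` directory filetrans this patch adds to sysnetwork.if, this is presumably `ip netns`, which bind-mounts /run/netns onto itself and each namespace file onto it, but that should be confirmed against the AVC denial that motivated the rule. Suggest a comment above the two mounton rules: `# ip netns: bind-mounts /run/netns onto itself and netns files onto it`.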
-@@ -279,14 +341,32 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -279,14 +342,32 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -46231,7 +46202,7 @@ index a392fc4..78fa512 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -299,33 +379,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +380,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -46289,7 +46260,7 @@ index a392fc4..78fa512 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -336,7 +434,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +435,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -46302,7 +46273,7 @@ index a392fc4..78fa512 100644
')
optional_policy(`
-@@ -350,7 +452,16 @@ optional_policy(`
+@@ -350,7 +453,16 @@ optional_policy(`
')
optional_policy(`
@@ -46320,7 +46291,7 @@ index a392fc4..78fa512 100644
')
optional_policy(`
-@@ -371,3 +482,13 @@ optional_policy(`
+@@ -371,3 +483,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -50480,7 +50451,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..e6556aa 100644
+index 9dc60c6..595ad40 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -51175,7 +51146,7 @@ index 9dc60c6..e6556aa 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,93 +737,132 @@ template(`userdom_common_user_template',`
+@@ -546,93 +737,137 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -51286,18 +51257,23 @@ index 9dc60c6..e6556aa 100644
optional_policy(`
- consolekit_dbus_chat($1_t)
+ hal_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- cups_dbus_chat_config($1_t)
-+ kde_dbus_chat_backlighthelper($1_usertype)
+ ')
+
++ optional_policy(`
++ hwloc_exec_dhwd($1_t)
++ hwloc_read_runtime_files($1_t)
++ ')
++
++ optional_policy(`
++ kde_dbus_chat_backlighthelper($1_usertype)
+ ')
+
+ optional_policy(`
+ memcached_stream_connect($1_usertype)
+ ')
+
-+ optional_policy(`
+ optional_policy(`
+- cups_dbus_chat_config($1_t)
+ modemmanager_dbus_chat($1_usertype)
')
@@ -51322,31 +51298,31 @@ index 9dc60c6..e6556aa 100644
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
+ git_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
')
optional_policy(`
- kerberos_manage_krb5_home_files($1_t)
- kerberos_relabel_krb5_home_files($1_t)
- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ lircd_stream_connect($1_usertype)
')
optional_policy(`
-@@ -642,23 +872,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +877,21 @@ template(`userdom_common_user_template',`
optional_policy(`
mpd_manage_user_data_content($1_t)
mpd_relabel_user_data_content($1_t)
@@ -51375,7 +51351,7 @@ index 9dc60c6..e6556aa 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +899,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +904,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -51384,7 +51360,7 @@ index 9dc60c6..e6556aa 100644
')
optional_policy(`
-@@ -680,9 +908,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +913,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -51397,7 +51373,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -693,32 +921,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +926,35 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -51444,7 +51420,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -743,17 +974,32 @@ template(`userdom_common_user_template',`
+@@ -743,17 +979,32 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -51463,9 +51439,7 @@ index 9dc60c6..e6556aa 100644
+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable($1_exec_content, true)
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -51473,7 +51447,9 @@ index 9dc60c6..e6556aa 100644
+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -51481,7 +51457,7 @@ index 9dc60c6..e6556aa 100644
userdom_change_password_template($1)
-@@ -761,82 +1007,112 @@ template(`userdom_login_user_template', `
+@@ -761,82 +1012,112 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -51557,14 +51533,14 @@ index 9dc60c6..e6556aa 100644
- init_dontaudit_use_script_fds($1_t)
+ init_dontaudit_use_fds($1_usertype)
+ init_dontaudit_use_script_fds($1_usertype)
-
-- libs_exec_lib_files($1_t)
++
+ # Needed by pam_selinux.so calling in systemd-users
+ init_entrypoint_exec(login_userdomain)
-- logging_dontaudit_getattr_all_logs($1_t)
+- libs_exec_lib_files($1_t)
+ libs_exec_lib_files($1_usertype)
-+
+
+- logging_dontaudit_getattr_all_logs($1_t)
+ logging_dontaudit_getattr_all_logs($1_usertype)
- miscfiles_read_man_pages($1_t)
@@ -51630,7 +51606,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -868,6 +1144,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -51643,7 +51619,7 @@ index 9dc60c6..e6556aa 100644
##############################
#
# Local policy
-@@ -907,53 +1189,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -51663,14 +51639,10 @@ index 9dc60c6..e6556aa 100644
+ dev_read_rand($1_usertype)
- logging_send_syslog_msg($1_t)
-- logging_dontaudit_send_audit_msgs($1_t)
+ dev_read_video_dev($1_usertype)
+ dev_write_video_dev($1_usertype)
+ dev_rw_wireless($1_usertype)
-
-- # Need to to this just so screensaver will work. Should be moved to screensaver domain
-- logging_send_audit_msgs($1_t)
-- selinux_get_enforce_mode($1_t)
++
+ libs_dontaudit_setattr_lib_files($1_usertype)
+
+ init_read_state($1_usertype)
@@ -51688,10 +51660,11 @@ index 9dc60c6..e6556aa 100644
+ ')
+
+ logging_send_syslog_msg($1_t)
-+ logging_dontaudit_send_audit_msgs($1_t)
-+
-+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
-+ selinux_get_enforce_mode($1_t)
+ logging_dontaudit_send_audit_msgs($1_t)
+
+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
+- logging_send_audit_msgs($1_t)
+ selinux_get_enforce_mode($1_t)
+ seutil_exec_restorecond($1_t)
+ seutil_read_file_contexts($1_t)
+ seutil_read_default_contexts($1_t)
@@ -51798,7 +51771,7 @@ index 9dc60c6..e6556aa 100644
')
#######################################
-@@ -987,27 +1353,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -51836,7 +51809,7 @@ index 9dc60c6..e6556aa 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1390,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1395,63 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -51896,21 +51869,21 @@ index 9dc60c6..e6556aa 100644
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
++ ')
++
++ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
-+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1455,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1460,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -51921,7 +51894,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -1079,7 +1493,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1498,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -51932,7 +51905,7 @@ index 9dc60c6..e6556aa 100644
')
##############################
-@@ -1095,6 +1511,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1516,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -51940,7 +51913,7 @@ index 9dc60c6..e6556aa 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1522,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1527,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -51957,7 +51930,7 @@ index 9dc60c6..e6556aa 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1539,8 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1544,8 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -51966,7 +51939,7 @@ index 9dc60c6..e6556aa 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1558,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1563,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -51982,7 +51955,7 @@ index 9dc60c6..e6556aa 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1577,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1582,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -52027,7 +52000,7 @@ index 9dc60c6..e6556aa 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1620,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1625,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -52036,7 +52009,7 @@ index 9dc60c6..e6556aa 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1629,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1634,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -52059,7 +52032,7 @@ index 9dc60c6..e6556aa 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1679,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1684,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -52068,7 +52041,7 @@ index 9dc60c6..e6556aa 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1689,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1694,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -52077,7 +52050,7 @@ index 9dc60c6..e6556aa 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1703,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1708,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -52089,7 +52062,7 @@ index 9dc60c6..e6556aa 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1717,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1722,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -52132,7 +52105,7 @@ index 9dc60c6..e6556aa 100644
')
optional_policy(`
-@@ -1357,14 +1802,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1807,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -52151,7 +52124,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1397,12 +1845,52 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1850,52 @@ interface(`userdom_user_tmp_file',`
##
#
interface(`userdom_user_tmpfs_file',`
@@ -52205,7 +52178,7 @@ index 9dc60c6..e6556aa 100644
## Allow domain to attach to TUN devices created by administrative users.
##
##
-@@ -1509,11 +1997,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +2002,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -52237,7 +52210,7 @@ index 9dc60c6..e6556aa 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1555,6 +2063,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2068,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -52252,7 +52225,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1570,9 +2086,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2091,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -52264,7 +52237,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1613,6 +2131,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2136,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
##
@@ -52289,7 +52262,7 @@ index 9dc60c6..e6556aa 100644
## Relabel to user home directories.
##
##
-@@ -1631,6 +2167,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2172,59 @@ interface(`userdom_relabelto_user_home_dirs',`
########################################
##
@@ -52349,7 +52322,7 @@ index 9dc60c6..e6556aa 100644
## Create directories in the home dir root with
## the user home directory type.
##
-@@ -1704,10 +2293,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2298,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -52364,7 +52337,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1741,10 +2332,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2337,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -52379,7 +52352,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1769,7 +2362,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2367,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -52388,7 +52361,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1777,19 +2370,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2375,17 @@ interface(`userdom_manage_user_home_content_dirs',`
##
##
#
@@ -52412,7 +52385,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1797,55 +2388,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2393,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
#
@@ -52483,7 +52456,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1853,18 +2444,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2449,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
##
##
#
@@ -52511,7 +52484,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1872,17 +2464,167 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,18 +2469,71 @@ interface(`userdom_mmap_user_home_content_files',`
##
##
#
@@ -52519,13 +52492,17 @@ index 9dc60c6..e6556aa 100644
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
+-
+- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
+interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
+ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
+ userdom_getattr_user_tmp_files($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read user home files.
+## Dontaudit getattr on user tmp sockets.
+##
+##
@@ -52584,22 +52561,24 @@ index 9dc60c6..e6556aa 100644
+##
+## Do not audit attempts to set the
+## attributes of user home files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1891,13 +2541,113 @@ interface(`userdom_read_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_read_user_home_content_files',`
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
+ gen_require(`
+ type user_home_t;
+ ')
+
+- dontaudit $1 user_home_t:dir list_dir_perms;
+- dontaudit $1 user_home_t:file read_file_perms;
+ dontaudit $1 user_home_t:file setattr_file_perms;
+')
-
-- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++
+########################################
+##
+## Set the attributes of all user home directories.
@@ -52635,11 +52614,11 @@ index 9dc60c6..e6556aa 100644
+ ')
+
+ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
- files_search_home($1)
- ')
-
- ########################################
- ##
++ files_search_home($1)
++')
++
++########################################
++##
+## Read user home files.
+##
+##
@@ -52681,20 +52660,20 @@ index 9dc60c6..e6556aa 100644
+
+########################################
+##
- ## Do not audit attempts to read user home files.
- ##
- ##
-@@ -1893,11 +2635,14 @@ interface(`userdom_read_user_home_content_files',`
- #
- interface(`userdom_dontaudit_read_user_home_content_files',`
- gen_require(`
-- type user_home_t;
++## Do not audit attempts to read user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_user_home_content_files',`
++ gen_require(`
+ attribute user_home_type;
+ type user_home_dir_t;
- ')
-
-- dontaudit $1 user_home_t:dir list_dir_perms;
-- dontaudit $1 user_home_t:file read_file_perms;
++ ')
++
+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
+ dontaudit $1 user_home_type:dir list_dir_perms;
+ dontaudit $1 user_home_type:file read_file_perms;
@@ -52702,7 +52681,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1938,7 +2683,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2688,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -52711,7 +52690,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1946,10 +2691,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2696,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -52724,7 +52703,7 @@ index 9dc60c6..e6556aa 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2702,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2707,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -52733,7 +52712,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1966,12 +2710,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2715,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -52802,7 +52781,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2007,8 +2805,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2810,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -52812,7 +52791,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2024,21 +2821,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2826,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -52826,19 +52805,18 @@ index 9dc60c6..e6556aa 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
##
- ## Do not audit attempts to execute user home files.
-@@ -2120,7 +2911,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2916,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -52847,7 +52825,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2128,19 +2919,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2924,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -52871,7 +52849,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2148,12 +2937,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2942,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -52887,7 +52865,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2388,18 +3177,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3182,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
##
##
#
@@ -52945,7 +52923,7 @@ index 9dc60c6..e6556aa 100644
## Do not audit attempts to read users
## temporary files.
##
-@@ -2414,7 +3239,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3244,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -52954,7 +52932,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2455,6 +3280,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3285,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -52980,34 +52958,12 @@ index 9dc60c6..e6556aa 100644
########################################
##
-@@ -2538,7 +3382,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3387,27 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
-## temporary symbolic links.
+## temporary files.
- ##
- ##
- ##
-@@ -2546,18 +3390,59 @@ interface(`userdom_manage_user_tmp_files',`
- ##
- ##
- #
--interface(`userdom_manage_user_tmp_symlinks',`
-+interface(`userdom_filetrans_named_user_tmp_files',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
-+ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
- files_search_tmp($1)
- ')
-
- ########################################
- ##
- ## Create, read, write, and delete user
-+## temporary symbolic links.
+##
+##
+##
@@ -53015,26 +52971,26 @@ index 9dc60c6..e6556aa 100644
+##
+##
+#
-+interface(`userdom_manage_user_tmp_symlinks',`
++interface(`userdom_filetrans_named_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
+ files_search_tmp($1)
+')
+
+########################################
+##
+## Create, read, write, and delete user
-+## temporary named pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
++## temporary symbolic links.
+ ##
+ ##
+ ##
+@@ -2566,6 +3435,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+ ##
+ ##
+ #
+interface(`userdom_rw_inherited_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
@@ -53048,10 +53004,18 @@ index 9dc60c6..e6556aa 100644
+########################################
+##
+## Create, read, write, and delete user
- ## temporary named pipes.
- ##
- ##
-@@ -2661,6 +3546,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
++## temporary named pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+ interface(`userdom_manage_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+@@ -2661,6 +3551,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -53073,7 +53037,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Read user tmpfs files.
-@@ -2672,18 +3572,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3577,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
##
#
interface(`userdom_read_user_tmpfs_files',`
@@ -53095,7 +53059,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2692,19 +3587,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3592,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -53118,7 +53082,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2713,13 +3602,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3607,56 @@ interface(`userdom_rw_user_tmpfs_files',`
##
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -53179,7 +53143,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2814,6 +3746,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3751,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -53204,7 +53168,7 @@ index 9dc60c6..e6556aa 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3782,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3787,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -53247,7 +53211,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2856,14 +3818,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3823,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -53285,7 +53249,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2882,8 +3863,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3868,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -53315,7 +53279,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2955,6 +3955,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +3960,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -53358,7 +53322,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2978,24 +4014,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2978,24 +4019,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -53383,7 +53347,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4032,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3014,9 +4037,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -53395,7 +53359,7 @@ index 9dc60c6..e6556aa 100644
## memory segments.
##
##
-@@ -3025,17 +4043,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,17 +4048,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -53416,7 +53380,7 @@ index 9dc60c6..e6556aa 100644
## memory segments.
##
##
-@@ -3044,12 +4062,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
+@@ -3044,12 +4067,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
##
##
#
@@ -53431,7 +53395,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -3094,7 +4112,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4117,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -53440,7 +53404,7 @@ index 9dc60c6..e6556aa 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4128,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4133,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -53474,7 +53438,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -3214,7 +4216,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4221,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -53501,7 +53465,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -3269,12 +4289,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4294,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -53517,7 +53481,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -3282,54 +4303,56 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,54 +4308,56 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -53589,7 +53553,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -3337,12 +4360,86 @@ interface(`userdom_getattr_all_users',`
+@@ -3337,17 +4365,91 @@ interface(`userdom_getattr_all_users',`
##
##
#
@@ -53601,10 +53565,11 @@ index 9dc60c6..e6556aa 100644
- allow $1 userdomain:fd use;
+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to inherit the file
+## Do not audit attempts to use user ttys.
+##
+##
@@ -53675,10 +53640,15 @@ index 9dc60c6..e6556aa 100644
+ ')
+
+ allow $1 userdomain:fd use;
- ')
-
- ########################################
-@@ -3382,6 +4479,42 @@ interface(`userdom_signal_all_users',`
++')
++
++########################################
++##
++## Do not audit attempts to inherit the file
+ ## descriptors from any user domains.
+ ##
+ ##
+@@ -3382,6 +4484,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -53721,7 +53691,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4535,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4540,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -53782,7 +53752,7 @@ index 9dc60c6..e6556aa 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4622,1781 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4627,1781 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch
index ea4e912..25514be 100644
--- a/policy-f24-contrib.patch
+++ b/policy-f24-contrib.patch
@@ -10794,7 +10794,7 @@ index 02fefaa..308616e 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 687d4c4..3c5a83a 100644
+index 687d4c4..f668033 100644
--- a/boinc.te
+++ b/boinc.te
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
@@ -10887,7 +10887,7 @@ index 687d4c4..3c5a83a 100644
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -61,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -61,74 +101,49 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@@ -10925,6 +10925,7 @@ index 687d4c4..3c5a83a 100644
-corenet_all_recvfrom_unlabeled(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
++dev_rw_dri(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
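Review bot: The new `dev_rw_dri(boinc_t)` line grants read/write on DRI device nodes to every boinc installation unconditionally, although the commit message ties it to one openCL GPU use case (BZ 1340886). Since this file already gates the optional execmem/execstack access behind the `boinc_execmem` tunable, the same pattern — a boolean that defaults off, wrapping `dev_rw_dri(boinc_t)` in a `tunable_policy` block — would keep the wider device access opt-in for hosts that only run CPU work. At minimum a one-line comment such as `# GPU (openCL) computation, see BZ 1340886` above the rule would record why the domain needs direct DRI access. The enclosing boinc_t local-policy block starts and ends outside this hunk.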
@@ -10984,7 +10985,7 @@ index 687d4c4..3c5a83a 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -137,8 +151,9 @@ init_read_utmp(boinc_t)
+@@ -137,8 +152,9 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@@ -10996,7 +10997,7 @@ index 687d4c4..3c5a83a 100644
tunable_policy(`boinc_execmem',`
allow boinc_t self:process { execstack execmem };
-@@ -148,48 +163,61 @@ optional_policy(`
+@@ -148,48 +164,61 @@ optional_policy(`
mta_send_mail(boinc_t)
')
@@ -32031,10 +32032,10 @@ index 0000000..764ae00
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..33654d5
+index 0000000..c31e40e
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,297 @@
+@@ -0,0 +1,302 @@
+policy_module(glusterd, 1.1.3)
+
+##
@@ -32099,7 +32100,7 @@ index 0000000..33654d5
+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
+
+allow glusterd_t self:capability2 block_suspend;
-+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched };
++allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
+allow glusterd_t self:sem create_sem_perms;
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
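Review bot: The rewritten process rule adds `setfscreate` without a space before the closing brace, `getsched setfscreate};`, which is inconsistent with every other permission set in this file; the line should read `+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate };`. The addition itself is not mentioned anywhere in the commit message, and `setfscreate` lets glusterd choose the label of files it creates (within whatever `create` access it otherwise has), so a short comment stating which gluster operation relies on it would help later audits of this domain's file-labelling powers. The glusterd_t self-permission block continues outside this hunk.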
@@ -32283,6 +32284,11 @@ index 0000000..33654d5
+ hostname_exec(glusterd_t)
+')
+
++
++optional_policy(`
++ kerberos_read_keytab(glusterd_t)
++')
++
+optional_policy(`
+ lvm_domtrans(glusterd_t)
+')
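Review bot: The new `optional_policy` block for `kerberos_read_keytab(glusterd_t)` is preceded by two consecutive blank lines, while the neighbouring blocks in this file are separated by exactly one; drop one of the added `++` blank lines. Keytab files carry long-term service keys, so a one-line comment naming the gluster feature that needs them (for example `# Kerberized mounts need the service keytab — confirm`) would make the grant easier to justify during review of what credential material this daemon can read. The surrounding optional_policy list extends beyond this hunk on both sides.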
@@ -37022,6 +37028,166 @@ index 0000000..28816b4
+auth_use_nsswitch(hsqldb_t)
+
+sysnet_read_config(hsqldb_t)
+diff --git a/hwloc.fc b/hwloc.fc
+new file mode 100644
+index 0000000..d0c5a15
+--- /dev/null
++++ b/hwloc.fc
+@@ -0,0 +1,5 @@
++/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
++
++/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
++
++/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
+diff --git a/hwloc.if b/hwloc.if
+new file mode 100644
+index 0000000..c2349ec
+--- /dev/null
++++ b/hwloc.if
+@@ -0,0 +1,106 @@
++## Dump topology and locality information from hardware tables.
++
++########################################
++##
++## Execute hwloc dhwd in the hwloc dhwd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`hwloc_domtrans_dhwd',`
++ gen_require(`
++ type hwloc_dhwd_t, hwloc_dhwd_exec_t;
++ ')
++
++ domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
++')
++
++########################################
++##
++## Execute hwloc dhwd in the hwloc dhwd domain, and
++## allow the specified role the hwloc dhwd domain,
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`hwloc_run_dhwd',`
++ gen_require(`
++ attribute_role hwloc_dhwd_roles;
++ ')
++
++ hwloc_domtrans_dhwd($1)
++ roleattribute $2 hwloc_dhwd_roles;
++')
++
++########################################
++##
++## Execute hwloc dhwd in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hwloc_exec_dhwd',`
++ gen_require(`
++ type hwloc_dhwd_exec_t;
++ ')
++
++ can_exec($1, hwloc_dhwd_exec_t)
++')
++
++########################################
++##
++## Read hwloc runtime files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hwloc_read_runtime_files',`
++ gen_require(`
++ type hwloc_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
++')
++
++########################################
++##
++## All of the rules required to
++## administrate an hwloc environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`hwloc_admin',`
++ gen_require(`
++ type hwloc_dhwd_t, hwloc_var_run_t;
++ ')
++
++ allow $1 hwloc_dhwd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, hwloc_dhwd_t)
++
++ admin_pattern($1, hwloc_var_run_t)
++ files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
++')
+diff --git a/hwloc.te b/hwloc.te
+new file mode 100644
+index 0000000..0f45fd5
+--- /dev/null
++++ b/hwloc.te
+@@ -0,0 +1,31 @@
++policy_module(hwloc, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute_role hwloc_dhwd_roles;
++roleattribute system_r hwloc_dhwd_roles;
++
++type hwloc_dhwd_t;
++type hwloc_dhwd_exec_t;
++init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
++role hwloc_dhwd_roles types hwloc_dhwd_t;
++
++type hwloc_var_run_t;
++files_pid_file(hwloc_var_run_t)
++
++type hwloc_dhwd_unit_t;
++systemd_unit_file(hwloc_dhwd_unit_t)
++
++########################################
++#
++# Local policy
++#
++
++allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
++allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
++files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
++
++dev_read_sysfs(hwloc_dhwd_t)
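Review bot: In the new hwloc.te the runtime-directory transition is unnamed, `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)`, so every directory the daemon creates under /run becomes hwloc_var_run_t, whereas the matching `hwloc_admin` interface in hwloc.if and the `/var/run/hwloc(/.*)?` entry in hwloc.fc both pin the name to "hwloc". Passing the same name here, `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir, "hwloc")`, keeps the three files consistent and limits the transition to the directory the file contexts actually describe. Separately, the `hwloc_run_dhwd` summary in hwloc.if ends with a dangling comma ("allow the specified role the hwloc dhwd domain,"), which should be a full stop. The hwloc_dhwd_unit_t type is declared but no interface exposes it, which is fine for now but worth a `# no systemctl interface yet` comment so the omission reads as deliberate.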
diff --git a/hypervkvp.fc b/hypervkvp.fc
index b46130e..e2ae3b2 100644
--- a/hypervkvp.fc
@@ -48067,7 +48233,7 @@ index 0000000..8bc27f4
+domain_use_interactive_fds(mcollective_t)
+
diff --git a/mediawiki.fc b/mediawiki.fc
-index 99f7c41..93ec6db 100644
+index 99f7c41..1745603 100644
--- a/mediawiki.fc
+++ b/mediawiki.fc
@@ -1,8 +1,8 @@
@@ -48079,12 +48245,12 @@ index 99f7c41..93ec6db 100644
+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
-/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
-+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0)
++/usr/share/mediawiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0)
-/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
-/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
-+/var/www/wiki(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
-+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)
++/var/www/wiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
++/var/www/wiki[0-9]?\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)
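Review bot: The rewritten last file-context line drops the directory component: the old pattern was `/var/www/wiki/.*\.php`, but the new `/var/www/wiki[0-9]?\.php` only matches a file literally named `/var/www/wiki.php` (or `wiki<digit>.php`), so PHP scripts inside the wiki tree no longer receive mediawiki_content_t and instead fall under the preceding `/var/www/wiki[0-9]?(/.*)?` rule as mediawiki_rw_content_t, which is presumably the httpd-writable type. That is a labelling regression with a security cost if the web server can then modify its own scripts; the line should be `++/var/www/wiki[0-9]?/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)`. Also, the commit message refers to "mediawiki123", yet `[0-9]?` matches at most a single digit, so if the package installs into a three-digit-suffixed path these patterns would not match it — worth confirming and using `[0-9]*` if so.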
diff --git a/mediawiki.if b/mediawiki.if
index 9771b4b..9b183e6 100644
--- a/mediawiki.if
@@ -57009,7 +57175,7 @@ index d78dfc3..40e1c77 100644
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/nagios.if b/nagios.if
-index 0641e97..438eeb3 100644
+index 0641e97..f3b1111 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
@@ -57058,12 +57224,10 @@ index 0641e97..438eeb3 100644
+
+ kernel_read_system_state(nagios_$1_plugin_t)
+
- ')
-
- ########################################
- ##
--## Do not audit attempts to read or
--## write nagios unnamed pipes.
++')
++
++########################################
++##
+## Execute the nagios unconfined plugins with
+## a domain transition.
+##
@@ -57080,10 +57244,12 @@ index 0641e97..438eeb3 100644
+ ')
+
+ domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read or
+-## write nagios unnamed pipes.
+## Do not audit attempts to read or write nagios
+## unnamed pipes.
##
@@ -57160,10 +57326,11 @@ index 0641e97..438eeb3 100644
- files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read nagios temporary files.
+## Append nagios spool files.
+##
+##
@@ -57179,11 +57346,10 @@ index 0641e97..438eeb3 100644
+
+ allow $1 nagios_spool_t:file append_file_perms;
+ files_search_spool($1)
- ')
-
- ########################################
- ##
--## Read nagios temporary files.
++')
++
++########################################
++##
+## Allow the specified domain to read
+## nagios temporary files.
##
@@ -57196,11 +57362,10 @@ index 0641e97..438eeb3 100644
- files_search_tmp($1)
allow $1 nagios_tmp_t:file read_file_perms;
+ files_search_tmp($1)
- ')
-
- ########################################
- ##
--## Execute nrpe with a domain transition.
++')
++
++########################################
++##
+## Allow the specified domain to read
+## nagios temporary files.
+##
@@ -57217,16 +57382,17 @@ index 0641e97..438eeb3 100644
+
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Execute nrpe with a domain transition.
+## Execute the nagios NRPE with
+## a domain transition.
##
##
##
-@@ -170,14 +243,13 @@ interface(`nagios_domtrans_nrpe',`
+@@ -170,14 +243,31 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
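Review bot: The summary moved into the preceding hunk (`## Allow the specified domain to read` / `## nagios temporary files.`) now heads the interface body in this hunk that grants `allow $1 nagios_tmp_t:file rw_inherited_file_perms;`, so the documentation promises read access for an interface that also permits writes to inherited temp files, and it repeats word for word the summary of the `read_file_perms` interface directly above it. Suggest `## Read and write inherited nagios temporary files.` for this one so callers can tell the two apart. The `interface(` line and name for this body are outside both hunks, so the pairing is inferred from the order of the new-side lines.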
@@ -57234,6 +57400,24 @@ index 0641e97..438eeb3 100644
domtrans_pattern($1, nrpe_exec_t, nrpe_t)
')
++######################################
++##
++## Do not audit attempts to write nrpe daemon unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nagios_dontaudit_write_pipes_nrpe',`
++ gen_require(`
++ type nrpe_t;
++ ')
++
++ dontaudit $1 nrpe_t:fifo_file write;
++')
++
########################################
##
-## All of the rules required to
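Review bot: The new `nagios_dontaudit_write_pipes_nrpe` interface suppresses `write` denials on `nrpe_t:fifo_file` for any caller domain without granting the access, so a plugin that genuinely needs to return its output over an nrpe pipe will still fail, now with no AVC record pointing at the cause. If the write is legitimate, the refpolicy-style fix is an allow on the inherited pipe (`rw_inherited_fifo_file_perms`), with dontaudit reserved for accesses known to be harmless; either way the summary should say which access path produces the denial so the suppression can be revisited later. The XML wrapper of the doc block (`<summary>`, `<param name="domain">`) appears to have been lost in this rendering and should be checked in the source, and the `#####` header line looks two characters shorter than the other interface headers in this file.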
@@ -57243,7 +57427,7 @@ index 0641e97..438eeb3 100644
##
##
##
-@@ -186,44 +258,43 @@ interface(`nagios_domtrans_nrpe',`
+@@ -186,44 +276,43 @@ interface(`nagios_domtrans_nrpe',`
##
##
##
@@ -85669,10 +85853,10 @@ index c8a1e16..2d409bf 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..dfb3396 100644
+index 47de2d6..bc62d96 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,95 @@
+@@ -1,31 +1,96 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -85763,6 +85947,7 @@ index 47de2d6..dfb3396 100644
+/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/share/cluster/fence_scsi_check_hardreboot -- gen_context(system_u:object_r:fenced_exec_t,s0)
+
+/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
@@ -86660,7 +86845,7 @@ index c8bdea2..1574225 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..1a605f9 100644
+index 6cf79c4..943fd8b 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -87028,7 +87213,7 @@ index 6cf79c4..1a605f9 100644
-allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:tcp_socket { accept listen };
+allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin };
-+allow fenced_t self:process { getsched setpgid signal_perms };
++allow fenced_t self:process { getsched setcap setpgid signal_perms };
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
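Review bot: `setcap` joins `fenced_t self:process` with no comment recording what triggered it, and next to the `{ net_admin sys_rawio sys_resource sys_admin }` capability set on the line above it lets fenced alter its own capability sets, so a later reader cannot tell a deliberate privilege drop by a fence agent from a workaround for a stray denial. Suggest a one-line comment above the rule, e.g. `# fence agents adjust their own capability sets (setcap) — <reason or bug id placeholder>`. The rest of the fenced_t self-access section is outside this hunk.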
@@ -107626,7 +107811,7 @@ index 97cd155..49321a5 100644
fs_search_auto_mountpoints(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index 585a77f..948bc5b 100644
+index 585a77f..a7cb326 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1)
@@ -107672,7 +107857,7 @@ index 585a77f..948bc5b 100644
dev_read_urand(tmpreaper_t)
-@@ -27,15 +53,19 @@ corecmd_exec_shell(tmpreaper_t)
+@@ -27,15 +53,16 @@ corecmd_exec_shell(tmpreaper_t)
fs_getattr_xattr_fs(tmpreaper_t)
fs_list_all(tmpreaper_t)
@@ -107683,11 +107868,9 @@ index 585a77f..948bc5b 100644
-files_getattr_all_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
+-files_setattr_all_tmp_dirs(tmpreaper_t)
+files_delete_all_non_security_files(tmpreaper_t)
-+# why does it need setattr?
- files_setattr_all_tmp_dirs(tmpreaper_t)
-+files_setattr_isid_type_dirs(tmpreaper_t)
-+files_setattr_usr_dirs(tmpreaper_t)
++files_setattr_non_security_dirs(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
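Review bot: Replacing `files_setattr_all_tmp_dirs`, `files_setattr_isid_type_dirs` and `files_setattr_usr_dirs` with `files_setattr_non_security_dirs(tmpreaper_t)` widens setattr from tmp, usr and unlabeled directories to every directory of a non_security_file_type, and the removed `# why does it need setattr?` marker was the only trace that the need had been questioned. Together with the `files_delete_all_non_security_files(tmpreaper_t)` rule already in this hunk, a periodic cleanup job now holds setattr and delete over most of the filesystem, so the directories it was actually denied on should be recorded so the scope can be narrowed later, e.g. `# setattr needed on <dirs placeholder> (BZ <id placeholder>); non_security_file_type is the broadest matching attribute`. The remaining lines of this section are outside the hunk.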
@@ -107696,7 +107879,7 @@ index 585a77f..948bc5b 100644
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
-@@ -45,7 +75,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
+@@ -45,7 +72,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
@@ -107704,7 +107887,7 @@ index 585a77f..948bc5b 100644
miscfiles_delete_man_pages(tmpreaper_t)
ifdef(`distro_debian',`
-@@ -53,10 +82,33 @@ ifdef(`distro_debian',`
+@@ -53,10 +79,33 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@@ -107739,7 +107922,7 @@ index 585a77f..948bc5b 100644
')
optional_policy(`
-@@ -64,6 +116,7 @@ optional_policy(`
+@@ -64,6 +113,7 @@ optional_policy(`
')
optional_policy(`
@@ -107747,7 +107930,7 @@ index 585a77f..948bc5b 100644
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
-@@ -79,7 +132,19 @@ optional_policy(`
+@@ -79,7 +129,19 @@ optional_policy(`
')
optional_policy(`
@@ -107768,7 +107951,7 @@ index 585a77f..948bc5b 100644
')
optional_policy(`
-@@ -89,3 +154,8 @@ optional_policy(`
+@@ -89,3 +151,8 @@ optional_policy(`
optional_policy(`
rpm_manage_cache(tmpreaper_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3eac2b6..abdb6c7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 190%{?dist}
+Release: 191%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -645,6 +645,20 @@ exit 0
%endif
%changelog
+* Thu Jun 08 2016 Lukas Vrabec 3.13.1-191
+- Add hwloc-dump-hwdata SELinux policy
+- Add labels for mediawiki123
+- Fix label for all fence_scsi_check scripts
+- Allow setcap for fenced
+- Allow glusterd domain read krb5_keytab_t files.
+- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
+- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
+- Update refpolicy to handle hwloc
+- Fix typo in files_setattr_non_security_dirs.
+- Add interface files_setattr_non_security_dirs()
+- Add support for onloadfs
+- Additional access required for unconfined domains
+
* Mon May 30 2016 Lukas Vrabec 3.13.1-190
- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs