From 92e9b347de4f942419726f7c049e2a71f8de4074 Mon Sep 17 00:00:00 2001
From: rhatdan
Date: Oct 31 2012 15:27:30 +0000
Subject: Merge branch 'f18' of ssh://pkgs.fedoraproject.org/selinux-policy into f18
---
diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf
index 6d19ebf..eacb29a 100644
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
@@ -425,13 +425,6 @@ dictd = module
#
distcc = off
-# Layer: services
-# Module: dkim
-#
-# DKIM signing and verifying filter for MTAs
-#
-dkim = module
-
# Layer: admin
# Module: dmidecode
#
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 8e49feb..03eea28 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -579,13 +579,6 @@ dirsrv = module
#
distcc = off
-# Layer: services
-# Module: dkim
-#
-# DKIM signing and verifying filter for MTAs
-#
-dkim = module
-
# Layer: admin
# Module: dmidecode
#
diff --git a/permissivedomains.pp b/permissivedomains.pp
index ea16f06..71adce4 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/permissivedomains.te b/permissivedomains.te
index 904ffa3..099990f 100644
--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -10,14 +10,6 @@ optional_policy(`
optional_policy(`
gen_require(`
- type dkim_t;
- ')
-
- permissive dkim_t;
-')
-
-optional_policy(`
- gen_require(`
type rngd_t;
')
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index b8161ff..aa40274 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -108998,10 +108998,10 @@ index d218387..c406594 100644
# used by netlabel to restrict normal domains to same level connections
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..530d2df 100644
+index 7a6f06f..bf04b0a 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,14 @@
+@@ -1,9 +1,16 @@
-
+/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
@@ -109013,12 +109013,14 @@ index 7a6f06f..530d2df 100644
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-
--/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++
+/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index a778bb1..5e914db 100644
--- a/policy/modules/admin/bootloader.if
@@ -109105,7 +109107,7 @@ index a778bb1..5e914db 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index ab0439a..3ee2ca5 100644
+index ab0439a..803bd27 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
@@ -109119,7 +109121,7 @@ index ab0439a..3ee2ca5 100644
#
# boot_runtime_t is the type for /boot/kernel.h,
-@@ -19,14 +19,18 @@ files_type(boot_runtime_t)
+@@ -19,14 +19,21 @@ files_type(boot_runtime_t)
type bootloader_t;
type bootloader_exec_t;
application_domain(bootloader_t, bootloader_exec_t)
@@ -109129,6 +109131,9 @@ index ab0439a..3ee2ca5 100644
+
+type bootloader_var_run_t;
+files_pid_file(bootloader_var_run_t)
++
++type bootloader_var_lib_t;
++files_type(bootloader_var_lib_t)
#
# bootloader_etc_t is the configuration file,
@@ -109140,7 +109145,7 @@ index ab0439a..3ee2ca5 100644
#
# The temp file is used for initrd creation;
-@@ -41,7 +45,7 @@ dev_node(bootloader_tmp_t)
+@@ -41,7 +48,7 @@ dev_node(bootloader_tmp_t)
# bootloader local policy
#
@@ -109149,7 +109154,7 @@ index ab0439a..3ee2ca5 100644
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
-@@ -59,6 +63,10 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
+@@ -59,6 +66,15 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
@@ -109157,10 +109162,15 @@ index ab0439a..3ee2ca5 100644
+manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
+files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })
+
++manage_dirs_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
++manage_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
++manage_lnk_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
++files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, {dir file })
++
kernel_getattr_core_if(bootloader_t)
kernel_read_network_state(bootloader_t)
kernel_read_system_state(bootloader_t)
-@@ -81,6 +89,8 @@ dev_rw_nvram(bootloader_t)
+@@ -81,6 +97,8 @@ dev_rw_nvram(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
@@ -109169,7 +109179,7 @@ index ab0439a..3ee2ca5 100644
fs_read_tmpfs_symlinks(bootloader_t)
#Needed for ia64
fs_manage_dos_files(bootloader_t)
-@@ -89,7 +99,9 @@ mls_file_read_all_levels(bootloader_t)
+@@ -89,7 +107,9 @@ mls_file_read_all_levels(bootloader_t)
mls_file_write_all_levels(bootloader_t)
term_getattr_all_ttys(bootloader_t)
@@ -109179,7 +109189,7 @@ index ab0439a..3ee2ca5 100644
corecmd_exec_all_executables(bootloader_t)
-@@ -98,12 +110,14 @@ domain_use_interactive_fds(bootloader_t)
+@@ -98,12 +118,14 @@ domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
@@ -109194,7 +109204,7 @@ index ab0439a..3ee2ca5 100644
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
-@@ -111,6 +125,7 @@ files_manage_etc_runtime_files(bootloader_t)
+@@ -111,6 +133,7 @@ files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
@@ -109202,7 +109212,7 @@ index ab0439a..3ee2ca5 100644
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
init_use_script_fds(bootloader_t)
-@@ -118,19 +133,21 @@ init_rw_script_pipes(bootloader_t)
+@@ -118,19 +141,21 @@ init_rw_script_pipes(bootloader_t)
libs_read_lib_files(bootloader_t)
libs_exec_lib_files(bootloader_t)
@@ -109227,7 +109237,7 @@ index ab0439a..3ee2ca5 100644
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
-@@ -166,7 +183,8 @@ ifdef(`distro_redhat',`
+@@ -166,7 +191,8 @@ ifdef(`distro_redhat',`
files_manage_isid_type_chr_files(bootloader_t)
# for mke2fs
@@ -109237,7 +109247,7 @@ index ab0439a..3ee2ca5 100644
optional_policy(`
unconfined_domain(bootloader_t)
-@@ -174,6 +192,10 @@ ifdef(`distro_redhat',`
+@@ -174,6 +200,10 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -109248,7 +109258,7 @@ index ab0439a..3ee2ca5 100644
fstools_exec(bootloader_t)
')
-@@ -183,6 +205,14 @@ optional_policy(`
+@@ -183,6 +213,14 @@ optional_policy(`
')
optional_policy(`
@@ -109263,7 +109273,7 @@ index ab0439a..3ee2ca5 100644
kudzu_domtrans(bootloader_t)
')
-@@ -195,15 +225,13 @@ optional_policy(`
+@@ -195,17 +233,19 @@ optional_policy(`
optional_policy(`
modutils_exec_insmod(bootloader_t)
@@ -109273,14 +109283,18 @@ index ab0439a..3ee2ca5 100644
modutils_exec_insmod(bootloader_t)
modutils_exec_depmod(bootloader_t)
modutils_exec_update_mods(bootloader_t)
--')
--
--optional_policy(`
-- nscd_socket_use(bootloader_t)
+ modutils_domtrans_insmod_uncond(bootloader_t)
')
optional_policy(`
+- nscd_socket_use(bootloader_t)
++ rpm_rw_pipes(bootloader_t)
+ ')
+
+ optional_policy(`
+- rpm_rw_pipes(bootloader_t)
++ udev_read_pid_files(bootloader_t)
+ ')
diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc
index b7f053b..5d4fc31 100644
--- a/policy/modules/admin/consoletype.fc
@@ -115320,7 +115334,7 @@ index 6a1e4d1..eee8419 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..a8f9817 100644
+index cf04cb5..4a81c65 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.11.0)
@@ -115437,7 +115451,7 @@ index cf04cb5..a8f9817 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +218,258 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +218,262 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -115560,6 +115574,10 @@ index cf04cb5..a8f9817 100644
+')
+
+optional_policy(`
++ rpcbind_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ sysnet_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -128379,7 +128397,7 @@ index c6fdab7..32f45fa 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..38016b7 100644
+index 28ad538..dac7844 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,14 +1,25 @@
@@ -128391,7 +128409,8 @@ index 28ad538..38016b7 100644
/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
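Review bot: `/etc/group\.lock` moves from shadow_t to passwd_file_t at the `++` line, which widens who can create and hold that lock, since passwd_file_t is typically granted far more widely than shadow_t. The lock file holds no secret, so the exposure is lock-holding rather than disclosure, but the hunk records no rationale, and the sibling entries `/etc/passwd\.lock` and `/etc/\.pwd\.lock` are only dropped here, so it is not clear whether they are meant to receive the same label elsewhere. A comment above the entry along the lines of `# lock created by shadow-utils next to /etc/group; labelled like the file it guards` would let the next rebase keep the three lock files consistent.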
@@ -131309,7 +131328,7 @@ index d26fe81..98fad18 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..52b1afc 100644
+index 4a88fa1..533881b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -131537,10 +131556,10 @@ index 4a88fa1..52b1afc 100644
+
+miscfiles_manage_localization(init_t)
+miscfiles_filetrans_named_content(init_t)
++
++userdom_use_user_ttys(init_t)
-miscfiles_read_localization(init_t)
-+userdom_use_user_ttys(init_t)
-+
+allow init_t self:process setsched;
ifdef(`distro_gentoo',`
@@ -131573,14 +131592,15 @@ index 4a88fa1..52b1afc 100644
+
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_aliases(init_t)
@@ -131702,14 +131722,13 @@ index 4a88fa1..52b1afc 100644
+
+optional_policy(`
+ lvm_rw_pipes(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ consolekit_manage_log(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -131730,10 +131749,14 @@ index 4a88fa1..52b1afc 100644
')
optional_policy(`
-@@ -213,6 +446,22 @@ optional_policy(`
+@@ -213,6 +446,26 @@ optional_policy(`
')
optional_policy(`
++ rpcbind_filetrans_named_content(init_t)
++')
++
++optional_policy(`
+ systemd_filetrans_named_content(init_t)
+')
+
@@ -131753,7 +131776,7 @@ index 4a88fa1..52b1afc 100644
unconfined_domain(init_t)
')
-@@ -222,8 +471,9 @@ optional_policy(`
+@@ -222,8 +475,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -131765,7 +131788,7 @@ index 4a88fa1..52b1afc 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -251,12 +501,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +505,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -131782,7 +131805,7 @@ index 4a88fa1..52b1afc 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +526,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +530,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -131825,7 +131848,7 @@ index 4a88fa1..52b1afc 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,6 +563,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,6 +567,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -131833,7 +131856,7 @@ index 4a88fa1..52b1afc 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -306,8 +574,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +578,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -131844,7 +131867,7 @@ index 4a88fa1..52b1afc 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -315,17 +585,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +589,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -131864,7 +131887,7 @@ index 4a88fa1..52b1afc 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -333,6 +602,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +606,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -131872,7 +131895,7 @@ index 4a88fa1..52b1afc 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -340,8 +610,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +614,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -131884,7 +131907,7 @@ index 4a88fa1..52b1afc 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -357,8 +629,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +633,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -131898,7 +131921,7 @@ index 4a88fa1..52b1afc 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -368,9 +644,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +648,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -131912,7 +131935,7 @@ index 4a88fa1..52b1afc 100644
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -380,6 +659,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +663,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -131920,7 +131943,7 @@ index 4a88fa1..52b1afc 100644
selinux_get_enforce_mode(initrc_t)
-@@ -391,6 +671,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +675,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -131928,7 +131951,7 @@ index 4a88fa1..52b1afc 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -409,20 +690,18 @@ logging_read_all_logs(initrc_t)
+@@ -409,20 +694,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -131952,7 +131975,7 @@ index 4a88fa1..52b1afc 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +755,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +759,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -131963,7 +131986,7 @@ index 4a88fa1..52b1afc 100644
alsa_read_lib(initrc_t)
')
-@@ -496,7 +779,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +783,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -131972,7 +131995,7 @@ index 4a88fa1..52b1afc 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -511,6 +794,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +798,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -131980,7 +132003,7 @@ index 4a88fa1..52b1afc 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -531,6 +815,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +819,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -131988,7 +132011,7 @@ index 4a88fa1..52b1afc 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +825,40 @@ ifdef(`distro_redhat',`
+@@ -540,8 +829,40 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -132029,7 +132052,7 @@ index 4a88fa1..52b1afc 100644
')
optional_policy(`
-@@ -549,14 +866,31 @@ ifdef(`distro_redhat',`
+@@ -549,14 +870,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -132061,7 +132084,7 @@ index 4a88fa1..52b1afc 100644
')
')
-@@ -567,6 +901,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +905,39 @@ ifdef(`distro_suse',`
')
')
@@ -132101,7 +132124,7 @@ index 4a88fa1..52b1afc 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +946,8 @@ optional_policy(`
+@@ -579,6 +950,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -132110,7 +132133,7 @@ index 4a88fa1..52b1afc 100644
')
optional_policy(`
-@@ -600,6 +969,7 @@ optional_policy(`
+@@ -600,6 +973,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -132118,7 +132141,7 @@ index 4a88fa1..52b1afc 100644
')
optional_policy(`
-@@ -612,6 +982,17 @@ optional_policy(`
+@@ -612,6 +986,17 @@ optional_policy(`
')
optional_policy(`
@@ -132136,7 +132159,7 @@ index 4a88fa1..52b1afc 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -628,9 +1009,13 @@ optional_policy(`
+@@ -628,9 +1013,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -132150,7 +132173,7 @@ index 4a88fa1..52b1afc 100644
')
optional_policy(`
-@@ -655,6 +1040,10 @@ optional_policy(`
+@@ -655,6 +1044,10 @@ optional_policy(`
')
optional_policy(`
@@ -132161,7 +132184,7 @@ index 4a88fa1..52b1afc 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -672,6 +1061,15 @@ optional_policy(`
+@@ -672,6 +1065,15 @@ optional_policy(`
')
optional_policy(`
@@ -132177,7 +132200,7 @@ index 4a88fa1..52b1afc 100644
inn_exec_config(initrc_t)
')
-@@ -712,6 +1110,7 @@ optional_policy(`
+@@ -712,6 +1114,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -132185,7 +132208,7 @@ index 4a88fa1..52b1afc 100644
')
optional_policy(`
-@@ -729,7 +1128,14 @@ optional_policy(`
+@@ -729,7 +1132,14 @@ optional_policy(`
')
optional_policy(`
@@ -132200,7 +132223,7 @@ index 4a88fa1..52b1afc 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -752,6 +1158,10 @@ optional_policy(`
+@@ -752,6 +1162,10 @@ optional_policy(`
')
optional_policy(`
@@ -132211,7 +132234,7 @@ index 4a88fa1..52b1afc 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -761,10 +1171,20 @@ optional_policy(`
+@@ -761,10 +1175,20 @@ optional_policy(`
')
optional_policy(`
@@ -132232,7 +132255,7 @@ index 4a88fa1..52b1afc 100644
quota_manage_flags(initrc_t)
')
-@@ -773,6 +1193,10 @@ optional_policy(`
+@@ -773,6 +1197,10 @@ optional_policy(`
')
optional_policy(`
@@ -132243,7 +132266,7 @@ index 4a88fa1..52b1afc 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -794,8 +1218,6 @@ optional_policy(`
+@@ -794,8 +1222,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -132252,7 +132275,7 @@ index 4a88fa1..52b1afc 100644
')
optional_policy(`
-@@ -804,6 +1226,10 @@ optional_policy(`
+@@ -804,6 +1230,10 @@ optional_policy(`
')
optional_policy(`
@@ -132263,7 +132286,7 @@ index 4a88fa1..52b1afc 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -813,10 +1239,12 @@ optional_policy(`
+@@ -813,10 +1243,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -132276,7 +132299,7 @@ index 4a88fa1..52b1afc 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1256,6 @@ optional_policy(`
+@@ -828,8 +1260,6 @@ optional_policy(`
')
optional_policy(`
@@ -132285,7 +132308,7 @@ index 4a88fa1..52b1afc 100644
udev_manage_pid_files(initrc_t)
udev_manage_pid_dirs(initrc_t)
udev_manage_rules_files(initrc_t)
-@@ -840,12 +1266,30 @@ optional_policy(`
+@@ -840,12 +1270,30 @@ optional_policy(`
')
optional_policy(`
@@ -132318,7 +132341,7 @@ index 4a88fa1..52b1afc 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1299,18 @@ optional_policy(`
+@@ -855,6 +1303,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -132337,7 +132360,7 @@ index 4a88fa1..52b1afc 100644
')
optional_policy(`
-@@ -870,6 +1326,10 @@ optional_policy(`
+@@ -870,6 +1330,10 @@ optional_policy(`
')
optional_policy(`
@@ -132348,7 +132371,7 @@ index 4a88fa1..52b1afc 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -880,3 +1340,178 @@ optional_policy(`
+@@ -880,3 +1344,178 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -133020,10 +133043,15 @@ index 0646ee7..f0e41a1 100644
')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index ef8bbaf..0fbc39e 100644
+index ef8bbaf..a21d5fe 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
-@@ -28,14 +28,17 @@ ifdef(`distro_redhat',`
+@@ -1,3 +1,4 @@
++
+ #
+ # /emul
+ #
+@@ -28,14 +29,17 @@ ifdef(`distro_redhat',`
# /etc
#
/etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0)
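Review bot: The new `+@@ -1,3 +1,4 @@` hunk inserts an empty line (`++`) in front of the `# /emul` header at the top of libraries.fc, which changes nothing in the policy but shifts every later hunk offset in this file by one (`+@@ -28,14 +29,17 @@` and onward). That looks like an accidental edit picked up when the patch was regenerated; dropping the blank line keeps the rebased patch minimal and easier to compare with the previous revision.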
@@ -133042,7 +133070,7 @@ index ef8bbaf..0fbc39e 100644
/lib/.* gen_context(system_u:object_r:lib_t,s0)
/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-@@ -52,9 +55,8 @@ ifdef(`distro_gentoo',`
+@@ -52,9 +56,8 @@ ifdef(`distro_gentoo',`
#
# /opt
#
@@ -133053,7 +133081,7 @@ index ef8bbaf..0fbc39e 100644
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -103,6 +105,12 @@ ifdef(`distro_redhat',`
+@@ -103,6 +106,12 @@ ifdef(`distro_redhat',`
#
# /usr
#
@@ -133066,7 +133094,7 @@ index ef8bbaf..0fbc39e 100644
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -111,12 +119,12 @@ ifdef(`distro_redhat',`
+@@ -111,12 +120,12 @@ ifdef(`distro_redhat',`
/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
@@ -133081,7 +133109,7 @@ index ef8bbaf..0fbc39e 100644
/usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -140,6 +148,8 @@ ifdef(`distro_redhat',`
+@@ -140,6 +149,8 @@ ifdef(`distro_redhat',`
/usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -133090,7 +133118,7 @@ index ef8bbaf..0fbc39e 100644
/usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -147,12 +157,11 @@ ifdef(`distro_redhat',`
+@@ -147,12 +158,11 @@ ifdef(`distro_redhat',`
/usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -133106,7 +133134,7 @@ index ef8bbaf..0fbc39e 100644
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -181,6 +190,7 @@ ifdef(`distro_redhat',`
+@@ -181,11 +191,13 @@ ifdef(`distro_redhat',`
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -133114,7 +133142,13 @@ index ef8bbaf..0fbc39e 100644
/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -240,14 +250,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
+ /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/dri/fglrx_dri.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -240,14 +252,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
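Review bot: The added `/usr/lib/dri/fglrx_dri.so.*` leaves both dots unescaped, whereas the neighbouring entries (`/usr/lib/libFLAC\.so.*`, `/usr/lib/libfglrx_gamma\.so.*`) escape the suffix as `\.so`; in a file-context regex an unescaped dot matches any character. This commit also activates `/usr/lib/dri/.+\.so` for the same directory, which already covers the bare `fglrx_dri.so`, so the new line only contributes the versioned `.so.N` names. Suggest `/usr/lib/dri/fglrx_dri\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`.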
@@ -133130,7 +133164,7 @@ index ef8bbaf..0fbc39e 100644
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -269,20 +275,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -269,20 +277,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -133161,7 +133195,7 @@ index ef8bbaf..0fbc39e 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +304,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -299,17 +306,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -133256,6 +133290,10 @@ index ef8bbaf..0fbc39e 100644
+
+/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ifdef(`fixed',`
+/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
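Review bot: The three DRI patterns (`/usr/lib/xorg/modules/dri/.+\.so`, `/usr/X11R6/lib/modules/dri/.+\.so`, `/usr/lib/dri/.+\.so`) are moved out of the `ifdef(`fixed',` block into the unconditional part of the file (the matching removal is the next hunk), and since that block appears to be used to park disabled entries, the move is what makes them take effect. With textrel_shlib_t every module under those directories is now permitted text relocations, not only the proprietary driver that presumably needs them. A one-line comment above the block naming the driver(s) that require it, e.g. `# DRI modules that still carry text relocations (fglrx); see /usr/lib/dri/fglrx_dri above`, would record the intent, and if only specific drivers need it, narrowing the patterns to those names keeps the remaining DRI modules under the stricter default label.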
@@ -133274,9 +133312,6 @@ index ef8bbaf..0fbc39e 100644
+/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+# Flash plugin, Macromedia
+/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -135159,7 +135194,7 @@ index fe3427d..2a501db 100644
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..1c044d6 100644
+index 926ba65..9cac7b3 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -135265,19 +135300,20 @@ index 926ba65..1c044d6 100644
## Read public files used for file
## transfer services.
##
-@@ -744,8 +796,9 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -744,8 +796,10 @@ interface(`miscfiles_etc_filetrans_localization',`
type locale_t;
')
- files_etc_filetrans($1, locale_t, file)
-
++ files_etc_filetrans($1, locale_t, lnk_file)
+ files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
+ files_etc_filetrans($1, locale_t, file, "locale.conf" )
+ files_etc_filetrans($1, locale_t, file, "timezone" )
')
########################################
-@@ -769,3 +822,43 @@ interface(`miscfiles_manage_localization',`
+@@ -769,3 +823,43 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')
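Review bot: The new `files_etc_filetrans($1, locale_t, lnk_file)` has no name component, so every symlink the caller creates directly in /etc is labelled locale_t, while the following line already handles the one symlink that needs it with `files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )`. Unless another symlink name is meant to land in locale_t, the unnamed rule only widens what receives that label; dropping it, or giving it a name, keeps the transition scoped. The interface body starts above the hunk (only its `gen_require` tail is visible here).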
@@ -141363,10 +141399,10 @@ index 0280b32..61f19e9 100644
-')
+attribute unconfined_services;
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..ce61aed 100644
+index db75976..65191bd 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,20 @@
+@@ -1,4 +1,21 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -141374,6 +141410,7 @@ index db75976..ce61aed 100644
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
+/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++/root/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+/root/\.debug(/.*)? <>
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 83f2d78..30b1348 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -2072,7 +2072,7 @@ index 0000000..feabdf3
+ files_getattr_all_sockets(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index fd9fa07..50e40f7 100644
+index fd9fa07..9ac41bc 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,39 +1,57 @@
@@ -2217,7 +2217,7 @@ index fd9fa07..50e40f7 100644
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +146,25 @@ ifdef(`distro_debian', `
+@@ -109,3 +146,26 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -2235,6 +2235,7 @@ index fd9fa07..50e40f7 100644
+
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
++/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -3004,7 +3005,7 @@ index 6480167..e77ad76 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 0833afb..08c3720 100644
+index 0833afb..c1e855c 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3131,7 +3132,7 @@ index 0833afb..08c3720 100644
## Allow httpd to read home directories
##
##
-@@ -100,6 +173,20 @@ gen_tunable(httpd_enable_homedirs, false)
+@@ -100,6 +173,27 @@ gen_tunable(httpd_enable_homedirs, false)
##
##
@@ -3149,10 +3150,17 @@ index 0833afb..08c3720 100644
+
+##
+##
++## Allow Apache to query NS records
++##
++##
++gen_tunable(httpd_verify_dns, false)
++
++##
++##
## Allow httpd daemon to change its resource limits
##
##
-@@ -114,6 +201,13 @@ gen_tunable(httpd_ssi_exec, false)
+@@ -114,6 +208,13 @@ gen_tunable(httpd_ssi_exec, false)
##
##
@@ -3166,7 +3174,7 @@ index 0833afb..08c3720 100644
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
-@@ -130,12 +224,26 @@ gen_tunable(httpd_unified, false)
+@@ -130,12 +231,26 @@ gen_tunable(httpd_unified, false)
##
##
@@ -3193,7 +3201,7 @@ index 0833afb..08c3720 100644
##
## Allow httpd to run gpg
##
-@@ -149,12 +257,28 @@ gen_tunable(httpd_use_gpg, false)
+@@ -149,12 +264,28 @@ gen_tunable(httpd_use_gpg, false)
##
gen_tunable(httpd_use_nfs, false)
@@ -3222,7 +3230,7 @@ index 0833afb..08c3720 100644
attribute httpd_script_exec_type;
attribute httpd_user_script_exec_type;
-@@ -173,7 +297,7 @@ files_type(httpd_cache_t)
+@@ -173,7 +304,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
@@ -3231,7 +3239,7 @@ index 0833afb..08c3720 100644
type httpd_helper_t;
type httpd_helper_exec_t;
-@@ -184,6 +308,9 @@ role system_r types httpd_helper_t;
+@@ -184,6 +315,9 @@ role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -3241,7 +3249,7 @@ index 0833afb..08c3720 100644
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -223,7 +350,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -223,7 +357,21 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -3264,7 +3272,7 @@ index 0833afb..08c3720 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -233,6 +374,11 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -233,6 +381,11 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -3276,7 +3284,7 @@ index 0833afb..08c3720 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -240,6 +386,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -240,6 +393,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -3284,7 +3292,7 @@ index 0833afb..08c3720 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -261,14 +408,23 @@ files_type(httpd_var_lib_t)
+@@ -261,14 +415,23 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
@@ -3308,7 +3316,7 @@ index 0833afb..08c3720 100644
########################################
#
# Apache server local policy
-@@ -288,11 +444,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -288,11 +451,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
@@ -3322,7 +3330,7 @@ index 0833afb..08c3720 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -336,8 +494,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -336,8 +501,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -3334,7 +3342,7 @@ index 0833afb..08c3720 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -346,8 +506,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -346,8 +513,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -3345,7 +3353,7 @@ index 0833afb..08c3720 100644
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -362,8 +523,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -362,8 +530,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -3357,7 +3365,7 @@ index 0833afb..08c3720 100644
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
corenet_udp_sendrecv_generic_if(httpd_t)
-@@ -372,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -372,11 +542,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -3378,7 +3386,7 @@ index 0833afb..08c3720 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -385,9 +556,14 @@ dev_rw_crypto(httpd_t)
+@@ -385,9 +563,14 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -3393,7 +3401,7 @@ index 0833afb..08c3720 100644
# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_shell(httpd_t)
-@@ -396,61 +572,112 @@ domain_use_interactive_fds(httpd_t)
+@@ -396,61 +579,112 @@ domain_use_interactive_fds(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
@@ -3514,7 +3522,7 @@ index 0833afb..08c3720 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -461,27 +688,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -461,27 +695,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -3578,7 +3586,7 @@ index 0833afb..08c3720 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -491,7 +752,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -491,7 +759,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -3601,7 +3609,7 @@ index 0833afb..08c3720 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -511,9 +787,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -511,9 +794,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -3622,7 +3630,7 @@ index 0833afb..08c3720 100644
')
optional_policy(`
-@@ -525,6 +811,9 @@ optional_policy(`
+@@ -525,6 +818,9 @@ optional_policy(`
')
optional_policy(`
@@ -3632,7 +3640,7 @@ index 0833afb..08c3720 100644
cobbler_search_lib(httpd_t)
')
-@@ -540,6 +829,24 @@ optional_policy(`
+@@ -540,6 +836,24 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -3657,7 +3665,7 @@ index 0833afb..08c3720 100644
optional_policy(`
dbus_system_bus_client(httpd_t)
-@@ -549,13 +856,24 @@ optional_policy(`
+@@ -549,13 +863,24 @@ optional_policy(`
')
optional_policy(`
@@ -3683,7 +3691,7 @@ index 0833afb..08c3720 100644
')
optional_policy(`
-@@ -573,7 +891,21 @@ optional_policy(`
+@@ -573,7 +898,21 @@ optional_policy(`
')
optional_policy(`
@@ -3705,7 +3713,7 @@ index 0833afb..08c3720 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -584,6 +916,7 @@ optional_policy(`
+@@ -584,6 +923,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -3713,7 +3721,7 @@ index 0833afb..08c3720 100644
')
optional_policy(`
-@@ -594,6 +927,36 @@ optional_policy(`
+@@ -594,6 +934,36 @@ optional_policy(`
')
optional_policy(`
@@ -3750,7 +3758,7 @@ index 0833afb..08c3720 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -608,6 +971,11 @@ optional_policy(`
+@@ -608,6 +978,11 @@ optional_policy(`
')
optional_policy(`
@@ -3762,7 +3770,7 @@ index 0833afb..08c3720 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -620,6 +988,12 @@ optional_policy(`
+@@ -620,6 +995,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -3775,13 +3783,17 @@ index 0833afb..08c3720 100644
########################################
#
# Apache helper local policy
-@@ -633,7 +1007,38 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1014,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
-userdom_use_user_terminals(httpd_helper_t)
+userdom_use_inherited_user_terminals(httpd_helper_t)
+
++tunable_policy(`httpd_verify_dns',`
++ corenet_udp_bind_all_ephemeral_ports(httpd_t)
++')
++
+tunable_policy(`httpd_run_stickshift', `
+ allow httpd_t self:capability { fowner fsetid sys_resource };
+ dontaudit httpd_t self:capability sys_ptrace;
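Review bot: The new `tunable_policy(`httpd_verify_dns',...)` block at the top of this hunk grants `corenet_udp_bind_all_ephemeral_ports(httpd_t)` but sits in the "Apache helper local policy" section, directly after the `httpd_helper_t` rules, so a reader looking for httpd_t network rules will not find it here. It follows the existing `httpd_run_stickshift` block, which has the same placement, so this may be deliberate; otherwise both belong next to the other `corenet_*(httpd_t)` rules in the server section. A why-comment would also help, e.g. `# httpd_verify_dns: outgoing DNS lookups need a local UDP port to receive the reply on`. The matching tunable declaration is in the hunk at `@@ -3149,10 +3150,17 @@`.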
@@ -3815,7 +3827,7 @@ index 0833afb..08c3720 100644
########################################
#
-@@ -671,28 +1076,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1087,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -3859,7 +3871,7 @@ index 0833afb..08c3720 100644
')
########################################
-@@ -702,6 +1109,7 @@ optional_policy(`
+@@ -702,6 +1120,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -3867,7 +3879,7 @@ index 0833afb..08c3720 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1124,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1135,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -3896,7 +3908,7 @@ index 0833afb..08c3720 100644
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -738,15 +1154,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1165,14 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -3914,7 +3926,7 @@ index 0833afb..08c3720 100644
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1172,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1183,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -3947,7 +3959,7 @@ index 0833afb..08c3720 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1219,25 @@ optional_policy(`
+@@ -786,6 +1230,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -3973,7 +3985,7 @@ index 0833afb..08c3720 100644
########################################
#
# Apache system script local policy
-@@ -806,12 +1258,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1269,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -3991,7 +4003,7 @@ index 0833afb..08c3720 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -820,18 +1277,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1288,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -4050,7 +4062,7 @@ index 0833afb..08c3720 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1328,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1339,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -4091,7 +4103,7 @@ index 0833afb..08c3720 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -859,10 +1373,20 @@ optional_policy(`
+@@ -859,10 +1384,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -4112,7 +4124,7 @@ index 0833afb..08c3720 100644
')
########################################
-@@ -878,11 +1402,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1413,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -4124,7 +4136,7 @@ index 0833afb..08c3720 100644
########################################
#
-@@ -908,11 +1430,138 @@ optional_policy(`
+@@ -908,11 +1441,138 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -4880,6 +4892,192 @@ index 159610b..164b672 100644
mysql_stream_connect(asterisk_t)
')
+diff --git a/authconfig.fc b/authconfig.fc
+new file mode 100644
+index 0000000..86bbf21
+--- /dev/null
++++ b/authconfig.fc
+@@ -0,0 +1,3 @@
++/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
++
++/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
+diff --git a/authconfig.if b/authconfig.if
+new file mode 100644
+index 0000000..98ab9ed
+--- /dev/null
++++ b/authconfig.if
+@@ -0,0 +1,132 @@
++
++## policy for authconfig
++
++########################################
++##
++## Execute TEMPLATE in the authconfig domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`authconfig_domtrans',`
++ gen_require(`
++ type authconfig_t, authconfig_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, authconfig_exec_t, authconfig_t)
++')
++
++########################################
++##
++## Search authconfig lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_search_lib',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ allow $1 authconfig_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read authconfig lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_read_lib_files',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
++')
++
++########################################
++##
++## Manage authconfig lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_manage_lib_files',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
++')
++
++########################################
++##
++## Manage authconfig lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_manage_lib_dirs',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an authconfig environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`authconfig_admin',`
++ gen_require(`
++ type authconfig_t;
++ type authconfig_var_lib_t;
++ ')
++
++ allow $1 authconfig_t:process { ptrace signal_perms };
++ ps_process_pattern($1, authconfig_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, authconfig_var_lib_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/authconfig.te b/authconfig.te
+new file mode 100644
+index 0000000..aeea7cf
+--- /dev/null
++++ b/authconfig.te
+@@ -0,0 +1,33 @@
++policy_module(authconfig, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type authconfig_t;
++type authconfig_exec_t;
++application_domain(authconfig_t, authconfig_exec_t)
++
++type authconfig_var_lib_t;
++files_type(authconfig_var_lib_t)
++
++########################################
++#
++# authconfig local policy
++#
++allow authconfig_t self:fifo_file rw_fifo_file_perms;
++allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
++manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
++manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
++files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
++
++domain_use_interactive_fds(authconfig_t)
++
++files_read_etc_files(authconfig_t)
++
++init_domtrans_script(authconfig_t)
++
++unconfined_domain_noaudit(authconfig_t)
diff --git a/automount.fc b/automount.fc
index f16ab68..e4178a4 100644
--- a/automount.fc
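Review bot: `unconfined_domain_noaudit(authconfig_t)` at the end of the new authconfig.te makes every preceding rule in the module redundant and leaves authconfig_t effectively unconfined, and the realmd hunk at `@@ -52503,6 +52709,10 @@` adds `authconfig_domtrans(realmd_t)`, so a transition out of realmd_t now lands in an unconfined domain. If this is a bootstrap step while the policy is still being written, say so above the line, e.g. `# TODO: drop once authconfig_t is confined; see <BUG-PLACEHOLDER>`, and consider a `permissive authconfig_t` declaration instead, which keeps the AVC records needed to finish the policy. Separately, the doc header of `authconfig_domtrans` in authconfig.if still reads `Execute TEMPLATE in the authconfig domin.`; it should read `Execute authconfig in the authconfig domain.`.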
@@ -9437,10 +9635,10 @@ index 0000000..8ac848b
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 0000000..7a7220c
+index 0000000..1e73280
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,198 @@
+@@ -0,0 +1,199 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -9499,6 +9697,7 @@ index 0000000..7a7220c
+
+dev_read_rand(cloudform_domain)
+dev_read_urand(cloudform_domain)
++dev_read_sysfs(cloudform_domain)
+
+files_read_etc_files(cloudform_domain)
+
@@ -16513,7 +16712,7 @@ index f706b99..aa049fc 100644
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index 1819518..4848cfe 100644
+index 1819518..1363f96 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.0)
@@ -16642,7 +16841,7 @@ index 1819518..4848cfe 100644
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
')
-@@ -178,55 +194,83 @@ optional_policy(`
+@@ -178,55 +194,84 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -16660,6 +16859,7 @@ index 1819518..4848cfe 100644
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-allow devicekit_power_t self:process getsched;
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
++allow devicekit_power_t self:capability2 compromise_kernel;
+allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
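Review bot: `allow devicekit_power_t self:capability2 compromise_kernel;` is added unconditionally and without a comment, while the same hunk drops `sys_ptrace` from the capability set; nothing in the hunk records which operation triggers the new denial. `compromise_kernel` is a broad capability, so the rule should carry a comment naming the access it covers, e.g. `# <operation> trips compromise_kernel, see <BUG-PLACEHOLDER>`, and a `dontaudit` should be considered if the daemon works without that operation succeeding. The same unexplained grant appears for virtd_t in the hunk at `@@ -68685,13 +68911,14 @@`.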
@@ -16733,7 +16933,7 @@ index 1819518..4848cfe 100644
userdom_read_all_users_state(devicekit_power_t)
-@@ -235,10 +279,16 @@ optional_policy(`
+@@ -235,10 +280,16 @@ optional_policy(`
')
optional_policy(`
@@ -16750,7 +16950,7 @@ index 1819518..4848cfe 100644
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -261,14 +311,21 @@ optional_policy(`
+@@ -261,14 +312,21 @@ optional_policy(`
')
optional_policy(`
@@ -16773,7 +16973,7 @@ index 1819518..4848cfe 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +333,31 @@ optional_policy(`
+@@ -276,9 +334,31 @@ optional_policy(`
')
optional_policy(`
@@ -26889,10 +27089,10 @@ index 0000000..1b3514a
+
diff --git a/isnsd.te b/isnsd.te
new file mode 100644
-index 0000000..fa4b4d7
+index 0000000..951fbae
--- /dev/null
+++ b/isnsd.te
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,52 @@
+policy_module(isnsd, 1.0.0)
+
+########################################
@@ -26922,6 +27122,7 @@ index 0000000..fa4b4d7
+allow isnsd_t self:process { signal };
+
+allow isnsd_t self:fifo_file rw_fifo_file_perms;
++allow isnsd_t self:tcp_socket { listen };
+allow isnsd_t self:udp_socket { listen };
+allow isnsd_t self:unix_stream_socket create_stream_socket_perms;
+
@@ -28148,7 +28349,7 @@ index 4198ff5..d1ab262 100644
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
diff --git a/kdump.te b/kdump.te
-index b29d8e2..7bc0ab1 100644
+index b29d8e2..6a6dcf0 100644
--- a/kdump.te
+++ b/kdump.te
@@ -15,15 +15,28 @@ files_config_file(kdump_etc_t)
@@ -28180,7 +28381,7 @@ index b29d8e2..7bc0ab1 100644
files_read_etc_runtime_files(kdump_t)
files_read_kernel_img(kdump_t)
-@@ -36,3 +49,85 @@ dev_read_framebuffer(kdump_t)
+@@ -36,3 +49,87 @@ dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t)
term_use_console(kdump_t)
@@ -28201,9 +28402,11 @@ index b29d8e2..7bc0ab1 100644
+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
++manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
++can_exec(kdumpctl_t, kdumpctl_tmp_t)
+
+read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
+
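Review bot: `can_exec(kdumpctl_t, kdumpctl_tmp_t)` together with the `manage_*_pattern` rules above it lets kdumpctl_t execute content it can also create and modify in its own tmp type; that write-and-execute combination on a single type is worth a comment naming what is executed there, e.g. `# <what kdumpctl runs from kdumpctl_tmp_t and why>`, or a separate exec type if the executed content is static. The new `manage_chr_files_pattern` is not mirrored in `files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })` on the following line, so a character device created directly in a generic tmp directory would not receive kdumpctl_tmp_t; if that is the intended creation path, add `chr_file` to the class list. The enclosing kdumpctl_t section continues outside the hunk.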
@@ -32334,13 +32537,14 @@ index b681608..9c4fc55 100644
-miscfiles_read_localization(memcached_t)
diff --git a/milter.fc b/milter.fc
-index 1ec5a6c..9485753 100644
+index 1ec5a6c..64ac6f0 100644
--- a/milter.fc
+++ b/milter.fc
-@@ -1,13 +1,21 @@
+@@ -1,15 +1,26 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
++/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
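Review bot: The new `/usr/sbin/opendkim` entry places opendkim in the dkim_milter domain, but only the executable and, in the hunk at `@@ -32359,7 +32563,11 @@`, its `/var/run/opendkim` and `/var/spool/opendkim` directories are labeled; the private-key labeling stays limited to `/etc/mail/dkim-milter/keys(/.*)?`. If opendkim keeps its signing keys anywhere else, they fall back to the generic etc label and are not covered by `dkim_milter_private_key_t`, so the package's key directory should be confirmed and given a matching line, e.g. `<OPENDKIM-KEY-DIR>(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)`.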
@@ -32359,7 +32563,11 @@ index 1ec5a6c..9485753 100644
+/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+ /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/milter.if b/milter.if
index ee72cbe..bdf319a 100644
--- a/milter.if
@@ -33657,7 +33865,7 @@ index b397fde..c7c031d 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..1c81b41 100644
+index d4fcb75..a54e4ec 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -33857,7 +34065,7 @@ index d4fcb75..1c81b41 100644
-files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
-userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
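Review bot: `lnk_file` is added to the class list of `files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, ...)` but not to `userdom_user_tmp_filetrans(...)` on the next line, which still reads `{ dir file fifo_file sock_file }`, while the `xserver_xdm_tmp_filetrans` line below already includes it. A symlink the plugin creates in a user tmp directory would therefore keep the directory's type instead of mozilla_plugin_tmp_t; unless that asymmetry is intended, change the line to `userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })`.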
@@ -44460,10 +44668,10 @@ index 0000000..83c13cf
+
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..5e5f291
+index 0000000..733a153
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,289 @@
+@@ -0,0 +1,287 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -44725,8 +44933,6 @@ index 0000000..5e5f291
+domain_dontaudit_read_all_domains_state(pki_apache_domain)
+ps_process_pattern(pki_apache_domain, pki_apache_domain)
+
-+miscfiles_read_localization(pki_apache_domain)
-+
+sysnet_read_config(pki_apache_domain)
+
+ifdef(`targeted_policy',`
@@ -52453,10 +52659,10 @@ index 0000000..e38693b
+')
diff --git a/realmd.te b/realmd.te
new file mode 100644
-index 0000000..b1347a4
+index 0000000..8ef2a1b
--- /dev/null
+++ b/realmd.te
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,97 @@
+policy_module(realmd, 1.0.0)
+
+########################################
@@ -52503,6 +52709,10 @@ index 0000000..b1347a4
+#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
+
+optional_policy(`
++ authconfig_domtrans(realmd_t)
++')
++
++optional_policy(`
+ dbus_system_domain(realmd_t, realmd_exec_t)
+
+ optional_policy(`
@@ -54846,10 +55056,10 @@ index 0000000..8b505d5
+')
diff --git a/rngd.te b/rngd.te
new file mode 100644
-index 0000000..243ecf9
+index 0000000..868faed
--- /dev/null
+++ b/rngd.te
-@@ -0,0 +1,39 @@
+@@ -0,0 +1,37 @@
+policy_module(rngd, 1.0.0)
+
+########################################
@@ -54887,8 +55097,6 @@ index 0000000..243ecf9
+files_read_etc_files(rngd_t)
+
+logging_send_syslog_msg(rngd_t)
-+
-+miscfiles_read_localization(rngd_t)
diff --git a/roundup.if b/roundup.if
index 30c4b75..e07c2ff 100644
--- a/roundup.if
@@ -55463,7 +55671,7 @@ index f5c47d6..164ce1f 100644
-/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+/var/run/rpcbind.* gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --git a/rpcbind.if b/rpcbind.if
-index a96249c..5f38427 100644
+index a96249c..54e6f2d 100644
--- a/rpcbind.if
+++ b/rpcbind.if
@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
@@ -55476,7 +55684,7 @@ index a96249c..5f38427 100644
')
########################################
-@@ -117,6 +116,24 @@ interface(`rpcbind_manage_lib_files',`
+@@ -117,6 +116,42 @@ interface(`rpcbind_manage_lib_files',`
########################################
##
@@ -55498,10 +55706,28 @@ index a96249c..5f38427 100644
+
+########################################
+##
++## Transition to rpcbind named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpcbind_filetrans_named_content',`
++ gen_require(`
++ type rpcbind_var_run_t;
++ ')
++
++ files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock")
++')
++
++########################################
++##
## All of the rules required to administrate
## an rpcbind environment
##
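Review bot: The summary of the new `rpcbind_filetrans_named_content` interface, `Transition to rpcbind named content`, does not say what the interface covers; its body is a single `files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock")`. Name the object in the summary, e.g. `Create rpcbind.sock in the pid directory with the rpcbind runtime type`, so callers can tell that pid files and other objects are not handled by it.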
-@@ -138,11 +155,20 @@ interface(`rpcbind_admin',`
+@@ -138,11 +173,20 @@ interface(`rpcbind_admin',`
type rpcbind_initrc_exec_t;
')
@@ -68387,7 +68613,7 @@ index 6f0736b..cebdb3e 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..ad97e84 100644
+index 947bbc6..2ab5066 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
@@ -68685,13 +68911,14 @@ index 947bbc6..ad97e84 100644
xen_rw_image_files(svirt_t)
')
-@@ -176,22 +297,41 @@ optional_policy(`
+@@ -176,22 +297,42 @@ optional_policy(`
# virtd local policy
#
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
++allow virtd_t self:capability2 compromise_kernel;
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
@@ -68734,7 +68961,7 @@ index 947bbc6..ad97e84 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +342,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +343,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -68769,7 +68996,7 @@ index 947bbc6..ad97e84 100644
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +374,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +375,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -68784,6 +69011,7 @@ index 947bbc6..ad97e84 100644
+kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
++kernel_setsched(virtd_t)
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
@@ -68792,7 +69020,7 @@ index 947bbc6..ad97e84 100644
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +401,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +403,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -68826,7 +69054,7 @@ index 947bbc6..ad97e84 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +433,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +435,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -68845,7 +69073,7 @@ index 947bbc6..ad97e84 100644
mcs_process_set_categories(virtd_t)
-@@ -284,7 +459,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +461,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -68855,7 +69083,7 @@ index 947bbc6..ad97e84 100644
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +469,32 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +471,32 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -68888,7 +69116,7 @@ index 947bbc6..ad97e84 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +513,10 @@ optional_policy(`
+@@ -322,6 +515,10 @@ optional_policy(`
')
optional_policy(`
@@ -68899,7 +69127,7 @@ index 947bbc6..ad97e84 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -335,19 +530,34 @@ optional_policy(`
+@@ -335,19 +532,34 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -68935,7 +69163,7 @@ index 947bbc6..ad97e84 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -362,6 +572,12 @@ optional_policy(`
+@@ -362,6 +574,12 @@ optional_policy(`
')
optional_policy(`
@@ -68948,7 +69176,7 @@ index 947bbc6..ad97e84 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +585,11 @@ optional_policy(`
+@@ -369,11 +587,11 @@ optional_policy(`
')
optional_policy(`
@@ -68965,7 +69193,7 @@ index 947bbc6..ad97e84 100644
')
optional_policy(`
-@@ -384,6 +600,7 @@ optional_policy(`
+@@ -384,6 +602,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -68973,7 +69201,7 @@ index 947bbc6..ad97e84 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -403,34 +620,48 @@ optional_policy(`
+@@ -403,34 +622,48 @@ optional_policy(`
# virtual domains common policy
#
@@ -69029,7 +69257,7 @@ index 947bbc6..ad97e84 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,10 +669,11 @@ dev_write_sound(virt_domain)
+@@ -438,10 +671,11 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -69042,7 +69270,7 @@ index 947bbc6..ad97e84 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -449,23 +681,512 @@ files_search_all(virt_domain)
+@@ -449,23 +683,513 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -69160,6 +69388,9 @@ index 947bbc6..ad97e84 100644
+
+term_use_all_inherited_terms(virsh_t)
+
++userdom_search_admin_dir(virsh_t)
++userdom_read_home_certs(virsh_t)
++
+init_stream_connect_script(virsh_t)
+init_rw_script_stream_sockets(virsh_t)
+init_use_fds(virsh_t)
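Review bot: The new `userdom_read_home_certs(virsh_t)` grants virsh read access to home_cert_t content in every user's home directory, not only the `/root/.pki` named in the changelog, and the hunk does not say why virsh needs it. If the intent is that virsh can use the TLS client certificate and key in `~/.pki` when connecting to a remote libvirtd, that is reasonable, but the grant should say so at the rule, since home_cert_t directories presumably hold private key material as well as certificates. I would add `# virsh reads the TLS client cert/key from ~/.pki (home_cert_t), including /root/.pki` above the two new lines, and note that `userdom_search_admin_dir` is only there to let it traverse /root. The enclosing virsh_t rule set starts and ends outside this hunk.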
@@ -69429,7 +69660,7 @@ index 947bbc6..ad97e84 100644
+virt_lxc_domain_template(svirt_lxc_net)
+
+allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+dontaudit svirt_lxc_net_t self:capability2 { block_suspend };
++dontaudit svirt_lxc_net_t self:capability2 block_suspend;
+
+allow svirt_lxc_net_t self:process setrlimit;
+
@@ -69554,8 +69785,6 @@ index 947bbc6..ad97e84 100644
+
+logging_send_syslog_msg(virt_qemu_ga_t)
+
-+miscfiles_read_localization(virt_qemu_ga_t)
-+
+sysnet_dns_name_resolve(virt_qemu_ga_t)
+
diff --git a/vlock.te b/vlock.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 647f4dd..b78f6b4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 47%{?dist}
+Release: 48%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -522,6 +522,20 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Oct 30 2012 Miroslav Grepl 3.11.1-48
+- Fix label on /etc/group.lock
+- Allow gnomeclock to create lnk_file in /etc
+- label /root/.pki as a home_cert_t
+- Add interface to make sure rpcbind.sock is created with the correct label
+- Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules
+- opendkim should be a part of milter
+- Allow libvirt to set the kernel sched algorythm
+- Allow mongod to read sysfs_t
+- Add authconfig policy
+- Remove calls to miscfiles_read_localization all domains get this
+- Allow virsh_t to read /root/.pki/ content
+- Add label for log directory under /var/www/stickshift
+
* Mon Oct 29 2012 Miroslav Grepl 3.11.1-47
- Allow getty to setattr on usb ttys
- Allow sshd to search all directories for sshd_home_t content