From a13ca3133facf6c53e92da5de776530d888cfa99 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Apr 06 2012 12:39:57 +0000
Subject: * Fri Apr 6 2012 Miroslav Grepl 3.10.0-82
- Add httpd_use_fusefs boolean
- /etc/auto.* should be labeled bin_t
- Allow sshd_t to signal processes that it transitions to
- Rename rdate port to time port, and allow gnomeclock to connect to it
- Make amavis as nsswitch domain to allow using NIS
- Make procmail_t as home manager
- Allow systemd-tmpfiles to getattr/delete fifo_file and sock_file
- Add port definition for l2tp ports
- Make qemu-dm run in the xend_t domain
- Allow accountsd to read /proc data about gdm
- Allow rtkit to schedule wine processes
- label /var/lib/sss/mc same as pubconf
- Allow NM to read system config file
---
diff --git a/policy-F16.patch b/policy-F16.patch
index de11716..eed2aaa 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4955,7 +4955,7 @@ index 0000000..a03aec4
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..689a667
+index 0000000..1957119
--- /dev/null
+++ b/policy/modules/apps/chrome.te
@@ -0,0 +1,188 @@
@@ -5141,7 +5141,7 @@ index 0000000..689a667
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
-+userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+
+optional_policy(`
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
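Review bot: The switch from `userdom_read_inherited_user_tmp_files` to `userdom_rw_inherited_user_tmp_files` for `chrome_sandbox_nacl_t` widens what the NaCl sandbox domain may do to files the browser hands it, yet none of the changelog items in this commit mention it. That domain exists to contain untrusted native code, so a write grant on inherited user tmp files deserves a one-line justification in the policy; presumably the helper has to write shared-memory-backed files passed over its IPC channel, but that is inferred, not visible here. I would put `# nacl helper must write, not just read, tmp files inherited from the browser (presumably shm segments)` above the rule and add a matching changelog entry. The chrome_sandbox_nacl_t rule block continues outside this hunk.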
@@ -12909,7 +12909,7 @@ index f9a73d0..e10101a 100644
xserver_role($1_r, $1_wine_t)
')
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
-index be9246b..e3de8fa 100644
+index be9246b..90848c7 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -40,7 +40,7 @@ domain_mmap_low(wine_t)
@@ -12921,6 +12921,17 @@ index be9246b..e3de8fa 100644
tunable_policy(`wine_mmap_zero_ignore',`
dontaudit wine_t self:memprotect mmap_zero;
+@@ -55,6 +55,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rtkit_scheduled(wine_t)
++')
++
++optional_policy(`
+ unconfined_domain(wine_t)
+ ')
+
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 8bfe97d..95a3d06 100644
--- a/policy/modules/apps/wireshark.te
@@ -13028,10 +13039,18 @@ index 223ad43..d95e720 100644
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..b21e0b7 100644
+index 3fae11a..1334cc8 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
-@@ -71,6 +71,11 @@ ifdef(`distro_redhat',`
+@@ -46,6 +46,7 @@ ifdef(`distro_redhat',`
+ /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
+
++/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
+@@ -71,6 +72,11 @@ ifdef(`distro_redhat',`
/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
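Review bot: The new `/etc/auto\.[^/]*` entry labels every autofs map file `bin_t`, not only the executable program maps (`auto.net`, `auto.smb`): `auto.master` and `auto.misc` are plain map data that were previously `etc_t`. That silently changes who may write them (domains that manage `etc_t` configuration lose access, domains that manage `bin_t` gain it) and erases the distinction between a map automount reads and a program automount executes. If the intent is only the shipped program maps, `/etc/auto\.(net|smb)  --  gen_context(system_u:object_r:bin_t,s0)` is tighter; if site-written program maps with arbitrary names must also work, keep the broad pattern but add `# autofs program maps are executed by automount; names are site-defined, so all auto.* are bin_t` so the next reader does not narrow it. The changelog line "/etc/auto.* should be labeled bin_t" does not explain which of the two was meant.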
@@ -13043,7 +13062,7 @@ index 3fae11a..b21e0b7 100644
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -97,8 +102,6 @@ ifdef(`distro_redhat',`
+@@ -97,8 +103,6 @@ ifdef(`distro_redhat',`
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -13052,7 +13071,7 @@ index 3fae11a..b21e0b7 100644
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -130,18 +133,15 @@ ifdef(`distro_debian',`
+@@ -130,18 +134,15 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -13073,7 +13092,7 @@ index 3fae11a..b21e0b7 100644
/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +168,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +169,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -13081,7 +13100,7 @@ index 3fae11a..b21e0b7 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -179,6 +180,8 @@ ifdef(`distro_gentoo',`
+@@ -179,6 +181,8 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -13090,7 +13109,7 @@ index 3fae11a..b21e0b7 100644
#
# /usr
#
-@@ -198,48 +201,51 @@ ifdef(`distro_gentoo',`
+@@ -198,48 +202,51 @@ ifdef(`distro_gentoo',`
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
@@ -13184,7 +13203,7 @@ index 3fae11a..b21e0b7 100644
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,9 +253,13 @@ ifdef(`distro_gentoo',`
+@@ -247,9 +254,13 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -13199,7 +13218,7 @@ index 3fae11a..b21e0b7 100644
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +277,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +278,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -13210,7 +13229,7 @@ index 3fae11a..b21e0b7 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +300,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +301,19 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -13231,7 +13250,7 @@ index 3fae11a..b21e0b7 100644
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +324,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +325,11 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -13245,7 +13264,7 @@ index 3fae11a..b21e0b7 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +338,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +339,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -13257,7 +13276,7 @@ index 3fae11a..b21e0b7 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +384,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +385,7 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -13266,7 +13285,7 @@ index 3fae11a..b21e0b7 100644
/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
')
-@@ -375,8 +396,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +397,9 @@ ifdef(`distro_suse', `
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -13278,7 +13297,7 @@ index 3fae11a..b21e0b7 100644
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +407,12 @@ ifdef(`distro_suse', `
+@@ -385,3 +408,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -14619,7 +14638,7 @@ index 4f3b542..f4e36ee 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..a96b835 100644
+index 99b71cb..43656b7 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -14760,7 +14779,7 @@ index 99b71cb..a96b835 100644
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +172,26 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +172,27 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -14775,6 +14794,7 @@ index 99b71cb..a96b835 100644
network_port(kismet, tcp,2501,s0)
network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
++network_port(l2tp, tcp,1701,s0, udp,1701,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lirc, tcp,8765,s0)
+network_port(luci, tcp,8084,s0)
@@ -14790,7 +14810,7 @@ index 99b71cb..a96b835 100644
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +201,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +202,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -14823,11 +14843,11 @@ index 99b71cb..a96b835 100644
network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
-@@ -179,34 +238,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,34 +239,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
-+network_port(rdate, tcp,37,s0, udp,37,s0)
++network_port(time, tcp,37,s0, udp,37,s0)
+network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
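Review bot: Renaming the port definition from `rdate` to `time` changes the generated type from `rdate_port_t` to `time_port_t` and every generated interface (`corenet_tcp_connect_rdate_port` and friends), so any module or local policy still using the old names stops building or loading, and nothing in the visible diff preserves them. Unless the rest of the patch updates every caller, a compatibility alias next to the definition, `typealias time_port_t alias rdate_port_t;`, keeps already-built modules loading; the file already does this for `netif_t` (`typealias netif_t alias { lo_netif_t netif_lo_t };`), and the changelog should state that the `*_rdate_port` interfaces are gone. The gnomeclock change the changelog mentions is not in this chunk, so I cannot confirm the callers were updated.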
@@ -14870,7 +14890,7 @@ index 99b71cb..a96b835 100644
network_port(traceroute, udp,64000-64010,s0)
network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
-@@ -215,9 +281,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +282,12 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -14884,7 +14904,7 @@ index 99b71cb..a96b835 100644
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -229,6 +298,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +299,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14892,7 +14912,7 @@ index 99b71cb..a96b835 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,6 +308,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +309,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14905,7 +14925,7 @@ index 99b71cb..a96b835 100644
########################################
#
-@@ -282,9 +358,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +359,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -19060,7 +19080,7 @@ index 22821ff..20251b0 100644
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..fdb4b09 100644
+index 97fcdac..7adc55b 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -19358,7 +19378,76 @@ index 97fcdac..fdb4b09 100644
########################################
##
## Do not audit attempts to create,
-@@ -2080,6 +2260,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2025,6 +2205,68 @@ interface(`fs_read_fusefs_symlinks',`
+
+ ########################################
+ ##
++## Manage symbolic links on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_fusefs_symlinks',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain.
++##
++##
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain. This is not suggested.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++## This interface was added to handle
++## home directories on FUSE filesystems,
++## in particular used by the ssh-agent policy.
++##
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`fs_fusefs_domtrans',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:dir search_dir_perms;
++ domain_auto_transition_pattern($1, fusefs_t, $2)
++')
++
++########################################
++##
+ ## Get the attributes of an hugetlbfs
+ ## filesystem.
+ ##
+@@ -2080,6 +2322,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
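Review bot: The description block of `fs_fusefs_domtrans` is copied from the NFS/CIFS siblings and is wrong for this interface: it claims it "was added to handle home directories on FUSE filesystems, in particular used by the ssh-agent policy", whereas the only consumer this commit introduces is the `httpd_use_fusefs` tunable in apache.te. More important is the caveat the NFS/CIFS text does not carry over: a FUSE mount is usually created by an unprivileged user (sshfs, gvfs), so unlike an administrator-controlled NFS export the contents of `fusefs_t` can be chosen by any local user who is allowed to mount, and a domain transition over them is a transition over untrusted input. I would replace the last description paragraph with `This interface was added for the httpd_use_fusefs tunable. FUSE filesystems are typically mounted by unprivileged users, so every file on them must be treated as untrusted by the target domain.` The existing "This is not suggested" sentence should stay.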
########################################
##
@@ -19383,7 +19472,7 @@ index 97fcdac..fdb4b09 100644
## Read and write hugetlbfs files.
##
##
-@@ -2148,6 +2346,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,6 +2408,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -19391,7 +19480,7 @@ index 97fcdac..fdb4b09 100644
')
########################################
-@@ -2480,6 +2679,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2741,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -19399,7 +19488,7 @@ index 97fcdac..fdb4b09 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2518,6 +2718,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2780,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -19407,7 +19496,7 @@ index 97fcdac..fdb4b09 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2544,6 +2745,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2807,25 @@ interface(`fs_exec_nfs_files',`
########################################
##
@@ -19433,7 +19522,7 @@ index 97fcdac..fdb4b09 100644
## Append files
## on a NFS filesystem.
##
-@@ -2584,6 +2804,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2866,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
##
@@ -19476,7 +19565,7 @@ index 97fcdac..fdb4b09 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
##
-@@ -2598,7 +2854,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2916,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -19485,7 +19574,7 @@ index 97fcdac..fdb4b09 100644
')
########################################
-@@ -2736,7 +2992,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +3054,7 @@ interface(`fs_search_removable',`
##
##
##
@@ -19494,7 +19583,7 @@ index 97fcdac..fdb4b09 100644
##
##
#
-@@ -2772,7 +3028,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3090,7 @@ interface(`fs_read_removable_files',`
##
##
##
@@ -19503,7 +19592,7 @@ index 97fcdac..fdb4b09 100644
##
##
#
-@@ -2965,6 +3221,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3283,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -19511,7 +19600,7 @@ index 97fcdac..fdb4b09 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3005,6 +3262,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3324,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -19519,7 +19608,7 @@ index 97fcdac..fdb4b09 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3045,6 +3303,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3365,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -19527,7 +19616,7 @@ index 97fcdac..fdb4b09 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3258,6 +3517,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3258,6 +3579,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@@ -19552,7 +19641,7 @@ index 97fcdac..fdb4b09 100644
########################################
##
## Read and write NFS server files.
-@@ -3958,6 +4235,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4297,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
##
@@ -19595,7 +19684,7 @@ index 97fcdac..fdb4b09 100644
## Create, read, write, and delete
## tmpfs directories
##
-@@ -4175,6 +4488,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4550,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
##
@@ -19620,7 +19709,7 @@ index 97fcdac..fdb4b09 100644
## Relabel character nodes on tmpfs filesystems.
##
##
-@@ -4251,6 +4582,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4644,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
##
@@ -19646,7 +19735,7 @@ index 97fcdac..fdb4b09 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
##
-@@ -4457,6 +4807,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4869,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -19655,7 +19744,7 @@ index 97fcdac..fdb4b09 100644
')
########################################
-@@ -4503,7 +4855,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4917,7 @@ interface(`fs_unmount_all_fs',`
##
##
## Allow the specified domain to
@@ -19664,7 +19753,7 @@ index 97fcdac..fdb4b09 100644
## Example attributes:
##
##
-@@ -4866,3 +5218,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5280,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -20651,7 +20740,7 @@ index 57c4a6a..6a19a94 100644
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..3e38191 100644
+index 1700ef2..6499ecb 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -20671,7 +20760,38 @@ index 1700ef2..3e38191 100644
dev_add_entry_generic_dirs($1)
')
-@@ -808,3 +811,369 @@ interface(`storage_unconfined',`
+@@ -267,6 +270,30 @@ interface(`storage_dev_filetrans_fixed_disk',`
+ ')
+
+ dev_filetrans($1, fixed_disk_device_t, blk_file)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
+ ')
+
+ ########################################
+@@ -808,3 +835,369 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
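Review bot: Named file transitions match the exact final path component, so the `megadev0`…`megadev9` and `raw0`…`raw9` lists stop at a single digit: a `megadev10` or `raw10` node created by a domain using this interface silently gets the default label instead of `fixed_disk_device_t`. As far as I recall, raw devices can have minors well past 9, in which case the enumeration is only a partial fix and the `.fc` regexes plus restorecon still have to do the rest; if ten really is the ceiling for the nodes created at runtime, a comment saying so stops the next reader from extending the list, e.g. `# named filetrans cannot wildcard; only the minors created at runtime are listed here`. I am inferring the minor ranges rather than reading them from the diff.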
@@ -24423,7 +24543,7 @@ index 0b827c5..b2d6129 100644
+ dontaudit $1 abrt_t:sock_file write;
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..2006219 100644
+index 30861ec..59f712e 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -24790,7 +24910,7 @@ index 30861ec..2006219 100644
+read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+
-+allow abrt_dump_oops_t abrt_etc_t:file read_file_perms;
++read_files_patter(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
+
+kernel_read_kernel_sysctls(abrt_dump_oops_t)
+kernel_read_ring_buffer(abrt_dump_oops_t)
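Review bot: `read_files_patter(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)` is misspelled — the macro is `read_files_pattern` — so m4 leaves the call unexpanded and the abrt module fails to compile; the line should read `read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)`. Note this is also a small widening over the `allow abrt_dump_oops_t abrt_etc_t:file read_file_perms;` it replaces: the pattern macro adds `search_dir_perms` on `abrt_etc_t` directories, which is presumably the intent. The abrt_dump_oops_t rule block continues before and after this hunk.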
@@ -24848,7 +24968,7 @@ index c0f858d..d639ae0 100644
accountsd_manage_lib_files($1)
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..0359b30 100644
+index 1632f10..9663f02 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
@@ -24887,12 +25007,19 @@ index 1632f10..0359b30 100644
miscfiles_read_localization(accountsd_t)
-@@ -55,3 +62,8 @@ optional_policy(`
+@@ -50,8 +57,15 @@ usermanage_domtrans_passwd(accountsd_t)
+
+ optional_policy(`
+ consolekit_read_log(accountsd_t)
++ consolekit_dbus_chat(accountsd_t)
+ ')
+
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
+
+optional_policy(`
++ xserver_read_state_xdm(accountsd_t)
+ xserver_dbus_chat_xdm(accountsd_t)
+ xserver_manage_xdm_etc_files(accountsd_t)
+')
@@ -25218,7 +25345,7 @@ index d96fdfa..e07158f 100644
ifdef(`distro_debian',`
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index deca9d3..ae8c579 100644
+index deca9d3..ac92fce 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -38,7 +38,7 @@ type amavis_quarantine_t;
@@ -25238,7 +25365,15 @@ index deca9d3..ae8c579 100644
domain_use_interactive_fds(amavis_t)
-@@ -153,24 +154,28 @@ sysnet_use_ldap(amavis_t)
+@@ -137,6 +138,7 @@ files_read_usr_files(amavis_t)
+
+ fs_getattr_xattr_fs(amavis_t)
+
++auth_use_nsswitch(amavis_t)
+ auth_dontaudit_read_shadow(amavis_t)
+
+ # uses uptime which reads utmp - redhat bug 561383
+@@ -153,24 +155,28 @@ sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
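Review bot: With `auth_use_nsswitch(amavis_t)` added, the explicit `sysnet_use_ldap(amavis_t)` visible in the context of the next inner hunk is, as far as I recall of refpolicy's nsswitch interface, already implied (it carries `sysnet_use_ldap` plus the optional NIS/LDAP client rules), so the file now grants the same thing twice. Check against the authlogin of this tree before removing it; if it stays, `# covered by auth_use_nsswitch; kept explicit` on that line saves the next reader the same question. The amavis_t rule block continues outside the hunk.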
@@ -26072,10 +26207,10 @@ index 6480167..e12bbc0 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..4845736 100644
+index 3136c6a..ad1e64f 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
-@@ -18,130 +18,225 @@ policy_module(apache, 2.2.1)
+@@ -18,130 +18,232 @@ policy_module(apache, 2.2.1)
# Declarations
#
@@ -26198,7 +26333,10 @@ index 3136c6a..4845736 100644
gen_tunable(httpd_can_sendmail, false)
+
-+##
+ ##
+-##
+-## Allow Apache to communicate with avahi service via dbus
+-##
+##
+## Allow http daemon to connect to zabbix
+##
@@ -26212,10 +26350,7 @@ index 3136c6a..4845736 100644
+##
+gen_tunable(httpd_can_check_spam, false)
+
- ##
--##
--## Allow Apache to communicate with avahi service via dbus
--##
++##
+##
+## Allow Apache to communicate with avahi service via dbus
+##
@@ -26332,6 +26467,13 @@ index 3136c6a..4845736 100644
-## Allow httpd to run gpg
-##
+##
++## Allow httpd to access cifs file systems
++##
++##
++gen_tunable(httpd_use_fusefs, false)
++
++##
++##
+## Allow httpd to run gpg in gpg-web domain
+##
##
@@ -26357,7 +26499,7 @@ index 3136c6a..4845736 100644
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -166,7 +261,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +268,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
@@ -26366,7 +26508,7 @@ index 3136c6a..4845736 100644
type httpd_helper_t;
type httpd_helper_exec_t;
-@@ -177,6 +272,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +279,9 @@ role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -26376,7 +26518,7 @@ index 3136c6a..4845736 100644
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -216,7 +314,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +321,17 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -26395,7 +26537,7 @@ index 3136c6a..4845736 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -226,6 +334,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +341,10 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -26406,7 +26548,7 @@ index 3136c6a..4845736 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +345,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +352,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -26414,7 +26556,7 @@ index 3136c6a..4845736 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +367,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +374,23 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
@@ -26438,7 +26580,7 @@ index 3136c6a..4845736 100644
########################################
#
# Apache server local policy
-@@ -281,11 +403,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +410,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
@@ -26452,7 +26594,7 @@ index 3136c6a..4845736 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +453,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +460,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -26463,7 +26605,7 @@ index 3136c6a..4845736 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +464,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +471,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -26474,7 +26616,7 @@ index 3136c6a..4845736 100644
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +481,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +488,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -26484,7 +26626,7 @@ index 3136c6a..4845736 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +494,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +501,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -26502,7 +26644,7 @@ index 3136c6a..4845736 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -378,12 +512,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +519,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -26518,7 +26660,7 @@ index 3136c6a..4845736 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +525,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +532,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -26526,7 +26668,7 @@ index 3136c6a..4845736 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,48 +537,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +544,101 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -26630,8 +26772,14 @@ index 3136c6a..4845736 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +644,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +649,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+ ')
++tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
++ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
++')
++
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
@@ -26688,7 +26836,7 @@ index 3136c6a..4845736 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +702,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +713,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -26702,10 +26850,16 @@ index 3136c6a..4845736 100644
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
++')
++
++tunable_policy(`httpd_use_fusefs',`
++ fs_manage_fusefs_dirs(httpd_t)
++ fs_manage_fusefs_files(httpd_t)
++ fs_manage_fusefs_symlinks(httpd_t)
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +726,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +743,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
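Review bot: The new `httpd_use_fusefs` block at L795–L798 gives httpd_t manage rights over every FUSE mount through fs_manage_fusefs_dirs/files/symlinks, because fusefs_t is a single type shared by all FUSE filesystems rather than one scoped to web content; the same width is granted to httpd_sys_script_t and httpd_suexec_t in the hunk ending at L951, where `fs_exec_fusefs_files(httpd_suexec_t)` additionally lets suexec execute anything found on a FUSE mount. The boolean's gen_tunable declaration is outside this chunk, so I cannot see its description; it should state that scope explicitly, e.g. `## Allow httpd and its CGI/suexec domains to read, write and execute files on any FUSE-mounted filesystem (e.g. sshfs), not only httpd content types.` A comment of the same shape on the httpd_use_cifs pair it mirrors would make the parallel obvious.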
@@ -26726,7 +26880,7 @@ index 3136c6a..4845736 100644
')
optional_policy(`
-@@ -513,7 +750,13 @@ optional_policy(`
+@@ -513,7 +767,13 @@ optional_policy(`
')
optional_policy(`
@@ -26741,7 +26895,7 @@ index 3136c6a..4845736 100644
')
optional_policy(`
-@@ -528,7 +771,19 @@ optional_policy(`
+@@ -528,7 +788,19 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -26762,7 +26916,7 @@ index 3136c6a..4845736 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +792,13 @@ optional_policy(`
+@@ -537,8 +809,13 @@ optional_policy(`
')
optional_policy(`
@@ -26777,7 +26931,7 @@ index 3136c6a..4845736 100644
')
')
-@@ -556,7 +816,21 @@ optional_policy(`
+@@ -556,7 +833,21 @@ optional_policy(`
')
optional_policy(`
@@ -26799,7 +26953,7 @@ index 3136c6a..4845736 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +841,7 @@ optional_policy(`
+@@ -567,6 +858,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -26807,7 +26961,7 @@ index 3136c6a..4845736 100644
')
optional_policy(`
-@@ -577,6 +852,20 @@ optional_policy(`
+@@ -577,6 +869,20 @@ optional_policy(`
')
optional_policy(`
@@ -26828,7 +26982,7 @@ index 3136c6a..4845736 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +880,11 @@ optional_policy(`
+@@ -591,6 +897,11 @@ optional_policy(`
')
optional_policy(`
@@ -26840,7 +26994,7 @@ index 3136c6a..4845736 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +897,12 @@ optional_policy(`
+@@ -603,6 +914,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -26853,7 +27007,7 @@ index 3136c6a..4845736 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +916,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +933,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -26866,7 +27020,7 @@ index 3136c6a..4845736 100644
########################################
#
-@@ -654,28 +958,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +975,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -26910,7 +27064,7 @@ index 3136c6a..4845736 100644
')
########################################
-@@ -685,6 +991,8 @@ optional_policy(`
+@@ -685,6 +1008,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -26919,7 +27073,7 @@ index 3136c6a..4845736 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1007,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1024,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -26945,7 +27099,7 @@ index 3136c6a..4845736 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1053,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1070,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -26978,7 +27132,7 @@ index 3136c6a..4845736 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1100,25 @@ optional_policy(`
+@@ -769,6 +1117,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -27004,7 +27158,7 @@ index 3136c6a..4845736 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1139,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1156,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -27022,7 +27176,7 @@ index 3136c6a..4845736 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1158,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1175,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -27079,7 +27233,7 @@ index 3136c6a..4845736 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1209,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1226,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -27107,10 +27261,20 @@ index 3136c6a..4845736 100644
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
++tunable_policy(`httpd_use_fusefs',`
++ fs_manage_fusefs_dirs(httpd_sys_script_t)
++ fs_manage_fusefs_files(httpd_sys_script_t)
++ fs_manage_fusefs_symlinks(httpd_sys_script_t)
++ fs_manage_fusefs_dirs(httpd_suexec_t)
++ fs_manage_fusefs_files(httpd_suexec_t)
++ fs_manage_fusefs_symlinks(httpd_suexec_t)
++ fs_exec_fusefs_files(httpd_suexec_t)
++')
++
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1244,20 @@ optional_policy(`
+@@ -842,10 +1271,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27131,7 +27295,7 @@ index 3136c6a..4845736 100644
')
########################################
-@@ -891,11 +1303,49 @@ optional_policy(`
+@@ -891,11 +1330,49 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -33689,7 +33853,7 @@ index 305ddf4..173cd16 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..50a94a4 100644
+index 0f28095..5dafe6a 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -33803,7 +33967,16 @@ index 0f28095..50a94a4 100644
mta_send_mail(cupsd_t)
')
-@@ -371,8 +385,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -322,6 +336,8 @@ optional_policy(`
+ # cups execs smbtool which reads samba_etc_t files
+ samba_read_config(cupsd_t)
+ samba_rw_var_files(cupsd_t)
++ # needed by smbspool
++ samba_stream_connect_nmbd(cupsd_t)
+ ')
+
+ optional_policy(`
+@@ -371,8 +387,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -33814,7 +33987,7 @@ index 0f28095..50a94a4 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -393,6 +408,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +410,10 @@ dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
@@ -33825,7 +33998,7 @@ index 0f28095..50a94a4 100644
files_search_all_mountpoints(cupsd_config_t)
-@@ -425,11 +444,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +446,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -33839,7 +34012,7 @@ index 0f28095..50a94a4 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +472,10 @@ optional_policy(`
+@@ -453,6 +474,10 @@ optional_policy(`
')
optional_policy(`
@@ -33850,7 +34023,7 @@ index 0f28095..50a94a4 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +490,10 @@ optional_policy(`
+@@ -467,6 +492,10 @@ optional_policy(`
')
optional_policy(`
@@ -33861,7 +34034,7 @@ index 0f28095..50a94a4 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -537,6 +564,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +566,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -33869,7 +34042,7 @@ index 0f28095..50a94a4 100644
dev_read_urand(cupsd_lpd_t)
dev_read_rand(cupsd_lpd_t)
-@@ -587,13 +615,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,13 +617,17 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -33889,7 +34062,7 @@ index 0f28095..50a94a4 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +638,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +640,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(cups_pdf_t)
')
@@ -33900,7 +34073,7 @@ index 0f28095..50a94a4 100644
########################################
#
# HPLIP local policy
-@@ -639,7 +675,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +677,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -33909,7 +34082,7 @@ index 0f28095..50a94a4 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +721,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +723,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -33917,7 +34090,7 @@ index 0f28095..50a94a4 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +733,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +735,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -35965,10 +36138,10 @@ index 0000000..c2ac646
+
diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc
new file mode 100644
-index 0000000..3aae725
+index 0000000..6fc4865
--- /dev/null
+++ b/policy/modules/services/dirsrv.fc
-@@ -0,0 +1,20 @@
+@@ -0,0 +1,23 @@
+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
+
+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
@@ -35982,6 +36155,9 @@ index 0000000..3aae725
+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+
++# BZ:
++/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
++
+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+
+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
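Review bot: The `# BZ:` comment added at L1073 is an empty bug reference; either complete it (`# BZ: <bug-id>`) or drop it, since a bare tag tells the next maintainer nothing. The entry it introduces labels `/var/run/slapd.*` sockets with slapd_var_run_t, a type owned by the ldap module rather than dirsrv, and the hunk ending at L1373 comments the identical line out of ldap.fc instead of deleting it; remove the commented-out copy and give the dirsrv.fc line a one-line comment saying why dirsrv owns it. Whether an .fc entry naming another module's type links cleanly when ldap is absent I cannot tell from this chunk — worth a load test.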
@@ -40232,10 +40408,10 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..9f468a5 100644
+index 4fde46b..6c3eaea 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -15,18 +15,27 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -15,18 +15,29 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
#
allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
@@ -40251,6 +40427,8 @@ index 4fde46b..9f468a5 100644
+corecmd_exec_shell(gnomeclock_t)
+corecmd_dontaudit_access_check_bin(gnomeclock_t)
+
++corenet_tcp_connect_time_port(gnomeclock_t)
++
+dev_read_sysfs(gnomeclock_t)
-files_read_etc_files(gnomeclock_t)
@@ -40266,7 +40444,7 @@ index 4fde46b..9f468a5 100644
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +44,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +46,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
@@ -40293,6 +40471,7 @@ index 4fde46b..9f468a5 100644
+ ntp_domtrans_ntpdate(gnomeclock_t)
+ ntp_initrc_domtrans(gnomeclock_t)
+ init_dontaudit_getattr_all_script_files(gnomeclock_t)
++ init_dontaudit_getattr_exec(gnomeclock_t)
+ ntp_systemctl(gnomeclock_t)
+')
+
@@ -41060,19 +41239,21 @@ index df48e5e..878d9df 100644
type inetd_t;
')
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
-index c51a7b2..5547c35 100644
+index c51a7b2..b07694c 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
-@@ -89,6 +89,8 @@ corenet_tcp_bind_ftp_port(inetd_t)
+@@ -89,6 +89,10 @@ corenet_tcp_bind_ftp_port(inetd_t)
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
-++corenet_tcp_bind_rdate_port(inetd_t)
-++corenet_udp_bind_rdate_port(inetd_t)
++corenet_tcp_bind_echo_port(inetd_t)
++corenet_udp_bind_echo_port(inetd_t)
++corenet_tcp_bind_time_port(inetd_t)
++corenet_udp_bind_time_port(inetd_t)
corenet_tcp_bind_ircd_port(inetd_t)
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
-@@ -149,7 +151,10 @@ miscfiles_read_localization(inetd_t)
+@@ -149,7 +153,10 @@ miscfiles_read_localization(inetd_t)
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
@@ -42327,29 +42508,35 @@ index ca5cfdf..554ad30 100644
diff --git a/policy/modules/services/l2tpd.fc b/policy/modules/services/l2tpd.fc
new file mode 100644
-index 0000000..76d879e
+index 0000000..6b27066
--- /dev/null
+++ b/policy/modules/services/l2tpd.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,18 @@
++/etc/prol2tp(/.*)? gen_context(system_u:object_r:l2tp_etc_t,s0)
+
-+/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/prol2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
+
-+/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+
-+/var/run/xl2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/etc/sysconfig/prol2tpd -- gen_context(system_u:object_r:l2tp_etc_t,s0)
+
-+/var/run/xl2tpd\.pid gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/sbin/prol2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+
++/var/run/openl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/xl2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if
new file mode 100644
-index 0000000..5783d58
+index 0000000..eb6ac8d
--- /dev/null
+++ b/policy/modules/services/l2tpd.if
-@@ -0,0 +1,115 @@
-+
-+## policy for l2tpd
+@@ -0,0 +1,156 @@
++## Layer 2 Tunneling Protocol daemons.
+
+########################################
+##
@@ -42370,7 +42557,6 @@ index 0000000..5783d58
+ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
+')
+
-+
+########################################
+##
+## Execute l2tpd server in the l2tpd domain.
@@ -42389,6 +42575,45 @@ index 0000000..5783d58
+ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+')
+
++<<<<<<< HEAD
++=======
++########################################
++##
++## Send to l2tpd via a unix dgram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_dgram_send',`
++ gen_require(`
++ type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
++ ')
++
++ files_search_tmp($1)
++ dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
++')
++
++########################################
++##
++## Read and write l2tpd sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_rw_socket',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:socket rw_socket_perms;
++')
++>>>>>>> 37639db... Add support for proL2TPd.
+
+########################################
+##
@@ -42446,9 +42671,8 @@ index 0000000..5783d58
+#
+interface(`l2tpd_admin',`
+ gen_require(`
-+ type l2tpd_t;
-+ type l2tpd_initrc_exec_t;
-+ type l2tpd_var_run_t;
++ type l2tpd_t, l2tpd_initrc_exec_t. l2tpd_var_run_t;
++ type l2tp_etc_t, l2tpd_tmp_t;
+ ')
+
+ allow $1 l2tpd_t:process { ptrace signal_perms };
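Review bot: The gen_require at L1249 has a period where a comma belongs, `type l2tpd_t, l2tpd_initrc_exec_t. l2tpd_var_run_t;`, which makes the type list unparsable; it should read `type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;`. l2tpd_admin's body continues past the end of this hunk.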
@@ -42459,16 +42683,21 @@ index 0000000..5783d58
+ role_transition $2 l2tpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_search_etc($1)
++ admin_pattern($1, l2tp_etc_t)
++
+ files_search_pids($1)
+ admin_pattern($1, l2tpd_var_run_t)
-+')
+
++ files_search_tmp($1)
++ admin_pattern($1, l2tpd_tmp_t)
++')
diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
new file mode 100644
-index 0000000..4aac893
+index 0000000..d3ce22f
--- /dev/null
+++ b/policy/modules/services/l2tpd.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,94 @@
+policy_module(l2tpd, 1.0.0)
+
+########################################
@@ -42483,6 +42712,9 @@ index 0000000..4aac893
+type l2tpd_initrc_exec_t;
+init_script_file(l2tpd_initrc_exec_t)
+
++type l2tp_etc_t;
++files_config_file(l2tp_etc_t)
++
+type l2tpd_tmp_t;
+files_tmp_file(l2tpd_tmp_t)
+
@@ -42491,14 +42723,20 @@ index 0000000..4aac893
+
+########################################
+#
-+# l2tpd local policy
++# Local policy
+#
-+allow l2tpd_t self:capability net_bind_service;
-+allow l2tpd_t self:process signal;
+
++allow l2tpd_t self:capability { net_admin net_bind_service };
++allow l2tpd_t self:process signal;
+allow l2tpd_t self:fifo_file rw_fifo_file_perms;
-+allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
++allow l2tpd_t self:netlink_socket create_socket_perms;
++allow l2tpd_t self:rawip_socket create_socket_perms;
++allow l2tpd_t self:socket create_socket_perms;
+allow l2tpd_t self:tcp_socket create_stream_socket_perms;
++allow l2tpd_t self:unix_dgram_socket sendto;
++allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(l2tpd_t, l2tp_etc_t, l2tp_etc_t)
+
+manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
+files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
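Review bot: The new self rules at L1299–L1305 widen l2tpd_t to net_admin, generic netlink_socket, rawip_socket and the generic `socket` class without a why-comment, while the next hunk does explain its `kernel_request_load_module` line with `# net-pf-24 (pppox)`. Each of these is broad enough to deserve the same treatment, e.g. `# L2TP/PPPoX tunnel setup: net_admin, netlink, rawip and generic sockets — confirm against audit logs` above the block; presumably they come from the proL2TPd support the merge trailer names, but that is inferred. If any of them serves only prol2tpd and not xl2tpd/openl2tpd, say so, since all three daemons share l2tpd_t.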
@@ -42509,10 +42747,34 @@ index 0000000..4aac893
+manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
+
++manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
++files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
++
++corenet_all_recvfrom_unlabeled(l2tpd_t)
++corenet_all_recvfrom_netlabel(l2tpd_t)
++corenet_raw_sendrecv_generic_if(l2tpd_t)
++corenet_tcp_sendrecv_generic_if(l2tpd_t)
++corenet_udp_sendrecv_generic_if(l2tpd_t)
++corenet_raw_bind_generic_node(l2tpd_t)
+corenet_tcp_bind_generic_node(l2tpd_t)
+corenet_udp_bind_generic_node(l2tpd_t)
-+corenet_udp_bind_generic_port(l2tpd_t)
++corenet_raw_sendrecv_generic_node(l2tpd_t)
++corenet_tcp_sendrecv_generic_node(l2tpd_t)
++corenet_udp_sendrecv_generic_node(l2tpd_t)
++
+corenet_tcp_bind_all_rpc_ports(l2tpd_t)
++corenet_udp_bind_generic_port(l2tpd_t)
++
++corenet_udp_bind_l2tp_port(l2tpd_t)
++corenet_udp_sendrecv_l2tp_port(l2tpd_t)
++corenet_sendrecv_l2tp_server_packets(l2tpd_t)
++
++kernel_read_network_state(l2tpd_t)
++# net-pf-24 (pppox)
++kernel_request_load_module(l2tpd_t)
++
++# prol2tpc
++corecmd_exec_bin(l2tpd_t)
+
+dev_read_urand(l2tpd_t)
+
@@ -42525,8 +42787,13 @@ index 0000000..4aac893
+miscfiles_read_localization(l2tpd_t)
+
+sysnet_dns_name_resolve(l2tpd_t)
++
++optional_policy(`
++ ppp_domtrans(l2tpd_t)
++ ppp_signal(l2tpd_t)
++')
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index c62f23e..f8a4301 100644
+index c62f23e..8b7e71f 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
@@ -1,6 +1,10 @@
@@ -42545,7 +42812,7 @@ index c62f23e..f8a4301 100644
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
-+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
++#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index 3aa8fa7..40b10fa 100644
--- a/policy/modules/services/ldap.if
@@ -47354,7 +47621,7 @@ index 2324d9e..4f46ff8 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..76e9108 100644
+index 0619395..293aaca 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -47432,7 +47699,7 @@ index 0619395..76e9108 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,7 +139,7 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,10 +139,11 @@ corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
@@ -47441,7 +47708,11 @@ index 0619395..76e9108 100644
files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
-@@ -133,30 +159,37 @@ logging_send_syslog_msg(NetworkManager_t)
++files_read_system_conf_files(NetworkManager_t)
+ files_read_usr_files(NetworkManager_t)
+ files_read_usr_src_files(NetworkManager_t)
+
+@@ -133,30 +160,37 @@ logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
@@ -47481,7 +47752,7 @@ index 0619395..76e9108 100644
')
optional_policy(`
-@@ -172,14 +205,21 @@ optional_policy(`
+@@ -172,14 +206,21 @@ optional_policy(`
')
optional_policy(`
@@ -47504,7 +47775,7 @@ index 0619395..76e9108 100644
')
')
-@@ -191,6 +231,7 @@ optional_policy(`
+@@ -191,6 +232,7 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -47512,7 +47783,7 @@ index 0619395..76e9108 100644
')
optional_policy(`
-@@ -202,23 +243,45 @@ optional_policy(`
+@@ -202,23 +244,45 @@ optional_policy(`
')
optional_policy(`
@@ -47558,7 +47829,7 @@ index 0619395..76e9108 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -241,6 +304,7 @@ optional_policy(`
+@@ -241,6 +305,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -47566,7 +47837,7 @@ index 0619395..76e9108 100644
')
optional_policy(`
-@@ -263,6 +327,7 @@ optional_policy(`
+@@ -263,6 +328,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -52908,7 +53179,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..52443cd 100644
+index 29b9295..ec68440 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -52951,7 +53222,7 @@ index 29b9295..52443cd 100644
# only works until we define a different type for maildir
userdom_manage_user_home_content_dirs(procmail_t)
userdom_manage_user_home_content_files(procmail_t)
-@@ -87,8 +100,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
+@@ -87,8 +100,10 @@ userdom_manage_user_home_content_pipes(procmail_t)
userdom_manage_user_home_content_sockets(procmail_t)
userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
@@ -52959,10 +53230,12 @@ index 29b9295..52443cd 100644
-userdom_dontaudit_search_user_home_dirs(procmail_t)
+# Execute user executables
+userdom_exec_user_bin_files(procmail_t)
++
++userdom_home_manager(procmail_t)
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
-@@ -112,6 +125,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -112,6 +127,12 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
clamav_domtrans_clamscan(procmail_t)
clamav_search_lib(procmail_t)
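Review bot: `userdom_home_manager(procmail_t)` at L1462 is a broad grant and lands without a comment, unlike the `# Execute user executables` line just above it; a short why is due, e.g. `# procmail delivers into arbitrary user home content (maildirs), including NFS/CIFS homes`. Whether the explicit userdom_manage_user_home_content_* rules kept as context at L1451–L1456 are now subsumed by the home-manager interface I cannot tell from this chunk — if they are, delete them rather than carrying both.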
@@ -52975,7 +53248,7 @@ index 29b9295..52443cd 100644
')
optional_policy(`
-@@ -125,6 +144,11 @@ optional_policy(`
+@@ -125,6 +146,11 @@ optional_policy(`
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
@@ -57726,10 +57999,36 @@ index 69a6074..596dbb3 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..0a29f68 100644
+index 82cb169..f9c229f 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
-@@ -60,6 +60,29 @@ interface(`samba_initrc_domtrans',`
+@@ -42,6 +42,25 @@ interface(`samba_signal_nmbd',`
+
+ ########################################
+ ##
++## Connect to nmbd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`samba_stream_connect_nmbd',`
++ gen_require(`
++ type nmbd_t, nmbd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++')
++
++########################################
++##
+ ## Execute samba server in the samba domain.
+ ##
+ ##
+@@ -60,6 +79,29 @@ interface(`samba_initrc_domtrans',`
########################################
##
@@ -57759,7 +58058,7 @@ index 82cb169..0a29f68 100644
## Execute samba net in the samba_net domain.
##
##
-@@ -79,6 +102,25 @@ interface(`samba_domtrans_net',`
+@@ -79,6 +121,25 @@ interface(`samba_domtrans_net',`
########################################
##
@@ -57785,7 +58084,7 @@ index 82cb169..0a29f68 100644
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
##
-@@ -103,6 +145,51 @@ interface(`samba_run_net',`
+@@ -103,6 +164,51 @@ interface(`samba_run_net',`
role $2 types samba_net_t;
')
@@ -57837,7 +58136,7 @@ index 82cb169..0a29f68 100644
########################################
##
## Execute smbmount in the smbmount domain.
-@@ -327,7 +414,6 @@ interface(`samba_search_var',`
+@@ -327,7 +433,6 @@ interface(`samba_search_var',`
type samba_var_t;
')
@@ -57845,7 +58144,7 @@ index 82cb169..0a29f68 100644
files_search_var_lib($1)
allow $1 samba_var_t:dir search_dir_perms;
')
-@@ -348,7 +434,6 @@ interface(`samba_read_var_files',`
+@@ -348,7 +453,6 @@ interface(`samba_read_var_files',`
type samba_var_t;
')
@@ -57853,7 +58152,7 @@ index 82cb169..0a29f68 100644
files_search_var_lib($1)
read_files_pattern($1, samba_var_t, samba_var_t)
')
-@@ -388,7 +473,6 @@ interface(`samba_rw_var_files',`
+@@ -388,7 +492,6 @@ interface(`samba_rw_var_files',`
type samba_var_t;
')
@@ -57861,7 +58160,7 @@ index 82cb169..0a29f68 100644
files_search_var_lib($1)
rw_files_pattern($1, samba_var_t, samba_var_t)
')
-@@ -409,9 +493,9 @@ interface(`samba_manage_var_files',`
+@@ -409,9 +512,9 @@ interface(`samba_manage_var_files',`
type samba_var_t;
')
@@ -57872,7 +58171,7 @@ index 82cb169..0a29f68 100644
')
########################################
-@@ -419,15 +503,14 @@ interface(`samba_manage_var_files',`
+@@ -419,15 +522,14 @@ interface(`samba_manage_var_files',`
## Execute a domain transition to run smbcontrol.
##
##
@@ -57891,7 +58190,7 @@ index 82cb169..0a29f68 100644
')
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
-@@ -564,6 +647,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -564,6 +666,7 @@ interface(`samba_domtrans_winbind_helper',`
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -57899,7 +58198,7 @@ index 82cb169..0a29f68 100644
')
########################################
-@@ -644,6 +728,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +747,37 @@ interface(`samba_stream_connect_winbind',`
########################################
##
@@ -57937,7 +58236,7 @@ index 82cb169..0a29f68 100644
## All of the rules required to administrate
## an samba environment
##
-@@ -661,21 +776,12 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,21 +795,12 @@ interface(`samba_stream_connect_winbind',`
#
interface(`samba_admin',`
gen_require(`
@@ -57965,7 +58264,7 @@ index 82cb169..0a29f68 100644
')
allow $1 smbd_t:process { ptrace signal_perms };
-@@ -684,6 +790,9 @@ interface(`samba_admin',`
+@@ -684,6 +809,9 @@ interface(`samba_admin',`
allow $1 nmbd_t:process { ptrace signal_perms };
ps_process_pattern($1, nmbd_t)
@@ -57975,7 +58274,7 @@ index 82cb169..0a29f68 100644
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)
samba_run_smbmount($1, $2, $3)
-@@ -709,9 +818,6 @@ interface(`samba_admin',`
+@@ -709,9 +837,6 @@ interface(`samba_admin',`
admin_pattern($1, samba_var_t)
files_list_var($1)
@@ -57985,7 +58284,7 @@ index 82cb169..0a29f68 100644
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
-@@ -727,4 +833,7 @@ interface(`samba_admin',`
+@@ -727,4 +852,7 @@ interface(`samba_admin',`
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
@@ -58525,10 +58824,10 @@ index 0000000..486d53d
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..96adff5
+index 0000000..afa8d37
--- /dev/null
+++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,102 @@
+policy_module(sanlock,1.0.0)
+
+########################################
@@ -58597,6 +58896,8 @@ index 0000000..96adff5
+
+storage_raw_rw_fixed_disk(sanlock_t)
+
++auth_use_nsswitch(sanlock_t)
++
+dev_read_urand(sanlock_t)
+
+logging_send_syslog_msg(sanlock_t)
@@ -60440,7 +60741,7 @@ index d2496bd..1d0c078 100644
allow $1 squid_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..7b3d2db 100644
+index 4b2230e..51dc8d8 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
@@ -60477,7 +60778,26 @@ index 4b2230e..7b3d2db 100644
type squid_initrc_exec_t;
init_script_file(squid_initrc_exec_t)
-@@ -90,6 +90,7 @@ files_pid_filetrans(squid_t, squid_var_run_t, file)
+@@ -40,6 +40,9 @@ logging_log_file(squid_log_t)
+ type squid_tmpfs_t;
+ files_tmpfs_file(squid_tmpfs_t)
+
++type squid_tmp_t;
++files_tmp_file(squid_tmp_t)
++
+ type squid_var_run_t;
+ files_pid_file(squid_var_run_t)
+
+@@ -85,11 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
+ manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+ fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+
++manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
++manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
++files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
++
+ manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+ files_pid_filetrans(squid_t, squid_var_run_t, file)
kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)
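Review bot: the new `squid_tmp_t` type gets manage patterns and a `files_tmp_filetrans` for squid_t, but none of the visible hunks adds it to the `admin_pattern` list of `squid_admin` in squid.if, so an administrator domain could not clean up /tmp content created under the new label; confirm whether squid.if is updated elsewhere in the patch. If not, `admin_pattern($1, squid_tmp_t)` together with `files_list_tmp($1)` belongs in `squid_admin`. The type-declaration section of squid.te continues outside this hunk.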
@@ -60485,7 +60805,7 @@ index 4b2230e..7b3d2db 100644
files_dontaudit_getattr_boot_dirs(squid_t)
-@@ -169,7 +170,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
corenet_tcp_bind_all_ports(squid_t)
@@ -60495,7 +60815,7 @@ index 4b2230e..7b3d2db 100644
')
tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +187,7 @@ optional_policy(`
+@@ -185,6 +194,7 @@ optional_policy(`
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -60503,7 +60823,7 @@ index 4b2230e..7b3d2db 100644
sysnet_dns_name_resolve(httpd_squid_script_t)
-@@ -206,3 +209,7 @@ optional_policy(`
+@@ -206,3 +216,7 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -60536,7 +60856,7 @@ index 078bcd7..84d29ee 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..9001bca 100644
+index 22adaca..8cbaa9a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -60971,7 +61291,7 @@ index 22adaca..9001bca 100644
')
######################################
-@@ -735,3 +893,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +893,82 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -61011,6 +61331,7 @@ index 22adaca..9001bca 100644
+
+ allow sshd_t $1:process dyntransition;
+ allow $1 sshd_t:process sigchld;
++ allow sshd_t $1:process { getattr sigkill sigstop signull signal };
+')
+
+########################################
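Review bot: the added `allow sshd_t $1:process { getattr sigkill sigstop signull signal };` spells out what is, if I recall refpolicy's `signal_perms` set correctly, every member of that set except `sigchld`; if omitting `sigchld` is deliberate, a comment such as `# sshd must inspect and kill the session domain it dyntransitioned to; sigchld flows the other way (see allow $1 sshd_t above)` would stop a later cleanup from collapsing it to `{ getattr signal_perms }`. The enclosing interface's header and gen_require are outside this hunk, so the parameter domain and its summary cannot be checked here.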
@@ -61054,7 +61375,7 @@ index 22adaca..9001bca 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..e411df0 100644
+index 2dad3c8..7ef3f55 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -61392,6 +61713,10 @@ index 2dad3c8..e411df0 100644
-
- optional_policy(`
- domain_trans(sshd_t, xauth_exec_t, userdomain)
+- ')
+-',`
+- optional_policy(`
+- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
@@ -61412,10 +61737,6 @@ index 2dad3c8..e411df0 100644
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
')
--',`
-- optional_policy(`
-- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
-- ')
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
@@ -61467,7 +61788,7 @@ index 2dad3c8..e411df0 100644
')
optional_policy(`
-@@ -363,3 +436,82 @@ optional_policy(`
+@@ -363,3 +436,81 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -61502,7 +61823,6 @@ index 2dad3c8..e411df0 100644
+# chroot_user_t local policy
+#
+
-+
+userdom_read_user_home_content_files(chroot_user_t)
+userdom_read_inherited_user_home_content_files(chroot_user_t)
+userdom_read_user_home_content_symlinks(chroot_user_t)
@@ -61550,6 +61870,19 @@ index 2dad3c8..e411df0 100644
+optional_policy(`
+ ssh_rw_dgram_sockets(chroot_user_t)
+')
+diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc
+index 4271815..4bc00ea 100644
+--- a/policy/modules/services/sssd.fc
++++ b/policy/modules/services/sssd.fc
+@@ -4,6 +4,8 @@
+
+ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
++/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
++
+ /var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
+ /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 941380a..ce8c972 100644
--- a/policy/modules/services/sssd.if
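Review bot: the new `/var/lib/sss/mc(/.*)?` entry moves the sssd memory cache from `sssd_var_lib_t` to `sssd_public_t`, which presumably is readable by every domain that calls the sssd public-files interface, and the .fc gives no hint of why; a comment such as `# memory cache, mapped read-only by nss_sss clients in other domains` above the entry would record the intent. Also confirm that sssd_t may create, write and relabel `sssd_public_t` directories and files, since the cache is written at runtime by sssd_t; those rules live in sssd.te, which is not among the hunks changed here.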
@@ -67963,7 +68296,7 @@ index 28ad538..40f76db 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..2c6ee0e 100644
+index 73554ec..cd2c7cc 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -68096,7 +68429,7 @@ index 73554ec..2c6ee0e 100644
+
+ optional_policy(`
+ fprintd_dbus_chat($1)
- ')
++ ')
+
+ optional_policy(`
+ ssh_agent_exec($1)
@@ -68136,7 +68469,7 @@ index 73554ec..2c6ee0e 100644
+interface(`authlogin_rw_pipes',`
+ gen_require(`
+ attribute polydomain;
-+ ')
+ ')
+
+ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
')
@@ -68377,7 +68710,7 @@ index 73554ec..2c6ee0e 100644
')
########################################
-@@ -1659,3 +1800,33 @@ interface(`auth_unconfined',`
+@@ -1659,3 +1800,35 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -68396,6 +68729,7 @@ index 73554ec..2c6ee0e 100644
+ gen_require(`
+ type shadow_t;
+ type faillog_t;
++ type lastlog_t;
+ type wtmp_t;
+ ')
+
@@ -68405,6 +68739,7 @@ index 73554ec..2c6ee0e 100644
+ files_etc_filetrans($1, shadow_t, file, "gshadow")
+ files_var_filetrans($1, shadow_t, file, "shadow")
+ files_var_filetrans($1, shadow_t, file, "shadow-")
++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
+ logging_log_named_filetrans($1, faillog_t, file, "faillog")
+ logging_log_named_filetrans($1, faillog_t, file, "btmp")
@@ -68965,7 +69300,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..f2689e3 100644
+index 94fd8dd..82d8769 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -69063,17 +69398,17 @@ index 94fd8dd..f2689e3 100644
typeattribute $2 direct_init_entry;
- userdom_dontaudit_use_user_terminals($1)
-+# userdom_dontaudit_use_user_terminals($1)
- ')
-
+- ')
+-
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_rhel4',`
- kernel_dontaudit_use_fds($1)
- ')
-- ')
--
++# userdom_dontaudit_use_user_terminals($1)
+ ')
+
- optional_policy(`
- nscd_socket_use($1)
+ tunable_policy(`init_upstart || init_systemd',`
@@ -69177,7 +69512,15 @@ index 94fd8dd..f2689e3 100644
########################################
##
## Execute init (/sbin/init) with a domain transition.
-@@ -451,6 +501,10 @@ interface(`init_exec',`
+@@ -442,7 +492,6 @@ interface(`init_domtrans',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`init_exec',`
+ gen_require(`
+@@ -451,6 +500,29 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -69185,10 +69528,29 @@ index 94fd8dd..f2689e3 100644
+ tunable_policy(`init_systemd',`
+ systemd_exec_systemctl($1)
+ ')
++')
++
++#######################################
++##
++## Dontaudit getattr on the init program.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`init_dontaudit_getattr_exec',`
++ gen_require(`
++ type init_exec_t;
++ ')
++
++ dontaudit $1 init_exec_t:file getattr;
')
########################################
-@@ -509,6 +563,24 @@ interface(`init_sigchld',`
+@@ -509,6 +581,24 @@ interface(`init_sigchld',`
########################################
##
@@ -69213,7 +69575,7 @@ index 94fd8dd..f2689e3 100644
## Connect to init with a unix socket.
##
##
-@@ -519,10 +591,66 @@ interface(`init_sigchld',`
+@@ -519,10 +609,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -69282,7 +69644,7 @@ index 94fd8dd..f2689e3 100644
')
########################################
-@@ -688,19 +816,25 @@ interface(`init_telinit',`
+@@ -688,19 +834,25 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -69309,7 +69671,7 @@ index 94fd8dd..f2689e3 100644
')
')
-@@ -730,7 +864,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +882,7 @@ interface(`init_rw_initctl',`
##
##
##
@@ -69318,7 +69680,7 @@ index 94fd8dd..f2689e3 100644
##
##
#
-@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +925,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -69342,7 +69704,7 @@ index 94fd8dd..f2689e3 100644
')
')
-@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +953,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -69388,7 +69750,7 @@ index 94fd8dd..f2689e3 100644
')
########################################
-@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1043,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -69403,7 +69765,7 @@ index 94fd8dd..f2689e3 100644
files_search_etc($1)
')
-@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1259,24 @@ interface(`init_read_all_script_files',`
#######################################
##
@@ -69428,7 +69790,7 @@ index 94fd8dd..f2689e3 100644
## Dontaudit read all init script files.
##
##
-@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1328,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -69442,7 +69804,7 @@ index 94fd8dd..f2689e3 100644
')
########################################
-@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1568,27 @@ interface(`init_dbus_send_script',`
########################################
##
## Send and receive messages from
@@ -69470,7 +69832,7 @@ index 94fd8dd..f2689e3 100644
## init scripts over dbus.
##
##
-@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1675,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -69496,7 +69858,7 @@ index 94fd8dd..f2689e3 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1752,24 @@ interface(`init_rw_script_tmp_files',`
########################################
##
@@ -69521,7 +69883,7 @@ index 94fd8dd..f2689e3 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1586,6 +1819,24 @@ interface(`init_read_utmp',`
+@@ -1586,6 +1837,24 @@ interface(`init_read_utmp',`
########################################
##
@@ -69546,7 +69908,7 @@ index 94fd8dd..f2689e3 100644
## Do not audit attempts to write utmp.
##
##
-@@ -1674,7 +1925,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1943,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -69555,7 +69917,7 @@ index 94fd8dd..f2689e3 100644
')
########################################
-@@ -1715,6 +1966,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1984,128 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -69684,7 +70046,7 @@ index 94fd8dd..f2689e3 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2122,194 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2140,194 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -75600,7 +75962,7 @@ index ff80d0a..be800df 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..dac04f8 100644
+index 34d0ec5..a9ce01d 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -75636,6 +75998,15 @@ index 34d0ec5..dac04f8 100644
########################################
#
+@@ -44,7 +54,7 @@ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_s
+ dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
++allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate ptrace signal_perms };
+
+ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
@@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@@ -76421,10 +76792,10 @@ index 0000000..1688a39
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..b8c56f1
+index 0000000..9106ba4
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,379 @@
+@@ -0,0 +1,381 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -76646,6 +77017,8 @@ index 0000000..b8c56f1
+files_manage_all_locks(systemd_tmpfiles_t)
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
+files_delete_all_non_security_files(systemd_tmpfiles_t)
++files_delete_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_pipes(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
+files_manage_generic_tmp_files(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
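Review bot: `files_delete_all_pid_sockets` and `files_delete_all_pid_pipes` are not interfaces I recognise from upstream refpolicy; if this same policy-F16.patch introduces them, the files.if hunk defining them is not among the hunks changed here, so confirm they exist or the module build will fail on an undefined macro. By name they let systemd_tmpfiles_t unlink sockets and fifos of any pid-file type under /var/run, so a comment such as `# tmpfiles.d cleanup of stale sockets/fifos left in /run` next to the two rules would document the reason, as the neighbouring lines carry none.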
@@ -81811,7 +82184,7 @@ index 9b4a930..8525f8a 100644
+ fs_manage_fusefs_symlinks(userdom_home_manager_type)
+')
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
-index a865da7..a5ed06e 100644
+index a865da7..f22f770 100644
--- a/policy/modules/system/xen.fc
+++ b/policy/modules/system/xen.fc
@@ -1,12 +1,10 @@
@@ -81824,7 +82197,7 @@ index a865da7..a5ed06e 100644
/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
-/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
-+/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
++#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
ifdef(`distro_debian',`
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
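Review bot: the qemu-dm file context is commented out rather than deleted, so `qemu_dm_exec_t` (and the `qemu_dm_t` rules that xen.te now marks with a TODO) stay in the policy with no file able to carry the label, and qemu-dm is labeled by whatever broader `/usr/lib/xen` entry matches. Deleting the line outright (history keeps it) and dropping the type together with the xen.te TODO block would avoid a dead type; if the commented entry is kept on purpose, a comment such as `# qemu-dm now runs in xend_t; see the TODO in xen.te` above it would explain why.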
@@ -81915,7 +82288,7 @@ index 77d41b6..7ccb440 100644
files_search_pids($1)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..b82a902 100644
+index 4350ba0..c4c4bcb 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -81946,7 +82319,18 @@ index 4350ba0..b82a902 100644
########################################
#
# blktap local policy
-@@ -208,7 +205,7 @@ tunable_policy(`xend_run_qemu',`
+@@ -170,6 +167,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+ #
+ # qemu-dm local policy
+ #
++
++# TODO: This part of policy should be removed
++# qemu-dm should run in xend_t domain
++
+ # Do we need to allow execution of qemu-dm?
+ tunable_policy(`xend_run_qemu',`
+ allow qemu_dm_t self:capability sys_resource;
+@@ -208,9 +209,14 @@ tunable_policy(`xend_run_qemu',`
# xend local policy
#
@@ -81954,8 +82338,15 @@ index 4350ba0..b82a902 100644
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { signal sigkill };
++
++# needed by qemu_dm
++allow xend_t self:capability sys_resource;
++allow xend_t self:process setrlimit;
++
dontaudit xend_t self:process ptrace;
-@@ -320,12 +317,9 @@ locallogin_dontaudit_use_fds(xend_t)
+ # internal communication is often done using fifo and unix sockets.
+ allow xend_t self:fifo_file rw_fifo_file_perms;
+@@ -320,13 +326,9 @@ locallogin_dontaudit_use_fds(xend_t)
logging_send_syslog_msg(xend_t)
@@ -81965,10 +82356,11 @@ index 4350ba0..b82a902 100644
miscfiles_read_hwdata(xend_t)
-mount_domtrans(xend_t)
-
+-
sysnet_domtrans_dhcpc(xend_t)
sysnet_signal_dhcpc(xend_t)
-@@ -339,8 +333,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+ sysnet_domtrans_ifconfig(xend_t)
+@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
xen_stream_connect_xenstore(xend_t)
@@ -81977,7 +82369,7 @@ index 4350ba0..b82a902 100644
optional_policy(`
brctl_domtrans(xend_t)
')
-@@ -349,6 +341,23 @@ optional_policy(`
+@@ -349,6 +349,23 @@ optional_policy(`
consoletype_exec(xend_t)
')
@@ -82001,7 +82393,7 @@ index 4350ba0..b82a902 100644
########################################
#
# Xen console local policy
-@@ -413,9 +422,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +430,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
# pid file
@@ -82013,7 +82405,7 @@ index 4350ba0..b82a902 100644
# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +452,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +460,11 @@ files_read_etc_files(xenstored_t)
files_read_usr_files(xenstored_t)
@@ -82025,7 +82417,7 @@ index 4350ba0..b82a902 100644
init_use_fds(xenstored_t)
init_use_script_ptys(xenstored_t)
-@@ -457,96 +469,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +477,9 @@ xen_append_log(xenstored_t)
########################################
#
@@ -82122,7 +82514,7 @@ index 4350ba0..b82a902 100644
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-@@ -559,8 +484,4 @@ optional_policy(`
+@@ -559,8 +492,4 @@ optional_policy(`
fs_manage_nfs_files(xend_t)
fs_read_nfs_symlinks(xend_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b9473eb..8c479a8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 81%{?dist}
+Release: 82%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,21 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Apr 6 2012 Miroslav Grepl 3.10.0-82
+- Add httpd_use_fusefs boolean
+- /etc/auto.* should be labeled bin_t
+- Allow sshd_t to signal processes that it transitions to
+- Rename rdate port to time port, and allow gnomeclock to connect to it
+- Make amavis as nsswitch domain to allow using NIS
+- Make procmail_t as home manager
+- Allow systemd-tmpfiles to getattr/delete fifo_file and sock_file
+- Add port definition for l2tp ports
+- Make qemu-dm running in xend_t domain
+- Allow accountsd to read /proc data about gdm
+- Allow rtkit to schedule wine processes
+- label /var/lib/sss/mc same as pubconf
+- Allow NM to read system config file
+
* Wed Mar 13 2012 Miroslav Grepl 3.10.0-81
- boinc fixes
- Allow vnstat to search through var_lib_t directories