From a8c917a5e23bf791fb23f1769033648a67251879 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Dec 10 2013 12:59:47 +0000
Subject: - Fix ldap_read_certs() interface to allow acess also link files
- Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt
- Allow tuned to run modprobe
- Allow portreserve to search /var/lib/sss dir
- Add SELinux support for the teamd package, which contains the team network device control daemon.
- Dontaudit access check on /proc for bumblebee
- Bumblebee wants to load nvidia modules
- Fix rpm_named_filetrans_log_files and wine.te
- Add conman policy for rawhide
- DRM master and input event devices are used by the TakeDevice API
- Clean up bumblebee policy
- Update pegasus_openlmi_storage_t policy
- Add freeipmi_stream_connect() interface
- Allow logwatch read madm.conf to support RAID setup
- Add raid_read_conf_files() interface
- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
- add rpm_named_filetrans_log_files() interface
- Allow dkim-milter to create files/dirs in /tmp
- update freeipmi policy
- Add policy for freeipmi services
- Added rdisc_admin and rdisc_systemctl interfaces
- opensm policy clean up
- openwsman policy clean up
- ninfod policy clean up
- Added new policy for ninfod
- Added new policy for openwsman
- Added rdisc_admin and rdisc_systemctl interfaces
- Fix kernel_dontaudit_access_check_proc()
- Add support for /dev/uhid
- Allow sulogin to get the attributes of initctl and sys_admin cap
- Add kernel_dontaudit_access_check_proc()
- Fix dev_rw_ipmi_dev()
- Fix new interface in devices.if
- DRM master and input event devices are used by the TakeDevice API
- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
- Added support for default conman port
- Add interfaces for ipmi devices
---
diff --git a/permissivedomains.pp b/permissivedomains.pp
index f8ac2b9..c63c1f8 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/permissivedomains.te b/permissivedomains.te
index c864bad..28d0998 100644
--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -55,22 +55,67 @@ optional_policy(`
gen_require(`
type mip6d_t;
')
+ permissive mip6d_t;
')
optional_policy(`
gen_require(`
type opensm_t;
')
+ permissive opensm_t;
')
optional_policy(`
gen_require(`
- type bumblebee_t;
+ type bumblebee_t;
')
+ permissive bumblebee_t;
')
optional_policy(`
gen_require(`
type freqset_t;
')
+ permissive freqset_t;
')
+
+optional_policy(`
+ gen_require(`
+ type freeipmi_bmc_watchdog_t;
+ type freeipmi_ipmidetectd_t;
+ type freeipmi_ipmiseld_t;
+ ')
+ permissive freeipmi_bmc_watchdog_t;
+ permissive freeipmi_ipmidetectd_t;
+ permissive freeipmi_ipmidetectd_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type conman_t;
+ ')
+ permissive conman_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type opensm_t;
+ ')
+ permissive opensm_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type openwsman_t;
+ ')
+ permissive openwsman_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type ninfod_t;
+ ')
+ permissive ninfod_t;
+')
+
+
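Review bot: `freeipmi_ipmiseld_t` is pulled into scope by the new freeipmi gen_require but is never made permissive, because the block below it lists `permissive freeipmi_ipmidetectd_t;` twice; the second line is a copy-paste slip and should read `permissive freeipmi_ipmiseld_t;`. As written, ipmiseld runs enforcing while its two siblings do not, which is presumably not the intent for domains that are being added as permissive in the same change. The new `optional_policy` block for `opensm_t` near the end of the hunk also duplicates the existing opensm block earlier in the same hunk, which already gains `permissive opensm_t;`; one of the two should be dropped.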
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index e982721..760f6d6 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -5549,7 +5549,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..06129ea 100644
+index 4edc40d..d11b74d 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5636,7 +5636,7 @@ index 4edc40d..06129ea 100644
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
-@@ -96,19 +119,19 @@ network_port(boinc, tcp,31416,s0)
+@@ -96,19 +119,20 @@ network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
network_port(biff) # no defined portcon
network_port(certmaster, tcp,51235,s0)
@@ -5652,6 +5652,7 @@ index 4edc40d..06129ea 100644
network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
network_port(comsat, udp,512,s0)
network_port(condor, tcp,9618,s0, udp,9618,s0)
++network_port(conman, tcp,7890,s0, udp,7890,s0)
network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
@@ -5659,7 +5660,7 @@ index 4edc40d..06129ea 100644
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -119,19 +142,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+@@ -119,19 +143,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
@@ -5688,7 +5689,7 @@ index 4edc40d..06129ea 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +169,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +170,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5755,7 +5756,7 @@ index 4edc40d..06129ea 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +222,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +223,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5794,7 +5795,7 @@ index 4edc40d..06129ea 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -214,38 +259,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +260,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5847,7 +5848,7 @@ index 4edc40d..06129ea 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +309,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +310,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -5858,7 +5859,7 @@ index 4edc40d..06129ea 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
-@@ -268,10 +321,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +322,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5871,7 +5872,7 @@ index 4edc40d..06129ea 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -285,19 +338,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -285,19 +339,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -5898,7 +5899,7 @@ index 4edc40d..06129ea 100644
########################################
#
-@@ -330,6 +387,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +388,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5907,7 +5908,7 @@ index 4edc40d..06129ea 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -342,9 +401,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +402,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -5963,7 +5964,7 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..e4d61f5 100644
+index b31c054..53df7ae 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -6030,7 +6031,16 @@ index b31c054..e4d61f5 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -198,12 +208,22 @@ ifdef(`distro_debian',`
+@@ -172,6 +182,8 @@ ifdef(`distro_suse', `
+ /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
+
++/dev/uhid -c gen_context(system_u:object_r:uhid_device_t,s0)
++
+ /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+@@ -198,12 +210,22 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -6056,7 +6066,7 @@ index b31c054..e4d61f5 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..b708d28 100644
+index 76f285e..9f56be1 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6473,122 +6483,85 @@ index 76f285e..b708d28 100644
#######################################
##
## Set the attributes of the dlm control devices.
-@@ -2402,7 +2605,7 @@ interface(`dev_filetrans_lirc',`
+@@ -1883,6 +2086,25 @@ interface(`dev_rw_dri',`
########################################
##
--## Get the attributes of the lvm comtrol device.
-+## Get the attributes of the loop comtrol device.
- ##
- ##
- ##
-@@ -2410,17 +2613,17 @@ interface(`dev_filetrans_lirc',`
- ##
- ##
- #
--interface(`dev_getattr_lvm_control',`
-+interface(`dev_getattr_loop_control',`
- gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, lvm_control_t)
-+ getattr_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
-
- ########################################
- ##
--## Read the lvm comtrol device.
-+## Read the loop comtrol device.
++## Read and write the dri devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_inherited_dri',`
++ gen_require(`
++ type device_t, dri_device_t;
++ ')
++
++ allow $1 device_t:dir search_dir_perms;
++ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
+ ## Dontaudit read and write on the dri devices.
##
##
- ##
-@@ -2428,17 +2631,17 @@ interface(`dev_getattr_lvm_control',`
- ##
- ##
- #
--interface(`dev_read_lvm_control',`
-+interface(`dev_read_loop_control',`
- gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, lvm_control_t)
-+ read_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
+@@ -2017,7 +2239,7 @@ interface(`dev_rw_input_dev',`
########################################
##
--## Read and write the lvm control device.
-+## Read and write the loop control device.
+-## Get the attributes of the framebuffer device node.
++## Read input event devices (/dev/input).
##
##
##
-@@ -2446,17 +2649,17 @@ interface(`dev_read_lvm_control',`
+@@ -2025,17 +2247,19 @@ interface(`dev_rw_input_dev',`
##
##
#
--interface(`dev_rw_lvm_control',`
-+interface(`dev_rw_loop_control',`
+-interface(`dev_getattr_framebuffer_dev',`
++interface(`dev_rw_inherited_input_dev',`
gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
+- type device_t, framebuf_device_t;
++ type device_t, event_device_t;
')
-- rw_chr_files_pattern($1, device_t, lvm_control_t)
-+ rw_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and write lvm control device.
-+## Do not audit attempts to read and write loop control device.
- ##
- ##
- ##
-@@ -2464,17 +2667,17 @@ interface(`dev_rw_lvm_control',`
- ##
- ##
- #
--interface(`dev_dontaudit_rw_lvm_control',`
-+interface(`dev_dontaudit_rw_loop_control',`
- gen_require(`
-- type lvm_control_t;
-+ type loop_control_device_t;
- ')
-
-- dontaudit $1 lvm_control_t:chr_file rw_file_perms;
-+ dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
+- getattr_chr_files_pattern($1, device_t, framebuf_device_t)
++ allow $1 device_t:dir search_dir_perms;
++ allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
')
++
########################################
##
--## Delete the lvm control device.
-+## Delete the loop control device.
+-## Set the attributes of the framebuffer device node.
++## Read ipmi devices.
##
##
##
-@@ -2482,35 +2685,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
+@@ -2043,36 +2267,35 @@ interface(`dev_getattr_framebuffer_dev',`
##
##
#
--interface(`dev_delete_lvm_control_dev',`
-+interface(`dev_delete_loop_control_dev',`
+-interface(`dev_setattr_framebuffer_dev',`
++interface(`dev_read_ipmi_dev',`
gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
+- type device_t, framebuf_device_t;
++ type device_t, ipmi_device_t;
')
-- delete_chr_files_pattern($1, device_t, lvm_control_t)
-+ delete_chr_files_pattern($1, device_t, loop_control_device_t)
+- setattr_chr_files_pattern($1, device_t, framebuf_device_t)
++ read_chr_files_pattern($1, device_t, ipmi_device_t)
')
########################################
##
--## dontaudit getattr raw memory devices (e.g. /dev/mem).
-+## Get the attributes of the loop comtrol device.
+-## Dot not audit attempts to set the attributes
+-## of the framebuffer device node.
++## Read and write ipmi devices.
##
##
##
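Review bot: The summary of the new `dev_rw_inherited_input_dev` still reads `## Read input event devices (/dev/input).`, text left over from the getattr_framebuffer block it displaces, while the body grants `rw_inherited_chr_file_perms` on `event_device_t`; it should read `## Read and write inherited input event devices (/dev/input).`. Likewise `dev_rw_inherited_dri` is summarised as `## Read and write the dri devices.`, indistinguishable from the existing `dev_rw_dri`; `## Read and write inherited dri device file descriptors.` would make the distinction visible. Judging by the permission set name, the inherited variants presumably do not allow `open`, so a reader choosing between them needs the summary to say the descriptor must already be held (for example passed in by the TakeDevice API the description mentions).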
@@ -6597,46 +6570,41 @@ index 76f285e..b708d28 100644
##
##
#
--interface(`dev_dontaudit_getattr_memory_dev',`
-+interface(`dev_getattr_lvm_control',`
+-interface(`dev_dontaudit_setattr_framebuffer_dev',`
++interface(`dev_rw_ipmi_dev',`
gen_require(`
-- type memory_device_t;
-+ type device_t, lvm_control_t;
+- type framebuf_device_t;
++ type device_t, ipmi_device_t;
')
-- dontaudit $1 memory_device_t:chr_file getattr;
-+ getattr_chr_files_pattern($1, device_t, lvm_control_t)
+- dontaudit $1 framebuf_device_t:chr_file setattr;
++ rw_chr_files_pattern($1, device_t, ipmi_device_t)
')
########################################
##
--## Read raw memory devices (e.g. /dev/mem).
-+## Read the lvm comtrol device.
+-## Read the framebuffer.
++## Get the attributes of the framebuffer device node.
##
##
##
-@@ -2518,16 +2721,106 @@ interface(`dev_dontaudit_getattr_memory_dev',`
+@@ -2080,9 +2303,64 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',`
##
##
#
--interface(`dev_read_raw_memory',`
-+interface(`dev_read_lvm_control',`
+-interface(`dev_read_framebuffer',`
++interface(`dev_getattr_framebuffer_dev',`
gen_require(`
-- type device_t, memory_device_t;
-- attribute memory_raw_read;
-+ type device_t, lvm_control_t;
- ')
-
-- read_chr_files_pattern($1, device_t, memory_device_t)
--
-- allow $1 self:capability sys_rawio;
-- typeattribute $1 memory_raw_read;
-+ read_chr_files_pattern($1, device_t, lvm_control_t)
+- type framebuf_device_t;
++ type device_t, framebuf_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, framebuf_device_t)
+')
+
+########################################
+##
-+## Read and write the lvm control device.
++## Set the attributes of the framebuffer device node.
+##
+##
+##
@@ -6644,17 +6612,18 @@ index 76f285e..b708d28 100644
+##
+##
+#
-+interface(`dev_rw_lvm_control',`
++interface(`dev_setattr_framebuffer_dev',`
+ gen_require(`
-+ type device_t, lvm_control_t;
++ type device_t, framebuf_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, lvm_control_t)
++ setattr_chr_files_pattern($1, device_t, framebuf_device_t)
+')
+
+########################################
+##
-+## Do not audit attempts to read and write lvm control device.
++## Dot not audit attempts to set the attributes
++## of the framebuffer device node.
+##
+##
+##
@@ -6662,17 +6631,17 @@ index 76f285e..b708d28 100644
+##
+##
+#
-+interface(`dev_dontaudit_rw_lvm_control',`
++interface(`dev_dontaudit_setattr_framebuffer_dev',`
+ gen_require(`
-+ type lvm_control_t;
++ type framebuf_device_t;
+ ')
+
-+ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
++ dontaudit $1 framebuf_device_t:chr_file setattr;
+')
+
+########################################
+##
-+## Delete the lvm control device.
++## Read the framebuffer.
+##
+##
+##
@@ -6680,17 +6649,72 @@ index 76f285e..b708d28 100644
+##
+##
+#
-+interface(`dev_delete_lvm_control_dev',`
++interface(`dev_read_framebuffer',`
+ gen_require(`
-+ type device_t, lvm_control_t;
++ type framebuf_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, framebuf_device_t)
+@@ -2402,7 +2680,97 @@ interface(`dev_filetrans_lirc',`
+
+ ########################################
+ ##
+-## Get the attributes of the lvm comtrol device.
++## Get the attributes of the loop comtrol device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_loop_control',`
++ gen_require(`
++ type device_t, loop_control_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++##
++## Read the loop comtrol device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_loop_control',`
++ gen_require(`
++ type device_t, loop_control_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++##
++## Read and write the loop control device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_loop_control',`
++ gen_require(`
++ type device_t, loop_control_device_t;
+ ')
+
-+ delete_chr_files_pattern($1, device_t, lvm_control_t)
++ rw_chr_files_pattern($1, device_t, loop_control_device_t)
+')
+
+########################################
+##
-+## dontaudit getattr raw memory devices (e.g. /dev/mem).
++## Do not audit attempts to read and write loop control device.
+##
+##
+##
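Review bot: The re-added `dev_read_framebuffer` declares only `type framebuf_device_t;` in its gen_require, yet its body (the context line that follows) calls `read_chr_files_pattern($1, device_t, framebuf_device_t)`; the sibling `dev_getattr_framebuffer_dev` in the preceding hunk was changed to require `type device_t, framebuf_device_t;`, and the same line belongs here, otherwise a module using this interface may fail to build with device_t out of scope (the upstream text had the same omission, so this is carried over rather than introduced). The new loop-control summaries also repeat the upstream spelling error: `## Get the attributes of the loop comtrol device.` and `## Read the loop comtrol device.` should say `control`, and the same word recurs in the next hunk.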
@@ -6698,17 +6722,17 @@ index 76f285e..b708d28 100644
+##
+##
+#
-+interface(`dev_dontaudit_getattr_memory_dev',`
++interface(`dev_dontaudit_rw_loop_control',`
+ gen_require(`
-+ type memory_device_t;
++ type loop_control_device_t;
+ ')
+
-+ dontaudit $1 memory_device_t:chr_file getattr;
++ dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
-+## Read raw memory devices (e.g. /dev/mem).
++## Delete the loop control device.
+##
+##
+##
@@ -6716,20 +6740,21 @@ index 76f285e..b708d28 100644
+##
+##
+#
-+interface(`dev_read_raw_memory',`
++interface(`dev_delete_loop_control_dev',`
+ gen_require(`
-+ type device_t, memory_device_t;
-+ attribute memory_raw_read;
++ type device_t, loop_control_device_t;
+ ')
+
-+ read_chr_files_pattern($1, device_t, memory_device_t)
++ delete_chr_files_pattern($1, device_t, loop_control_device_t)
++')
+
-+ allow $1 self:capability sys_rawio;
-+ typeattribute $1 memory_raw_read;
- ')
-
- ########################################
-@@ -2725,7 +3018,7 @@ interface(`dev_write_misc',`
++########################################
++##
++## Get the attributes of the loop comtrol device.
+ ##
+ ##
+ ##
+@@ -2725,7 +3093,7 @@ interface(`dev_write_misc',`
##
##
##
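Review bot: The header re-added at the end of this hunk, `## Get the attributes of the loop comtrol device.`, sits directly above the context lines that lead into the unchanged lvm interface (the interface itself is outside the hunk, but the refpolicy line this inner hunk replaces described the lvm control device, and the old Fedora patch renamed `dev_getattr_lvm_control` at that spot), so `dev_getattr_lvm_control` is now documented as a loop-control interface. It should read `## Get the attributes of the lvm control device.`, which also fixes the spelling. The loop-control interfaces inserted above it keep their own, correctly named summaries.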
@@ -6738,7 +6763,7 @@ index 76f285e..b708d28 100644
##
##
#
-@@ -2903,20 +3196,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3271,20 @@ interface(`dev_getattr_mtrr_dev',`
########################################
##
@@ -6763,7 +6788,7 @@ index 76f285e..b708d28 100644
##
##
##
-@@ -2925,43 +3218,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3293,34 @@ interface(`dev_getattr_mtrr_dev',`
##
##
#
@@ -6819,7 +6844,7 @@ index 76f285e..b708d28 100644
## range registers (MTRR).
##
##
-@@ -2970,13 +3254,13 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3329,13 @@ interface(`dev_write_mtrr',`
##
##
#
@@ -6836,7 +6861,7 @@ index 76f285e..b708d28 100644
')
########################################
-@@ -3144,6 +3428,42 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3503,42 @@ interface(`dev_create_null_dev',`
########################################
##
@@ -6879,7 +6904,7 @@ index 76f285e..b708d28 100644
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
##
-@@ -3163,6 +3483,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3558,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
########################################
##
@@ -6904,7 +6929,7 @@ index 76f285e..b708d28 100644
## Read and write BIOS non-volatile RAM.
##
##
-@@ -3254,7 +3592,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3667,25 @@ interface(`dev_rw_printer',`
########################################
##
@@ -6931,7 +6956,7 @@ index 76f285e..b708d28 100644
##
##
##
-@@ -3262,12 +3618,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3693,13 @@ interface(`dev_rw_printer',`
##
##
#
@@ -6948,7 +6973,7 @@ index 76f285e..b708d28 100644
')
########################################
-@@ -3399,7 +3756,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +3831,7 @@ interface(`dev_dontaudit_read_rand',`
########################################
##
@@ -6957,7 +6982,7 @@ index 76f285e..b708d28 100644
## number generator devices (e.g., /dev/random)
##
##
-@@ -3413,7 +3770,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +3845,7 @@ interface(`dev_dontaudit_append_rand',`
type random_device_t;
')
@@ -6966,7 +6991,7 @@ index 76f285e..b708d28 100644
')
########################################
-@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4287,7 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
##
@@ -6975,7 +7000,7 @@ index 76f285e..b708d28 100644
##
##
##
-@@ -3863,53 +4220,53 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,53 +4295,53 @@ interface(`dev_getattr_sysfs_dirs',`
##
##
#
@@ -7040,7 +7065,7 @@ index 76f285e..b708d28 100644
##
##
##
-@@ -3917,37 +4274,35 @@ interface(`dev_list_sysfs',`
+@@ -3917,37 +4349,35 @@ interface(`dev_list_sysfs',`
##
##
#
@@ -7085,7 +7110,7 @@ index 76f285e..b708d28 100644
##
##
##
-@@ -3955,47 +4310,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,26 +4385,145 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
##
##
#
@@ -7103,91 +7128,63 @@ index 76f285e..b708d28 100644
##
-## Read hardware state information.
+## Do not audit attempts to search sysfs.
- ##
--##
--##
--## Allow the specified domain to read the contents of
--## the sysfs filesystem. This filesystem contains
--## information, parameters, and other settings on the
--## hardware installed on the system.
--##
--##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`dev_read_sysfs',`
++##
++##
++#
+interface(`dev_dontaudit_search_sysfs',`
- gen_require(`
- type sysfs_t;
- ')
-
-- read_files_pattern($1, sysfs_t, sysfs_t)
-- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
--
-- list_dirs_pattern($1, sysfs_t, sysfs_t)
++ gen_require(`
++ type sysfs_t;
++ ')
++
+ dontaudit $1 sysfs_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Allow caller to modify hardware state information.
++')
++
++########################################
++##
+## List the contents of the sysfs directories.
- ##
- ##
- ##
-@@ -4003,20 +4346,18 @@ interface(`dev_read_sysfs',`
- ##
- ##
- #
--interface(`dev_rw_sysfs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`dev_list_sysfs',`
- gen_require(`
- type sysfs_t;
- ')
-
-- rw_files_pattern($1, sysfs_t, sysfs_t)
- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
--
- list_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
-
- ########################################
- ##
--## Read and write the TPM device.
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
+## Write in a sysfs directories.
- ##
- ##
- ##
-@@ -4024,22 +4365,211 @@ interface(`dev_rw_sysfs',`
- ##
- ##
- #
--interface(`dev_rw_tpm',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+# cjp: added for cpuspeed
+interface(`dev_write_sysfs_dirs',`
- gen_require(`
-- type device_t, tpm_device_t;
++ gen_require(`
+ type sysfs_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, tpm_device_t)
++ ')
++
+ allow $1 sysfs_t:dir write;
- ')
-
- ########################################
- ##
--## Read from pseudo random number generator devices (e.g., /dev/urandom).
++')
++
++########################################
++##
+## Do not audit attempts to write in a sysfs directory.
- ##
--##
--##
--## Allow the specified domain to read from pseudo random number
--## generator devices (e.g., /dev/urandom). Typically this is
++##
+##
+##
+## Domain to not audit.
@@ -7229,7 +7226,15 @@ index 76f285e..b708d28 100644
+########################################
+##
+## Relabel cpu online hardware state information.
-+##
+ ##
+-##
+-##
+-## Allow the specified domain to read the contents of
+-## the sysfs filesystem. This filesystem contains
+-## information, parameters, and other settings on the
+-## hardware installed on the system.
+-##
+-##
+##
+##
+## Domain allowed access.
@@ -7259,47 +7264,13 @@ index 76f285e..b708d28 100644
+## hardware installed on the system.
+##
+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`dev_read_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ read_files_pattern($1, sysfs_t, sysfs_t)
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+
-+ list_dirs_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to modify hardware state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ rw_files_pattern($1, sysfs_t, sysfs_t)
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+
-+ list_dirs_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+##
+ ##
+ ##
+ ## Domain allowed access.
+@@ -4016,6 +4565,62 @@ interface(`dev_rw_sysfs',`
+
+ ########################################
+ ##
+## Relabel hardware state directories.
+##
+##
@@ -7356,34 +7327,10 @@ index 76f285e..b708d28 100644
+
+########################################
+##
-+## Read and write the TPM device.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_tpm',`
-+ gen_require(`
-+ type device_t, tpm_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, tpm_device_t)
-+')
-+
-+########################################
-+##
-+## Read from pseudo random number generator devices (e.g., /dev/urandom).
-+##
-+##
-+##
-+## Allow the specified domain to read from pseudo random number
-+## generator devices (e.g., /dev/urandom). Typically this is
- ## used in situations when a cryptographically secure random
- ## number is not necessarily needed. One example is the Stack
- ## Smashing Protector (SSP, formerly known as ProPolice) support
-@@ -4113,6 +4643,25 @@ interface(`dev_write_urand',`
+ ## Read and write the TPM device.
+ ##
+ ##
+@@ -4113,6 +4718,25 @@ interface(`dev_write_urand',`
########################################
##
@@ -7409,7 +7356,7 @@ index 76f285e..b708d28 100644
## Getattr generic the USB devices.
##
##
-@@ -4409,9 +4958,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +5033,9 @@ interface(`dev_rw_usbfs',`
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')
@@ -7421,7 +7368,7 @@ index 76f285e..b708d28 100644
##
##
##
-@@ -4419,17 +4968,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5043,17 @@ interface(`dev_rw_usbfs',`
##
##
#
@@ -7444,7 +7391,7 @@ index 76f285e..b708d28 100644
##
##
##
-@@ -4437,12 +4986,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5061,12 @@ interface(`dev_getattr_video_dev',`
##
##
#
@@ -7460,7 +7407,7 @@ index 76f285e..b708d28 100644
')
########################################
-@@ -4539,6 +5088,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5163,134 @@ interface(`dev_write_video_dev',`
########################################
##
@@ -7595,7 +7542,7 @@ index 76f285e..b708d28 100644
## Allow read/write the vhost net device
##
##
-@@ -4557,6 +5234,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5309,24 @@ interface(`dev_rw_vhost',`
########################################
##
@@ -7620,7 +7567,7 @@ index 76f285e..b708d28 100644
## Read and write VMWare devices.
##
##
-@@ -4762,6 +5457,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5532,26 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -7647,7 +7594,7 @@ index 76f285e..b708d28 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5566,943 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5641,945 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -7798,6 +7745,7 @@ index 76f285e..b708d28 100644
+gen_require(`
+ type device_t;
+ type usb_device_t;
++ type uhid_device_t;
+ type sound_device_t;
+ type apm_bios_t;
+ type mouse_device_t;
@@ -8524,6 +8472,7 @@ index 76f285e..b708d28 100644
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
++ filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")
+ dev_filetrans_xserver_named_dev($1)
+')
+
@@ -8592,7 +8541,7 @@ index 76f285e..b708d28 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 6529bd9..831344c 100644
+index 6529bd9..b31a5e8 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -8658,17 +8607,23 @@ index 6529bd9..831344c 100644
#
# Type for /dev/tpm
#
-@@ -266,6 +275,9 @@ dev_node(usbmon_device_t)
+@@ -266,6 +275,15 @@ dev_node(usbmon_device_t)
type userio_device_t;
dev_node(userio_device_t)
++#
++# uhid_device_t is the type for /dev/uhid
++#
++type uhid_device_t;
++dev_node(uhid_device_t)
++
+type vfio_device_t;
+dev_node(vfio_device_t)
+
type v4l_device_t;
dev_node(v4l_device_t)
-@@ -274,6 +286,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +292,7 @@ dev_node(v4l_device_t)
#
type vhost_device_t;
dev_node(vhost_device_t)
@@ -8676,7 +8631,7 @@ index 6529bd9..831344c 100644
# Type for vmware devices.
type vmware_device_t;
-@@ -319,5 +332,5 @@ files_associate_tmp(device_node)
+@@ -319,5 +338,5 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -8892,7 +8847,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..369ddc2 100644
+index cf04cb5..7e91ba9 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -9029,7 +8984,7 @@ index cf04cb5..369ddc2 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,306 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9061,6 +9016,10 @@ index cf04cb5..369ddc2 100644
+ seutil_filetrans_named_content(named_filetrans_domain)
+')
+
++optional_policy(`
++ wine_filetrans_named_content(named_filetrans_domain)
++')
++
+storage_filetrans_all_named_dev(named_filetrans_domain)
+
+term_filetrans_all_named_dev(named_filetrans_domain)
@@ -14372,7 +14331,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..d47750f 100644
+index 649e458..646d467 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -14384,6 +14343,16 @@ index 649e458..d47750f 100644
')
########################################
+@@ -762,8 +762,8 @@ interface(`kernel_manage_debugfs',`
+ ')
+
+ manage_files_pattern($1, debugfs_t, debugfs_t)
++ manage_dirs_pattern($1,debugfs_t, debugfs_t)
+ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+- list_dirs_pattern($1, debugfs_t, debugfs_t)
+ ')
+
+ ########################################
@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
########################################
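Review bot: The added `manage_dirs_pattern($1,debugfs_t, debugfs_t)` is missing the space after the first comma that every neighbouring pattern call in kernel_manage_debugfs has; `manage_dirs_pattern($1, debugfs_t, debugfs_t)` keeps the file's style. Replacing list_dirs_pattern is consistent, since the manage pattern already carries the listing permissions. The interface's opening lines are outside the hunk.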
@@ -14450,7 +14419,33 @@ index 649e458..d47750f 100644
')
########################################
-@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1025,6 +1058,25 @@ interface(`kernel_write_proc_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to check the
++## access on generic proc entries.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kernel_dontaudit_access_check_proc',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ dontaudit $1 proc_t:dir_file_class_set audit_access;
++')
++
++########################################
++##
+ ## Do not audit attempts by caller to
+ ## read system state information in proc.
+ ##
+@@ -1477,6 +1529,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
##
@@ -14475,7 +14470,7 @@ index 649e458..d47750f 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
##
-@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2155,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -14484,7 +14479,7 @@ index 649e458..d47750f 100644
')
########################################
-@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2352,25 @@ interface(`kernel_list_unlabeled',`
########################################
##
@@ -14510,7 +14505,7 @@ index 649e458..d47750f 100644
## Read the process state (/proc/pid) of all unlabeled_t.
##
##
-@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2395,7 @@ interface(`kernel_read_unlabeled_state',`
##
##
##
@@ -14519,7 +14514,7 @@ index 649e458..d47750f 100644
##
##
#
-@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2577,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
@@ -14544,7 +14539,7 @@ index 649e458..d47750f 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
-@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2632,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
##
@@ -14569,7 +14564,7 @@ index 649e458..d47750f 100644
## Allow caller to relabel unlabeled files.
##
##
-@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2757,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -14578,7 +14573,7 @@ index 649e458..d47750f 100644
')
########################################
-@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2795,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
@@ -14603,7 +14598,7 @@ index 649e458..d47750f 100644
## Receive TCP packets from an unlabeled connection.
##
##
-@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2840,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -14629,7 +14624,7 @@ index 649e458..d47750f 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +2968,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -14663,7 +14658,7 @@ index 649e458..d47750f 100644
########################################
##
-@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3150,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -14688,7 +14683,7 @@ index 649e458..d47750f 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3182,300 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -30883,7 +30878,7 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..5edc27b 100644
+index c04ac46..4f4ee1d 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -31007,7 +31002,16 @@ index c04ac46..5edc27b 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -215,37 +211,57 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -202,7 +198,7 @@ optional_policy(`
+ # Sulogin local policy
+ #
+
+-allow sulogin_t self:capability dac_override;
++allow sulogin_t self:capability { dac_override sys_admin };
+ allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow sulogin_t self:fd use;
+ allow sulogin_t self:fifo_file rw_fifo_file_perms;
+@@ -215,18 +211,27 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
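Review bot: `allow sulogin_t self:capability { dac_override sys_admin };` hands sulogin_t CAP_SYS_ADMIN, which covers far more than the initctl attribute access the commit message names, and nothing in the hunk records which operation actually needed it. A comment above the line naming the denial it resolves, e.g. `# sys_admin: needed for <operation from the AVC, to be filled in>`, would let a later reader judge whether a narrower permission or a dontaudit would do. The Sulogin local policy block continues outside the hunk.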
@@ -31031,12 +31035,11 @@ index c04ac46..5edc27b 100644
init_getpgid_script(sulogin_t)
+init_getpgid(sulogin_t)
++init_getattr_initctl(sulogin_t)
logging_send_syslog_msg(sulogin_t)
-+
- seutil_read_config(sulogin_t)
- seutil_read_default_contexts(sulogin_t)
+@@ -235,17 +240,28 @@ seutil_read_default_contexts(sulogin_t)
userdom_use_unpriv_users_fds(sulogin_t)
@@ -37842,10 +37845,10 @@ index 0000000..35b4178
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..a88f6e2
+index 0000000..c31945a
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,651 @@
+@@ -0,0 +1,652 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -37956,6 +37959,7 @@ index 0000000..a88f6e2
+dev_getattr_all_blk_files(systemd_logind_t)
+dev_rw_sysfs(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
++dev_rw_inherited_dri(systemd_logind_t)
+dev_setattr_all_chr_files(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_generic_usb_dev(systemd_logind_t)
@@ -39880,7 +39884,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..662bac5 100644
+index 3c5dba7..5b45016 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40850,7 +40854,7 @@ index 3c5dba7..662bac5 100644
userdom_change_password_template($1)
-@@ -761,82 +984,101 @@ template(`userdom_login_user_template', `
+@@ -761,83 +984,107 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -40956,39 +40960,45 @@ index 3c5dba7..662bac5 100644
+ kerberos_use($1_usertype)
+ init_write_key($1_usertype)
+ ')
++
++ optional_policy(`
++ mysql_filetrans_named_content($1_usertype)
++ ')
optional_policy(`
- cups_read_config($1_t)
- cups_stream_connect($1_t)
- cups_stream_connect_ptal($1_t)
-+ mysql_filetrans_named_content($1_usertype)
++ mta_dontaudit_read_spool_symlinks($1_usertype)
')
optional_policy(`
- kerberos_use($1_t)
-+ mta_dontaudit_read_spool_symlinks($1_usertype)
++ quota_dontaudit_getattr_db($1_usertype)
')
optional_policy(`
- mta_dontaudit_read_spool_symlinks($1_t)
-+ quota_dontaudit_getattr_db($1_usertype)
++ rpm_read_db($1_usertype)
++ rpm_dontaudit_manage_db($1_usertype)
++ rpm_read_cache($1_usertype)
')
optional_policy(`
- quota_dontaudit_getattr_db($1_t)
-+ rpm_read_db($1_usertype)
-+ rpm_dontaudit_manage_db($1_usertype)
-+ rpm_read_cache($1_usertype)
++ oddjob_run_mkhomedir($1_t, $1_r)
')
optional_policy(`
- rpm_read_db($1_t)
- rpm_dontaudit_manage_db($1_t)
-+ oddjob_run_mkhomedir($1_t, $1_r)
++ wine_filetrans_named_content($1_usertype)
')
++
')
-@@ -868,6 +1110,12 @@ template(`userdom_restricted_user_template',`
+ #######################################
+@@ -868,6 +1115,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -41001,7 +41011,7 @@ index 3c5dba7..662bac5 100644
##############################
#
# Local policy
-@@ -907,42 +1155,99 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1160,99 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -41081,66 +41091,71 @@ index 3c5dba7..662bac5 100644
+ abrt_dbus_chat($1_usertype)
+ abrt_run_helper($1_usertype, $1_r)
+ ')
-+
-+ optional_policy(`
-+ accountsd_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ consolekit_dontaudit_read_log($1_usertype)
-+ consolekit_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ cups_dbus_chat($1_usertype)
-+ cups_dbus_chat_config($1_usertype)
-+ ')
optional_policy(`
- consolekit_dbus_chat($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
++ accountsd_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat($1_t)
-+ fprintd_dbus_chat($1_t)
++ consolekit_dontaudit_read_log($1_usertype)
++ consolekit_dbus_chat($1_usertype)
')
optional_policy(`
- gnome_role_template($1, $1_r, $1_t)
++ cups_dbus_chat($1_usertype)
++ cups_dbus_chat_config($1_usertype)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ ')
++
++ optional_policy(`
++ fprintd_dbus_chat($1_t)
++ ')
++
++ optional_policy(`
+ realmd_dbus_chat($1_t)
')
optional_policy(`
-@@ -951,15 +1256,36 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,19 +1261,40 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
- java_role($1_r, $1_t)
+ policykit_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- setroubleshoot_dontaudit_stream_connect($1_t)
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
-+ ')
-+
+ ')
+-')
+
+-#######################################
+-##
+-## The template for creating a unprivileged user roughly
+-## equivalent to a regular linux user.
+-##
+ optional_policy(`
+ rtkit_scheduled($1_usertype)
+ ')
+
+ optional_policy(`
+ systemd_filetrans_home_content($1_usertype)
- ')
-
- optional_policy(`
- setroubleshoot_dontaudit_stream_connect($1_t)
- ')
--')
-
--#######################################
++ ')
++
++ optional_policy(`
++ setroubleshoot_dontaudit_stream_connect($1_t)
++ ')
++
+ optional_policy(`
+ udev_read_db($1_usertype)
+ ')
@@ -41151,10 +41166,14 @@ index 3c5dba7..662bac5 100644
+')
+
+#######################################
- ##
++##
++## The template for creating a unprivileged user roughly
++## equivalent to a regular linux user.
++##
+ ##
+ ##
## The template for creating a unprivileged user roughly
- ## equivalent to a regular linux user.
-@@ -990,27 +1316,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1321,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
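Review bot: In the regrouped optional_policy blocks, `fprintd_dbus_chat($1_t)`, `realmd_dbus_chat($1_t)` and `setroubleshoot_dontaudit_stream_connect($1_t)` still take `$1_t` while every other call in the hunk was moved to `$1_usertype`. If the mix is intended (type versus attribute), a one-line comment saying so would stop the next cleanup from "fixing" it; otherwise they should be switched with the rest. The template starts and ends outside the hunk.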
@@ -41192,7 +41211,7 @@ index 3c5dba7..662bac5 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1021,23 +1353,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1358,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -41218,9 +41237,11 @@ index 3c5dba7..662bac5 100644
+
+ tunable_policy(`selinuxuser_tcp_server',`
+ corenet_tcp_bind_all_unreserved_ports($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ cdrecord_role($1_r, $1_t)
+ ')
+
@@ -41253,17 +41274,15 @@ index 3c5dba7..662bac5 100644
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1046,7 +1415,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1420,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -41274,7 +41293,7 @@ index 3c5dba7..662bac5 100644
')
')
-@@ -1082,7 +1453,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1458,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -41285,7 +41304,7 @@ index 3c5dba7..662bac5 100644
')
##############################
-@@ -1098,6 +1471,7 @@ template(`userdom_admin_user_template',`
+@@ -1098,6 +1476,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -41293,7 +41312,7 @@ index 3c5dba7..662bac5 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1109,6 +1483,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1488,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -41301,7 +41320,7 @@ index 3c5dba7..662bac5 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1117,6 +1492,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1497,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -41311,7 +41330,7 @@ index 3c5dba7..662bac5 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1514,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -41319,7 +41338,7 @@ index 3c5dba7..662bac5 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1532,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -41334,7 +41353,7 @@ index 3c5dba7..662bac5 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1550,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -41377,7 +41396,7 @@ index 3c5dba7..662bac5 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1591,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -41386,7 +41405,7 @@ index 3c5dba7..662bac5 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1600,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -41405,7 +41424,7 @@ index 3c5dba7..662bac5 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',`
+@@ -1243,7 +1646,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -41414,7 +41433,7 @@ index 3c5dba7..662bac5 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1656,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -41423,7 +41442,7 @@ index 3c5dba7..662bac5 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1265,8 +1665,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1670,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -41435,7 +41454,7 @@ index 3c5dba7..662bac5 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,29 +1679,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1684,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -41478,7 +41497,7 @@ index 3c5dba7..662bac5 100644
')
optional_policy(`
-@@ -1360,14 +1764,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1769,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -41497,7 +41516,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -1408,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1820,51 @@ interface(`userdom_user_tmpfs_file',`
##
## Allow domain to attach to TUN devices created by administrative users.
##
@@ -41549,7 +41568,7 @@ index 3c5dba7..662bac5 100644
##
##
## Domain allowed access.
-@@ -1512,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1969,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -41581,7 +41600,7 @@ index 3c5dba7..662bac5 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1558,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +2035,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -41596,7 +41615,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -1573,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2058,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -41608,7 +41627,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -1632,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2119,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -41651,7 +41670,7 @@ index 3c5dba7..662bac5 100644
########################################
##
## Create directories in the home dir root with
-@@ -1711,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2234,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -41660,7 +41679,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -1744,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2269,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -41675,7 +41694,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -1772,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2299,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -41702,7 +41721,7 @@ index 3c5dba7..662bac5 100644
##
##
##
-@@ -1782,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,53 +2327,70 @@ interface(`userdom_manage_user_home_content_dirs',`
#
interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
@@ -41785,7 +41804,7 @@ index 3c5dba7..662bac5 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1848,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2410,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -41811,7 +41830,7 @@ index 3c5dba7..662bac5 100644
## Mmap user home files.
##
##
-@@ -1878,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,15 +2459,18 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -41827,188 +41846,144 @@ index 3c5dba7..662bac5 100644
########################################
##
+-## Do not audit attempts to read user home files.
+## Do not audit attempts to getattr user home files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_getattr_user_home_content',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ dontaudit $1 user_home_type:dir getattr;
-+ dontaudit $1 user_home_type:file getattr;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read user home files.
##
##
-@@ -1896,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',`
+ ##
+@@ -1894,18 +2478,18 @@ interface(`userdom_read_user_home_content_files',`
+ ##
+ ##
#
- interface(`userdom_dontaudit_read_user_home_content_files',`
+-interface(`userdom_dontaudit_read_user_home_content_files',`
++interface(`userdom_dontaudit_getattr_user_home_content',`
gen_require(`
- type user_home_t;
+ attribute user_home_type;
-+ type user_home_dir_t;
')
- dontaudit $1 user_home_t:dir list_dir_perms;
- dontaudit $1 user_home_t:file read_file_perms;
-+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
-+ dontaudit $1 user_home_type:dir list_dir_perms;
-+ dontaudit $1 user_home_type:file read_file_perms;
-+ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -1941,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
-
- ########################################
- ##
--## Delete all user home content files.
-+## Delete files in a user home subdirectory.
- ##
- ##
- ##
-@@ -1949,19 +2550,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_delete_all_user_home_content_files',`
-+interface(`userdom_delete_user_home_content_files',`
- gen_require(`
-- attribute user_home_content_type;
-- type user_home_dir_t;
-+ type user_home_t;
- ')
-
-- userdom_search_user_home_content($1)
-- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ allow $1 user_home_t:file delete_file_perms;
++ dontaudit $1 user_home_type:dir getattr;
++ dontaudit $1 user_home_type:file getattr;
')
########################################
##
--## Delete files in a user home subdirectory.
-+## Delete all files in a user home subdirectory.
+-## Do not audit attempts to append user home files.
++## Do not audit attempts to read user home files.
##
##
##
-@@ -1969,35 +2568,35 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1913,17 +2497,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
##
##
#
--interface(`userdom_delete_user_home_content_files',`
-+interface(`userdom_delete_all_user_home_content_files',`
+-interface(`userdom_dontaudit_append_user_home_content_files',`
++interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
- type user_home_t;
+ attribute user_home_type;
++ type user_home_dir_t;
')
-- allow $1 user_home_t:file delete_file_perms;
-+ allow $1 user_home_type:file delete_file_perms;
+- dontaudit $1 user_home_t:file append_file_perms;
++ dontaudit $1 user_home_dir_t:dir list_dir_perms;
++ dontaudit $1 user_home_type:dir list_dir_perms;
++ dontaudit $1 user_home_type:file read_file_perms;
++ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
')
########################################
##
-## Do not audit attempts to write user home files.
-+## Delete sock files in a user home subdirectory.
++## Do not audit attempts to append user home files.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -1931,32 +2519,30 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
##
##
#
--interface(`userdom_dontaudit_relabel_user_home_content_files',`
-+interface(`userdom_delete_user_home_content_sock_files',`
+-interface(`userdom_dontaudit_write_user_home_content_files',`
++interface(`userdom_dontaudit_append_user_home_content_files',`
gen_require(`
type user_home_t;
')
-- dontaudit $1 user_home_t:file relabel_file_perms;
-+ allow $1 user_home_t:sock_file delete_file_perms;
+- dontaudit $1 user_home_t:file write_file_perms;
++ dontaudit $1 user_home_t:file append_file_perms;
')
########################################
##
--## Read user home subdirectory symbolic links.
-+## Delete all sock files in a user home subdirectory.
+-## Delete all user home content files.
++## Do not audit attempts to write user home files.
##
##
##
-@@ -2005,45 +2604,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
--interface(`userdom_read_user_home_content_symlinks',`
-+interface(`userdom_delete_all_user_home_content_sock_files',`
+-interface(`userdom_delete_all_user_home_content_files',`
++interface(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
-- type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
+- attribute user_home_content_type;
+- type user_home_dir_t;
++ type user_home_t;
')
-- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-- files_search_home($1)
-+ allow $1 user_home_type:sock_file delete_file_perms;
+- userdom_search_user_home_content($1)
+- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
++ dontaudit $1 user_home_t:file write_file_perms;
')
########################################
+@@ -1979,11 +2565,83 @@ interface(`userdom_delete_user_home_content_files',`
+
+ ########################################
##
--## Execute user home files.
+-## Do not audit attempts to write user home files.
+## Delete all files in a user home subdirectory.
##
##
##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`userdom_exec_user_home_content_files',`
-+interface(`userdom_delete_all_user_home_content',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
+-## Domain to not audit.
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_home_content_files',`
++ gen_require(`
+ attribute user_home_type;
- ')
-
-- files_search_home($1)
-- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ allow $1 user_home_type:dir_file_class_set delete_file_perms;
++ ')
++
++ allow $1 user_home_type:file delete_file_perms;
+')
-
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_exec_nfs_files($1)
++
+########################################
+##
-+## Do not audit attempts to write user home files.
++## Delete sock files in a user home subdirectory.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`userdom_dontaudit_relabel_user_home_content_files',`
++interface(`userdom_delete_user_home_content_sock_files',`
+ gen_require(`
+ type user_home_t;
- ')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-+ dontaudit $1 user_home_t:file relabel_file_perms;
++ ')
++
++ allow $1 user_home_t:sock_file delete_file_perms;
+')
+
+########################################
+##
-+## Read user home subdirectory symbolic links.
++## Delete all sock files in a user home subdirectory.
+##
+##
+##
@@ -42016,42 +41991,79 @@ index 3c5dba7..662bac5 100644
+##
+##
+#
-+interface(`userdom_read_user_home_content_symlinks',`
++interface(`userdom_delete_all_user_home_content_sock_files',`
+ gen_require(`
-+ type user_home_dir_t, user_home_t;
- ')
++ attribute user_home_type;
++ ')
+
-+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ##
-+## Execute user home files.
++ allow $1 user_home_type:sock_file delete_file_perms;
++')
++
++########################################
++##
++## Delete all files in a user home subdirectory.
+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
+#
-+interface(`userdom_exec_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content',`
+ gen_require(`
-+ type user_home_dir_t;
+ attribute user_home_type;
+ ')
+
-+ files_search_home($1)
-+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ dontaudit $1 user_home_type:sock_file execute;
-+ ')
++ allow $1 user_home_type:dir_file_class_set delete_file_perms;
++')
+
+########################################
+##
++## Do not audit attempts to write user home files.
++##
++##
++##
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -2010,8 +2668,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+ type user_home_dir_t, user_home_t;
+ ')
+
+- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -2027,21 +2684,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+ #
+ interface(`userdom_exec_user_home_content_files',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ type user_home_dir_t;
++ attribute user_home_type;
+ ')
+
+ files_search_home($1)
+- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_exec_nfs_files($1)
++ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ dontaudit $1 user_home_type:sock_file execute;
+ ')
+
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
+ ########################################
+ ##
## Do not audit attempts to execute user home files.
- ##
- ##
-@@ -2123,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2774,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
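Review bot: The reworked `userdom_exec_user_home_content_files` drops the `use_nfs_home_dirs` and `use_samba_home_dirs` tunable blocks that granted fs_exec_nfs_files/fs_exec_cifs_files, so callers lose execute on NFS/CIFS-backed home files unless that moved elsewhere in this series, and exec_files_pattern now targets the whole `user_home_type` attribute rather than `user_home_t`, which the interface summary (outside the hunk) should state. Separately, the new `userdom_delete_all_user_home_content` reuses the summary "Delete all files in a user home subdirectory" already carried by `userdom_delete_all_user_home_content_files`, while its rule `allow $1 user_home_type:dir_file_class_set delete_file_perms;` spans every file class, so `## Delete all user home content of any file class.` would describe it accurately. Note also that delete_file_perms is { getattr unlink }, so on the dir class this does not grant rmdir; if removing directories is intended the interface needs delete_dir_perms on dir as well.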
@@ -42060,7 +42072,7 @@ index 3c5dba7..662bac5 100644
##
##
##
-@@ -2131,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2782,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -42084,7 +42096,7 @@ index 3c5dba7..662bac5 100644
##
##
##
-@@ -2151,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2800,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -42100,7 +42112,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -2393,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +3042,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -42115,7 +42127,7 @@ index 3c5dba7..662bac5 100644
files_search_tmp($1)
')
-@@ -2417,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3066,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -42124,7 +42136,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -2664,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3313,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -42150,7 +42162,7 @@ index 3c5dba7..662bac5 100644
########################################
##
## Read user tmpfs files.
-@@ -2680,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3348,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -42166,7 +42178,7 @@ index 3c5dba7..662bac5 100644
##
##
##
-@@ -2707,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3376,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -42175,7 +42187,7 @@ index 3c5dba7..662bac5 100644
##
##
##
-@@ -2715,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3384,30 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -42210,7 +42222,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -2817,6 +3497,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3502,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -42235,7 +42247,7 @@ index 3c5dba7..662bac5 100644
## Read and write a user domain pty.
##
##
-@@ -2835,22 +3533,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3538,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -42278,7 +42290,7 @@ index 3c5dba7..662bac5 100644
##
##
##
-@@ -2859,14 +3569,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3574,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -42316,7 +42328,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -2885,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3619,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -42346,7 +42358,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -2958,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3711,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -42447,7 +42459,7 @@ index 3c5dba7..662bac5 100644
##
##
##
-@@ -3028,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3780,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -42462,7 +42474,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -3097,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3849,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -42471,7 +42483,7 @@ index 3c5dba7..662bac5 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3865,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -42505,7 +42517,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -3217,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3953,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -42532,7 +42544,7 @@ index 3c5dba7..662bac5 100644
')
########################################
-@@ -3272,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,12 +4026,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -42548,91 +42560,42 @@ index 3c5dba7..662bac5 100644
##
##
##
-@@ -3285,46 +4035,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3285,12 +4040,87 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
-interface(`userdom_dontaudit_use_user_ttys',`
+interface(`userdom_dontaudit_write_user_tmp_files',`
- gen_require(`
-- type user_tty_device_t;
-+ type user_tmp_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+ dontaudit $1 user_tmp_t:file write;
- ')
-
- ########################################
- ##
--## Read the process state of all user domains.
-+## Do not audit attempts to delete users
-+## temporary files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`userdom_read_all_users_state',`
-+interface(`userdom_dontaudit_delete_user_tmp_files',`
- gen_require(`
-- attribute userdomain;
-+ type user_tmp_t;
- ')
-
-- read_files_pattern($1, userdomain, userdomain)
-- kernel_search_proc($1)
-+ dontaudit $1 user_tmp_t:file delete_file_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of all user domains.
-+## Do not audit attempts to read/write users
-+## temporary fifo files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`userdom_getattr_all_users',`
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
- gen_require(`
-- attribute userdomain;
++ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+##
-+## Allow domain to read/write inherited users
-+## fifo files.
++## Do not audit attempts to delete users
++## temporary files.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`userdom_rw_inherited_user_pipes',`
++interface(`userdom_dontaudit_delete_user_tmp_files',`
+ gen_require(`
-+ attribute userdomain;
++ type user_tmp_t;
+ ')
+
-+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 user_tmp_t:file delete_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to use user ttys.
++## Do not audit attempts to read/write users
++## temporary fifo files.
+##
+##
+##
@@ -42640,17 +42603,18 @@ index 3c5dba7..662bac5 100644
+##
+##
+#
-+interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+ gen_require(`
-+ type user_tty_device_t;
++ type user_tmp_t;
+ ')
+
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
-+## Read the process state of all user domains.
++## Allow domain to read/write inherited users
++## fifo files.
+##
+##
+##
@@ -42658,33 +42622,43 @@ index 3c5dba7..662bac5 100644
+##
+##
+#
-+interface(`userdom_read_all_users_state',`
++interface(`userdom_rw_inherited_user_pipes',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
-+ read_files_pattern($1, userdomain, userdomain)
-+ read_lnk_files_pattern($1,userdomain,userdomain)
-+ kernel_search_proc($1)
++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
-+## Get the attributes of all user domains.
++## Do not audit attempts to use user ttys.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`userdom_getattr_all_users',`
-+ gen_require(`
-+ attribute userdomain;
++interface(`userdom_dontaudit_use_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -3309,6 +4139,7 @@ interface(`userdom_read_all_users_state',`
')
- allow $1 userdomain:process getattr;
-@@ -3385,6 +4211,42 @@ interface(`userdom_signal_all_users',`
+ read_files_pattern($1, userdomain, userdomain)
++ read_lnk_files_pattern($1,userdomain,userdomain)
+ kernel_search_proc($1)
+ ')
+
+@@ -3385,6 +4216,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
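Review bot: The added `read_lnk_files_pattern($1,userdomain,userdomain)` in userdom_read_all_users_state drops the spaces after the commas that the neighbouring `read_files_pattern($1, userdomain, userdomain)` and every other pattern call in this file use; write it as `read_lnk_files_pattern($1, userdomain, userdomain)`. Reading symlinks under /proc for all user domains is consistent with the interface's stated purpose, so the only thing to fix is the formatting.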
@@ -42727,7 +42701,7 @@ index 3c5dba7..662bac5 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4267,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4272,24 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -42752,7 +42726,7 @@ index 3c5dba7..662bac5 100644
## Create keys for all user domains.
##
##
-@@ -3438,4 +4318,1646 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4323,1646 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index b63cc7f..42c23c2 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -9728,29 +9728,28 @@ index 41f8251..57f094e 100644
')
diff --git a/bumblebee.fc b/bumblebee.fc
new file mode 100644
-index 0000000..17eea86
+index 0000000..b5ee23b
--- /dev/null
+++ b/bumblebee.fc
@@ -0,0 +1,7 @@
-+/etc/systemd/system/bumblebeed.service -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
-+/usr/lib/systemd/system/bumblebeed.service -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0)
+
+/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0)
diff --git a/bumblebee.if b/bumblebee.if
new file mode 100644
-index 0000000..f61b9c3
+index 0000000..23a4f86
--- /dev/null
+++ b/bumblebee.if
-@@ -0,0 +1,122 @@
-+
+@@ -0,0 +1,126 @@
+## policy for bumblebee
+
+########################################
+##
-+## Execute TEMPLATE in the bumblebee domin.
++## Execute bumblebee in the bumblebee domin.
+##
+##
+##
@@ -9766,6 +9765,7 @@ index 0000000..f61b9c3
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
+')
++
+########################################
+##
+## Read bumblebee PID files.
@@ -9802,7 +9802,7 @@ index 0000000..f61b9c3
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 bumblebee_unit_file_t:file read_file_perms;
+ allow $1 bumblebee_unit_file_t:service manage_service_perms;
+
@@ -9852,9 +9852,13 @@ index 0000000..f61b9c3
+ type bumblebee_unit_file_t;
+ ')
+
-+ allow $1 bumblebee_t:process { ptrace signal_perms };
++ allow $1 bumblebee_t:process { signal_perms };
+ ps_process_pattern($1, bumblebee_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bumblebee_t:process ptrace;
++ ')
++
+ files_search_pids($1)
+ admin_pattern($1, bumblebee_var_run_t)
+
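Review bot: `allow $1 bumblebee_t:process { signal_perms };` in bumblebee_admin keeps braces around a single permission macro now that ptrace has moved out of the set; the plain form `allow $1 bumblebee_t:process signal_perms;` reads better and matches the `allow $1 bumblebee_t:process ptrace;` line added just below it. The same bracing appears in conman_admin in the later conman.if hunk. Gating ptrace behind the deny_ptrace tunable is the right move; the rest of bumblebee_admin lies outside this hunk.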
@@ -9869,10 +9873,10 @@ index 0000000..f61b9c3
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
-index 0000000..f39fc96
+index 0000000..8d91220
--- /dev/null
+++ b/bumblebee.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,47 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
@@ -9884,8 +9888,6 @@ index 0000000..f39fc96
+type bumblebee_exec_t;
+init_daemon_domain(bumblebee_t, bumblebee_exec_t)
+
-+permissive bumblebee_t;
-+
+type bumblebee_var_run_t;
+files_pid_file(bumblebee_var_run_t)
+
@@ -9896,6 +9898,7 @@ index 0000000..f39fc96
+#
+# bumblebee local policy
+#
++
+allow bumblebee_t self:capability { setgid };
+allow bumblebee_t self:process { fork signal_perms };
+allow bumblebee_t self:fifo_file rw_fifo_file_perms;
@@ -9908,6 +9911,7 @@ index 0000000..f39fc96
+files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(bumblebee_t)
++kernel_dontaudit_access_check_proc(bumblebee_t)
+
+dev_read_sysfs(bumblebee_t)
+
@@ -9917,6 +9921,8 @@ index 0000000..f39fc96
+
+logging_send_syslog_msg(bumblebee_t)
+
++modutils_domtrans_insmod(bumblebee_t)
++
+miscfiles_read_localization(bumblebee_t)
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c790..aa03fc8 100644
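Review bot: `modutils_domtrans_insmod(bumblebee_t)` lets the daemon hand off kernel module loading without a word about why, and module loading is among the most powerful things a confined daemon can be granted; add a why-comment above it, e.g. `# bumblebeed loads the nvidia kernel modules on demand`, which is the reason given in the commit message. A later auditor should also know that the earlier bumblebee.te hunk removes `permissive bumblebee_t`, so from this commit on denials in this domain are enforced rather than only logged, which makes the exact set of allow rules matter. The surrounding rules for bumblebee_t start before this hunk.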
@@ -11069,10 +11075,10 @@ index 0000000..5977d96
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..12585f0
+index 0000000..748f5d5
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,246 @@
+@@ -0,0 +1,247 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -11201,6 +11207,7 @@ index 0000000..12585f0
+userdom_manage_home_certs(chrome_sandbox_t)
+
+optional_policy(`
++ gnome_read_generic_cache_files(chrome_sandbox_t)
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_read_home_config(chrome_sandbox_t)
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
@@ -13824,6 +13831,218 @@ index 3f2b672..8fb887d 100644
+optional_policy(`
+ unconfined_domain(condor_startd_t)
+')
+diff --git a/conman.fc b/conman.fc
+new file mode 100644
+index 0000000..5f97ba9
+--- /dev/null
++++ b/conman.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0)
++
++/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0)
++
++/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
++/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
++
+diff --git a/conman.if b/conman.if
+new file mode 100644
+index 0000000..54b4b04
+--- /dev/null
++++ b/conman.if
+@@ -0,0 +1,142 @@
++## Conman is a program for connecting to remote consoles being managed by conmand
++
++########################################
++##
++## Execute conman in the conman domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`conman_domtrans',`
++ gen_require(`
++ type conman_t, conman_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, conman_exec_t, conman_t)
++')
++
++########################################
++##
++## Read conman's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`conman_read_log',`
++ gen_require(`
++ type conman_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++##
++## Append to conman log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`conman_append_log',`
++ gen_require(`
++ type conman_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++##
++## Manage conman log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`conman_manage_log',`
++ gen_require(`
++ type conman_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, conman_log_t, conman_log_t)
++ manage_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++##
++## Execute conman server in the conman domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`conman_systemctl',`
++ gen_require(`
++ type conman_t;
++ type conman_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 conman_unit_file_t:file read_file_perms;
++ allow $1 conman_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, conman_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an conman environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`conman_admin',`
++ gen_require(`
++ type conman_t;
++ type conman_log_t;
++ type conman_unit_file_t;
++ ')
++
++ allow $1 conman_t:process { signal_perms };
++ ps_process_pattern($1, conman_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 conman_t:process ptrace;
++ ')
++
++ logging_search_logs($1)
++ admin_pattern($1, conman_log_t)
++
++ conman_systemctl($1)
++ admin_pattern($1, conman_unit_file_t)
++ allow $1 conman_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/conman.te b/conman.te
+new file mode 100644
+index 0000000..0de2d4d
+--- /dev/null
++++ b/conman.te
+@@ -0,0 +1,45 @@
++policy_module(conman, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type conman_t;
++type conman_exec_t;
++init_daemon_domain(conman_t, conman_exec_t)
++
++type conman_log_t;
++logging_log_file(conman_log_t)
++
++type conman_unit_file_t;
++systemd_unit_file(conman_unit_file_t)
++
++########################################
++#
++# conman local policy
++#
++
++allow conman_t self:capability { sys_tty_config };
++allow conman_t self:process { setrlimit signal_perms };
++
++allow conman_t self:fifo_file rw_fifo_file_perms;
++allow conman_t self:unix_stream_socket create_stream_socket_perms;
++allow conman_t self:tcp_socket { listen create_socket_perms };
++
++manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
++manage_files_pattern(conman_t, conman_log_t, conman_log_t)
++logging_log_filetrans(conman_t, conman_log_t, { dir })
++
++corenet_tcp_bind_generic_node(conman_t)
++corenet_tcp_bind_conman_port(conman_t)
++
++corecmd_exec_bin(conman_t)
++
++auth_read_passwd(conman_t)
++
++logging_send_syslog_msg(conman_t)
++
++optional_policy(`
++ freeipmi_stream_connect(conman_t)
++')
diff --git a/consolekit.fc b/consolekit.fc
index 23c9558..29e5fd3 100644
--- a/consolekit.fc
@@ -19278,7 +19497,7 @@ index afcf3a2..e6ecc4d 100644
+ dontaudit system_bus_type $1:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..493ab48 100644
+index 2c2e7e1..2ead441 100644
--- a/dbus.te
+++ b/dbus.te
@@ -1,20 +1,18 @@
@@ -19326,7 +19545,7 @@ index 2c2e7e1..493ab48 100644
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,58 @@ ifdef(`enable_mls',`
+@@ -51,59 +47,61 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
@@ -19385,7 +19604,9 @@ index 2c2e7e1..493ab48 100644
-domain_use_interactive_fds(system_dbusd_t)
-domain_read_all_domains_state(system_dbusd_t)
--
++dev_rw_inherited_input_dev(system_dbusd_t)
++dev_rw_inherited_dri(system_dbusd_t)
+
-files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
+files_rw_inherited_non_security_files(system_dbusd_t)
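Review bot: The two new rules `dev_rw_inherited_input_dev(system_dbusd_t)` and `dev_rw_inherited_dri(system_dbusd_t)` widen the system bus daemon to input and DRM device nodes with nothing in the file explaining why a message bus needs them; a comment such as `# the logind TakeDevice API passes DRM master and input event fds over the bus`, the reason given in the commit message, would keep the next reviewer from removing or widening them. Limiting the grant to inherited descriptors rather than open access on the device nodes is the right scope. The system_dbusd_t rule block continues outside this hunk.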
@@ -19403,7 +19624,7 @@ index 2c2e7e1..493ab48 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +121,159 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -19461,10 +19682,9 @@ index 2c2e7e1..493ab48 100644
+optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
- ')
-
- optional_policy(`
-- seutil_sigchld_newrole(system_dbusd_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(system_dbusd_t)
+')
+
@@ -19481,9 +19701,10 @@ index 2c2e7e1..493ab48 100644
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(system_dbusd_t)
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
@@ -19577,7 +19798,7 @@ index 2c2e7e1..493ab48 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +282,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -19602,7 +19823,7 @@ index 2c2e7e1..493ab48 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +301,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -19610,7 +19831,7 @@ index 2c2e7e1..493ab48 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +310,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -19652,7 +19873,7 @@ index 2c2e7e1..493ab48 100644
')
########################################
-@@ -244,5 +344,6 @@ optional_policy(`
+@@ -244,5 +347,6 @@ optional_policy(`
# Unconfined access to this module
#
@@ -25243,6 +25464,180 @@ index c81b6e8..34e1f1c 100644
+optional_policy(`
+ xserver_read_state_xdm(fprintd_t)
')
+diff --git a/freeipmi.fc b/freeipmi.fc
+new file mode 100644
+index 0000000..0942a2e
+--- /dev/null
++++ b/freeipmi.fc
+@@ -0,0 +1,17 @@
++/usr/lib/systemd/system/bmc-watchdog.* -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0)
++/usr/lib/systemd/system/ipmidetectd.* -- gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0)
++/usr/lib/systemd/system/ipmiseld.* -- gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0)
++
++/usr/sbin/bmc-watchdog -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0)
++/usr/sbin/ipmidetectd -- gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0)
++/usr/sbin/ipmiseld -- gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0)
++
++/var/cache/ipmiseld(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
++/var/cache/ipmimonitoringsdrcache(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
++
++/var/lib/freeipmi(/.*)? gen_context(system_u:object_r:freeipmi_var_lib_t,s0)
++
++
++/var/run/ipmidetectd\.pid -- gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0)
++/var/run/ipmiseld\.pid -- gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0)
++/var/run/bmc-watchdog\.pid -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0)
+diff --git a/freeipmi.if b/freeipmi.if
+new file mode 100644
+index 0000000..dc94853
+--- /dev/null
++++ b/freeipmi.if
+@@ -0,0 +1,71 @@
++## Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification
++
++#####################################
++##
++## Creates types and rules for a basic
++## freeipmi init daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`freeipmi_domain_template',`
++ gen_require(`
++ attribute freeipmi_domain, freeipmi_pid;
++ ')
++
++ #############################
++ #
++ # Declarations
++ #
++
++ type freeipmi_$1_t, freeipmi_domain;
++ type freeipmi_$1_exec_t;
++ init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t)
++ role system_r types freeipmi_$1_t;
++
++ type freeipmi_$1_unit_file_t;
++ systemd_unit_file(freeipmi_$1_unit_file_t)
++
++ type freeipmi_$1_var_run_t, freeipmi_pid;
++ files_pid_file(freeipmi_$1_var_run_t)
++
++ #############################
++ #
++ # Local policy
++ #
++
++ manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t)
++
++ kernel_read_system_state(freeipmi_$1_t)
++
++ corenet_all_recvfrom_netlabel(freeipmi_$1_t)
++ corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
++
++ auth_use_nsswitch(freeipmi_$1_t)
++
++ logging_send_syslog_msg(freeipmi_$1_t)
++')
++
++####################################
++##
++## Connect to cluster domains over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`freeipmi_stream_connect',`
++ gen_require(`
++ attribute freeipmi_domain, freeipmi_pid;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
++')
++
+diff --git a/freeipmi.te b/freeipmi.te
+new file mode 100644
+index 0000000..1408208
+--- /dev/null
++++ b/freeipmi.te
+@@ -0,0 +1,68 @@
++policy_module(freeipmi, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute freeipmi_domain;
++attribute freeipmi_pid;
++
++freeipmi_domain_template(ipmidetectd)
++freeipmi_domain_template(ipmiseld)
++freeipmi_domain_template(bmc_watchdog)
++
++type freeipmi_var_lib_t;
++files_type(freeipmi_var_lib_t)
++
++type freeipmi_var_cache_t;
++files_type(freeipmi_var_cache_t)
++
++########################################
++#
++# freeipmi_domain local policy
++#
++
++allow freeipmi_domain self:fifo_file rw_fifo_file_perms;
++allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms;
++allow freeipmi_domain self:sem create_sem_perms;
++
++manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir })
++
++manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
++
++sysnet_dns_name_resolve(freeipmi_domain)
++
++#######################################
++#
++# bmc-watchdog local policy
++#
++
++files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
++
++dev_read_raw_memory(freeipmi_bmc_watchdog_t)
++dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)
++
++#######################################
++#
++# ipmidetectd local policy
++#
++
++files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
++
++#######################################
++#
++# ipmiseld local policy
++#
++
++allow freeipmi_ipmiseld_t self:capability sys_rawio;
++
++allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;
++
++files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid")
diff --git a/freqset.fc b/freqset.fc
new file mode 100644
index 0000000..3cd9c38
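Review bot: `freeipmi_stream_connect` in freeipmi.if uses `stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)`, which needs the daemon's unix socket to carry a freeipmi_pid type, yet freeipmi.fc labels only the three `.pid` files and the `files_pid_filetrans(..., file, "...pid")` calls in freeipmi.te cover only the `file` class under a fixed name; a socket created at runtime under /var/run would therefore keep the generic /var/run label and callers such as conman_t (which invokes this interface) would still be denied, unless the socket lives under a path labelled elsewhere. Either add a `sock_file` transition for each daemon that exposes a socket or document where it is expected. The header `## Connect to cluster domains over a unix domain` is copied from another module and should read `## Connect to freeipmi domains over a unix domain`. The raw-hardware grants, `dev_read_raw_memory(freeipmi_bmc_watchdog_t)` and `allow freeipmi_ipmiseld_t self:capability sys_rawio;`, deserve a comment naming the BMC access path that requires them, since both are otherwise red flags in a daemon policy.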
@@ -30834,10 +31229,10 @@ index 0000000..17c3627
+')
diff --git a/hypervkvp.te b/hypervkvp.te
new file mode 100644
-index 0000000..d2ad022
+index 0000000..ddc67b0
--- /dev/null
+++ b/hypervkvp.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,61 @@
+policy_module(hypervkvp, 1.0.0)
+
+########################################
@@ -30878,6 +31273,8 @@ index 0000000..d2ad022
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
++dev_read_sysfs(hyperv_domain)
++
+########################################
+#
+# hypervkvp local policy
@@ -31672,10 +32069,38 @@ index 08b7560..417e630 100644
+/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
+/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
diff --git a/iscsi.if b/iscsi.if
-index 1a35420..4b9b978 100644
+index 1a35420..2ea1241 100644
--- a/iscsi.if
+++ b/iscsi.if
-@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',`
+@@ -22,6 +22,27 @@ interface(`iscsid_domtrans',`
+ ########################################
+ ##
+ ## Create, read, write, and delete
++## iscsid lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`iscsi_manage_lock',`
++ gen_require(`
++ type iscsi_lock_t;
++ ')
++
++ files_search_locks($1)
++ manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t)
++ manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
+ ## iscsid sempaphores.
+ ##
+ ##
+@@ -80,17 +101,31 @@ interface(`iscsi_read_lib_files',`
########################################
##
@@ -31712,7 +32137,7 @@ index 1a35420..4b9b978 100644
##
##
##
-@@ -99,16 +113,15 @@ interface(`iscsi_admin',`
+@@ -99,16 +134,15 @@ interface(`iscsi_admin',`
gen_require(`
type iscsid_t, iscsi_lock_t, iscsi_log_t;
type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
@@ -35878,7 +36303,7 @@ index bc25c95..6692d91 100644
+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/ldap.if b/ldap.if
-index ee0c7cc..9cdc21e 100644
+index ee0c7cc..4ac8f2d 100644
--- a/ldap.if
+++ b/ldap.if
@@ -1,8 +1,68 @@
@@ -35986,7 +36411,7 @@ index ee0c7cc..9cdc21e 100644
##
##
##
-@@ -41,22 +119,28 @@ interface(`ldap_read_config',`
+@@ -41,22 +119,29 @@ interface(`ldap_read_config',`
########################################
##
@@ -36010,6 +36435,7 @@ index ee0c7cc..9cdc21e 100644
+ files_search_etc($1)
+ allow $1 slapd_cert_t:dir list_dir_perms;
+ read_files_pattern($1, slapd_cert_t, slapd_cert_t)
++ read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t)
')
########################################
@@ -36020,7 +36446,7 @@ index ee0c7cc..9cdc21e 100644
##
##
##
-@@ -64,18 +148,13 @@ interface(`ldap_use',`
+@@ -64,18 +149,13 @@ interface(`ldap_use',`
##
##
#
@@ -36042,7 +36468,7 @@ index ee0c7cc..9cdc21e 100644
##
##
##
-@@ -83,21 +162,19 @@ interface(`ldap_stream_connect',`
+@@ -83,21 +163,19 @@ interface(`ldap_stream_connect',`
##
##
#
@@ -36070,7 +36496,7 @@ index ee0c7cc..9cdc21e 100644
##
##
##
-@@ -106,7 +183,7 @@ interface(`ldap_tcp_connect',`
+@@ -106,7 +184,7 @@ interface(`ldap_tcp_connect',`
##
##
##
@@ -36079,7 +36505,7 @@ index ee0c7cc..9cdc21e 100644
##
##
##
-@@ -115,28 +192,28 @@ interface(`ldap_admin',`
+@@ -115,28 +193,28 @@ interface(`ldap_admin',`
gen_require(`
type slapd_t, slapd_tmp_t, slapd_replog_t;
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
@@ -36117,7 +36543,7 @@ index ee0c7cc..9cdc21e 100644
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
-@@ -144,4 +221,8 @@ interface(`ldap_admin',`
+@@ -144,4 +222,8 @@ interface(`ldap_admin',`
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
@@ -37031,7 +37457,7 @@ index 7bab8e5..efdfd9d 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..30e3cd2 100644
+index 4256a4c..81fec37 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
@@ -37091,19 +37517,20 @@ index 4256a4c..30e3cd2 100644
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
-@@ -137,6 +146,11 @@ optional_policy(`
+@@ -137,6 +146,12 @@ optional_policy(`
')
optional_policy(`
+ raid_domtrans_mdadm(logwatch_t)
+ raid_access_check_mdadm(logwatch_t)
++ raid_read_conf_files(logwatch_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')
-@@ -145,6 +159,13 @@ optional_policy(`
+@@ -145,6 +160,13 @@ optional_policy(`
samba_read_share_files(logwatch_t)
')
@@ -37117,7 +37544,7 @@ index 4256a4c..30e3cd2 100644
########################################
#
# Mail local policy
-@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +186,12 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@@ -38627,10 +39054,10 @@ index 327f3f7..4f61561 100644
+ ')
')
diff --git a/mandb.te b/mandb.te
-index 5a414e0..7fee444 100644
+index 5a414e0..24f45a8 100644
--- a/mandb.te
+++ b/mandb.te
-@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles;
+@@ -10,28 +10,52 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
@@ -38677,6 +39104,7 @@ index 5a414e0..7fee444 100644
-files_read_etc_files(mandb_t)
+files_search_locks(mandb_t)
++files_dontaudit_search_all_mountpoints(mandb_t)
miscfiles_manage_man_cache(mandb_t)
+miscfiles_setattr_man_pages(mandb_t)
@@ -39351,10 +39779,10 @@ index cba62db..562833a 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
-index 92508b2..db83591 100644
+index 92508b2..2213a03 100644
--- a/milter.te
+++ b/milter.te
-@@ -1,77 +1,110 @@
+@@ -1,77 +1,117 @@
-policy_module(milter, 1.4.2)
+policy_module(milter, 1.4.0)
@@ -39374,6 +39802,9 @@ index 92508b2..db83591 100644
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
++type dkim_milter_tmp_t;
++files_tmp_file(dkim_milter_tmp_t)
++
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
milter_template(greylist)
milter_template(regex)
@@ -39433,6 +39864,10 @@ index 92508b2..db83591 100644
-logging_send_syslog_msg(milter_domains)
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
++manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
++manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
++files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file })
++
+kernel_read_kernel_sysctls(dkim_milter_t)
+
+auth_use_nsswitch(dkim_milter_t)
@@ -39493,7 +39928,7 @@ index 92508b2..db83591 100644
optional_policy(`
mysql_stream_connect(greylist_milter_t)
-@@ -79,30 +112,45 @@ optional_policy(`
+@@ -79,30 +119,45 @@ optional_policy(`
########################################
#
@@ -45399,10 +45834,10 @@ index 97370e4..3549b8f 100644
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
-index c48dc17..43d56e3 100644
+index c48dc17..297f831 100644
--- a/mysql.fc
+++ b/mysql.fc
-@@ -1,11 +1,24 @@
+@@ -1,11 +1,25 @@
-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
-
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
@@ -45420,6 +45855,7 @@ index c48dc17..43d56e3 100644
+/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+
+/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
++/usr/lib/systemd/system/mariadb.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+
+#
+# /etc
@@ -45435,7 +45871,7 @@ index c48dc17..43d56e3 100644
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-@@ -13,13 +26,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
+@@ -13,13 +27,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -47391,10 +47827,10 @@ index 56c0fbd..173a2c0 100644
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
diff --git a/networkmanager.fc b/networkmanager.fc
-index a1fb3c3..2b818b9 100644
+index a1fb3c3..dfb99d2 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
-@@ -1,43 +1,45 @@
+@@ -1,43 +1,47 @@
-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -47423,7 +47859,7 @@ index a1fb3c3..2b818b9 100644
-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
++/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
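Review bot: The relabel of `/usr/libexec/nm-dispatcher.action` from `NetworkManager_initrc_exec_t` to `NetworkManager_exec_t` is not listed in the changelog and changes which domain the dispatcher, and therefore the hook scripts it runs, executes in. Under the old label the dispatcher presumably transitioned to the init-script domain; with `NetworkManager_exec_t` it stays in `NetworkManager_t`, so any admin-supplied dispatcher hook now needs exec rules in that domain or it fails with a denial. If the tightening is intended, a changelog line naming it would let operators triage the resulting denials; if not, the previous label should be restored.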
@@ -47438,6 +47874,7 @@ index a1fb3c3..2b818b9 100644
/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
++/usr/bin/teamd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
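Review bot: `/usr/bin/teamd` is labelled `NetworkManager_exec_t`, so teamd runs in `NetworkManager_t` and inherits the whole of that domain's permissions instead of getting a domain of its own. That is a defensible shortcut for a device-control daemon spawned by NetworkManager, but it should be recorded next to the entry, e.g. `# teamd is spawned by NetworkManager and shares its domain`, so a later reader does not mistake it for a mislabel. The `/var/run/teamd(/.*)?` entry in the following hunk is consistent with this choice.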
@@ -47460,6 +47897,7 @@ index a1fb3c3..2b818b9 100644
/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/teamd(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
@@ -48270,6 +48708,144 @@ index 0b48a30..e61d367 100644
-miscfiles_read_localization(wpa_cli_t)
-
term_dontaudit_use_console(wpa_cli_t)
+diff --git a/ninfod.fc b/ninfod.fc
+new file mode 100644
+index 0000000..cc31b9f
+--- /dev/null
++++ b/ninfod.fc
+@@ -0,0 +1,6 @@
++/usr/lib/systemd/system/ninfod.* -- gen_context(system_u:object_r:ninfod_unit_file_t,s0)
++
++/usr/sbin/ninfod -- gen_context(system_u:object_r:ninfod_exec_t,s0)
++
++/var/run/ninfod.* -- gen_context(system_u:object_r:ninfod_run_t,s0)
++
+diff --git a/ninfod.if b/ninfod.if
+new file mode 100644
+index 0000000..a7f57d9
+--- /dev/null
++++ b/ninfod.if
+@@ -0,0 +1,79 @@
++
++## Respond to IPv6 Node Information Queries
++
++########################################
++##
++## Execute ninfod in the ninfod domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ninfod_domtrans',`
++ gen_require(`
++ type ninfod_t, ninfod_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, ninfod_exec_t, ninfod_t)
++')
++########################################
++##
++## Execute ninfod server in the ninfod domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ninfod_systemctl',`
++ gen_require(`
++ type ninfod_t;
++ type ninfod_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 ninfod_unit_file_t:file read_file_perms;
++ allow $1 ninfod_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, ninfod_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an ninfod environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`ninfod_admin',`
++ gen_require(`
++ type ninfod_t;
++ type ninfod_unit_file_t;
++ ')
++
++ allow $1 ninfod_t:process { signal_perms };
++ ps_process_pattern($1, ninfod_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ninfod_t:process ptrace;
++ ')
++
++ ninfod_systemctl($1)
++ admin_pattern($1, ninfod_unit_file_t)
++ allow $1 ninfod_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/ninfod.te b/ninfod.te
+new file mode 100644
+index 0000000..d75c408
+--- /dev/null
++++ b/ninfod.te
+@@ -0,0 +1,35 @@
++policy_module(ninfod, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ninfod_t;
++type ninfod_exec_t;
++init_daemon_domain(ninfod_t, ninfod_exec_t)
++
++type ninfod_run_t;
++files_pid_file(ninfod_run_t)
++
++type ninfod_unit_file_t;
++systemd_unit_file(ninfod_unit_file_t)
++
++########################################
++#
++# ninfod local policy
++#
++allow ninfod_t self:capability { net_raw setuid };
++allow ninfod_t self:process setcap;
++allow ninfod_t self:fifo_file rw_fifo_file_perms;
++allow ninfod_t self:rawip_socket { create setopt };
++allow ninfod_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t)
++files_pid_filetrans(ninfod_t,ninfod_run_t, { file })
++
++auth_use_nsswitch(ninfod_t)
++
++logging_send_syslog_msg(ninfod_t)
++
++sysnet_dns_name_resolve(ninfod_t)
diff --git a/nis.fc b/nis.fc
index 8aa1bfa..cd0e015 100644
--- a/nis.fc
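Review bot: `allow ninfod_t self:rawip_socket { create setopt };` grants only creation and option setting on the raw socket, with none of the send or receive permissions a daemon answering ICMPv6 node-information queries would need; `create_socket_perms`, or the subset actually observed in an audit trace, is the conventional set. If the domain was exercised only while permissive these denials would not have surfaced, so confirm before it is enforced. In ninfod.if, `Execute ninfod in the ninfod domin.` has a typo (`domin` → `domain`), and the `ninfod_systemctl` summary `Execute ninfod server in the ninfod domain.` describes a transition the interface does not perform; `Execute systemctl to manage the ninfod unit.` matches what it does.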
@@ -54195,16 +54771,16 @@ index 0000000..51650fa
+/var/log/opensm\.log.* -- gen_context(system_u:object_r:opensm_log_t,s0)
diff --git a/opensm.if b/opensm.if
new file mode 100644
-index 0000000..a62f050
+index 0000000..776fda7
--- /dev/null
+++ b/opensm.if
-@@ -0,0 +1,220 @@
+@@ -0,0 +1,223 @@
+
+## Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB
+
+########################################
+##
-+## Execute TEMPLATE in the opensm domin.
++## Execute opensm in the opensm domin.
+##
+##
+##
@@ -54307,7 +54883,6 @@ index 0000000..a62f050
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`opensm_read_log',`
+ gen_require(`
@@ -54374,7 +54949,7 @@ index 0000000..a62f050
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 opensm_unit_file_t:file read_file_perms;
+ allow $1 opensm_unit_file_t:service manage_service_perms;
+
@@ -54399,12 +54974,16 @@ index 0000000..a62f050
+ type opensm_t;
+ type opensm_cache_t;
+ type opensm_log_t;
-+ type opensm_unit_file_t;
++ type opensm_unit_file_t;
+ ')
+
-+ allow $1 opensm_t:process { ptrace signal_perms };
++ allow $1 opensm_t:process { signal_perms };
+ ps_process_pattern($1, opensm_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 opensm_t:process ptrace;
++ ')
++
+ files_search_var($1)
+ admin_pattern($1, opensm_cache_t)
+
@@ -55139,6 +55718,152 @@ index 508fedf..a499612 100644
+optional_policy(`
+ plymouthd_exec_plymouth(openvswitch_t)
+')
+diff --git a/openwsman.fc b/openwsman.fc
+new file mode 100644
+index 0000000..00d0643
+--- /dev/null
++++ b/openwsman.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/openwsmand.* -- gen_context(system_u:object_r:openwsman_unit_file_t,s0)
++
++/usr/sbin/openwsmand -- gen_context(system_u:object_r:openwsman_exec_t,s0)
++
++/var/log/wsmand.* -- gen_context(system_u:object_r:openwsman_log_t,s0)
++
++/var/run/wsmand.* -- gen_context(system_u:object_r:openwsman_run_t,s0)
+diff --git a/openwsman.if b/openwsman.if
+new file mode 100644
+index 0000000..42ed4ba
+--- /dev/null
++++ b/openwsman.if
+@@ -0,0 +1,78 @@
++## WS-Management Server
++
++########################################
++##
++## Execute openwsman in the openwsman domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`openwsman_domtrans',`
++ gen_require(`
++ type openwsman_t, openwsman_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, openwsman_exec_t, openwsman_t)
++')
++########################################
++##
++## Execute openwsman server in the openwsman domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`openwsman_systemctl',`
++ gen_require(`
++ type openwsman_t;
++ type openwsman_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 openwsman_unit_file_t:file read_file_perms;
++ allow $1 openwsman_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, openwsman_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an openwsman environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`openwsman_admin',`
++ gen_require(`
++ type openwsman_t;
++ type openwsman_unit_file_t;
++ ')
++
++ allow $1 openwsman_t:process { signal_perms };
++ ps_process_pattern($1, openwsman_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 openwsman_t:process ptrace;
++ ')
++
++ openwsman_systemctl($1)
++ admin_pattern($1, openwsman_unit_file_t)
++ allow $1 openwsman_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/openwsman.te b/openwsman.te
+new file mode 100644
+index 0000000..49dc5ef
+--- /dev/null
++++ b/openwsman.te
+@@ -0,0 +1,43 @@
++policy_module(openwsman, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type openwsman_t;
++type openwsman_exec_t;
++init_daemon_domain(openwsman_t, openwsman_exec_t)
++
++type openwsman_log_t;
++logging_log_file(openwsman_log_t)
++
++type openwsman_run_t;
++files_pid_file(openwsman_run_t)
++
++type openwsman_unit_file_t;
++systemd_unit_file(openwsman_unit_file_t)
++
++########################################
++#
++# openwsman local policy
++#
++allow openwsman_t self:process { fork };
++allow openwsman_t self:fifo_file rw_fifo_file_perms;
++allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
++allow openwsman_t self:tcp_socket { create_socket_perms listen };
++
++manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
++logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
++
++manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
++files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
++
++auth_use_nsswitch(openwsman_t)
++
++corenet_tcp_bind_vnc_port(openwsman_t)
++
++dev_read_urand(openwsman_t)
++
++logging_send_syslog_msg(openwsman_t)
++
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
index 0000000..80fb8c3
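Review bot: `allow openwsman_t self:tcp_socket { create_socket_perms listen };` omits `accept`, so the listening daemon cannot accept incoming connections in enforcing mode; `create_stream_socket_perms`, already used on the `unix_stream_socket` line just above, is the conventional set and includes both `listen` and `accept`. `corenet_tcp_bind_vnc_port(openwsman_t)` presumably works because the default WS-Management ports fall inside the range carrying the VNC port type, but it also lets openwsman bind any VNC port and any VNC-capable domain bind the WS-Management port; a dedicated port type is the cleaner fix. As in ninfod.if, `Execute openwsman in the openwsman domin.` should read `domain`.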
@@ -56042,10 +56767,10 @@ index 96db654..ff3aadd 100644
+ virt_rw_svirt_dev(pcscd_t)
+')
diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..6b5b74b 100644
+index dfd46e4..4694942 100644
--- a/pegasus.fc
+++ b/pegasus.fc
-@@ -1,15 +1,25 @@
+@@ -1,15 +1,29 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
@@ -56054,29 +56779,33 @@ index dfd46e4..6b5b74b 100644
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
++
++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
-+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
++/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
++/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-+/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
++
++/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
++
+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+
++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
diff --git a/pegasus.if b/pegasus.if
@@ -56180,7 +56909,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..252377d 100644
+index 7bcf327..38e75ee 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -56204,7 +56933,7 @@ index 7bcf327..252377d 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,278 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,288 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -56401,7 +57130,10 @@ index 7bcf327..252377d 100644
+# pegasus openlmi storage local policy
+#
+
-+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio };
++allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio sys_resource ipc_lock };
++allow pegasus_openlmi_storage_t self:process setrlimit;
++
++allow pegasus_openlmi_storage_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
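Review bot: The capability line grows to `{ sys_admin sys_rawio sys_resource ipc_lock }` and the domain gains `self:process setrlimit` and a netlink route socket with no comment saying which storage operation needs each; `sys_resource` presumably pairs with `setrlimit` and `ipc_lock` with memory pinning, but that is a guess. Together with the raw fixed-disk access and insmod transition this domain already has, the profile is close to root-equivalent, so a why-comment above the line, e.g. `# sys_resource/setrlimit and ipc_lock: needed by <storage tool> (TODO confirm)`, gives the next reviewer a basis for pruning. If an audit trace motivated the additions, citing the denied operation in the comment is enough.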
@@ -56413,6 +57145,7 @@ index 7bcf327..252377d 100644
+
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
+kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
++kernel_request_load_module(pegasus_openlmi_storage_t)
+
+dev_read_rand(pegasus_openlmi_storage_t)
+dev_read_urand(pegasus_openlmi_storage_t)
@@ -56427,6 +57160,8 @@ index 7bcf327..252377d 100644
+storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
+storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
+
++files_read_kernel_modules(pegasus_openlmi_storage_t)
++
+fs_getattr_all_fs(pegasus_openlmi_storage_t)
+
+modutils_domtrans_insmod(pegasus_openlmi_storage_t)
@@ -56443,6 +57178,10 @@ index 7bcf327..252377d 100644
+')
+
+optional_policy(`
++ iscsi_manage_lock(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
+ lvm_domtrans(pegasus_openlmi_storage_t)
+')
+
@@ -56488,7 +57227,7 @@ index 7bcf327..252377d 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +311,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +321,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -56519,7 +57258,7 @@ index 7bcf327..252377d 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +337,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +347,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -56552,7 +57291,7 @@ index 7bcf327..252377d 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,9 +365,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +375,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -56564,7 +57303,7 @@ index 7bcf327..252377d 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
-@@ -128,18 +381,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +391,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -56600,7 +57339,7 @@ index 7bcf327..252377d 100644
')
optional_policy(`
-@@ -151,16 +415,24 @@ optional_policy(`
+@@ -151,16 +425,24 @@ optional_policy(`
')
optional_policy(`
@@ -56629,7 +57368,7 @@ index 7bcf327..252377d 100644
')
optional_policy(`
-@@ -168,7 +440,7 @@ optional_policy(`
+@@ -168,7 +450,7 @@ optional_policy(`
')
optional_policy(`
@@ -60145,7 +60884,7 @@ index 5ad5291..7f1ae2a 100644
portreserve_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/portreserve.te b/portreserve.te
-index a38b57a..aa9d604 100644
+index a38b57a..49758db 100644
--- a/portreserve.te
+++ b/portreserve.te
@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
@@ -60156,13 +60895,17 @@ index a38b57a..aa9d604 100644
corenet_all_recvfrom_netlabel(portreserve_t)
corenet_tcp_sendrecv_generic_if(portreserve_t)
corenet_udp_sendrecv_generic_if(portreserve_t)
-@@ -56,6 +55,5 @@ corenet_sendrecv_all_server_packets(portreserve_t)
+@@ -56,6 +55,8 @@ corenet_sendrecv_all_server_packets(portreserve_t)
corenet_tcp_bind_all_ports(portreserve_t)
corenet_udp_bind_all_ports(portreserve_t)
-files_read_etc_files(portreserve_t)
-
+-
userdom_dontaudit_search_user_home_content(portreserve_t)
++
++optional_policy(`
++ sssd_search_lib(portreserve_t)
++')
diff --git a/portslave.te b/portslave.te
index e85e33d..a7d7c55 100644
--- a/portslave.te
@@ -69740,7 +70483,7 @@ index 5806046..d83ec27 100644
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/raid.if b/raid.if
-index 951db7f..98a0758 100644
+index 951db7f..c0cabe8 100644
--- a/raid.if
+++ b/raid.if
@@ -1,9 +1,8 @@
@@ -69821,7 +70564,7 @@ index 951db7f..98a0758 100644
##
##
##
-@@ -57,47 +78,94 @@ interface(`raid_run_mdadm',`
+@@ -57,47 +78,112 @@ interface(`raid_run_mdadm',`
##
##
#
@@ -69889,7 +70632,7 @@ index 951db7f..98a0758 100644
+
+########################################
+##
-+## Manage mdadm config files.
++## Read mdadm config files.
+##
+##
##
@@ -69900,7 +70643,7 @@ index 951db7f..98a0758 100644
-##
#
-interface(`raid_admin_mdadm',`
-+interface(`raid_manage_conf_files',`
++interface(`raid_read_conf_files',`
gen_require(`
- type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t;
+ type mdadm_conf_t;
@@ -69908,7 +70651,24 @@ index 951db7f..98a0758 100644
- allow $1 mdadm_t:process { ptrace signal_perms };
- ps_process_pattern($1, mdadm_t)
--
++ read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
++')
++
++########################################
++##
++## Manage mdadm config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`raid_manage_conf_files',`
++ gen_require(`
++ type mdadm_conf_t;
++ ')
+
- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mdadm_initrc_exec_t system_r;
@@ -70817,6 +71577,68 @@ index e9765c0..ea21331 100644
+/usr/lib/systemd/system/rdisc.* -- gen_context(system_u:object_r:rdisc_unit_file_t,s0)
/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
+diff --git a/rdisc.if b/rdisc.if
+index 170ef52..7dd9193 100644
+--- a/rdisc.if
++++ b/rdisc.if
+@@ -18,3 +18,57 @@ interface(`rdisc_exec',`
+ corecmd_search_bin($1)
+ can_exec($1, rdisc_exec_t)
+ ')
++
++########################################
++##
++## Execute rdisc server in the rdisc domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rdisc_systemctl',`
++ gen_require(`
++ type rdisc_t;
++ type rdisc_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 rdisc_unit_file_t:file read_file_perms;
++ allow $1 rdisc_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, rdisc_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an rdisc environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`rdisc_admin',`
++ gen_require(`
++ type rdisc_t;
++ type rdisc_unit_file_t;
++ ')
++
++ allow $1 rdisc_t:process { ptrace signal_perms };
++ ps_process_pattern($1, rdisc_t)
++
++ rdisc_systemctl($1)
++ admin_pattern($1, rdisc_unit_file_t)
++ allow $1 rdisc_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
diff --git a/rdisc.te b/rdisc.te
index 9196c1d..b775931 100644
--- a/rdisc.te
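Review bot: `rdisc_admin` grants `ptrace` unconditionally with `allow $1 rdisc_t:process { ptrace signal_perms };`, whereas the `ninfod_admin` and `openwsman_admin` interfaces added by this same patch, and the `opensm_admin` change in it, reduce the allow to `signal_perms` and grant `ptrace` only inside a `tunable_policy` block on `deny_ptrace`. The rdisc interface should take the same shape so the `deny_ptrace` boolean covers every admin interface consistently. The `rdisc_systemctl` summary `Execute rdisc server in the rdisc domain.` also mis-describes the interface, which runs systemctl against the unit file rather than transitioning to `rdisc_t`.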
@@ -76354,7 +77176,7 @@ index ebe91fc..576ca21 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index 0628d50..cafc027 100644
+index 0628d50..952ee2a 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -76613,16 +77435,34 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -302,7 +378,7 @@ interface(`rpm_manage_log',`
+@@ -302,7 +378,25 @@ interface(`rpm_manage_log',`
########################################
##
-## Inherit and use rpm script file descriptors.
++## Create rpm logs with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_named_filetrans_log_files',`
++ gen_require(`
++ type rpm_log_t;
++ ')
++ logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
++ logging_log_named_filetrans($1, rpm_log_t, file, "upd2date")
++')
++
++########################################
++##
+## Inherit and use file descriptors from RPM scripts.
##
##
##
-@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +414,8 @@ interface(`rpm_use_script_fds',`
########################################
##
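Review bot: `logging_log_named_filetrans($1, rpm_log_t, file, "upd2date")` names the file `upd2date`, which looks like a typo for `up2date`; a named file transition matches the created filename exactly, so as written the rule never fires and the up2date log does not receive the `rpm_log_t` label this interface exists to give it. The sosreport hunk that calls `rpm_named_filetrans_log_files(sosreport_t)` depends on the same rule. The summary `Create rpm logs with an correct label.` should read `Create rpm logs with the correct label.`, and a blank line after the `gen_require` block would match the surrounding interfaces.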
@@ -76633,7 +77473,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +429,15 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
@@ -76650,7 +77490,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +450,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
@@ -76668,7 +77508,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +470,14 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -76684,7 +77524,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +497,7 @@ interface(`rpm_read_script_tmp_files',`
########################################
##
@@ -76693,7 +77533,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -420,8 +500,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +518,7 @@ interface(`rpm_read_cache',`
########################################
##
@@ -76703,7 +77543,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +539,7 @@ interface(`rpm_manage_cache',`
########################################
##
@@ -76712,7 +77552,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -459,11 +538,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +556,12 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -76726,7 +77566,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -482,8 +562,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +580,7 @@ interface(`rpm_delete_db',`
########################################
##
@@ -76736,7 +77576,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -503,8 +582,28 @@ interface(`rpm_manage_db',`
+@@ -503,8 +600,28 @@ interface(`rpm_manage_db',`
########################################
##
@@ -76766,7 +77606,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +634,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -76775,7 +77615,7 @@ index 0628d50..cafc027 100644
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
-@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +660,7 @@ interface(`rpm_read_pid_files',`
#####################################
##
@@ -76785,7 +77625,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +679,7 @@ interface(`rpm_manage_pid_files',`
######################################
##
@@ -76795,7 +77635,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',`
+@@ -573,94 +688,72 @@ interface(`rpm_manage_pid_files',`
##
#
interface(`rpm_pid_filetrans',`
@@ -85706,7 +86546,7 @@ index 634c6b4..e1edfd9 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index 703efa3..fee904f 100644
+index 703efa3..a0dbe3f 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
@@ -85868,7 +86708,7 @@ index 703efa3..fee904f 100644
')
optional_policy(`
-@@ -135,9 +193,16 @@ optional_policy(`
+@@ -135,9 +193,17 @@ optional_policy(`
')
optional_policy(`
@@ -85879,6 +86719,7 @@ index 703efa3..fee904f 100644
+ rpm_manage_cache(sosreport_t)
+ rpm_manage_log(sosreport_t)
+ rpm_manage_pid_files(sosreport_t)
++ rpm_named_filetrans_log_files(sosreport_t)
+ rpm_read_db(sosreport_t)
+ rpm_signull(sosreport_t)
+')
@@ -92163,7 +93004,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..6b315d8 100644
+index 7116181..9f596dc 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -92224,7 +93065,7 @@ index 7116181..6b315d8 100644
corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t)
-@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +76,57 @@ corecmd_exec_shell(tuned_t)
dev_getattr_all_blk_files(tuned_t)
dev_getattr_all_chr_files(tuned_t)
dev_read_urand(tuned_t)
@@ -92249,6 +93090,8 @@ index 7116181..6b315d8 100644
-miscfiles_read_localization(tuned_t)
+mount_read_pid_files(tuned_t)
++
++modutils_domtrans_insmod(tuned_t)
udev_read_pid_files(tuned_t)
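Review bot: `modutils_domtrans_insmod(tuned_t)` lets the tuned daemon transition into the module-loading domain, so anything that can steer tuned's profile scripts (the domain already executes shells and binaries, per the `corecmd_exec_*` lines in the preceding hunk) can now cause kernel modules to be loaded. That is a notable widening of the domain, and the line should carry a why-comment naming the plugin or profile that needs modprobe, e.g. `# <tuned plugin> (TODO confirm) runs modprobe`, so the grant can be revisited if that plugin changes.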
@@ -98439,7 +99282,7 @@ index cdca8c7..3c09628 100644
manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
')
diff --git a/wine.if b/wine.if
-index fd2b6cc..52a2e72 100644
+index fd2b6cc..938c4a7 100644
--- a/wine.if
+++ b/wine.if
@@ -1,46 +1,57 @@
@@ -98588,8 +99431,31 @@ index fd2b6cc..52a2e72 100644
')
########################################
+@@ -165,3 +169,22 @@ interface(`wine_rw_shm',`
+
+ allow $1 wine_t:shm rw_shm_perms;
+ ')
++
++########################################
++##
++## Transition to wine named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`wine_filetrans_named_content',`
++ gen_require(`
++ type wine_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, wine_home_t, dir, ".wine")
++')
++
diff --git a/wine.te b/wine.te
-index b51923c..8e47110 100644
+index b51923c..4906ce0 100644
--- a/wine.te
+++ b/wine.te
@@ -14,10 +14,11 @@ policy_module(wine, 1.10.1)
@@ -98605,7 +99471,7 @@ index b51923c..8e47110 100644
type wine_exec_t;
userdom_user_application_domain(wine_t, wine_exec_t)
role wine_roles types wine_t;
-@@ -25,56 +26,57 @@ role wine_roles types wine_t;
+@@ -25,56 +26,58 @@ role wine_roles types wine_t;
type wine_home_t;
userdom_user_home_content(wine_home_t)
@@ -98617,34 +99483,34 @@ index b51923c..8e47110 100644
# Local policy
#
+domain_mmap_low(wine_t)
-+
-+optional_policy(`
-+ unconfined_domain(wine_t)
-+')
-allow wine_t self:process { execstack execmem execheap };
-allow wine_t self:fifo_file manage_fifo_file_perms;
++optional_policy(`
++ unconfined_domain(wine_t)
++')
-can_exec(wine_t, wine_exec_t)
+
+-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
+########################################
+#
+# Common wine domain policy
+#
--userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
-+allow wine_domain self:process { execstack execmem execheap };
-+allow wine_domain self:fifo_file manage_fifo_file_perms;
-
-manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
-+can_exec(wine_domain, wine_exec_t)
++allow wine_domain self:process { execstack execmem execheap };
++allow wine_domain self:fifo_file manage_fifo_file_perms;
-domain_mmap_low(wine_t)
++can_exec(wine_domain, wine_exec_t)
++
+manage_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t)
-+userdom_user_home_dir_filetrans(wine_domain, wine_home_t, dir, ".wine")
+userdom_tmpfs_filetrans(wine_domain, file)
++wine_filetrans_named_content(wine_domain)
-files_execmod_all_files(wine_t)
+files_execmod_all_files(wine_domain)
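Review bot: On the new side `allow wine_domain self:process { execstack execmem execheap }`, `files_execmod_all_files(wine_domain)` and `can_exec(wine_domain, wine_exec_t)` move from the single type wine_t to the wine_domain attribute, so every type that is later given the attribute inherits executable-memory permissions and execmod on all files; where the attribute is assigned is outside this hunk. At the same time `unconfined_domain(wine_t)` stays keyed to wine_t rather than the attribute, and nothing in the hunk says whether that asymmetry is deliberate. A one-line comment above the attribute rules would make the intent reviewable, e.g. `# Executable-memory and execmod rules apply to all wine_domain types; unconfined_domain() is intentionally wine_t only`. The same widening from wine_t to wine_domain applies to the rtkit and xserver rules in the following hunk (`@@ -98674,19 +99540,19 @@`). The wine.te local-policy section continues past both hunks.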
@@ -98674,19 +99540,19 @@ index b51923c..8e47110 100644
optional_policy(`
- rtkit_scheduled(wine_t)
--')
--
--optional_policy(`
-- unconfined_domain(wine_t)
+ rtkit_scheduled(wine_domain)
')
optional_policy(`
-- xserver_read_xdm_pid(wine_t)
-- xserver_rw_shm(wine_t)
+- unconfined_domain(wine_t)
+ xserver_read_xdm_pid(wine_domain)
+ xserver_rw_shm(wine_domain)
')
+
+-optional_policy(`
+- xserver_read_xdm_pid(wine_t)
+- xserver_rw_shm(wine_t)
+-')
diff --git a/wireshark.te b/wireshark.te
index cf5cab6..a2d910f 100644
--- a/wireshark.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9979122..d49e679 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 108%{?dist}
+Release: 109%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -573,6 +573,48 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Dec 10 2013 Miroslav Grepl 3.12.1-109
+- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t
+- Add labeling for /usr/lib/systemd/system/mariadb.service
+- Allow hyperv_domain to read sysfs
+- Fix ldap_read_certs() interface to allow acess also link files
+- Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt
+- Allow tuned to run modprobe
+- Allow portreserve to search /var/lib/sss dir
+- Add SELinux support for the teamd package contains team network device control daemon.
+- Dontaudit access check on /proc for bumblebee
+- Bumblebee wants to load nvidia modules
+- Fix rpm_named_filetrans_log_files and wine.te
+- Add conman policy for rawhide
+- DRM master and input event devices are used by the TakeDevice API
+- Clean up bumblebee policy
+- Update pegasus_openlmi_storage_t policy
+- Add freeipmi_stream_connect() interface
+- Allow logwatch read madm.conf to support RAID setup
+- Add raid_read_conf_files() interface
+- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
+- add rpm_named_filetrans_log_files() interface
+- Allow dkim-milter to create files/dirs in /tmp
+- update freeipmi policy
+- Add policy for freeipmi services
+- Added rdisc_admin and rdisc_systemctl interfaces
+- opensm policy clean up
+- openwsman policy clean up
+- ninfod policy clean up
+- Added new policy for ninfod
+- Added new policy for openwsman
+- Added rdisc_admin and rdisc_systemctl interfaces
+- Fix kernel_dontaudit_access_check_proc()
+- Add support for /dev/uhid
+- Allow sulogin to get the attributes of initctl and sys_admin cap
+- Add kernel_dontaudit_access_check_proc()
+- Fix dev_rw_ipmi_dev()
+- Fix new interface in devices.if
+- DRM master and input event devices are used by the TakeDevice API
+- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
+- Added support for default conman port
+- Add interfaces for ipmi devices
+
* Wed Dec 4 2013 Miroslav Grepl 3.12.1-108
- Allow sosreport to send a signal to ABRT
- Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t