diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 81c7d86..906d448 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -1820,7 +1820,7 @@ index 688abc2..3d89250 100644
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5ca..bfc85a0 100644
+index 03ec5ca..025c177 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -89,7 +89,6 @@ template(`su_restricted_domain_template', `
@@ -1843,41 +1843,234 @@ index 03ec5ca..bfc85a0 100644
optional_policy(`
cron_read_pipes($1_su_t)
')
-@@ -208,7 +202,7 @@ template(`su_role_template',`
+@@ -172,14 +166,6 @@ template(`su_role_template',`
+ role $2 types $1_su_t;
- auth_domtrans_chk_passwd($1_su_t)
- auth_dontaudit_read_shadow($1_su_t)
+ allow $3 $1_su_t:process signal;
+-
+- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+- dontaudit $1_su_t self:capability sys_tty_config;
+- allow $1_su_t self:process { setexec setsched setrlimit };
+- allow $1_su_t self:fifo_file rw_fifo_file_perms;
+- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+- allow $1_su_t self:key { search write };
+-
+ allow $1_su_t $3:key search;
+
+ # Transition from the user domain to this domain.
+@@ -194,125 +180,12 @@ template(`su_role_template',`
+ allow $3 $1_su_t:process sigchld;
+
+ kernel_read_system_state($1_su_t)
+- kernel_read_kernel_sysctls($1_su_t)
+- kernel_search_key($1_su_t)
+- kernel_link_key($1_su_t)
+-
+- # for SSP
+- dev_read_urand($1_su_t)
+-
+- fs_search_auto_mountpoints($1_su_t)
+
+- # needed for pam_rootok
+- selinux_compute_access_vector($1_su_t)
+-
+- auth_domtrans_chk_passwd($1_su_t)
+- auth_dontaudit_read_shadow($1_su_t)
- auth_use_nsswitch($1_su_t)
+- auth_rw_faillog($1_su_t)
+-
+- corecmd_search_bin($1_su_t)
+-
+- domain_use_interactive_fds($1_su_t)
+-
+- files_read_etc_files($1_su_t)
+- files_read_etc_runtime_files($1_su_t)
+- files_search_var_lib($1_su_t)
+- files_dontaudit_getattr_tmp_dirs($1_su_t)
+-
+- init_dontaudit_use_fds($1_su_t)
+- # Write to utmp.
+- init_rw_utmp($1_su_t)
+ auth_use_pam($1_su_t)
- auth_rw_faillog($1_su_t)
- corecmd_search_bin($1_su_t)
-@@ -228,10 +222,10 @@ template(`su_role_template',`
+ mls_file_write_all_levels($1_su_t)
logging_send_syslog_msg($1_su_t)
-
+-
- miscfiles_read_localization($1_su_t)
-
- userdom_use_user_terminals($1_su_t)
- userdom_search_user_home_dirs($1_su_t)
-+ userdom_search_admin_dir($1_su_t)
-
- ifdef(`distro_redhat',`
- # RHEL5 and possibly newer releases incl. Fedora
-@@ -277,12 +271,7 @@ template(`su_role_template',`
- ')
- ')
-
+-
+- userdom_use_user_terminals($1_su_t)
+- userdom_search_user_home_dirs($1_su_t)
+-
+- ifdef(`distro_redhat',`
+- # RHEL5 and possibly newer releases incl. Fedora
+- auth_domtrans_upd_passwd($1_su_t)
+-
+- optional_policy(`
+- locallogin_search_keys($1_su_t)
+- ')
+- ')
+-
+- ifdef(`distro_rhel4',`
+- domain_role_change_exemption($1_su_t)
+- domain_subj_id_change_exemption($1_su_t)
+- domain_obj_id_change_exemption($1_su_t)
+-
+- selinux_get_fs_mount($1_su_t)
+- selinux_validate_context($1_su_t)
+- selinux_compute_create_context($1_su_t)
+- selinux_compute_relabel_context($1_su_t)
+- selinux_compute_user_contexts($1_su_t)
+-
+- # Relabel ttys and ptys.
+- term_relabel_all_ttys($1_su_t)
+- term_relabel_all_ptys($1_su_t)
+- # Close and re-open ttys and ptys to get the fd into the correct domain.
+- term_use_all_ttys($1_su_t)
+- term_use_all_ptys($1_su_t)
+-
+- seutil_read_config($1_su_t)
+- seutil_read_default_contexts($1_su_t)
+-
+- if(secure_mode) {
+- # Only allow transitions to unprivileged user domains.
+- userdom_spec_domtrans_unpriv_users($1_su_t)
+- } else {
+- # Allow transitions to all user domains
+- userdom_spec_domtrans_all_users($1_su_t)
+- }
+-
+- optional_policy(`
+- unconfined_domtrans($1_su_t)
+- unconfined_signal($1_su_t)
+- ')
+- ')
+-
- ifdef(`hide_broken_symptoms',`
- # dontaudit leaked sockets from parent
- dontaudit $1_su_t $3:socket_class_set { read write };
- ')
-
- tunable_policy(`allow_polyinstantiation',`
-+ tunable_policy(`polyinstantiation_enabled',`
- fs_mount_xattr_fs($1_su_t)
- fs_unmount_xattr_fs($1_su_t)
- ')
+- fs_mount_xattr_fs($1_su_t)
+- fs_unmount_xattr_fs($1_su_t)
+- ')
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_search_nfs($1_su_t)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_search_cifs($1_su_t)
+- ')
+-
+- optional_policy(`
+- cron_read_pipes($1_su_t)
+- ')
+-
+- optional_policy(`
+- kerberos_use($1_su_t)
+- ')
+-
+- optional_policy(`
+- # used when the password has expired
+- usermanage_read_crack_db($1_su_t)
+- ')
+-
+- # Modify .Xauthority file (via xauth program).
+- optional_policy(`
+- xserver_user_home_dir_filetrans_user_xauth($1_su_t)
+- xserver_domtrans_xauth($1_su_t)
+- ')
+ ')
+
+ #######################################
+diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
+index 85bb77e..0df3b43 100644
+--- a/policy/modules/admin/su.te
++++ b/policy/modules/admin/su.te
+@@ -9,3 +9,81 @@ attribute su_domain_type;
+
+ type su_exec_t;
+ corecmd_executable_file(su_exec_t)
++
++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
++dontaudit su_domain_type self:capability sys_tty_config;
++allow su_domain_type self:process { setexec setsched setrlimit };
++allow su_domain_type self:fifo_file rw_fifo_file_perms;
++allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
++allow su_domain_type self:key { search write };
++
++kernel_read_kernel_sysctls(su_domain_type)
++kernel_search_key(su_domain_type)
++kernel_link_key(su_domain_type)
++
++# for SSP
++dev_read_urand(su_domain_type)
++dev_dontaudit_getattr_all(su_domain_type)
++
++fs_search_auto_mountpoints(su_domain_type)
++
++# needed for pam_rootok
++selinux_compute_access_vector(su_domain_type)
++
++corecmd_search_bin(su_domain_type)
++
++domain_use_interactive_fds(su_domain_type)
++
++files_read_etc_files(su_domain_type)
++files_read_etc_runtime_files(su_domain_type)
++files_search_var_lib(su_domain_type)
++files_dontaudit_getattr_tmp_dirs(su_domain_type)
++
++init_dontaudit_use_fds(su_domain_type)
++# Write to utmp.
++init_rw_utmp(su_domain_type)
++
++userdom_use_user_terminals(su_domain_type)
++userdom_search_user_home_dirs(su_domain_type)
++userdom_search_admin_dir(su_domain_type)
++
++ifdef(`distro_redhat',`
++ # RHEL5 and possibly newer releases incl. Fedora
++ auth_domtrans_upd_passwd(su_domain_type)
++
++ optional_policy(`
++ locallogin_search_keys(su_domain_type)
++ ')
++')
++
++tunable_policy(`polyinstantiation_enabled',`
++ fs_mount_xattr_fs(su_domain_type)
++ fs_unmount_xattr_fs(su_domain_type)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_search_nfs(su_domain_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(su_domain_type)
++')
++
++optional_policy(`
++ cron_read_pipes(su_domain_type)
++')
++
++optional_policy(`
++ kerberos_use(su_domain_type)
++')
++
++optional_policy(`
++ # used when the password has expired
++ usermanage_read_crack_db(su_domain_type)
++')
++
++# Modify .Xauthority file (via xauth program).
++optional_policy(`
++ xserver_user_home_dir_filetrans_user_xauth(su_domain_type)
++ xserver_domtrans_xauth(su_domain_type)
++')
diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
index 7bddc02..2b59ed0 100644
--- a/policy/modules/admin/sudo.fc
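Review bot: The rules moved into su.te, from `allow su_domain_type self:capability { audit_control audit_write setuid setgid ... }` down to the xauth `optional_policy` block, now hang off the `su_domain_type` attribute instead of each `$1_su_t`, so every type carrying that attribute receives the whole set with no per-template opt-out; the hunk context shows `su_restricted_domain_template` in the same file, and if its domains carry the attribute they presumably inherit `dac_override`, `setuid`, `setgid` and `audit_control` too. `dev_dontaudit_getattr_all(su_domain_type)` has no counterpart among the removed template lines, so it is a new grant rather than a move and should be called out. The `distro_rhel4` block, the `secure_mode` choice between `userdom_spec_domtrans_unpriv_users` and `userdom_spec_domtrans_all_users`, and the `unconfined_domtrans` optional block are dropped from the template without reappearing in the su.te hunk; if they are handled elsewhere the commit should say so. I would add above the new allow block: `# Applies to every domain with su_domain_type (incl. restricted su domains); keep per-template rules in su.if`.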
@@ -3389,7 +3582,7 @@ index 644d4d7..f9bcd44 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..43cdcb9 100644
+index 9e9263a..7f08657 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -8,6 +8,22 @@
@@ -3516,7 +3709,35 @@ index 9e9263a..43cdcb9 100644
mmap_files_pattern($1, bin_t, bin_t)
')
-@@ -945,6 +990,7 @@ interface(`corecmd_shell_domtrans',`
+@@ -440,10 +485,14 @@ interface(`corecmd_mmap_bin_files',`
+ interface(`corecmd_bin_spec_domtrans',`
+ gen_require(`
+ type bin_t;
++ type usr_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ domain_transition_pattern($1, bin_t, $2)
++
++ read_lnk_files_pattern($1, usr_t, usr_t)
++ domain_transition_pattern($1, usr_t, $2)
+ ')
+
+ ########################################
+@@ -483,10 +532,12 @@ interface(`corecmd_bin_spec_domtrans',`
+ interface(`corecmd_bin_domtrans',`
+ gen_require(`
+ type bin_t;
++ type usr_t;
+ ')
+
+ corecmd_bin_spec_domtrans($1, $2)
+ type_transition $1 bin_t:process $2;
++ type_transition $1 usr_t:process $2;
+ ')
+
+ ########################################
+@@ -945,6 +996,7 @@ interface(`corecmd_shell_domtrans',`
interface(`corecmd_exec_chroot',`
gen_require(`
type chroot_exec_t;
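Review bot: `domain_transition_pattern($1, usr_t, $2)` in `corecmd_bin_spec_domtrans` and `type_transition $1 usr_t:process $2;` in `corecmd_bin_domtrans` make every usr_t-labelled file an entrypoint for `$2` for every caller of these interfaces, not only the bin_t executables the interface names suggest; because usr_t is the generic label for /usr content, a file that was never relabelled to bin_t becomes a transition target. If the intent is to cover executables installed outside bin_t paths, state it on the added lines, e.g. `# usr_t: executables under /usr that are not relabelled to bin_t`, and update the two interfaces' summary text (outside the hunk) so policy consumers see the widened scope. Both interface bodies are fully inside the hunk.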
@@ -3524,7 +3745,7 @@ index 9e9263a..43cdcb9 100644
')
read_lnk_files_pattern($1, bin_t, bin_t)
-@@ -954,6 +1000,24 @@ interface(`corecmd_exec_chroot',`
+@@ -954,6 +1006,24 @@ interface(`corecmd_exec_chroot',`
########################################
##
@@ -3549,7 +3770,7 @@ index 9e9263a..43cdcb9 100644
## Get the attributes of all executable files.
##
##
-@@ -1012,6 +1076,10 @@ interface(`corecmd_exec_all_executables',`
+@@ -1012,6 +1082,10 @@ interface(`corecmd_exec_all_executables',`
can_exec($1, exec_type)
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, exec_type)
@@ -3560,7 +3781,7 @@ index 9e9263a..43cdcb9 100644
')
########################################
-@@ -1049,6 +1117,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -1049,6 +1123,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t;
')
@@ -3568,7 +3789,7 @@ index 9e9263a..43cdcb9 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-@@ -1091,3 +1160,36 @@ interface(`corecmd_mmap_all_executables',`
+@@ -1091,3 +1166,36 @@ interface(`corecmd_mmap_all_executables',`
mmap_files_pattern($1, bin_t, exec_type)
')
@@ -5190,7 +5411,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..17a4eab 100644
+index 4edc40d..cbc0e69 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5326,7 +5547,7 @@ index 4edc40d..17a4eab 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +168,51 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +168,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5337,7 +5558,7 @@ index 4edc40d..17a4eab 100644
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
++network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
network_port(interwise, tcp,7778,s0, udp,7778,s0)
network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
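Review bot: The companion line in the next hunk, `network_port(rlogin, tcp,543,s0, tcp,2105,s0)`, is inserted between `keystone` and `rtsclient` although the surrounding declarations are alphabetical (kerberos_admin, kerberos_password, keystone, kprop, ktalkd), so it should move down beside the other r* entries. This hunk removes tcp/543 and tcp/2105 from `inetd_child` but leaves tcp/544 in place; confirm whether 544 was meant to stay in `inetd_child` now that the other two have their own port type, and record the answer in a short comment on the rlogin line.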
@@ -5365,6 +5586,7 @@ index 4edc40d..17a4eab 100644
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
+network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
++network_port(rlogin, tcp,543,s0, tcp,2105,s0)
+network_port(rtsclient, tcp,2501,s0)
network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
@@ -5392,7 +5614,7 @@ index 4edc40d..17a4eab 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +220,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +221,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5431,7 +5653,7 @@ index 4edc40d..17a4eab 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -214,38 +257,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +258,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5484,7 +5706,7 @@ index 4edc40d..17a4eab 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +307,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +308,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -5495,7 +5717,7 @@ index 4edc40d..17a4eab 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
-@@ -268,10 +319,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +320,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5508,7 +5730,7 @@ index 4edc40d..17a4eab 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +343,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +344,16 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@@ -5527,7 +5749,7 @@ index 4edc40d..17a4eab 100644
########################################
#
-@@ -330,6 +385,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +386,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5536,7 +5758,7 @@ index 4edc40d..17a4eab 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -342,9 +399,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +400,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -16756,10 +16978,10 @@ index 234a940..d340f20 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..28cfc6a 100644
+index 5da7870..834a511 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
+@@ -8,12 +8,70 @@ policy_module(staff, 2.3.1)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -16799,6 +17021,8 @@ index 5da7870..28cfc6a 100644
+
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
++seutil_dbus_chat_semanage(staff_t)
++seutil_read_login_config(staff_t)
+
+storage_read_scsi_generic(staff_t)
+storage_write_scsi_generic(staff_t)
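Review bot: `seutil_dbus_chat_semanage(staff_t)` lets the staff user domain exchange D-Bus messages with the semanage (policy management) domain; the neighbouring lines `seutil_read_module_store` and `seutil_run_newrole` grant read or role-transition access, so this is a step up that deserves a comment on the use case, e.g. `# staff talks to the semanage dbus service (policy queries)`. Whether the semanage side restricts what an unprivileged caller can request is not visible here, so confirm the bus interface does not expose policy-modifying methods to staff_t unintentionally. `seutil_read_login_config(staff_t)` is read-only and needs no note.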
@@ -16828,7 +17052,7 @@ index 5da7870..28cfc6a 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -23,11 +79,106 @@ optional_policy(`
+@@ -23,11 +81,106 @@ optional_policy(`
')
optional_policy(`
@@ -16936,7 +17160,7 @@ index 5da7870..28cfc6a 100644
')
optional_policy(`
-@@ -35,15 +186,31 @@ optional_policy(`
+@@ -35,15 +188,31 @@ optional_policy(`
')
optional_policy(`
@@ -16970,7 +17194,7 @@ index 5da7870..28cfc6a 100644
')
optional_policy(`
-@@ -52,10 +219,55 @@ optional_policy(`
+@@ -52,10 +221,55 @@ optional_policy(`
')
optional_policy(`
@@ -17026,7 +17250,7 @@ index 5da7870..28cfc6a 100644
xserver_role(staff_r, staff_t)
')
-@@ -65,10 +277,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +279,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17037,7 +17261,7 @@ index 5da7870..28cfc6a 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -78,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +288,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@@ -17048,7 +17272,7 @@ index 5da7870..28cfc6a 100644
')
optional_policy(`
-@@ -101,10 +305,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +307,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17059,7 +17283,7 @@ index 5da7870..28cfc6a 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +325,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +327,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17070,7 +17294,7 @@ index 5da7870..28cfc6a 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +337,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +339,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17081,7 +17305,7 @@ index 5da7870..28cfc6a 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +368,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +370,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -19469,11 +19693,12 @@ index 346d011..3e23acb 100644
+ ')
+')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 76d9f66..02d4ea6 100644
+index 76d9f66..e3c8586 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
-@@ -1,16 +1,36 @@
+@@ -1,16 +1,37 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
-/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
@@ -20211,7 +20436,7 @@ index fe0c682..225aaa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..7931fba 100644
+index 5fc0391..007ac2e 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -20321,12 +20546,13 @@ index 5fc0391..7931fba 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -107,33 +120,41 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -107,33 +120,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
-userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file)
++userdom_user_home_content_filetrans(ssh_t, ssh_home_t, sock_file)
+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh")
+userdom_read_all_users_keys(ssh_t)
+userdom_stream_connect(ssh_t)
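Review bot: `userdom_user_home_content_filetrans(ssh_t, ssh_home_t, sock_file)` applies to every user-home content type in which ssh_t creates a socket, not only the `~/.ansible/cp` directory that the ssh.fc hunk (the line after `HOME_DIR/\.ssh(/.*)?`) labels with `-s`, so sockets ssh_t creates anywhere else under a home directory will also be created as ssh_home_t. If the ansible ControlPath socket is the motivating case, say so on the line, `# ControlPath sockets, e.g. ~/.ansible/cp/*`, so the broad filetrans can later be narrowed with a named transition. The fc entry `HOME_DIR/\.ansible/cp/.* -s` only matches the socket files, so the `cp` directory itself is not relabelled by it; that is consistent with the filetrans but worth stating beside the fc line.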
@@ -20368,7 +20594,7 @@ index 5fc0391..7931fba 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
-@@ -154,40 +175,46 @@ files_read_var_files(ssh_t)
+@@ -154,40 +176,46 @@ files_read_var_files(ssh_t)
logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)
@@ -20434,7 +20660,7 @@ index 5fc0391..7931fba 100644
')
optional_policy(`
-@@ -195,6 +222,7 @@ optional_policy(`
+@@ -195,6 +223,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@@ -20442,7 +20668,7 @@ index 5fc0391..7931fba 100644
##############################
#
# ssh_keysign_t local policy
-@@ -206,6 +234,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -206,6 +235,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
@@ -20450,7 +20676,7 @@ index 5fc0391..7931fba 100644
files_read_etc_files(ssh_keysign_t)
-@@ -223,33 +252,54 @@ optional_policy(`
+@@ -223,33 +253,54 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -20514,7 +20740,7 @@ index 5fc0391..7931fba 100644
')
optional_policy(`
-@@ -257,11 +307,28 @@ optional_policy(`
+@@ -257,11 +308,28 @@ optional_policy(`
')
optional_policy(`
@@ -20544,7 +20770,7 @@ index 5fc0391..7931fba 100644
')
optional_policy(`
-@@ -269,6 +336,10 @@ optional_policy(`
+@@ -269,6 +337,10 @@ optional_policy(`
')
optional_policy(`
@@ -20555,7 +20781,7 @@ index 5fc0391..7931fba 100644
rpm_use_script_fds(sshd_t)
')
-@@ -279,13 +350,69 @@ optional_policy(`
+@@ -279,13 +351,69 @@ optional_policy(`
')
optional_policy(`
@@ -20625,7 +20851,7 @@ index 5fc0391..7931fba 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +421,26 @@ optional_policy(`
+@@ -294,19 +422,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -20653,7 +20879,7 @@ index 5fc0391..7931fba 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +457,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +458,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -20666,7 +20892,7 @@ index 5fc0391..7931fba 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +471,138 @@ optional_policy(`
+@@ -331,3 +472,138 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -24259,7 +24485,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..2f6ba05 100644
+index 3efd5b6..362b3af 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -24316,13 +24542,12 @@ index 3efd5b6..2f6ba05 100644
')
########################################
-@@ -95,48 +115,21 @@ interface(`auth_use_pam',`
+@@ -95,48 +115,20 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
+ attribute polydomain;
+ attribute login_pgm;
-+ type auth_home_t;
')
domain_type($1)
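Review bot: Dropping `type auth_home_t;` from the `gen_require` of `auth_login_pgm_domain` is only safe if no rule in the interface body still names auth_home_t; the body continues past the hunk, so check the remaining lines before merging. A leftover reference would fail at policy build time rather than silently, but the patch-of-a-patch layout makes that easy to miss until the full file is regenerated.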
@@ -24371,7 +24596,7 @@ index 3efd5b6..2f6ba05 100644
mls_file_read_all_levels($1)
mls_file_write_all_levels($1)
-@@ -146,18 +139,43 @@ interface(`auth_login_pgm_domain',`
+@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',`
mls_fd_share_all_levels($1)
auth_use_pam($1)
@@ -24423,7 +24648,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
-@@ -231,6 +249,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',`
########################################
##
@@ -24449,7 +24674,7 @@ index 3efd5b6..2f6ba05 100644
## Execute a login_program in the target domain,
## with a range transition.
##
-@@ -402,6 +439,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -402,6 +438,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -24458,7 +24683,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
-@@ -448,6 +487,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -24484,7 +24709,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
-@@ -467,7 +525,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -24492,7 +24717,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
-@@ -664,6 +721,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -24503,7 +24728,7 @@ index 3efd5b6..2f6ba05 100644
')
#######################################
-@@ -763,7 +824,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -24555,7 +24780,7 @@ index 3efd5b6..2f6ba05 100644
')
#######################################
-@@ -824,9 +928,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +927,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
@@ -24586,7 +24811,7 @@ index 3efd5b6..2f6ba05 100644
##
##
##
-@@ -834,12 +958,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +957,27 @@ interface(`auth_rw_lastlog',`
##
##
#
@@ -24617,7 +24842,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
-@@ -854,15 +993,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +992,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@@ -24636,7 +24861,7 @@ index 3efd5b6..2f6ba05 100644
##
##
##
-@@ -875,13 +1014,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1013,33 @@ interface(`auth_signal_pam',`
##
##
#
@@ -24674,7 +24899,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
-@@ -959,9 +1118,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1117,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -24708,7 +24933,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
-@@ -1040,6 +1220,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1219,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -24719,7 +24944,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
-@@ -1176,6 +1360,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1359,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -24727,7 +24952,7 @@ index 3efd5b6..2f6ba05 100644
')
#######################################
-@@ -1576,6 +1761,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1760,25 @@ interface(`auth_setattr_login_records',`
########################################
##
@@ -24753,7 +24978,7 @@ index 3efd5b6..2f6ba05 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1726,24 +1930,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1929,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -24779,7 +25004,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
-@@ -1767,11 +1954,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1953,13 @@ interface(`auth_relabel_login_records',`
##
#
interface(`auth_use_nsswitch',`
@@ -24796,7 +25021,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
-@@ -1805,3 +1994,219 @@ interface(`auth_unconfined',`
+@@ -1805,3 +1993,241 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -24977,6 +25202,28 @@ index 3efd5b6..2f6ba05 100644
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+')
+
++
++########################################
++##
++## Read the authorization data in the user home directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_read_home_content',`
++
++ gen_require(`
++ type auth_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, auth_home_t, auth_home_t)
++')
++
++
+########################################
+##
+## Create auth directory in the user home directory
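Review bot: The new `auth_read_home_content` interface is formatted unlike its neighbours: an empty line follows `interface(` before `gen_require`, and two blank lines separate it from the interfaces on either side where the rest of the file uses one; trim these. The `##` header lines show no `<summary>` or `<param name="domain">` tags here — possibly stripped in rendering — but if they are really absent the interface will not be picked up by the policy documentation tooling, so it should read like the block that follows it. `read_files_pattern($1, auth_home_t, auth_home_t)` already grants search on auth_home_t directories, so the body is sufficient for files; a one-line comment such as `# read-only by design; use the filetrans interfaces above to create content` would help reviewers of future callers.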
@@ -28845,7 +29092,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..18ef725 100644
+index 9e54bf9..e324045 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28918,7 +29165,7 @@ index 9e54bf9..18ef725 100644
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
-@@ -157,6 +166,8 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,24 +166,33 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@@ -28927,7 +29174,9 @@ index 9e54bf9..18ef725 100644
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
-@@ -165,16 +176,22 @@ auth_use_nsswitch(ipsec_t)
+ auth_use_nsswitch(ipsec_t)
++auth_read_home_content(ipsec_t)
+
init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)
@@ -28951,7 +29200,7 @@ index 9e54bf9..18ef725 100644
seutil_sigchld_newrole(ipsec_t)
')
-@@ -187,10 +204,10 @@ optional_policy(`
+@@ -187,10 +205,10 @@ optional_policy(`
# ipsec_mgmt Local policy
#
@@ -28966,7 +29215,7 @@ index 9e54bf9..18ef725 100644
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -206,14 +223,15 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
+@@ -206,14 +224,15 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
@@ -28985,7 +29234,7 @@ index 9e54bf9..18ef725 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
-@@ -246,6 +264,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +265,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -29002,7 +29251,7 @@ index 9e54bf9..18ef725 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +283,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +284,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -29011,7 +29260,7 @@ index 9e54bf9..18ef725 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -278,9 +308,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +309,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -29023,7 +29272,7 @@ index 9e54bf9..18ef725 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +321,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +322,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
logging_send_syslog_msg(ipsec_mgmt_t)
@@ -29047,7 +29296,7 @@ index 9e54bf9..18ef725 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +356,10 @@ optional_policy(`
+@@ -322,6 +357,10 @@ optional_policy(`
')
optional_policy(`
@@ -29058,7 +29307,7 @@ index 9e54bf9..18ef725 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-@@ -335,7 +373,7 @@ optional_policy(`
+@@ -335,7 +374,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@@ -29067,7 +29316,7 @@ index 9e54bf9..18ef725 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +408,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +409,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -29087,12 +29336,12 @@ index 9e54bf9..18ef725 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +438,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +439,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
-miscfiles_read_localization(racoon_t)
-
+-
sysnet_exec_ifconfig(racoon_t)
+auth_use_pam(racoon_t)
@@ -29817,7 +30066,7 @@ index 808ba93..9d8f729 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 23a645e..f0cbd38 100644
+index 23a645e..52a8540 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@@ -29850,21 +30099,23 @@ index 23a645e..f0cbd38 100644
files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t)
+@@ -75,11 +77,15 @@ kernel_read_system_state(ldconfig_t)
fs_getattr_xattr_fs(ldconfig_t)
+files_list_var_lib(ldconfig_t)
++files_dontaudit_leaks(ldconfig_t)
+files_manage_var_lib_symlinks(ldconfig_t)
+
corecmd_search_bin(ldconfig_t)
domain_use_interactive_fds(ldconfig_t)
+-files_search_var_lib(ldconfig_t)
+files_search_home(ldconfig_t)
- files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_read_usr_files(ldconfig_t)
+ files_search_tmp(ldconfig_t)
@@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t)
init_use_script_ptys(ldconfig_t)
init_read_script_tmp_files(ldconfig_t)
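Review bot: `files_dontaudit_leaks(ldconfig_t)` is added unconditionally, so denials on descriptors leaked into ldconfig by its callers are silenced permanently instead of pointing at the caller that needs close-on-exec. This tree keeps comparable rules under `ifdef(`hide_broken_symptoms',` (see the sysnetwork.te hunk headed `@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',`), so either wrap it the same way or add a comment naming the leaking caller, e.g. `# leaked fds from <caller>, see hide_broken_symptoms`. The same applies to `files_dontaudit_rw_inherited_locks(dhcpc_t)` and `files_dontaudit_rw_inherited_locks(ifconfig_t)` in the sysnetwork.te hunks. Dropping `files_search_var_lib(ldconfig_t)` looks fine since `files_list_var_lib` is granted just above it.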
@@ -33166,7 +33417,7 @@ index d43f3b1..f958391 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..bddf002 100644
+index 3822072..ae12cfa 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
@@ -33410,8 +33661,8 @@ index 3822072..bddf002 100644
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ allow $1 selinux_login_config_t:dir list_dir_perms;
-+ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+')
+
+########################################
@@ -33432,8 +33683,8 @@ index 3822072..bddf002 100644
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
-+ allow $1 selinux_login_config_t:dir list_dir_perms;
-+ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ allow $1 selinux_login_config_t:dir list_dir_perms;
++ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+')
+
#######################################
@@ -33651,7 +33902,7 @@ index 3822072..bddf002 100644
')
#######################################
-@@ -1137,3 +1488,99 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1488,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -33751,6 +34002,29 @@ index 3822072..bddf002 100644
+ filetrans_pattern($1, default_context_t, file_context_t, dir, "files")
+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
+')
++
++#######################################
++##
++## Send and receive messages from
++## semanage dbus server over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_dbus_chat_semanage',`
++ gen_require(`
++ type semanage_t;
++ class dbus send_msg;
++ ')
++
++ ps_process_pattern(semanage_t, $1)
++
++ allow $1 semanage_t:dbus send_msg;
++ allow semanage_t $1:dbus send_msg;
++')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ec01d0b..076b0a0 100644
--- a/policy/modules/system/selinuxutil.te
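Review bot: `ps_process_pattern(semanage_t, $1)` in the new `seutil_dbus_chat_semanage` interface grants semanage_t read access to the caller's process state, which is broader than the summary "Send and receive messages from semanage dbus server over dbus" and the `_dbus_chat_` naming describe; callers will not expect a chat interface to expose their /proc entries. Either state it in the summary, e.g. `## Also allows semanage_t to read the caller's process state (ps_process_pattern).`, or move that rule into a separate interface. Since semanage_t manages the policy store, the description should also make clear that the caller is being given a message channel to a privileged domain.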
@@ -34966,7 +35240,7 @@ index 6944526..ec17624 100644
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..7a9577f 100644
+index b7686d5..087fe08 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -35062,7 +35336,7 @@ index b7686d5..7a9577f 100644
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
-@@ -108,21 +125,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
@@ -35085,10 +35359,11 @@ index b7686d5..7a9577f 100644
files_dontaudit_search_locks(dhcpc_t)
files_getattr_generic_locks(dhcpc_t)
+files_rw_inherited_tmp_file(dhcpc_t)
++files_dontaudit_rw_inherited_locks(dhcpc_t)
fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
-@@ -132,11 +151,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
@@ -35105,7 +35380,7 @@ index b7686d5..7a9577f 100644
modutils_run_insmod(dhcpc_t, dhcpc_roles)
-@@ -156,7 +179,14 @@ ifdef(`distro_ubuntu',`
+@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -35121,7 +35396,7 @@ index b7686d5..7a9577f 100644
')
optional_policy(`
-@@ -174,10 +204,6 @@ optional_policy(`
+@@ -174,10 +205,6 @@ optional_policy(`
')
optional_policy(`
@@ -35132,7 +35407,7 @@ index b7686d5..7a9577f 100644
hotplug_getattr_config_dirs(dhcpc_t)
hotplug_search_config(dhcpc_t)
-@@ -190,23 +216,36 @@ optional_policy(`
+@@ -190,23 +217,36 @@ optional_policy(`
optional_policy(`
netutils_run_ping(dhcpc_t, dhcpc_roles)
netutils_run(dhcpc_t, dhcpc_roles)
@@ -35169,7 +35444,7 @@ index b7686d5..7a9577f 100644
')
optional_policy(`
-@@ -216,7 +255,11 @@ optional_policy(`
+@@ -216,7 +256,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
@@ -35182,7 +35457,7 @@ index b7686d5..7a9577f 100644
')
optional_policy(`
-@@ -228,6 +271,10 @@ optional_policy(`
+@@ -228,6 +272,10 @@ optional_policy(`
')
optional_policy(`
@@ -35193,7 +35468,7 @@ index b7686d5..7a9577f 100644
vmware_append_log(dhcpc_t)
')
-@@ -259,12 +306,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -259,12 +307,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -35217,7 +35492,7 @@ index b7686d5..7a9577f 100644
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
-@@ -274,14 +332,29 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -35238,6 +35513,7 @@ index b7686d5..7a9577f 100644
+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
+
+files_dontaudit_rw_inherited_pipes(ifconfig_t)
++files_dontaudit_rw_inherited_locks(ifconfig_t)
+files_dontaudit_read_root_files(ifconfig_t)
+files_rw_inherited_tmp_file(ifconfig_t)
+
@@ -35247,7 +35523,7 @@ index b7686d5..7a9577f 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +367,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -35275,7 +35551,7 @@ index b7686d5..7a9577f 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -318,7 +391,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -35298,7 +35574,7 @@ index b7686d5..7a9577f 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -329,8 +417,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -35312,7 +35588,7 @@ index b7686d5..7a9577f 100644
')
optional_policy(`
-@@ -339,7 +430,15 @@ optional_policy(`
+@@ -339,7 +432,15 @@ optional_policy(`
')
optional_policy(`
@@ -35329,7 +35605,7 @@ index b7686d5..7a9577f 100644
')
optional_policy(`
-@@ -360,3 +459,13 @@ optional_policy(`
+@@ -360,3 +461,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -38735,7 +39011,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..fbcee33 100644
+index 3c5dba7..991cb36 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39297,7 +39573,7 @@ index 3c5dba7..fbcee33 100644
##############################
#
-@@ -501,41 +632,52 @@ template(`userdom_common_user_template',`
+@@ -501,41 +632,51 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -39320,7 +39596,6 @@ index 3c5dba7..fbcee33 100644
- kernel_read_device_sysctls($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-+ kernel_stream_connect($1_usertype)
- corecmd_exec_bin($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
@@ -39373,7 +39648,7 @@ index 3c5dba7..fbcee33 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,93 +688,120 @@ template(`userdom_common_user_template',`
+@@ -546,93 +687,120 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -39532,7 +39807,7 @@ index 3c5dba7..fbcee33 100644
')
optional_policy(`
-@@ -642,23 +811,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +810,21 @@ template(`userdom_common_user_template',`
optional_policy(`
mpd_manage_user_data_content($1_t)
mpd_relabel_user_data_content($1_t)
@@ -39561,7 +39836,7 @@ index 3c5dba7..fbcee33 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +838,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +837,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -39570,7 +39845,7 @@ index 3c5dba7..fbcee33 100644
')
optional_policy(`
-@@ -680,9 +847,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +846,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -39583,7 +39858,7 @@ index 3c5dba7..fbcee33 100644
')
')
-@@ -693,32 +860,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +859,35 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -39630,7 +39905,7 @@ index 3c5dba7..fbcee33 100644
')
')
-@@ -743,17 +913,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +912,33 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -39668,7 +39943,7 @@ index 3c5dba7..fbcee33 100644
userdom_change_password_template($1)
-@@ -761,82 +947,99 @@ template(`userdom_login_user_template', `
+@@ -761,82 +946,99 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -39804,22 +40079,24 @@ index 3c5dba7..fbcee33 100644
')
')
-@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
+ allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
+ dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
+
-+ seutil_read_file_contexts($1_t)
-+ seutil_read_default_contexts($1_t)
++ seutil_read_file_contexts($1_t)
++ seutil_read_default_contexts($1_t)
+
##############################
#
# Local policy
-@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1115,99 @@ template(`userdom_restricted_xwindows_user_template',`
+ #
# Local policy
#
++ kernel_stream_connect($1_usertype)
- auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
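Review bot: `kernel_stream_connect($1_usertype)` is moved from userdom_common_user_template (removed in the hunk headed `@@ -501,41 +632,51 @@`) into userdom_restricted_xwindows_user_template with no comment, and nothing in the hunk says which kernel_t-labelled stream socket a restricted X user must connect to. A one-line comment above it, e.g. `# <component> connects to a kernel_t labelled unix stream socket` with the real component filled in, would keep the rule auditable later. Worth confirming that user domains built without the xwindows template genuinely no longer need it, since they lose the permission with this move.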
@@ -40049,20 +40326,20 @@ index 3c5dba7..fbcee33 100644
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
-+ mount_run_fusermount($1_t, $1_r)
-+ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
-+ wine_role_template($1, $1_r, $1_t)
++ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 19c3de3..c1ad325 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -2023,7 +2023,7 @@ index 7f4dfbc..4d750fa 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
-index ed45974..95b56a6 100644
+index ed45974..cd5a4fa 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,13 @@ attribute_role amanda_recover_roles;
@@ -2033,7 +2033,7 @@ index ed45974..95b56a6 100644
+type amanda_exec_t;
type amanda_inetd_exec_t;
-inetd_service_domain(amanda_t, amanda_inetd_exec_t)
-+init_daemon_domain(amanda_t, amanda_exec_t)
++init_daemon_domain(amanda_t, amanda_inetd_exec_t)
+role system_r types amanda_t;
-type amanda_exec_t;
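Review bot: After this change `init_daemon_domain(amanda_t, amanda_inetd_exec_t)` makes the inetd-labelled binary the init entrypoint while `inetd_service_domain` on the same type is dropped, yet `type amanda_exec_t;` is still declared a few lines above and no longer appears in any entrypoint rule in this hunk. If amanda_exec_t has no remaining use in amanda.te it should go, together with its file-context entry; if it is still used, a comment such as `# amanda_inetd_exec_t is the init entrypoint now that amanda runs as a daemon` would explain the naming. The rest of the amanda.te declarations are outside the hunk, so this is hedged on what they contain.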
@@ -4639,7 +4639,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..12b3640 100644
+index 1a82e29..217ba9e 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5828,7 +5828,7 @@ index 1a82e29..12b3640 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +917,42 @@ optional_policy(`
+@@ -781,34 +917,46 @@ optional_policy(`
')
optional_policy(`
@@ -5838,6 +5838,10 @@ index 1a82e29..12b3640 100644
+')
+
+optional_policy(`
++ gssproxy_stream_connect(httpd_t)
++')
++
++optional_policy(`
+ jetty_admin(httpd_t)
+')
+
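Review bot: The new `optional_policy(` block hands httpd_t `gssproxy_stream_connect` without saying why the web server needs the GSS proxy socket; this tree does annotate non-obvious rules (e.g. `# Create UDP sockets, necessary when called from dhcpc` in sysnetwork.te). A one-liner above the call, e.g. `# mod_auth_gssapi obtains Kerberos credentials through gssproxy`, adjusted to whichever consumer actually motivated it, would make the rule reviewable later.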
@@ -5882,7 +5886,7 @@ index 1a82e29..12b3640 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +960,18 @@ optional_policy(`
+@@ -816,8 +964,18 @@ optional_policy(`
')
optional_policy(`
@@ -5901,7 +5905,7 @@ index 1a82e29..12b3640 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +980,7 @@ optional_policy(`
+@@ -826,6 +984,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5909,7 +5913,7 @@ index 1a82e29..12b3640 100644
')
optional_policy(`
-@@ -836,20 +991,39 @@ optional_policy(`
+@@ -836,20 +995,39 @@ optional_policy(`
')
optional_policy(`
@@ -5955,7 +5959,7 @@ index 1a82e29..12b3640 100644
')
optional_policy(`
-@@ -857,19 +1031,35 @@ optional_policy(`
+@@ -857,19 +1035,35 @@ optional_policy(`
')
optional_policy(`
@@ -5991,7 +5995,7 @@ index 1a82e29..12b3640 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1067,170 @@ optional_policy(`
+@@ -877,65 +1071,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6061,11 +6065,10 @@ index 1a82e29..12b3640 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache PHP script local policy
+#
+
@@ -6124,10 +6127,11 @@ index 1a82e29..12b3640 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache suexec local policy
#
@@ -6184,7 +6188,7 @@ index 1a82e29..12b3640 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1239,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6339,7 +6343,7 @@ index 1a82e29..12b3640 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1323,104 @@ optional_policy(`
+@@ -1077,172 +1327,104 @@ optional_policy(`
')
')
@@ -6359,13 +6363,13 @@ index 1a82e29..12b3640 100644
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
--
++allow httpd_sys_script_t self:process getsched;
+
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-+allow httpd_sys_script_t self:process getsched;
-
+-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -6520,8 +6524,7 @@ index 1a82e29..12b3640 100644
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
@@ -6537,7 +6540,8 @@ index 1a82e29..12b3640 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6575,7 +6579,7 @@ index 1a82e29..12b3640 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1428,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1432,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6672,7 +6676,7 @@ index 1a82e29..12b3640 100644
########################################
#
-@@ -1315,8 +1503,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1507,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6689,15 +6693,14 @@ index 1a82e29..12b3640 100644
')
########################################
-@@ -1324,49 +1519,38 @@ optional_policy(`
+@@ -1324,49 +1523,38 @@ optional_policy(`
# User content local policy
#
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_user_script_t)
-')
-+auth_use_nsswitch(httpd_user_script_t)
-
+-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_cifs_files(httpd_user_script_t)
@@ -6707,7 +6710,8 @@ index 1a82e29..12b3640 100644
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_user_script_t)
-')
--
++auth_use_nsswitch(httpd_user_script_t)
+
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_nfs_files(httpd_user_script_t)
@@ -6754,7 +6758,7 @@ index 1a82e29..12b3640 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1560,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1564,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -6772,8 +6776,7 @@ index 1a82e29..12b3640 100644
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
-
--allow httpd_gpg_t self:process setrlimit;
++
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
@@ -6807,7 +6810,8 @@ index 1a82e29..12b3640 100644
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
-+
+
+-allow httpd_gpg_t self:process setrlimit;
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-allow httpd_gpg_t httpd_t:fd use;
@@ -9203,10 +9207,10 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..d4b9ffa 100644
+index 7c92aa1..e27b377 100644
--- a/boinc.te
+++ b/boinc.te
-@@ -1,11 +1,13 @@
+@@ -1,11 +1,20 @@
-policy_module(boinc, 1.0.3)
+policy_module(boinc, 1.0.0)
@@ -9216,13 +9220,20 @@ index 7c92aa1..d4b9ffa 100644
#
-type boinc_t;
++##
++##
++## Allow boinc_domain execmem/execstack.
++##
++##
++gen_tunable(boinc_execmem, true)
++
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
-@@ -21,31 +23,66 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
@@ -9254,7 +9265,6 @@ index 7c92aa1..d4b9ffa 100644
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
+allow boinc_domain self:process signal;
+allow boinc_domain self:sem create_sem_perms;
-+allow boinc_domain self:process execmem;
+
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
@@ -9276,6 +9286,10 @@ index 7c92aa1..d4b9ffa 100644
+
+miscfiles_read_fonts(boinc_domain)
+
++tunable_policy(`boinc_execmem',`
++ allow boinc_domain self:process { execstack execmem };
++')
++
+optional_policy(`
+ sysnet_dns_name_resolve(boinc_domain)
+')
@@ -9298,7 +9312,7 @@ index 7c92aa1..d4b9ffa 100644
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +91,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@@ -9395,7 +9409,7 @@ index 7c92aa1..d4b9ffa 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +141,69 @@ init_read_utmp(boinc_t)
+@@ -130,55 +151,69 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@@ -13907,7 +13921,7 @@ index c086302..4f33119 100644
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
diff --git a/couchdb.if b/couchdb.if
-index 83d6744..b934cb7 100644
+index 83d6744..afa2f78 100644
--- a/couchdb.if
+++ b/couchdb.if
@@ -2,6 +2,44 @@
@@ -13955,7 +13969,7 @@ index 83d6744..b934cb7 100644
## All of the rules required to
## administrate an couchdb environment.
##
-@@ -10,6 +48,108 @@
+@@ -10,6 +48,127 @@
## Domain allowed access.
##
##
@@ -14026,6 +14040,25 @@ index 83d6744..b934cb7 100644
+ allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
++#######################################
++##
++## Search couchdb PID dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_search_pid_dirs',`
++ gen_require(`
++ type couchdb_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 couchdb_var_run_t:dir search_dir_perms;
++')
++
+########################################
+##
+## Execute couchdb server in the couchdb domain.
@@ -14064,7 +14097,7 @@ index 83d6744..b934cb7 100644
##
##
## Role allowed access.
-@@ -19,14 +159,19 @@
+@@ -19,14 +178,19 @@
#
interface(`couchdb_admin',`
gen_require(`
@@ -14085,7 +14118,7 @@ index 83d6744..b934cb7 100644
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -46,4 +191,13 @@ interface(`couchdb_admin',`
+@@ -46,4 +210,13 @@ interface(`couchdb_admin',`
files_search_pids($1)
admin_pattern($1, couchdb_var_run_t)
@@ -17097,7 +17130,7 @@ index 06da9a0..6d69a2f 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..09ef91c 100644
+index 9f34c2e..d084359 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -17539,7 +17572,7 @@ index 9f34c2e..09ef91c 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +531,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +531,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -17552,6 +17585,7 @@ index 9f34c2e..09ef91c 100644
corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
++corenet_tcp_bind_printer_port(cupsd_lpd_t)
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
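Review bot: `corenet_tcp_bind_printer_port(cupsd_lpd_t)` is added beside the existing connect rule, but cupsd_lpd_t is entered through `inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)` further down, where the super-server owns the listening socket and the service never binds; a bind permission for the service itself is unusual and deserves a comment naming the code path that binds, e.g. `# cups-lpd binds the printer port itself when started standalone`, adjusted to the real case. The same question applies to `corenet_tcp_bind_cvs_port(cvs_t)` in the cvs.te hunk below, whose hunk shows no listener setup either.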
@@ -17572,7 +17606,7 @@ index 9f34c2e..09ef91c 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -546,7 +557,6 @@ optional_policy(`
+@@ -546,7 +558,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -17580,7 +17614,7 @@ index 9f34c2e..09ef91c 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +572,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +573,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -17732,7 +17766,7 @@ index 9f34c2e..09ef91c 100644
########################################
#
-@@ -731,7 +616,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +617,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -17740,7 +17774,7 @@ index 9f34c2e..09ef91c 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +625,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +626,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -17754,7 +17788,7 @@ index 9f34c2e..09ef91c 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +637,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +638,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -17763,7 +17797,7 @@ index 9f34c2e..09ef91c 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -769,3 +649,4 @@ optional_policy(`
+@@ -769,3 +650,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@@ -17813,7 +17847,7 @@ index 9fa7ffb..fd3262c 100644
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
diff --git a/cvs.te b/cvs.te
-index 53fc3af..989aabf 100644
+index 53fc3af..897ad64 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
@@ -17830,7 +17864,7 @@ index 53fc3af..989aabf 100644
application_executable_file(cvs_exec_t)
type cvs_data_t; # customizable
-@@ -58,6 +59,14 @@ kernel_read_network_state(cvs_t)
+@@ -58,6 +59,15 @@ kernel_read_network_state(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
@@ -17841,11 +17875,12 @@ index 53fc3af..989aabf 100644
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
++corenet_tcp_bind_cvs_port(cvs_t)
+
dev_read_urand(cvs_t)
files_read_etc_runtime_files(cvs_t)
-@@ -70,18 +79,18 @@ auth_use_nsswitch(cvs_t)
+@@ -70,18 +80,18 @@ auth_use_nsswitch(cvs_t)
init_read_utmp(cvs_t)
@@ -17867,7 +17902,7 @@ index 53fc3af..989aabf 100644
allow cvs_t self:capability dac_override;
auth_tunable_read_shadow(cvs_t)
')
-@@ -103,4 +112,5 @@ optional_policy(`
+@@ -103,4 +113,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -18180,7 +18215,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index afcf3a2..8c49f40 100644
+index afcf3a2..e6ecc4d 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -18198,7 +18233,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -41,59 +41,64 @@ interface(`dbus_stub',`
+@@ -41,59 +41,68 @@ interface(`dbus_stub',`
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
@@ -18273,8 +18308,11 @@ index afcf3a2..8c49f40 100644
- ifdef(`hide_broken_symptoms',`
- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
-- ')
+ logging_send_syslog_msg($1_dbusd_t)
++
++ optional_policy(`
++ mozilla_domtrans_spec($1_dbusd_t, $1_t)
+ ')
')
#######################################
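Review bot: `mozilla_domtrans_spec($1_dbusd_t, $1_t)` inside dbus_role_template is undocumented; from the interface name it appears to make the per-user session bus transition into the user's own domain `$1_t` rather than a mozilla-specific domain when it activates a mozilla executable, which readers will want explained. Add a comment above the optional_policy, e.g. `# dbus-activated mozilla runs in the user domain, not a separate mozilla domain`, adjusted to the actual reason. Since the template is instantiated for every role, confirm that non-desktop `$1_dbusd_t` domains should get this transition too.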
@@ -18285,7 +18323,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -103,65 +108,29 @@ template(`dbus_role_template',`
+@@ -103,65 +112,29 @@ template(`dbus_role_template',`
#
interface(`dbus_system_bus_client',`
gen_require(`
@@ -18360,7 +18398,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -175,19 +144,21 @@ interface(`dbus_connect_all_session_bus',`
+@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',`
##
##
#
@@ -18387,7 +18425,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -196,72 +167,23 @@ interface(`dbus_connect_spec_session_bus',`
+@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',`
##
#
interface(`dbus_session_bus_client',`
@@ -18467,7 +18505,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -270,59 +192,17 @@ interface(`dbus_spec_session_bus_client',`
+@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',`
##
#
interface(`dbus_send_session_bus',`
@@ -18529,7 +18567,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -380,69 +260,32 @@ interface(`dbus_manage_lib_files',`
+@@ -380,69 +264,32 @@ interface(`dbus_manage_lib_files',`
########################################
##
@@ -18610,7 +18648,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -457,20 +300,21 @@ interface(`dbus_all_session_domain',`
+@@ -457,20 +304,21 @@ interface(`dbus_all_session_domain',`
##
##
#
@@ -18636,7 +18674,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -489,7 +333,7 @@ interface(`dbus_connect_system_bus',`
+@@ -489,7 +337,7 @@ interface(`dbus_connect_system_bus',`
########################################
##
@@ -18645,7 +18683,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -508,7 +352,7 @@ interface(`dbus_send_system_bus',`
+@@ -508,7 +356,7 @@ interface(`dbus_send_system_bus',`
########################################
##
@@ -18654,7 +18692,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -527,8 +371,8 @@ interface(`dbus_system_bus_unconfined',`
+@@ -527,8 +375,8 @@ interface(`dbus_system_bus_unconfined',`
########################################
##
@@ -18665,7 +18703,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -543,33 +387,24 @@ interface(`dbus_system_bus_unconfined',`
+@@ -543,33 +391,24 @@ interface(`dbus_system_bus_unconfined',`
#
interface(`dbus_system_domain',`
gen_require(`
@@ -18703,7 +18741,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -587,26 +422,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -587,26 +426,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
##
@@ -18736,7 +18774,7 @@ index afcf3a2..8c49f40 100644
##
##
##
-@@ -614,10 +448,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -614,10 +452,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
##
##
#
@@ -23936,7 +23974,7 @@ index 5cf6ac6..0fc685b 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index c8014f8..2888d51 100644
+index c8014f8..bacc80c 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
@@ -24017,7 +24055,7 @@ index c8014f8..2888d51 100644
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -85,6 +102,10 @@ optional_policy(`
+@@ -85,9 +102,17 @@ optional_policy(`
')
optional_policy(`
@@ -24028,6 +24066,13 @@ index c8014f8..2888d51 100644
iptables_domtrans(firewalld_t)
')
+ optional_policy(`
+ modutils_domtrans_insmod(firewalld_t)
+ ')
++
++optional_policy(`
++ NetworkManager_read_state(firewalld_t)
++')
diff --git a/firewallgui.if b/firewallgui.if
index e6866d1..941f4ef 100644
--- a/firewallgui.if
@@ -24949,7 +24994,7 @@ index 1e29af1..c67e44e 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index 93b0301..eafea5b 100644
+index 93b0301..ad8eb38 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -24967,13 +25012,7 @@ index 93b0301..eafea5b 100644
## Determine whether Git system daemon
## can search home directories.
##
-@@ -87,15 +79,16 @@ apache_content_template(git)
- type git_system_t, git_daemon;
- type gitd_exec_t;
- inetd_service_domain(git_system_t, gitd_exec_t)
-+init_domain(git_system_t, gitd_exec_t)
-
- type git_session_t, git_daemon;
+@@ -92,10 +84,10 @@ type git_session_t, git_daemon;
userdom_user_application_domain(git_session_t, gitd_exec_t)
role git_session_roles types git_session_t;
@@ -24986,7 +25025,7 @@ index 93b0301..eafea5b 100644
userdom_user_home_content(git_user_content_t)
########################################
-@@ -109,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
@@ -24995,7 +25034,7 @@ index 93b0301..eafea5b 100644
corenet_all_recvfrom_netlabel(git_session_t)
corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
-@@ -129,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
+@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_sendrecv_all_ports(git_session_t)
')
@@ -25006,17 +25045,19 @@ index 93b0301..eafea5b 100644
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
-@@ -157,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -157,6 +149,11 @@ tunable_policy(`use_samba_home_dirs',`
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+kernel_read_network_state(git_system_t)
+kernel_read_system_state(git_system_t)
+
++corenet_tcp_bind_git_port(git_system_t)
++
files_search_var_lib(git_system_t)
auth_use_nsswitch(git_system_t)
-@@ -255,12 +251,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -255,12 +252,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
@@ -25853,7 +25894,7 @@ index e39de43..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..71aa685 100644
+index d03fd43..237de86 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,155 @@
@@ -26570,7 +26611,7 @@ index d03fd43..71aa685 100644
##
##
##
-@@ -473,82 +517,72 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -473,82 +517,73 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
@@ -26648,6 +26689,7 @@ index d03fd43..71aa685 100644
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
++ gnome_read_usr_config($1)
')
########################################
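Review bot: `gnome_read_usr_config($1)` is appended to an interface whose name and description begin above this hunk, so every existing caller of that home-content read interface now also gets whatever `gnome_read_usr_config` grants (presumably read access to gnome configuration under /usr) without the description saying so. Either add a sentence to the description, e.g. `## Also grants read access to the system-wide gnome configuration.`, or leave the interface alone and have the caller that hit the denial call `gnome_read_usr_config` itself, which keeps the two grants independently auditable.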
@@ -26676,7 +26718,7 @@ index d03fd43..71aa685 100644
##
##
##
-@@ -557,52 +591,76 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -557,52 +592,76 @@ interface(`gnome_home_filetrans_gconf_home',`
##
##
#
@@ -26774,7 +26816,7 @@ index d03fd43..71aa685 100644
##
##
##
-@@ -610,93 +668,126 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -610,93 +669,126 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
@@ -26935,7 +26977,7 @@ index d03fd43..71aa685 100644
##
##
##
-@@ -704,12 +795,851 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +796,851 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -29789,14 +29831,16 @@ index 05387d1..08a489c 100644
userdom_dontaudit_search_user_home_dirs(imazesrv_t)
diff --git a/inetd.if b/inetd.if
-index fbb54e7..b347964 100644
+index fbb54e7..05c3777 100644
--- a/inetd.if
+++ b/inetd.if
-@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',`
+@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',`
domtrans_pattern(inetd_t, $2, $1)
allow inetd_t $1:process { siginh sigkill };
+
++ init_domain($1, $2)
++
+ optional_policy(`
+ abrt_stream_connect($1)
+ ')
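Review bot: `init_domain($1, $2)` added right after `allow inetd_t $1:process { siginh sigkill };` makes every `inetd_core_service_domain` directly enterable from init as well as from inetd_t, but nothing in the body says why, and the interface description above this hunk still describes only the inetd transition. A comment above the call such as `# also a direct init entrypoint (systemd socket activation starts the service without inetd)` — if that is the motivation — plus a matching sentence in the description would record the intent. This also means network-facing daemons that go through this interface (telnetd, rlogind, ktalkd, gitd elsewhere in this patch) must now bind their own ports; the `corenet_*_bind_*_port` additions in those modules look like that consequence, so it is worth checking that every caller of the interface received one. `inetd_core_service_domain` begins before this hunk.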
@@ -33958,7 +34002,7 @@ index 19777b8..63d46d3 100644
+ ')
+')
diff --git a/ktalk.te b/ktalk.te
-index 2cf3815..cb979b0 100644
+index 2cf3815..a43a4f6 100644
--- a/ktalk.te
+++ b/ktalk.te
@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1)
@@ -33977,7 +34021,7 @@ index 2cf3815..cb979b0 100644
type ktalkd_tmp_t;
files_tmp_file(ktalkd_tmp_t)
-@@ -35,16 +39,23 @@ kernel_read_kernel_sysctls(ktalkd_t)
+@@ -35,16 +39,24 @@ kernel_read_kernel_sysctls(ktalkd_t)
kernel_read_system_state(ktalkd_t)
kernel_read_network_state(ktalkd_t)
@@ -33988,6 +34032,7 @@ index 2cf3815..cb979b0 100644
+corenet_udp_sendrecv_generic_node(ktalkd_t)
+corenet_tcp_sendrecv_all_ports(ktalkd_t)
+corenet_udp_sendrecv_all_ports(ktalkd_t)
++corenet_udp_bind_ktalkd_port(ktalkd_t)
+
dev_read_urand(ktalkd_t)
@@ -35984,7 +36029,7 @@ index b9270f7..15f3748 100644
')
diff --git a/lsm.fc b/lsm.fc
new file mode 100644
-index 0000000..711c04b
+index 0000000..81cd4e0
--- /dev/null
+++ b/lsm.fc
@@ -0,0 +1,5 @@
@@ -35992,7 +36037,7 @@ index 0000000..711c04b
+
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+
-+/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
++/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
new file mode 100644
index 0000000..52d5956
@@ -38957,7 +39002,7 @@ index 6ffaba2..154cade 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..3209b1c 100644
+index 6194b80..f1a5676 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -39111,7 +39156,8 @@ index 6194b80..3209b1c 100644
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
--
++ mozilla_filetrans_home_content($2)
+
- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
@@ -39126,8 +39172,7 @@ index 6194b80..3209b1c 100644
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
- can_exec($2, mozilla_plugin_rw_t)
-+ mozilla_filetrans_home_content($2)
-
+-
- optional_policy(`
- mozilla_dbus_chat_plugin($2)
- ')
@@ -39243,42 +39288,69 @@ index 6194b80..3209b1c 100644
##
##
##
-@@ -265,27 +173,11 @@ interface(`mozilla_exec_user_plugin_home_files',`
+@@ -265,140 +173,152 @@ interface(`mozilla_exec_user_plugin_home_files',`
##
#
interface(`mozilla_execmod_user_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.')
- mozilla_execmod_user_plugin_home_files($1)
--')
--
--########################################
--##
++ gen_require(`
++ type mozilla_home_t;
++ ')
++
++ allow $1 mozilla_home_t:file execmod;
+ ')
+
+ ########################################
+ ##
-## Mozilla plugin home directory file
-## text relocation.
--##
--##
--##
++## Run mozilla in the mozilla domain.
+ ##
+ ##
+ ##
-## Domain allowed access.
--##
--##
--#
++## Domain allowed to transition.
+ ##
+ ##
+ #
-interface(`mozilla_execmod_user_plugin_home_files',`
++interface(`mozilla_domtrans',`
gen_require(`
- type mozilla_plugin_home_t;
-+ type mozilla_home_t;
++ type mozilla_t, mozilla_exec_t;
')
- allow $1 mozilla_plugin_home_t:file execmod;
-+ allow $1 mozilla_home_t:file execmod;
++ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
')
########################################
-@@ -303,102 +195,107 @@ interface(`mozilla_domtrans',`
- type mozilla_t, mozilla_exec_t;
+ ##
+-## Run mozilla in the mozilla domain.
++## Execute a mozilla_exec_t in the specified domain.
+ ##
+ ##
+ ##
+ ## Domain allowed to transition.
+ ##
+ ##
++##
++##
++## The type of the new process.
++##
++##
+ #
+-interface(`mozilla_domtrans',`
++interface(`mozilla_domtrans_spec',`
+ gen_require(`
+- type mozilla_t, mozilla_exec_t;
++ type mozilla_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+- domtrans_pattern($1, mozilla_exec_t, mozilla_t)
++ domtrans_pattern($1, mozilla_exec_t, $2)
')
########################################
@@ -39429,7 +39501,7 @@ index 6194b80..3209b1c 100644
')
########################################
-@@ -424,8 +321,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +344,7 @@ interface(`mozilla_dbus_chat',`
########################################
##
@@ -39439,7 +39511,7 @@ index 6194b80..3209b1c 100644
##
##
##
-@@ -433,76 +329,108 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +352,126 @@ interface(`mozilla_dbus_chat',`
##
##
#
@@ -39482,6 +39554,24 @@ index 6194b80..3209b1c 100644
- allow $1 mozilla_t:tcp_socket rw_socket_perms;
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
++')
++
++#######################################
++##
++## Read/Write mozilla_plugin tmpfs files
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`mozilla_plugin_rw_tmpfs_files',`
++ gen_require(`
++ type mozilla_plugin_tmpfs_t;
++ ')
++
++ rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
')
########################################
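Review bot: The new `mozilla_plugin_rw_tmpfs_files` is a write grant, and its description "Read/Write mozilla_plugin tmpfs files" says nothing about who is expected to call it or what the files are, while the only caller this patch adds is the whole `sandbox_x_domain` attribute in sandboxX.te. If these tmpfs files are shared-memory segments of the plugin, a write grant is a two-way channel rather than a read, so I would say so in the description, e.g. `## Read/Write mozilla_plugin tmpfs files (plugin shared memory); intended for sandboxed X domains.` The header separator is also 39 `#` characters where the neighbouring interfaces in this file use 40.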
@@ -39577,7 +39667,7 @@ index 6194b80..3209b1c 100644
##
##
##
-@@ -510,19 +438,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +479,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
##
##
#
@@ -39602,7 +39692,7 @@ index 6194b80..3209b1c 100644
##
##
##
-@@ -530,45 +457,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +498,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -45391,7 +45481,7 @@ index a1fb3c3..82f8ae6 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..0b68b86 100644
+index 0e8508c..f8893f8 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -45477,14 +45567,42 @@ index 0e8508c..0b68b86 100644
##
-## Execute networkmanager scripts with
-## an automatic domain transition to initrc.
-+## Execute NetworkManager scripts with an automatic domain transition to initrc.
++## Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc.
##
##
##
-@@ -114,8 +116,31 @@ interface(`networkmanager_initrc_domtrans',`
-
- ########################################
- ##
+@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',`
+ ##
+ ##
+ #
++interface(`networkmanager_NetworkManagerrc_domtrans',`
++ gen_require(`
++ type NetworkManager_NetworkManagerrc_exec_t;
++ ')
++
++ NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t)
++')
++
++#######################################
++##
++## Execute NetworkManager scripts with an automatic domain transition to initrc.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
+ interface(`networkmanager_initrc_domtrans',`
++ gen_require(`
++ type NetworkManager_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
++')
++
++########################################
++##
+## Execute NetworkManager server in the NetworkManager domain.
+##
+##
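Review bot: The added `networkmanager_NetworkManagerrc_domtrans` interface requires a type `NetworkManager_NetworkManagerrc_exec_t` and calls `NetworkManager_labeled_script_domtrans`, neither of which I can find declared anywhere in this patch, and the description just above it now reads "transition to NetworkManagerrc"; this looks like a `s/initrc/NetworkManagerrc/` substitution applied one interface too far. Because m4 only expands an interface when it is called, the module will build until somebody uses it and then fail on the undefined type, so the interface should be removed — the correct `networkmanager_initrc_domtrans` with `NetworkManager_initrc_exec_t` and `init_labeled_script_domtrans` follows immediately below it in this hunk. Restore the description line to `## Execute NetworkManager scripts with an automatic domain transition to initrc.` for the interface that remains.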
@@ -45494,27 +45612,29 @@ index 0e8508c..0b68b86 100644
+##
+#
+interface(`networkmanager_systemctl',`
-+ gen_require(`
+ gen_require(`
+- type NetworkManager_initrc_exec_t;
+ type NetworkManager_unit_file_t;
+ type NetworkManager_t;
-+ ')
-+
+ ')
+
+- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+ systemd_exec_systemctl($1)
+ allow $1 NetworkManager_unit_file_t:file read_file_perms;
+ allow $1 NetworkManager_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, NetworkManager_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
## Send and receive messages from
-## networkmanager over dbus.
+## NetworkManager over dbus.
##
##
##
-@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',`
+@@ -135,7 +178,29 @@ interface(`networkmanager_dbus_chat',`
########################################
##
@@ -45545,7 +45665,7 @@ index 0e8508c..0b68b86 100644
##
##
##
-@@ -153,7 +200,7 @@ interface(`networkmanager_signal',`
+@@ -153,7 +218,7 @@ interface(`networkmanager_signal',`
########################################
##
@@ -45554,7 +45674,7 @@ index 0e8508c..0b68b86 100644
##
##
##
-@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -171,9 +236,28 @@ interface(`networkmanager_read_lib_files',`
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
')
@@ -45584,7 +45704,7 @@ index 0e8508c..0b68b86 100644
##
##
##
-@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -181,19 +265,18 @@ interface(`networkmanager_read_lib_files',`
##
##
#
@@ -45609,7 +45729,7 @@ index 0e8508c..0b68b86 100644
##
##
##
-@@ -201,23 +266,23 @@ interface(`networkmanager_append_log_files',`
+@@ -201,23 +284,23 @@ interface(`networkmanager_append_log_files',`
##
##
#
@@ -45638,7 +45758,7 @@ index 0e8508c..0b68b86 100644
##
##
##
-@@ -227,33 +292,112 @@ interface(`networkmanager_read_pid_files',`
+@@ -227,33 +310,132 @@ interface(`networkmanager_read_pid_files',`
##
##
#
@@ -45729,6 +45849,26 @@ index 0e8508c..0b68b86 100644
+ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
+')
+
++#######################################
++##
++## Read the process state (/proc/pid) of NetworkManager.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`NetworkManager_read_state',`
++ gen_require(`
++ type NetworkManager_t;
++ ')
++
++ allow $1 NetworkManager_t:dir search_dir_perms;
++ allow $1 NetworkManager_t:file read_file_perms;
++ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
++')
++
+########################################
+##
+## Transition to networkmanager named content
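Review bot: The new interface is named `NetworkManager_read_state` while every other interface in this file uses the lowercase module prefix (`networkmanager_read_pid_files`, `networkmanager_read_lib_files`, `networkmanager_append_log_files` in the surrounding hunks), so callers following the convention will not find it; rename it `networkmanager_read_state` and update the `NetworkManager_read_state(firewalld_t)` call this patch adds to firewalld.te. The separator line above its description is also one `#` shorter than the file's others. The body itself is the usual read-state triple (`search_dir_perms` on the dir, `read_file_perms` on files, `read_lnk_file_perms` on symlinks) and looks right.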
@@ -46181,7 +46321,7 @@ index 8aa1bfa..cd0e015 100644
+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/nis.if b/nis.if
-index 46e55c3..346242e 100644
+index 46e55c3..6e4e061 100644
--- a/nis.if
+++ b/nis.if
@@ -1,4 +1,4 @@
@@ -46190,13 +46330,14 @@ index 46e55c3..346242e 100644
########################################
##
-@@ -27,18 +27,13 @@ interface(`nis_use_ypbind_uncond',`
+@@ -27,18 +27,15 @@ interface(`nis_use_ypbind_uncond',`
gen_require(`
type var_yp_t;
')
-
- allow $1 self:capability net_bind_service;
--
++ dontaudit $1 self:capability net_bind_service;
+
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
@@ -46210,7 +46351,7 @@ index 46e55c3..346242e 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
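Review bot: Turning the former `allow $1 self:capability net_bind_service;` into `dontaudit $1 self:capability net_bind_service;` silences that AVC for every domain that calls `nis_use_ypbind_uncond`, yet the interface still grants `corenet_tcp_bind_generic_port`/`corenet_udp_bind_generic_port` a few lines further down, so a NIS client that genuinely needs a reserved port will now fail with nothing in the audit log. If the suppression is deliberate because the RPC library merely probes for a reserved port and falls back, record that, e.g. `# RPC clients probe for a reserved port and fall back; do not log the probe`; if it is not, the allow should stay.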
-@@ -49,14 +44,11 @@ interface(`nis_use_ypbind_uncond',`
+@@ -49,14 +46,11 @@ interface(`nis_use_ypbind_uncond',`
corenet_udp_bind_generic_node($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
@@ -46226,7 +46367,7 @@ index 46e55c3..346242e 100644
corenet_sendrecv_portmap_client_packets($1)
corenet_sendrecv_generic_client_packets($1)
corenet_sendrecv_generic_server_packets($1)
-@@ -88,14 +80,14 @@ interface(`nis_use_ypbind_uncond',`
+@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',`
##
#
interface(`nis_use_ypbind',`
@@ -46243,7 +46384,7 @@ index 46e55c3..346242e 100644
##
##
##
-@@ -105,7 +97,7 @@ interface(`nis_use_ypbind',`
+@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
##
#
interface(`nis_authenticate',`
@@ -46252,7 +46393,7 @@ index 46e55c3..346242e 100644
nis_use_ypbind_uncond($1)
corenet_tcp_bind_all_rpc_ports($1)
corenet_udp_bind_all_rpc_ports($1)
-@@ -133,20 +125,19 @@ interface(`nis_domtrans_ypbind',`
+@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',`
#######################################
##
@@ -46280,7 +46421,7 @@ index 46e55c3..346242e 100644
can_exec($1, ypbind_exec_t)
')
-@@ -169,11 +160,11 @@ interface(`nis_exec_ypbind',`
+@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',`
#
interface(`nis_run_ypbind',`
gen_require(`
@@ -46294,7 +46435,7 @@ index 46e55c3..346242e 100644
')
########################################
-@@ -196,7 +187,7 @@ interface(`nis_signal_ypbind',`
+@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',`
########################################
##
@@ -46303,7 +46444,7 @@ index 46e55c3..346242e 100644
##
##
##
-@@ -272,10 +263,11 @@ interface(`nis_read_ypbind_pid',`
+@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',`
#
interface(`nis_delete_ypbind_pid',`
gen_require(`
@@ -46317,7 +46458,7 @@ index 46e55c3..346242e 100644
')
########################################
-@@ -355,8 +347,57 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',`
########################################
##
@@ -46377,7 +46518,7 @@ index 46e55c3..346242e 100644
##
##
##
-@@ -372,32 +413,56 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
@@ -56516,7 +56657,7 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 49694e8..ad46f29 100644
+index 49694e8..a1497cd 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,4 +1,4 @@
@@ -56835,14 +56976,14 @@ index 49694e8..ad46f29 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -266,6 +287,7 @@ optional_policy(`
+@@ -266,6 +287,6 @@ optional_policy(`
')
optional_policy(`
+ kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
-
+-
diff --git a/polipo.fc b/polipo.fc
index d35614b..11f77ee 100644
--- a/polipo.fc
@@ -66570,7 +66711,7 @@ index 2c3d338..cf3e5ad 100644
########################################
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..8c4ba04 100644
+index 3698b51..136b017 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -66592,7 +66733,7 @@ index 3698b51..8c4ba04 100644
allow rabbitmq_beam_t self:process { setsched signal signull };
allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_beam_t self:tcp_socket { accept listen };
-@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+@@ -38,27 +43,35 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@@ -66613,7 +66754,10 @@ index 3698b51..8c4ba04 100644
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-@@ -54,11 +63,14 @@ kernel_read_system_state(rabbitmq_beam_t)
+
+ kernel_read_system_state(rabbitmq_beam_t)
++kernel_read_fs_sysctls(rabbitmq_beam_t)
+
corecmd_exec_bin(rabbitmq_beam_t)
corecmd_exec_shell(rabbitmq_beam_t)
@@ -66628,11 +66772,13 @@ index 3698b51..8c4ba04 100644
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-@@ -68,20 +80,44 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
-dev_read_sysfs(rabbitmq_beam_t)
++corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
++
+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
+
@@ -66648,20 +66794,24 @@ index 3698b51..8c4ba04 100644
+fs_getattr_all_fs(rabbitmq_beam_t)
+fs_getattr_all_dirs(rabbitmq_beam_t)
+fs_getattr_cgroup(rabbitmq_beam_t)
++fs_search_cgroup_dirs(rabbitmq_beam_t)
+
+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
+
+dev_read_sysfs(rabbitmq_beam_t)
+dev_read_urand(rabbitmq_beam_t)
++
++storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
sysnet_dns_name_resolve(rabbitmq_beam_t)
+logging_send_syslog_msg(rabbitmq_beam_t)
+
+optional_policy(`
++ couchdb_manage_lib_files(rabbitmq_beam_t)
+ couchdb_read_conf_files(rabbitmq_beam_t)
+ couchdb_read_log_files(rabbitmq_beam_t)
-+ couchdb_manage_lib_files(rabbitmq_beam_t)
++ couchdb_search_pid_dirs(rabbitmq_beam_t)
+')
+
+optional_policy(`
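Review bot: `couchdb_manage_lib_files(rabbitmq_beam_t)` and the new `couchdb_search_pid_dirs(rabbitmq_beam_t)` in this hunk, together with the `corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)` added in the hunk just above, give the RabbitMQ Erlang VM domain write access to CouchDB's data and the right to bind CouchDB's port, so the two services are no longer separated by policy: a compromise of one can alter the other's state. I assume this is because both run the same beam executable and therefore land in `rabbitmq_beam_t`; if so, that deserves a comment above the `optional_policy` block, e.g. `# couchdb executes the same erlang beam binary and so runs in rabbitmq_beam_t`, and ideally a separate couchdb domain (via its own entrypoint) rather than merging both services' permissions into one. `storage_getattr_fixed_disk_dev` and `fs_search_cgroup_dirs` are getattr/search only and look fine.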
@@ -66677,7 +66827,7 @@ index 3698b51..8c4ba04 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +135,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
@@ -67066,7 +67216,7 @@ index 951db7f..7736755 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
')
diff --git a/raid.te b/raid.te
-index 2c1730b..0bf7d02 100644
+index 2c1730b..8e46216 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t;
@@ -67118,7 +67268,7 @@ index 2c1730b..0bf7d02 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
-@@ -49,19 +63,26 @@ corecmd_exec_shell(mdadm_t)
+@@ -49,19 +63,27 @@ corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -67139,6 +67289,7 @@ index 2c1730b..0bf7d02 100644
-files_dontaudit_getattr_all_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
++fs_getattr_all_fs(mdadm_t)
fs_list_auto_mountpoints(mdadm_t)
fs_list_hugetlbfs(mdadm_t)
fs_rw_cgroup_files(mdadm_t)
@@ -67147,7 +67298,7 @@ index 2c1730b..0bf7d02 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +91,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +92,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -67169,7 +67320,7 @@ index 2c1730b..0bf7d02 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -97,9 +123,17 @@ optional_policy(`
+@@ -97,9 +124,17 @@ optional_policy(`
')
optional_policy(`
@@ -71359,18 +71510,10 @@ index 050479d..0e1b364 100644
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
-index d34cdec..eeeee9b 100644
+index d34cdec..33f56c0 100644
--- a/rlogin.te
+++ b/rlogin.te
-@@ -9,6 +9,7 @@ type rlogind_t;
- type rlogind_exec_t;
- auth_login_pgm_domain(rlogind_t)
- inetd_service_domain(rlogind_t, rlogind_exec_t)
-+init_daemon_domain(rlogind_t, rlogind_exec_t)
-
- type rlogind_devpts_t;
- term_login_pty(rlogind_devpts_t)
-@@ -30,7 +31,9 @@ files_pid_file(rlogind_var_run_t)
+@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
@@ -71381,7 +71524,7 @@ index d34cdec..eeeee9b 100644
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rlogind_t, rlogind_devpts_t)
-@@ -39,7 +42,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
+@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
@@ -71389,7 +71532,7 @@ index d34cdec..eeeee9b 100644
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -50,7 +52,6 @@ kernel_read_kernel_sysctls(rlogind_t)
+@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
@@ -71397,6 +71540,14 @@ index d34cdec..eeeee9b 100644
corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_generic_if(rlogind_t)
corenet_udp_sendrecv_generic_if(rlogind_t)
+@@ -58,6 +58,7 @@ corenet_tcp_sendrecv_generic_node(rlogind_t)
+ corenet_udp_sendrecv_generic_node(rlogind_t)
+ corenet_tcp_sendrecv_all_ports(rlogind_t)
+ corenet_udp_sendrecv_all_ports(rlogind_t)
++corenet_tcp_bind_rlogin_port(rlogind_t)
+
+ dev_read_urand(rlogind_t)
+
@@ -67,6 +68,7 @@ fs_getattr_all_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
@@ -74277,7 +74428,7 @@ index f1140ef..ebc2190 100644
+ files_etc_filetrans($1, rsync_etc_t, $2, $3)
')
diff --git a/rsync.te b/rsync.te
-index e3e7c96..0820cb2 100644
+index e3e7c96..ec50426 100644
--- a/rsync.te
+++ b/rsync.te
@@ -1,4 +1,4 @@
@@ -74286,7 +74437,7 @@ index e3e7c96..0820cb2 100644
########################################
#
-@@ -6,67 +6,46 @@ policy_module(rsync, 1.12.2)
+@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2)
#
##
@@ -74362,7 +74513,6 @@ index e3e7c96..0820cb2 100644
-init_daemon_domain(rsync_t, rsync_exec_t)
-application_domain(rsync_t, rsync_exec_t)
-role rsync_roles types rsync_t;
-+init_domain(rsync_t, rsync_exec_t)
+application_executable_file(rsync_exec_t)
+role system_r types rsync_t;
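Review bot: With `init_domain(rsync_t, rsync_exec_t)` now dropped from the patch, nothing visible in this hunk declares rsync_t as a domain or rsync_exec_t as its entrypoint — the original `init_daemon_domain` and `application_domain` calls are removed as well, and `application_executable_file(rsync_exec_t)` only labels the executable. I assume the declaration now comes from an `inetd_core_service_domain(rsync_t, rsync_exec_t)` call outside this hunk, which this patch extends with `init_domain`; if so, a comment such as `# domain and entrypoint come from inetd_core_service_domain (now includes init_domain)` next to `application_executable_file` would make that dependency explicit, otherwise rsync_exec_t has no entrypoint into rsync_t at all. The rest of the rsync_t declaration lies outside this hunk.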
@@ -74374,7 +74524,7 @@ index e3e7c96..0820cb2 100644
files_type(rsync_data_t)
type rsync_log_t;
-@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t)
+@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t)
allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
@@ -74405,7 +74555,7 @@ index e3e7c96..0820cb2 100644
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +97,80 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
@@ -77354,10 +77504,10 @@ index 0000000..5da5bff
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..ce3ac47
+index 0000000..23af146
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,481 @@
+@@ -0,0 +1,482 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -77832,10 +77982,11 @@ index 0000000..ce3ac47
+logging_send_syslog_msg(sandbox_net_client_t)
+
+optional_policy(`
++ mozilla_plugin_rw_tmpfs_files(sandbox_x_domain)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
-+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
++ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
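Review bot: `mozilla_plugin_rw_tmpfs_files(sandbox_x_domain)` is the only `allow` in an `optional_policy` block that otherwise consists of `dontaudit` suppressions, and it is granted to the whole `sandbox_x_domain` attribute rather than to the one sandbox domain that presumably triggered the denial. If mozilla_plugin tmpfs files are shared-memory segments, every sandboxed X application gains a writable object it shares with the browser plugin and with every other sandbox, which is a cross-sandbox channel that deserves an explicit justification; scope it to the specific domain, or at least add `# sandboxed plugin instances need rw on the plugin's tmpfs segments; shared by all sandboxes` so the trade-off is recorded. The file is new in this patch and its beginning lies outside this hunk.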
@@ -81733,10 +81884,25 @@ index 634c6b4..e1edfd9 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index 703efa3..e3580b2 100644
+index 703efa3..f9d6ed6 100644
--- a/sosreport.te
+++ b/sosreport.te
-@@ -33,6 +33,8 @@ allow sosreport_t self:process { setsched signull };
+@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
+ type sosreport_tmpfs_t;
+ files_tmpfs_file(sosreport_tmpfs_t)
+
++type sosreport_var_run_t;
++files_pid_file(sosreport_var_run_t)
++
+ optional_policy(`
+ pulseaudio_tmpfs_content(sosreport_tmpfs_t)
+ ')
+@@ -29,10 +32,13 @@ optional_policy(`
+ #
+
+ allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
++dontaudit sosreport_t self:capability { sys_ptrace };
+ allow sosreport_t self:process { setsched signull };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket { accept listen };
allow sosreport_t self:unix_stream_socket { accept listen };
@@ -81745,16 +81911,37 @@ index 703efa3..e3580b2 100644
manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
-@@ -58,6 +60,8 @@ dev_read_rand(sosreport_t)
+@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+ files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
+ files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
+
++manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file })
++
+ manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
+ fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
+
+@@ -58,6 +70,9 @@ dev_read_rand(sosreport_t)
dev_read_urand(sosreport_t)
dev_read_raw_memory(sosreport_t)
dev_read_sysfs(sosreport_t)
++dev_rw_generic_usb_dev(sosreport_t)
+dev_getattr_all_chr_files(sosreport_t)
+dev_getattr_all_blk_files(sosreport_t)
domain_getattr_all_domains(sosreport_t)
domain_read_all_domains_state(sosreport_t)
-@@ -70,7 +74,6 @@ files_list_all(sosreport_t)
+@@ -65,12 +80,13 @@ domain_getattr_all_sockets(sosreport_t)
+ domain_getattr_all_pipes(sosreport_t)
+
+ files_getattr_all_sockets(sosreport_t)
++files_getattr_all_files(sosreport_t)
++files_getattr_all_pipes(sosreport_t)
+ files_exec_etc_files(sosreport_t)
+ files_list_all(sosreport_t)
files_read_config_files(sosreport_t)
files_read_generic_tmp_files(sosreport_t)
files_read_non_auth_files(sosreport_t)
@@ -81762,7 +81949,7 @@ index 703efa3..e3580b2 100644
files_read_var_lib_files(sosreport_t)
files_read_var_symlinks(sosreport_t)
files_read_kernel_modules(sosreport_t)
-@@ -79,23 +82,31 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -79,27 +95,41 @@ files_manage_etc_runtime_files(sosreport_t)
files_etc_filetrans_etc_runtime(sosreport_t, file)
fs_getattr_all_fs(sosreport_t)
@@ -81774,6 +81961,7 @@ index 703efa3..e3580b2 100644
+term_getattr_pty_fs(sosreport_t)
+term_getattr_all_ptys(sosreport_t)
++term_use_generic_ptys(sosreport_t)
+
+# some config files do not have configfile attribute
+# sosreport needs to read various files on system
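Review bot: `term_use_generic_ptys(sosreport_t)` grants read/write on every generic pty (devpts_t in refpolicy), not only the terminal sosreport was started from, and the hunk gives no hint which denial drove it. If the need is just writing output to the caller's controlling terminal, a narrower inherited-terminal grant would be preferable where this policy provides one; otherwise keep the line but add a why-comment above it, e.g. `# sosreport touches ptys it did not open (see AVC for the pty access that motivated this)`, so the broad grant is not silently widened further later. The sosreport_t rule block this lands in starts before the hunk.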
@@ -81796,18 +81984,16 @@ index 703efa3..e3580b2 100644
optional_policy(`
abrt_manage_pid_files(sosreport_t)
-@@ -103,6 +114,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ brctl_domtrans(sosreport_t)
+ abrt_manage_cache(sosreport_t)
++ abrt_stream_connect(sosreport_t)
+')
+
+optional_policy(`
- cups_stream_connect(sosreport_t)
++ brctl_domtrans(sosreport_t)
')
-@@ -111,6 +126,11 @@ optional_policy(`
+ optional_policy(`
+@@ -111,6 +141,11 @@ optional_policy(`
')
optional_policy(`
@@ -86052,7 +86238,7 @@ index e9c0964..ff77783 100644
xserver_rw_xdm_pipes(telepathy_domain)
')
diff --git a/telnet.te b/telnet.te
-index 9f89916..5f4c85e 100644
+index 9f89916..1bdef51 100644
--- a/telnet.te
+++ b/telnet.te
@@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t)
@@ -86082,7 +86268,15 @@ index 9f89916..5f4c85e 100644
corenet_all_recvfrom_netlabel(telnetd_t)
corenet_tcp_sendrecv_generic_if(telnetd_t)
corenet_udp_sendrecv_generic_if(telnetd_t)
-@@ -56,7 +59,6 @@ dev_read_urand(telnetd_t)
+@@ -49,6 +52,7 @@ corenet_tcp_sendrecv_generic_node(telnetd_t)
+ corenet_udp_sendrecv_generic_node(telnetd_t)
+ corenet_tcp_sendrecv_all_ports(telnetd_t)
+ corenet_udp_sendrecv_all_ports(telnetd_t)
++corenet_tcp_bind_telnetd_port(telnetd_t)
+
+ corecmd_search_bin(telnetd_t)
+
+@@ -56,7 +60,6 @@ dev_read_urand(telnetd_t)
domain_interactive_fd(telnetd_t)
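Review bot: The new `corenet_tcp_bind_telnetd_port(telnetd_t)` is not paired with the packet permission that refpolicy convention puts next to a port bind (compare the tgtd hunk in this same patch, where `corenet_tcp_bind_iscsi_port` sits beside `corenet_sendrecv_iscsi_server_packets`); the generated counterpart here is `corenet_sendrecv_telnetd_server_packets(telnetd_t)`. It only matters once packet labeling (SECMARK) is in use, but adding it now keeps the rule complete and consistent. A one-line comment naming why telnetd now binds its own port (presumably running outside inetd) would also help the next reader; the telnetd_t block continues outside the hunk.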
@@ -86090,7 +86284,7 @@ index 9f89916..5f4c85e 100644
files_read_etc_runtime_files(telnetd_t)
files_search_home(telnetd_t)
-@@ -69,12 +71,12 @@ init_rw_utmp(telnetd_t)
+@@ -69,12 +72,12 @@ init_rw_utmp(telnetd_t)
logging_send_syslog_msg(telnetd_t)
@@ -86105,7 +86299,7 @@ index 9f89916..5f4c85e 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
-@@ -86,7 +88,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -86,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
kerberos_keytab_template(telnetd, telnetd_t)
@@ -86571,7 +86765,7 @@ index 5406b6e..dc5b46e 100644
admin_pattern($1, tgtd_tmpfs_t)
')
diff --git a/tgtd.te b/tgtd.te
-index c93c973..b04d201 100644
+index c93c973..4ec1eb0 100644
--- a/tgtd.te
+++ b/tgtd.te
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
@@ -86583,7 +86777,7 @@ index c93c973..b04d201 100644
allow tgtd_t self:capability2 block_suspend;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
-@@ -58,7 +58,6 @@ kernel_read_system_state(tgtd_t)
+@@ -58,27 +58,27 @@ kernel_read_system_state(tgtd_t)
kernel_read_fs_sysctls(tgtd_t)
corenet_all_recvfrom_netlabel(tgtd_t)
@@ -86591,7 +86785,11 @@ index c93c973..b04d201 100644
corenet_tcp_sendrecv_generic_if(tgtd_t)
corenet_tcp_sendrecv_generic_node(tgtd_t)
corenet_tcp_bind_generic_node(tgtd_t)
-@@ -69,16 +68,16 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+
+ corenet_sendrecv_iscsi_server_packets(tgtd_t)
+ corenet_tcp_bind_iscsi_port(tgtd_t)
++corenet_tcp_connect_isns_port(tgtd_t)
+ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
dev_read_sysfs(tgtd_t)
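Review bot: `corenet_tcp_connect_isns_port(tgtd_t)` lacks the client-side packet permission, while the iSCSI bind two lines above carries `corenet_sendrecv_iscsi_server_packets(tgtd_t)`; the matching generated interface is `corenet_sendrecv_isns_client_packets(tgtd_t)`. Without it the rule is complete only while packet labeling is not enabled, so add the line directly after the connect for consistency with the existing pair. The tgtd_t rule block continues beyond this hunk.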
@@ -91470,7 +91668,7 @@ index 9dec06c..4e31afe 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..2361150 100644
+index 1f22fba..6eecffc 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,104 @@
@@ -92328,7 +92526,7 @@ index 1f22fba..2361150 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -737,44 +592,261 @@ optional_policy(`
+@@ -737,44 +592,262 @@ optional_policy(`
udev_read_db(virtd_t)
')
@@ -92349,6 +92547,7 @@ index 1f22fba..2361150 100644
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+allow virt_domain self:udp_socket create_socket_perms;
++allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow virsh_t self:process { getcap getsched setsched setcap signal };
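Review bot: `allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;` is granted on the attribute, so every domain carrying virt_domain (the changelog says this is for svirt guests) can now open and bind a socket on the kernel uevent multicast group and receive host device hot-plug events, not just the one emulator that needed it. If a single svirt type triggered the denial, scope the rule to that type; if it really is needed for all of them, a why-comment above the line naming the component that reads uevents would justify the attribute-wide grant, e.g. `# emulator subscribes to host uevents (hotplug) — see AVC that motivated this`. The virt_domain block is cut at the hunk edge, so I cannot tell whether a narrower type already exists for this.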
@@ -92613,7 +92812,7 @@ index 1f22fba..2361150 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +857,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +858,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -92640,7 +92839,7 @@ index 1f22fba..2361150 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +877,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +878,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -92672,7 +92871,7 @@ index 1f22fba..2361150 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +910,20 @@ optional_policy(`
+@@ -847,14 +911,20 @@ optional_policy(`
')
optional_policy(`
@@ -92694,7 +92893,7 @@ index 1f22fba..2361150 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +948,65 @@ optional_policy(`
+@@ -879,49 +949,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -92778,7 +92977,7 @@ index 1f22fba..2361150 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1018,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1019,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -92798,7 +92997,7 @@ index 1f22fba..2361150 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1039,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1040,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -92822,7 +93021,7 @@ index 1f22fba..2361150 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1064,247 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1065,247 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -93200,7 +93399,7 @@ index 1f22fba..2361150 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1317,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1318,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -93215,7 +93414,7 @@ index 1f22fba..2361150 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1335,8 @@ optional_policy(`
+@@ -1183,9 +1336,8 @@ optional_policy(`
########################################
#
@@ -93226,7 +93425,7 @@ index 1f22fba..2361150 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1349,120 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1350,120 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dd481a5..8e60b16 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.1%{?dist}
+Release: 74.2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,45 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Sep 06 2013 Lukas Vrabec 3.12.1-74.2
+- Fix lsm.fc for pid files
+- Allow init_t to transition to all inetd domains
+- Allow tgtd_t to connect to isns ports
+- Lots of new access required for sosreport
+- svirt domains neeed to create kobject_uevint_sockets
+- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
+- Cleanup related to init_domain()+inetd_domain fixes
+- Allow cvs to bind to the cvs_port
+- Allow ktalkd to bind to the ktalkd_port
+- Allow telnetd to bind to the telnetd_port
+- Allow rlogind to bind to the rlogin_port
+- Allow apache domain to connect to gssproxy socket
+- Dontaudit attempts to bind to ports < 1024 when nis is turned on
+- Allow cupsd_lpd_t to bind to the printer port
+- Allow a confined domain to executes mozilla_exec_t via dbus
+- Allow mdadm to getattr any file system
+- Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work
+- Allow all domains that can read gnome_config to read kde config
+- Call the correct interface - corenet_udp_bind_ktalkd_port()
+- Fix mozilla_plugin_rw_tmpfs_files()
+- Allow systemd running as git_systemd to bind git port
+- Allow firewalld to read NM state
+- Add interface couchdb_search_pid_dirs
+- Add support for couchdb in rabbitmq policy
+- Add boolean boinc_execmem
+- Add interface netowrkmanager_initrc_domtrans
+- Dontaudit leaks into ldconfig_t
+- Dontaudit inherited lock files in ifconfig o dhcpc_t
+- Move kernel_stream_connect into all Xwindow using users
+- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
+- Add interface to read authorization data in the users homedir
+- Allow ipsec_t to read .google authenticator data
+- Allow staff_t to read login config
+- Treat files labeld as usr_t like bin_t when it comes to transitions
+- Split out rlogin ports from inetd
+- Add interface seutil_dbus_chat_semanage
+- Fix selinuxutil.if
+
* Tue Sep 03 2013 Lukas Vrabec 3.12.1-74.1
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
- Fix polipo.te