++## Allow mozilla_plugins to create random content in the users home directory ++##
++##++## Allow HTTPD to connect to port 80 for graceful shutdown ++##
++##+## Allow HTTPD scripts and modules to connect to databases over the network. +##
##+-## Allow Apache to communicate with avahi service via dbus +-##
+##+## Allow http daemon to check spam +##
+##--## Allow Apache to communicate with avahi service via dbus --##
++##+## Allow Apache to communicate with avahi service via dbus +##
@@ -86135,7 +86163,7 @@ index 3136c6a..3ee87ed 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -166,7 +291,7 @@ files_type(httpd_cache_t) +@@ -166,7 +298,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -86144,7 +86172,7 @@ index 3136c6a..3ee87ed 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +302,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +309,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -86154,7 +86182,7 @@ index 3136c6a..3ee87ed 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +344,21 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +351,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -86177,7 +86205,7 @@ index 3136c6a..3ee87ed 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +368,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +375,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -86188,7 +86216,7 @@ index 3136c6a..3ee87ed 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +379,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +386,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -86196,7 +86224,7 @@ index 3136c6a..3ee87ed 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +401,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +408,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -86220,7 +86248,7 @@ index 3136c6a..3ee87ed 100644 ######################################## # # Apache server local policy -@@ -281,11 +437,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +444,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -86234,7 +86262,7 @@ index 3136c6a..3ee87ed 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +487,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +494,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -86245,7 +86273,7 @@ index 3136c6a..3ee87ed 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -339,8 +498,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -339,8 +505,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -86256,7 +86284,7 @@ index 3136c6a..3ee87ed 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -355,6 +515,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +522,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -86266,7 +86294,7 @@ index 3136c6a..3ee87ed 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +528,17 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -86281,11 +86309,13 @@ index 3136c6a..3ee87ed 100644 +corenet_tcp_bind_puppet_port(httpd_t) # Signal self for shutdown -corenet_tcp_connect_http_port(httpd_t) -+#corenet_tcp_connect_http_port(httpd_t) ++tunable_policy(`httpd_graceful_shutdown',` ++ corenet_tcp_connect_http_port(httpd_t) ++') dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +547,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +556,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -86301,7 +86331,7 @@ index 3136c6a..3ee87ed 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +560,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +569,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) 
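Review bot: The new `tunable_policy(`httpd_graceful_shutdown',` … `')` block that now wraps `corenet_tcp_connect_http_port(httpd_t)` depends on a `gen_tunable(httpd_graceful_shutdown, false)` declaration that is not in this hunk; the boolean description visible at the top of the page ("Allow HTTPD to connect to port 80 for graceful shutdown") suggests it is added elsewhere in the patch, so please confirm the declaration exists and its default stays false. That interface grants `name_connect` on `http_port_t` without any host restriction, so the boolean's description should say that enabling it lets httpd_t open outbound HTTP connections to any host, not only to itself on localhost. The `# Signal self for shutdown` comment left above the block now describes a conditional rule; refpolicy style places tunable_policy blocks after the unconditional interface calls, so consider moving the block (with its comment) below the `fs_search_auto_mountpoints(httpd_t)` group. The enclosing httpd_t local-policy section starts and ends outside this hunk.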
@@ -86309,7 +86339,7 @@ index 3136c6a..3ee87ed 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +572,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +581,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -86413,7 +86443,7 @@ index 3136c6a..3ee87ed 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -454,27 +677,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -454,27 +686,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -86477,7 +86507,7 @@ index 3136c6a..3ee87ed 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +741,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +750,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -86500,7 +86530,7 @@ index 3136c6a..3ee87ed 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +771,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +780,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -86521,7 +86551,7 @@ index 3136c6a..3ee87ed 100644 ') optional_policy(` -@@ -513,7 +795,13 @@ optional_policy(` +@@ -513,7 +804,13 @@ optional_policy(` ') optional_policy(` @@ -86536,7 +86566,7 @@ index 3136c6a..3ee87ed 100644 ') optional_policy(` -@@ -528,7 +816,19 @@ optional_policy(` +@@ -528,7 +825,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') 
@@ -86557,7 +86587,7 @@ index 3136c6a..3ee87ed 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +837,13 @@ optional_policy(` +@@ -537,8 +846,13 @@ optional_policy(` ') optional_policy(` @@ -86572,7 +86602,7 @@ index 3136c6a..3ee87ed 100644 ') ') -@@ -556,7 +861,21 @@ optional_policy(` +@@ -556,7 +870,21 @@ optional_policy(` ') optional_policy(` @@ -86594,7 +86624,7 @@ index 3136c6a..3ee87ed 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +886,7 @@ optional_policy(` +@@ -567,6 +895,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -86602,7 +86632,7 @@ index 3136c6a..3ee87ed 100644 ') optional_policy(` -@@ -577,6 +897,29 @@ optional_policy(` +@@ -577,6 +906,29 @@ optional_policy(` ') optional_policy(` @@ -86632,7 +86662,7 @@ index 3136c6a..3ee87ed 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +934,11 @@ optional_policy(` +@@ -591,6 +943,11 @@ optional_policy(` ') optional_policy(` @@ -86644,7 +86674,7 @@ index 3136c6a..3ee87ed 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +951,12 @@ optional_policy(` +@@ -603,6 +960,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -86657,7 +86687,7 @@ index 3136c6a..3ee87ed 100644 ######################################## # # Apache helper local policy -@@ -616,7 +970,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +979,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -86670,7 +86700,7 @@ index 3136c6a..3ee87ed 100644 ######################################## # -@@ -654,28 +1012,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +1021,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` 
@@ -86714,7 +86744,7 @@ index 3136c6a..3ee87ed 100644 ') ######################################## -@@ -685,6 +1045,8 @@ optional_policy(` +@@ -685,6 +1054,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -86723,7 +86753,7 @@ index 3136c6a..3ee87ed 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1061,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1070,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -86749,7 +86779,7 @@ index 3136c6a..3ee87ed 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1107,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1116,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -86782,7 +86812,7 @@ index 3136c6a..3ee87ed 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1154,25 @@ optional_policy(` +@@ -769,6 +1163,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -86808,7 +86838,7 @@ index 3136c6a..3ee87ed 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1193,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1202,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -86826,7 +86856,7 @@ index 3136c6a..3ee87ed 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1212,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1221,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -86883,7 +86913,7 @@ index 3136c6a..3ee87ed 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1263,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1272,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -86924,7 +86954,7 @@ index 3136c6a..3ee87ed 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1308,20 @@ optional_policy(` +@@ -842,10 +1317,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -86945,7 +86975,7 @@ index 3136c6a..3ee87ed 100644 ') ######################################## -@@ -891,11 +1367,142 @@ optional_policy(` +@@ -891,11 +1376,142 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -86969,7 +86999,7 @@ index 3136c6a..3ee87ed 100644 + userdom_read_user_home_content_files(httpd_t) + userdom_read_user_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_user_script_t) - ') ++') + +######################################## +# @@ -87068,7 +87098,7 @@ index 3136c6a..3ee87ed 100644 + +optional_policy(` + nscd_socket_use(httpd_script_type) -+') + ') + +read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) + @@ -88766,10 +88796,10 @@ index 0000000..d694c0a +') 
diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te new file mode 100644 -index 0000000..bccefc9 +index 0000000..4b22dcf --- /dev/null +++ b/policy/modules/services/blueman.te -@@ -0,0 +1,42 @@ +@@ -0,0 +1,43 @@ +policy_module(blueman, 1.0.0) + +######################################## @@ -88780,6 +88810,7 @@ index 0000000..bccefc9 +type blueman_t; +type blueman_exec_t; +dbus_system_domain(blueman_t, blueman_exec_t) ++init_daemon_domain(blueman_t, blueman_exec_t) + +######################################## +# @@ -91242,7 +91273,7 @@ index 9a0da94..113eae2 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te -index fa82327..025e26f 100644 +index fa82327..898d0db 100644 --- a/policy/modules/services/chronyd.te +++ b/policy/modules/services/chronyd.te @@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t) @@ -91258,7 +91289,12 @@ index fa82327..025e26f 100644 type chronyd_var_lib_t; files_type(chronyd_var_lib_t) -@@ -34,9 +40,14 @@ allow chronyd_t self:process { getcap setcap setrlimit }; +@@ -30,13 +36,18 @@ files_pid_file(chronyd_var_run_t) + # + + allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; +-allow chronyd_t self:process { getcap setcap setrlimit }; ++allow chronyd_t self:process { getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; allow chronyd_t self:udp_socket create_socket_perms; allow chronyd_t self:unix_dgram_socket create_socket_perms; @@ -91456,10 +91492,10 @@ index 1f11572..87840b4 100644 + ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..b817047 100644 +index f758323..ced0ce2 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te -@@ -1,9 +1,16 @@ +@@ -1,9 +1,23 @@ policy_module(clamav, 1.9.0) ##++## Allow clamscan to non security files on a system ++##
++##+## Allow clamd to use JIT compiler +##
##
-@@ -1441,6 +1850,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1853,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -149252,7 +149758,7 @@ index 4b2878a..730b0d4 100644
')
########################################
-@@ -1456,9 +1873,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1876,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -149264,7 +149770,7 @@ index 4b2878a..730b0d4 100644
')
########################################
-@@ -1515,6 +1934,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1937,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -149307,7 +149813,7 @@ index 4b2878a..730b0d4 100644
########################################
##