++##
++## Allow epylog to send mail
++##
++##
++gen_tunable(logwatch_can_sendmail, false)
++
type logwatch_t;
type logwatch_exec_t;
-init_system_domain(logwatch_t, logwatch_exec_t)
@@ -35357,7 +35564,7 @@ index 4256a4c..a8dde53 100644
type logwatch_cache_t;
files_type(logwatch_cache_t)
-@@ -37,7 +38,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
+@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
@@ -35367,7 +35574,7 @@ index 4256a4c..a8dde53 100644
files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
-@@ -67,10 +69,11 @@ files_list_var(logwatch_t)
+@@ -67,10 +76,11 @@ files_list_var(logwatch_t)
files_search_all(logwatch_t)
files_read_var_symlinks(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
@@ -35380,7 +35587,7 @@ index 4256a4c..a8dde53 100644
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
-@@ -92,13 +95,12 @@ libs_read_lib_files(logwatch_t)
+@@ -92,13 +102,12 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
@@ -35395,7 +35602,7 @@ index 4256a4c..a8dde53 100644
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
-@@ -137,6 +139,11 @@ optional_policy(`
+@@ -137,6 +146,11 @@ optional_policy(`
')
optional_policy(`
@@ -35407,7 +35614,21 @@ index 4256a4c..a8dde53 100644
rpc_search_nfs_state_data(logwatch_t)
')
-@@ -164,6 +171,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -145,6 +159,13 @@ optional_policy(`
+ samba_read_share_files(logwatch_t)
+ ')
+
++tunable_policy(`logwatch_can_sendmail',`
++ corenet_tcp_connect_smtp_port(logwatch_t)
++ corenet_sendrecv_smtp_client_packets(logwatch_t)
++ corenet_tcp_connect_pop_port(logwatch_t)
++ corenet_sendrecv_pop_client_packets(logwatch_t)
++')
++
+ ########################################
+ #
+ # Mail local policy
+@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@@ -35774,7 +35995,7 @@ index 0000000..711c04b
+/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
new file mode 100644
-index 0000000..aaf4080
+index 0000000..52d5956
--- /dev/null
+++ b/lsm.if
@@ -0,0 +1,103 @@
@@ -35835,7 +36056,7 @@ index 0000000..aaf4080
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 lsmd_unit_file_t:file read_file_perms;
+ allow $1 lsmd_unit_file_t:service manage_service_perms;
+
@@ -35883,10 +36104,10 @@ index 0000000..aaf4080
+')
diff --git a/lsm.te b/lsm.te
new file mode 100644
-index 0000000..14fe4d7
+index 0000000..fc42149
--- /dev/null
+++ b/lsm.te
-@@ -0,0 +1,31 @@
+@@ -0,0 +1,32 @@
+policy_module(lsm, 1.0.0)
+
+########################################
@@ -35916,6 +36137,7 @@ index 0000000..14fe4d7
+manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+
+logging_send_syslog_msg(lsmd_t)
diff --git a/mailman.fc b/mailman.fc
@@ -42853,10 +43075,17 @@ index b744fe3..4c1b6a8 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index 97370e4..92138ca 100644
+index 97370e4..3549b8f 100644
--- a/munin.te
+++ b/munin.te
-@@ -40,12 +40,15 @@ munin_plugin_template(services)
+@@ -37,15 +37,22 @@ munin_plugin_template(disk)
+ munin_plugin_template(mail)
+ munin_plugin_template(selinux)
+ munin_plugin_template(services)
++
++type services_munin_plugin_tmpfs_t;
++files_tmpfs_file(services_munin_plugin_tmpfs_t)
++
munin_plugin_template(system)
munin_plugin_template(unconfined)
@@ -42873,7 +43102,7 @@ index 97370e4..92138ca 100644
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -58,23 +61,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
@@ -42898,7 +43127,7 @@ index 97370e4..92138ca 100644
optional_policy(`
nscd_use(munin_plugin_domain)
-@@ -114,7 +111,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
@@ -42907,7 +43136,7 @@ index 97370e4..92138ca 100644
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -130,7 +127,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)
@@ -42915,7 +43144,7 @@ index 97370e4..92138ca 100644
corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -153,7 +149,6 @@ domain_use_interactive_fds(munin_t)
+@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t)
domain_read_all_domains_state(munin_t)
files_read_etc_runtime_files(munin_t)
@@ -42923,7 +43152,7 @@ index 97370e4..92138ca 100644
files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
-@@ -165,7 +160,6 @@ logging_send_syslog_msg(munin_t)
+@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t)
logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
@@ -42931,7 +43160,7 @@ index 97370e4..92138ca 100644
miscfiles_setattr_fonts_cache_dirs(munin_t)
sysnet_exec_ifconfig(munin_t)
-@@ -173,13 +167,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
@@ -42945,7 +43174,7 @@ index 97370e4..92138ca 100644
optional_policy(`
cron_system_entry(munin_t, munin_exec_t)
-@@ -213,7 +200,6 @@ optional_policy(`
+@@ -213,7 +204,6 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
@@ -42953,7 +43182,7 @@ index 97370e4..92138ca 100644
')
optional_policy(`
-@@ -242,21 +228,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -42981,7 +43210,7 @@ index 97370e4..92138ca 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -268,6 +256,10 @@ optional_policy(`
+@@ -268,6 +260,10 @@ optional_policy(`
fstools_exec(disk_munin_plugin_t)
')
@@ -42992,7 +43221,7 @@ index 97370e4..92138ca 100644
####################################
#
# Mail local policy
-@@ -275,27 +267,36 @@ optional_policy(`
+@@ -275,27 +271,36 @@ optional_policy(`
allow mail_munin_plugin_t self:capability dac_override;
@@ -43033,7 +43262,17 @@ index 97370e4..92138ca 100644
')
optional_policy(`
-@@ -331,7 +332,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow services_munin_plugin_t self:udp_socket create_socket_perms;
+ allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+
++manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
++manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
++
+ corenet_sendrecv_all_client_packets(services_munin_plugin_t)
+ corenet_tcp_connect_all_ports(services_munin_plugin_t)
+ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t)
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
@@ -43042,7 +43281,7 @@ index 97370e4..92138ca 100644
')
optional_policy(`
-@@ -353,7 +354,11 @@ optional_policy(`
+@@ -353,7 +361,11 @@ optional_policy(`
')
optional_policy(`
@@ -43055,7 +43294,7 @@ index 97370e4..92138ca 100644
')
optional_policy(`
-@@ -385,6 +390,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
@@ -43063,7 +43302,7 @@ index 97370e4..92138ca 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +419,31 @@ optional_policy(`
+@@ -413,3 +426,31 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
@@ -43688,7 +43927,7 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 9f6179e..94457fe 100644
+index 9f6179e..3c7bbd8 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
@@ -43861,7 +44100,7 @@ index 9f6179e..94457fe 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -153,29 +160,23 @@ optional_policy(`
+@@ -153,29 +160,24 @@ optional_policy(`
#######################################
#
@@ -43888,6 +44127,7 @@ index 9f6179e..94457fe 100644
-allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
++manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -43898,7 +44138,7 @@ index 9f6179e..94457fe 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,17 +188,21 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -187,17 +189,21 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
@@ -43926,7 +44166,7 @@ index 9f6179e..94457fe 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -205,7 +210,7 @@ optional_policy(`
+@@ -205,7 +211,7 @@ optional_policy(`
########################################
#
@@ -43935,7 +44175,7 @@ index 9f6179e..94457fe 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +219,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +220,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -43953,7 +44193,7 @@ index 9f6179e..94457fe 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -226,31 +232,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +233,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -45532,7 +45772,7 @@ index 0e8508c..0b68b86 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..2de59df 100644
+index 0b48a30..2b6c69a 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -45572,7 +45812,7 @@ index 0b48a30..2de59df 100644
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+dontaudit NetworkManager_t self:capability sys_tty_config;
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
@@ -50411,10 +50651,10 @@ index 0000000..598789a
+
diff --git a/openhpid.te b/openhpid.te
new file mode 100644
-index 0000000..be2a88d
+index 0000000..51acfae
--- /dev/null
+++ b/openhpid.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,47 @@
+policy_module(openhpid, 1.0.0)
+
+########################################
@@ -50441,7 +50681,7 @@ index 0000000..be2a88d
+#
+
+allow openhpid_t self:capability { kill };
-+allow openhpid_t self:process { fork signal };
++allow openhpid_t self:process signal_perms;
+
+allow openhpid_t self:fifo_file rw_fifo_file_perms;
+allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
@@ -50459,11 +50699,8 @@ index 0000000..be2a88d
+corenet_tcp_bind_generic_node(openhpid_t)
+corenet_tcp_bind_openhpid_port(openhpid_t)
+
-+domain_use_interactive_fds(openhpid_t)
-+
+dev_read_urand(openhpid_t)
+
-+
+logging_send_syslog_msg(openhpid_t)
diff --git a/openshift-origin.fc b/openshift-origin.fc
new file mode 100644
@@ -52321,7 +52558,7 @@ index 9b15730..eedd136 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..f025b03 100644
+index 508fedf..a499612 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -1,4 +1,4 @@
@@ -52344,7 +52581,13 @@ index 508fedf..f025b03 100644
type openvswitch_var_lib_t;
files_type(openvswitch_var_lib_t)
-@@ -24,20 +21,27 @@ logging_log_file(openvswitch_log_t)
+@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t)
+ type openvswitch_log_t;
+ logging_log_file(openvswitch_log_t)
+
++type openvswitch_tmp_t;
++files_tmp_file(openvswitch_tmp_t)
++
type openvswitch_var_run_t;
files_pid_file(openvswitch_var_run_t)
@@ -52368,19 +52611,19 @@ index 508fedf..f025b03 100644
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvswitch_t self:netlink_socket create_socket_perms;
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
-+
-+can_exec(openvswitch_t, openvswitch_exec_t)
-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
++can_exec(openvswitch_t, openvswitch_exec_t)
++
+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,9 +49,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -52391,7 +52634,14 @@ index 508fedf..f025b03 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -57,33 +59,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
++manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
++
+ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@@ -56866,7 +57116,7 @@ index ae27bb7..d00f6ba 100644
+ allow $1 polipo_unit_file_t:service all_service_perms;
')
diff --git a/polipo.te b/polipo.te
-index 316d53a..79b5c4f 100644
+index 316d53a..388d659 100644
--- a/polipo.te
+++ b/polipo.te
@@ -1,4 +1,4 @@
@@ -56980,10 +57230,14 @@ index 316d53a..79b5c4f 100644
-userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
-
-auth_use_nsswitch(polipo_session_t)
+-
+-userdom_use_user_terminals(polipo_session_t)
+allow polipo_daemon self:fifo_file rw_fifo_file_perms;
+allow polipo_daemon self:tcp_socket { listen accept };
--userdom_use_user_terminals(polipo_session_t)
+-tunable_policy(`polipo_session_send_syslog_msg',`
+- logging_send_syslog_msg(polipo_session_t)
+-')
+corenet_tcp_bind_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_generic_if(polipo_daemon)
+corenet_tcp_sendrecv_generic_node(polipo_daemon)
@@ -56991,10 +57245,7 @@ index 316d53a..79b5c4f 100644
+corenet_tcp_bind_http_cache_port(polipo_daemon)
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+corenet_tcp_connect_http_port(polipo_daemon)
-
--tunable_policy(`polipo_session_send_syslog_msg',`
-- logging_send_syslog_msg(polipo_session_t)
--')
++corenet_tcp_connect_tor_port(polipo_daemon)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(polipo_session_t)
@@ -71108,10 +71359,18 @@ index 050479d..0e1b364 100644
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
-index d34cdec..f41c9c5 100644
+index d34cdec..eeeee9b 100644
--- a/rlogin.te
+++ b/rlogin.te
-@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
+@@ -9,6 +9,7 @@ type rlogind_t;
+ type rlogind_exec_t;
+ auth_login_pgm_domain(rlogind_t)
+ inetd_service_domain(rlogind_t, rlogind_exec_t)
++init_daemon_domain(rlogind_t, rlogind_exec_t)
+
+ type rlogind_devpts_t;
+ term_login_pty(rlogind_devpts_t)
+@@ -30,7 +31,9 @@ files_pid_file(rlogind_var_run_t)
allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
@@ -71122,7 +71381,7 @@ index d34cdec..f41c9c5 100644
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rlogind_t, rlogind_devpts_t)
-@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
+@@ -39,7 +42,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
@@ -71130,7 +71389,7 @@ index d34cdec..f41c9c5 100644
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t)
+@@ -50,7 +52,6 @@ kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
@@ -71138,7 +71397,7 @@ index d34cdec..f41c9c5 100644
corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_generic_if(rlogind_t)
corenet_udp_sendrecv_generic_if(rlogind_t)
-@@ -67,6 +67,7 @@ fs_getattr_all_fs(rlogind_t)
+@@ -67,6 +68,7 @@ fs_getattr_all_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
@@ -71146,7 +71405,7 @@ index d34cdec..f41c9c5 100644
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
-@@ -77,30 +78,23 @@ init_rw_utmp(rlogind_t)
+@@ -77,30 +79,23 @@ init_rw_utmp(rlogind_t)
logging_send_syslog_msg(rlogind_t)
@@ -72516,7 +72775,7 @@ index ebe91fc..6392cad 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index 0628d50..3031a82 100644
+index 0628d50..39e36fb 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -72665,7 +72924,7 @@ index 0628d50..3031a82 100644
+#
+interface(`rpm_rw_script_inherited_pipes',`
+ gen_require(`
-+ type rpm_t;
++ type rpm_script_t;
+ ')
+
+ allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
@@ -81474,18 +81733,19 @@ index 634c6b4..e1edfd9 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index 703efa3..7779402 100644
+index 703efa3..e3580b2 100644
--- a/sosreport.te
+++ b/sosreport.te
-@@ -33,6 +33,7 @@ allow sosreport_t self:process { setsched signull };
+@@ -33,6 +33,8 @@ allow sosreport_t self:process { setsched signull };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket { accept listen };
allow sosreport_t self:unix_stream_socket { accept listen };
++allow sosreport_t self:rawip_socket create_socket_perms;
+allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
-@@ -58,6 +59,8 @@ dev_read_rand(sosreport_t)
+@@ -58,6 +60,8 @@ dev_read_rand(sosreport_t)
dev_read_urand(sosreport_t)
dev_read_raw_memory(sosreport_t)
dev_read_sysfs(sosreport_t)
@@ -81494,7 +81754,7 @@ index 703efa3..7779402 100644
domain_getattr_all_domains(sosreport_t)
domain_read_all_domains_state(sosreport_t)
-@@ -70,7 +73,6 @@ files_list_all(sosreport_t)
+@@ -70,7 +74,6 @@ files_list_all(sosreport_t)
files_read_config_files(sosreport_t)
files_read_generic_tmp_files(sosreport_t)
files_read_non_auth_files(sosreport_t)
@@ -81502,7 +81762,7 @@ index 703efa3..7779402 100644
files_read_var_lib_files(sosreport_t)
files_read_var_symlinks(sosreport_t)
files_read_kernel_modules(sosreport_t)
-@@ -79,11 +81,18 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -79,23 +82,31 @@ files_manage_etc_runtime_files(sosreport_t)
files_etc_filetrans_etc_runtime(sosreport_t, file)
fs_getattr_all_fs(sosreport_t)
@@ -81513,6 +81773,7 @@ index 703efa3..7779402 100644
storage_dontaudit_read_removable_device(sosreport_t)
+term_getattr_pty_fs(sosreport_t)
++term_getattr_all_ptys(sosreport_t)
+
+# some config files do not have configfile attribute
+# sosreport needs to read various files on system
@@ -81521,7 +81782,10 @@ index 703efa3..7779402 100644
auth_use_nsswitch(sosreport_t)
init_domtrans_script(sosreport_t)
-@@ -93,9 +102,8 @@ libs_domtrans_ldconfig(sosreport_t)
++init_getattr_initctl(sosreport_t)
+
+ libs_domtrans_ldconfig(sosreport_t)
+
logging_read_all_logs(sosreport_t)
logging_send_syslog_msg(sosreport_t)
@@ -81532,7 +81796,18 @@ index 703efa3..7779402 100644
optional_policy(`
abrt_manage_pid_files(sosreport_t)
-@@ -111,6 +119,11 @@ optional_policy(`
+@@ -103,6 +114,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ brctl_domtrans(sosreport_t)
++')
++
++optional_policy(`
+ cups_stream_connect(sosreport_t)
+ ')
+
+@@ -111,6 +126,11 @@ optional_policy(`
')
optional_policy(`
@@ -85224,7 +85499,7 @@ index 42946bc..741f2f4 100644
+ can_exec($1, telepathy_executable)
')
diff --git a/telepathy.te b/telepathy.te
-index e9c0964..91c1898 100644
+index e9c0964..ff77783 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -1,29 +1,28 @@
@@ -85725,7 +86000,7 @@ index e9c0964..91c1898 100644
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +382,40 @@ optional_policy(`
+@@ -452,31 +382,43 @@ optional_policy(`
#######################################
#
@@ -85753,10 +86028,12 @@ index e9c0964..91c1898 100644
fs_getattr_all_fs(telepathy_domain)
fs_search_auto_mountpoints(telepathy_domain)
--
--miscfiles_read_localization(telepathy_domain)
+fs_rw_inherited_tmpfs_files(telepathy_domain)
+-miscfiles_read_localization(telepathy_domain)
++userdom_search_user_tmp_dirs(telepathy_domain)
++userdom_search_user_home_dirs(telepathy_domain)
+
optional_policy(`
automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
')
@@ -85764,7 +86041,7 @@ index e9c0964..91c1898 100644
optional_policy(`
+ gnome_read_generic_cache_files(telepathy_domain)
+ gnome_write_generic_cache_files(telepathy_domain)
-+ gnome_filetrans_config_home_content(telepathy_domain)
++ gnome_filetrans_config_home_content(telepathy_domain)
+')
+
+optional_policy(`
@@ -91193,7 +91470,7 @@ index 9dec06c..4e31afe 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..8757277 100644
+index 1f22fba..2361150 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,104 @@
@@ -91775,7 +92052,7 @@ index 1f22fba..8757277 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +308,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +308,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -91799,6 +92076,7 @@ index 1f22fba..8757277 100644
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-
++allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
@@ -91821,7 +92099,7 @@ index 1f22fba..8757277 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +342,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +343,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -91842,7 +92120,7 @@ index 1f22fba..8757277 100644
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +354,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +355,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -91850,7 +92128,7 @@ index 1f22fba..8757277 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +362,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +363,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -91878,7 +92156,7 @@ index 1f22fba..8757277 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +382,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +383,23 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -91907,7 +92185,7 @@ index 1f22fba..8757277 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +429,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +430,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -91927,7 +92205,7 @@ index 1f22fba..8757277 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +451,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +452,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -91964,7 +92242,7 @@ index 1f22fba..8757277 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +479,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +480,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -91973,7 +92251,7 @@ index 1f22fba..8757277 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,20 +504,12 @@ optional_policy(`
+@@ -658,20 +505,12 @@ optional_policy(`
')
optional_policy(`
@@ -91994,7 +92272,7 @@ index 1f22fba..8757277 100644
')
optional_policy(`
-@@ -684,14 +522,20 @@ optional_policy(`
+@@ -684,14 +523,20 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -92017,7 +92295,7 @@ index 1f22fba..8757277 100644
iptables_manage_config(virtd_t)
')
-@@ -704,11 +548,13 @@ optional_policy(`
+@@ -704,11 +549,13 @@ optional_policy(`
')
optional_policy(`
@@ -92031,7 +92309,7 @@ index 1f22fba..8757277 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -719,10 +565,18 @@ optional_policy(`
+@@ -719,10 +566,18 @@ optional_policy(`
')
optional_policy(`
@@ -92050,7 +92328,7 @@ index 1f22fba..8757277 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -737,44 +591,261 @@ optional_policy(`
+@@ -737,44 +592,261 @@ optional_policy(`
udev_read_db(virtd_t)
')
@@ -92335,7 +92613,7 @@ index 1f22fba..8757277 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +856,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +857,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -92362,7 +92640,7 @@ index 1f22fba..8757277 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +876,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +877,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -92394,7 +92672,7 @@ index 1f22fba..8757277 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +909,20 @@ optional_policy(`
+@@ -847,14 +910,20 @@ optional_policy(`
')
optional_policy(`
@@ -92416,7 +92694,7 @@ index 1f22fba..8757277 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +947,65 @@ optional_policy(`
+@@ -879,49 +948,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -92500,7 +92778,7 @@ index 1f22fba..8757277 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1017,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1018,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -92520,7 +92798,7 @@ index 1f22fba..8757277 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1038,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1039,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -92544,7 +92822,7 @@ index 1f22fba..8757277 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1063,247 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1064,247 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -92922,7 +93200,7 @@ index 1f22fba..8757277 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1316,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1317,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -92937,7 +93215,7 @@ index 1f22fba..8757277 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1334,8 @@ optional_policy(`
+@@ -1183,9 +1335,8 @@ optional_policy(`
########################################
#
@@ -92948,7 +93226,7 @@ index 1f22fba..8757277 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1348,120 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1349,120 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 353f035..dd481a5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -539,6 +539,34 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Sep 03 2013 Lukas Vrabec