+##
+## Create an object in the process ID directory (e.g., /var/run)
@@ -14332,12 +14359,10 @@ index 64ff4d7..2dd815a 100644
+##
+#
+interface(`files_exec_generic_pid_files',`
- gen_require(`
- type var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
++ gen_require(`
++ type var_run_t;
++ ')
++
+ exec_files_pattern($1, var_run_t, var_run_t)
+')
+
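Review bot: The interface this hunk now adds to the patch, `files_exec_generic_pid_files`, grants `exec_files_pattern($1, var_run_t, var_run_t)`, i.e. execute access on every file carrying the generic runtime type, but the description lines visible just above this hunk, which appear to belong to it, read `## Create an object in the process ID directory (e.g., /var/run)`. The header should state what is actually granted so callers can judge the exposure of executing generic `var_run_t` content, e.g. `## Execute generic process ID (/var/run) files in the caller domain.` The leading diff markers on this page seem to have lost their whitespace, so the inner/outer marker reading here is inferred rather than certain.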
@@ -14548,11 +14573,10 @@ index 64ff4d7..2dd815a 100644
+ ')
+
+ search_dirs_pattern($1, var_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Create an object in the process ID directory, with a private type.
++')
++
++########################################
++##
+## Do not audit attempts to search generic
+## spool directories.
+##
@@ -14574,33 +14598,7 @@ index 64ff4d7..2dd815a 100644
+##
+## List the contents of generic spool
+## (/var/spool) directories.
- ##
--##
--##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--##
--##
--## Related interfaces:
--##
--##
--## - files_pid_file()
--##
--##
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--##
--##
--## type mypidfile_t;
--## files_pid_file(mypidfile_t)
--## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
--## files_pid_filetrans(mydomain_t, mypidfile_t, file)
--##
--##
++##
##
##
## Domain allowed access.
@@ -14700,7 +14698,7 @@ index 64ff4d7..2dd815a 100644
##
##
##
-@@ -6114,44 +8022,165 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6114,44 +8040,165 @@ interface(`files_write_generic_pid_pipes',`
## The name of the object being created.
##
##
@@ -14885,7 +14883,7 @@ index 64ff4d7..2dd815a 100644
##
##
##
-@@ -6159,20 +8188,18 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6159,20 +8206,18 @@ interface(`files_pid_filetrans_lock_dir',`
##
##
#
@@ -14911,7 +14909,7 @@ index 64ff4d7..2dd815a 100644
##
##
##
-@@ -6180,19 +8207,17 @@ interface(`files_rw_generic_pids',`
+@@ -6180,19 +8225,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -14935,7 +14933,7 @@ index 64ff4d7..2dd815a 100644
##
##
##
-@@ -6200,18 +8225,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6200,18 +8243,17 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -14958,7 +14956,7 @@ index 64ff4d7..2dd815a 100644
##
##
##
-@@ -6219,41 +8243,43 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6219,41 +8261,43 @@ interface(`files_dontaudit_write_all_pids',`
##
##
#
@@ -15016,7 +15014,7 @@ index 64ff4d7..2dd815a 100644
##
##
##
-@@ -6262,67 +8288,55 @@ interface(`files_read_all_pids',`
+@@ -6262,67 +8306,55 @@ interface(`files_read_all_pids',`
##
##
#
@@ -15101,7 +15099,7 @@ index 64ff4d7..2dd815a 100644
##
##
##
-@@ -6330,37 +8344,37 @@ interface(`files_manage_all_pids',`
+@@ -6330,37 +8362,37 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -15150,7 +15148,7 @@ index 64ff4d7..2dd815a 100644
##
##
##
-@@ -6368,132 +8382,206 @@ interface(`files_search_spool',`
+@@ -6368,132 +8400,206 @@ interface(`files_search_spool',`
##
##
#
@@ -15408,7 +15406,7 @@ index 64ff4d7..2dd815a 100644
##
##
##
-@@ -6501,53 +8589,17 @@ interface(`files_spool_filetrans',`
+@@ -6501,53 +8607,17 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -15466,7 +15464,7 @@ index 64ff4d7..2dd815a 100644
##
##
##
-@@ -6555,10 +8607,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6555,10 +8625,10 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -27954,14 +27952,14 @@ index c6fdab7..af71c62 100644
sudo_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..a1a917c 100644
+index 28ad538..ed25543 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,14 +1,28 @@
+HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
-+/root/\.yubico/(.*) gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
@@ -31489,7 +31487,7 @@ index 24e7804..2863546 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..6d72189 100644
+index dd3be8d..d76c572 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -31751,7 +31749,7 @@ index dd3be8d..6d72189 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +300,231 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +300,232 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -31786,6 +31784,7 @@ index dd3be8d..6d72189 100644
optional_policy(`
- auth_rw_login_records(init_t)
+ kdump_read_crash(init_t)
++ kdump_read_config(init_t)
')
optional_policy(`
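Review bot: `kdump_read_config(init_t)` is added next to `kdump_read_crash(init_t)` without a comment saying which init-time action needs the kdump configuration, so the least-privilege justification will be lost once the hunk is folded into the patch. A one-line comment above the block, hedged until checked, such as `# systemd reads kdump.conf when starting the kdump unit — TODO confirm`, would make the grant reviewable. The inner hunk header at the top of this outer hunk was bumped from 231 to 232 lines, which is consistent with the single added line.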
@@ -31991,7 +31990,7 @@ index dd3be8d..6d72189 100644
')
optional_policy(`
-@@ -216,7 +532,30 @@ optional_policy(`
+@@ -216,7 +533,30 @@ optional_policy(`
')
optional_policy(`
@@ -32022,7 +32021,7 @@ index dd3be8d..6d72189 100644
')
########################################
-@@ -225,8 +564,9 @@ optional_policy(`
+@@ -225,8 +565,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -32034,7 +32033,7 @@ index dd3be8d..6d72189 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +597,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +598,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -32051,7 +32050,7 @@ index dd3be8d..6d72189 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +622,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +623,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -32094,7 +32093,7 @@ index dd3be8d..6d72189 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +659,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +660,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -32106,7 +32105,7 @@ index dd3be8d..6d72189 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +671,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +672,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -32117,7 +32116,7 @@ index dd3be8d..6d72189 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +682,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +683,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -32127,7 +32126,7 @@ index dd3be8d..6d72189 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +691,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +692,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -32135,7 +32134,7 @@ index dd3be8d..6d72189 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +698,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +699,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -32143,7 +32142,7 @@ index dd3be8d..6d72189 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +706,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +707,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -32161,7 +32160,7 @@ index dd3be8d..6d72189 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +724,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +725,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -32175,7 +32174,7 @@ index dd3be8d..6d72189 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +739,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +740,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -32189,7 +32188,7 @@ index dd3be8d..6d72189 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +752,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +753,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -32197,7 +32196,7 @@ index dd3be8d..6d72189 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +764,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +765,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -32205,7 +32204,7 @@ index dd3be8d..6d72189 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +783,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +784,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -32229,7 +32228,7 @@ index dd3be8d..6d72189 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +816,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +817,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -32237,7 +32236,7 @@ index dd3be8d..6d72189 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +850,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +851,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -32248,7 +32247,7 @@ index dd3be8d..6d72189 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +874,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +875,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -32257,7 +32256,7 @@ index dd3be8d..6d72189 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +889,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +890,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -32265,7 +32264,7 @@ index dd3be8d..6d72189 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +910,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +911,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -32273,7 +32272,7 @@ index dd3be8d..6d72189 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +920,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +921,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -32318,7 +32317,7 @@ index dd3be8d..6d72189 100644
')
optional_policy(`
-@@ -558,14 +965,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +966,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -32350,7 +32349,7 @@ index dd3be8d..6d72189 100644
')
')
-@@ -576,6 +1000,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +1001,39 @@ ifdef(`distro_suse',`
')
')
@@ -32390,7 +32389,7 @@ index dd3be8d..6d72189 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1045,8 @@ optional_policy(`
+@@ -588,6 +1046,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -32399,7 +32398,7 @@ index dd3be8d..6d72189 100644
')
optional_policy(`
-@@ -609,6 +1068,7 @@ optional_policy(`
+@@ -609,6 +1069,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -32407,7 +32406,7 @@ index dd3be8d..6d72189 100644
')
optional_policy(`
-@@ -625,6 +1085,17 @@ optional_policy(`
+@@ -625,6 +1086,17 @@ optional_policy(`
')
optional_policy(`
@@ -32425,7 +32424,7 @@ index dd3be8d..6d72189 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1112,13 @@ optional_policy(`
+@@ -641,9 +1113,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -32439,7 +32438,7 @@ index dd3be8d..6d72189 100644
')
optional_policy(`
-@@ -656,15 +1131,11 @@ optional_policy(`
+@@ -656,15 +1132,11 @@ optional_policy(`
')
optional_policy(`
@@ -32457,7 +32456,7 @@ index dd3be8d..6d72189 100644
')
optional_policy(`
-@@ -685,6 +1156,15 @@ optional_policy(`
+@@ -685,6 +1157,15 @@ optional_policy(`
')
optional_policy(`
@@ -32473,7 +32472,7 @@ index dd3be8d..6d72189 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1205,7 @@ optional_policy(`
+@@ -725,6 +1206,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -32481,7 +32480,7 @@ index dd3be8d..6d72189 100644
')
optional_policy(`
-@@ -742,7 +1223,13 @@ optional_policy(`
+@@ -742,7 +1224,13 @@ optional_policy(`
')
optional_policy(`
@@ -32496,7 +32495,7 @@ index dd3be8d..6d72189 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1252,10 @@ optional_policy(`
+@@ -765,6 +1253,10 @@ optional_policy(`
')
optional_policy(`
@@ -32507,7 +32506,7 @@ index dd3be8d..6d72189 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1265,20 @@ optional_policy(`
+@@ -774,10 +1266,20 @@ optional_policy(`
')
optional_policy(`
@@ -32528,7 +32527,7 @@ index dd3be8d..6d72189 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1287,10 @@ optional_policy(`
+@@ -786,6 +1288,10 @@ optional_policy(`
')
optional_policy(`
@@ -32539,7 +32538,7 @@ index dd3be8d..6d72189 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1312,6 @@ optional_policy(`
+@@ -807,8 +1313,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -32548,7 +32547,7 @@ index dd3be8d..6d72189 100644
')
optional_policy(`
-@@ -817,6 +1320,10 @@ optional_policy(`
+@@ -817,6 +1321,10 @@ optional_policy(`
')
optional_policy(`
@@ -32559,7 +32558,7 @@ index dd3be8d..6d72189 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1333,12 @@ optional_policy(`
+@@ -826,10 +1334,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -32572,7 +32571,7 @@ index dd3be8d..6d72189 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1365,35 @@ optional_policy(`
+@@ -856,12 +1366,35 @@ optional_policy(`
')
optional_policy(`
@@ -32609,7 +32608,7 @@ index dd3be8d..6d72189 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1403,18 @@ optional_policy(`
+@@ -871,6 +1404,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -32628,7 +32627,7 @@ index dd3be8d..6d72189 100644
')
optional_policy(`
-@@ -886,6 +1430,10 @@ optional_policy(`
+@@ -886,6 +1431,10 @@ optional_policy(`
')
optional_policy(`
@@ -32639,7 +32638,7 @@ index dd3be8d..6d72189 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1444,218 @@ optional_policy(`
+@@ -896,3 +1445,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index c36d9a5..3cd488e 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -3562,7 +3562,7 @@ index 550a69e..43bb1c9 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index 83e899c..64beed7 100644
+index 83e899c..9426db5 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -3578,7 +3578,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -13,118 +13,101 @@
+@@ -13,118 +13,103 @@
#
template(`apache_content_template',`
gen_require(`
@@ -3681,10 +3681,11 @@ index 83e899c..64beed7 100644
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
--
+
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
++ allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };
+ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
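Review bot: The new `allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };` sits unconditionally in `apache_content_template`, so every instantiated script domain, user content included, gets read/write on any `httpd_t` unix stream socket it can reach, while the rule immediately after it is gated on the `httpd_builtin_scripting` tunable. If the intent is only to let a spawned script use the socket it inherits from the web server, consider placing it under the same tunable that governs the script transition (`httpd_enable_cgi` is used elsewhere in this file) and adding `# script talks to httpd over the inherited socket fd` so the grant is not widened later. The template body continues outside this hunk.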
@@ -3744,7 +3745,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -133,47 +116,61 @@ template(`apache_content_template',`
+@@ -133,47 +118,61 @@ template(`apache_content_template',`
##
##
##
@@ -3835,7 +3836,7 @@ index 83e899c..64beed7 100644
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
')
-@@ -184,7 +181,7 @@ interface(`apache_role',`
+@@ -184,7 +183,7 @@ interface(`apache_role',`
########################################
##
@@ -3844,7 +3845,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',`
+@@ -204,7 +203,7 @@ interface(`apache_read_user_scripts',`
########################################
##
@@ -3853,7 +3854,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -224,7 +221,7 @@ interface(`apache_read_user_content',`
+@@ -224,7 +223,7 @@ interface(`apache_read_user_content',`
########################################
##
@@ -3862,7 +3863,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -241,27 +238,47 @@ interface(`apache_domtrans',`
+@@ -241,27 +240,47 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -3917,7 +3918,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -279,7 +296,7 @@ interface(`apache_signal',`
+@@ -279,7 +298,7 @@ interface(`apache_signal',`
########################################
##
@@ -3926,7 +3927,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -297,7 +314,7 @@ interface(`apache_signull',`
+@@ -297,7 +316,7 @@ interface(`apache_signull',`
########################################
##
@@ -3935,7 +3936,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -315,8 +332,7 @@ interface(`apache_sigchld',`
+@@ -315,8 +334,7 @@ interface(`apache_sigchld',`
########################################
##
@@ -3945,7 +3946,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -334,8 +350,8 @@ interface(`apache_use_fds',`
+@@ -334,8 +352,8 @@ interface(`apache_use_fds',`
########################################
##
@@ -3956,7 +3957,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -348,13 +366,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
@@ -3973,7 +3974,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
+@@ -372,8 +390,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
########################################
##
@@ -3984,7 +3985,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
+@@ -391,8 +409,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
##
@@ -3994,7 +3995,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',`
+@@ -417,7 +434,8 @@ interface(`apache_manage_all_content',`
########################################
##
@@ -4004,7 +4005,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',`
+@@ -435,7 +453,8 @@ interface(`apache_setattr_cache_dirs',`
########################################
##
@@ -4014,7 +4015,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -453,7 +470,8 @@ interface(`apache_list_cache',`
+@@ -453,7 +472,8 @@ interface(`apache_list_cache',`
########################################
##
@@ -4024,7 +4025,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',`
+@@ -471,7 +491,8 @@ interface(`apache_rw_cache_files',`
########################################
##
@@ -4034,7 +4035,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',`
+@@ -489,7 +510,8 @@ interface(`apache_delete_cache_dirs',`
########################################
##
@@ -4044,7 +4045,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',`
+@@ -507,49 +529,51 @@ interface(`apache_delete_cache_files',`
########################################
##
@@ -4107,7 +4108,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -570,8 +592,8 @@ interface(`apache_manage_config',`
+@@ -570,8 +594,8 @@ interface(`apache_manage_config',`
########################################
##
@@ -4118,7 +4119,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',`
+@@ -608,16 +632,38 @@ interface(`apache_domtrans_helper',`
#
interface(`apache_run_helper',`
gen_require(`
@@ -4160,7 +4161,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -639,7 +683,8 @@ interface(`apache_read_log',`
+@@ -639,7 +685,8 @@ interface(`apache_read_log',`
########################################
##
@@ -4170,7 +4171,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -657,10 +702,29 @@ interface(`apache_append_log',`
+@@ -657,10 +704,29 @@ interface(`apache_append_log',`
append_files_pattern($1, httpd_log_t, httpd_log_t)
')
@@ -4202,7 +4203,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',`
+@@ -678,8 +744,8 @@ interface(`apache_dontaudit_append_log',`
########################################
##
@@ -4213,7 +4214,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -687,20 +751,21 @@ interface(`apache_dontaudit_append_log',`
+@@ -687,20 +753,21 @@ interface(`apache_dontaudit_append_log',`
##
##
#
@@ -4243,7 +4244,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -708,19 +773,21 @@ interface(`apache_manage_log',`
+@@ -708,19 +775,21 @@ interface(`apache_manage_log',`
##
##
#
@@ -4269,7 +4270,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -738,7 +805,8 @@ interface(`apache_dontaudit_search_modules',`
+@@ -738,7 +807,8 @@ interface(`apache_dontaudit_search_modules',`
########################################
##
@@ -4279,7 +4280,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -746,17 +814,19 @@ interface(`apache_dontaudit_search_modules',`
+@@ -746,17 +816,19 @@ interface(`apache_dontaudit_search_modules',`
##
##
#
@@ -4302,7 +4303,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -764,19 +834,19 @@ interface(`apache_list_modules',`
+@@ -764,19 +836,19 @@ interface(`apache_list_modules',`
##
##
#
@@ -4326,7 +4327,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -784,19 +854,19 @@ interface(`apache_exec_modules',`
+@@ -784,19 +856,19 @@ interface(`apache_exec_modules',`
##
##
#
@@ -4351,7 +4352,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -809,13 +879,50 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -809,13 +881,50 @@ interface(`apache_domtrans_rotatelogs',`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
@@ -4404,7 +4405,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -829,13 +936,14 @@ interface(`apache_list_sys_content',`
+@@ -829,13 +938,14 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -4421,7 +4422,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -844,6 +952,7 @@ interface(`apache_list_sys_content',`
+@@ -844,6 +954,7 @@ interface(`apache_list_sys_content',`
##
##
#
@@ -4429,7 +4430,7 @@ index 83e899c..64beed7 100644
interface(`apache_manage_sys_content',`
gen_require(`
type httpd_sys_content_t;
-@@ -855,32 +964,98 @@ interface(`apache_manage_sys_content',`
+@@ -855,32 +966,98 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -4455,11 +4456,31 @@ index 83e899c..64beed7 100644
+')
+
+######################################
++##
++## Allow the specified domain to read
++## apache system content rw dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_read_sys_content_rw_dirs',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++######################################
##
-## Create, read, write, and delete
-## httpd system rw content.
-+## Allow the specified domain to read
-+## apache system content rw dirs.
++## Allow the specified domain to manage
++## apache system content rw files.
##
##
##
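Review bot: `apache_read_sys_content_rw_dirs`, now inserted here as a new interface, grants only `list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)`, whereas its companion `apache_manage_sys_content_rw` in the next hunk also calls `files_search_var($1)`; a caller of the read interface that cannot already search `/var` would presumably still be unable to reach the directories it was just allowed to list. Either add `files_search_var($1)` after the `gen_require` block for consistency, or state the precondition in the header with `## Callers must already be able to search /var.` Whether the content actually lives under `/var` is not visible on this page, so the inference should be checked against the file contexts.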
@@ -4469,32 +4490,12 @@ index 83e899c..64beed7 100644
+##
#
-interface(`apache_manage_sys_rw_content',`
-+interface(`apache_read_sys_content_rw_dirs',`
++interface(`apache_manage_sys_content_rw',`
gen_require(`
type httpd_sys_rw_content_t;
')
- apache_search_sys_content($1)
-+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
-+######################################
-+##
-+## Allow the specified domain to manage
-+## apache system content rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_manage_sys_content_rw',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
+ files_search_var($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@@ -4536,7 +4537,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -888,10 +1063,17 @@ interface(`apache_manage_sys_rw_content',`
+@@ -888,10 +1065,17 @@ interface(`apache_manage_sys_rw_content',`
##
##
#
@@ -4555,7 +4556,7 @@ index 83e899c..64beed7 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -901,9 +1083,8 @@ interface(`apache_domtrans_sys_script',`
+@@ -901,9 +1085,8 @@ interface(`apache_domtrans_sys_script',`
########################################
##
@@ -4567,7 +4568,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -941,7 +1122,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -941,7 +1124,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
##
## Execute all user scripts in the user
@@ -4576,7 +4577,7 @@ index 83e899c..64beed7 100644
## to the specified role.
##
##
-@@ -954,6 +1135,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -954,6 +1137,7 @@ interface(`apache_domtrans_all_scripts',`
## Role allowed access.
##
##
@@ -4584,7 +4585,7 @@ index 83e899c..64beed7 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -966,7 +1148,8 @@ interface(`apache_run_all_scripts',`
+@@ -966,7 +1150,8 @@ interface(`apache_run_all_scripts',`
########################################
##
@@ -4594,7 +4595,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -979,12 +1162,13 @@ interface(`apache_read_squirrelmail_data',`
+@@ -979,12 +1164,13 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -4610,7 +4611,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -1002,7 +1186,7 @@ interface(`apache_append_squirrelmail_data',`
+@@ -1002,7 +1188,7 @@ interface(`apache_append_squirrelmail_data',`
########################################
##
@@ -4619,7 +4620,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -1015,13 +1199,12 @@ interface(`apache_search_sys_content',`
+@@ -1015,13 +1201,12 @@ interface(`apache_search_sys_content',`
type httpd_sys_content_t;
')
@@ -4634,7 +4635,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -1041,7 +1224,7 @@ interface(`apache_read_sys_content',`
+@@ -1041,7 +1226,7 @@ interface(`apache_read_sys_content',`
########################################
##
@@ -4643,7 +4644,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -1059,8 +1242,7 @@ interface(`apache_search_sys_scripts',`
+@@ -1059,8 +1244,7 @@ interface(`apache_search_sys_scripts',`
########################################
##
@@ -4653,7 +4654,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -1070,13 +1252,22 @@ interface(`apache_search_sys_scripts',`
+@@ -1070,13 +1254,22 @@ interface(`apache_search_sys_scripts',`
##
#
interface(`apache_manage_all_user_content',`
@@ -4679,7 +4680,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -1094,7 +1285,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1094,7 +1287,8 @@ interface(`apache_search_sys_script_state',`
########################################
##
@@ -4689,7 +4690,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -1111,10 +1303,29 @@ interface(`apache_read_tmp_files',`
+@@ -1111,10 +1305,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -4721,7 +4722,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -1127,7 +1338,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1127,7 +1340,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -4730,7 +4731,7 @@ index 83e899c..64beed7 100644
')
########################################
-@@ -1136,6 +1347,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1136,6 +1349,9 @@ interface(`apache_dontaudit_write_tmp_files',`
##
##
##
@@ -4740,7 +4741,7 @@ index 83e899c..64beed7 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1165,8 +1379,30 @@ interface(`apache_cgi_domain',`
+@@ -1165,8 +1381,30 @@ interface(`apache_cgi_domain',`
########################################
##
@@ -4773,7 +4774,7 @@ index 83e899c..64beed7 100644
##
##
##
-@@ -1183,18 +1419,19 @@ interface(`apache_cgi_domain',`
+@@ -1183,18 +1421,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@@ -4802,7 +4803,7 @@ index 83e899c..64beed7 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1204,10 +1441,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1443,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -4816,7 +4817,7 @@ index 83e899c..64beed7 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1455,141 @@ interface(`apache_admin',`
+@@ -1218,9 +1457,141 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -4963,7 +4964,7 @@ index 83e899c..64beed7 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..0dbb289 100644
+index 1a82e29..bce7760 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,381 @@
@@ -6281,7 +6282,7 @@ index 1a82e29..0dbb289 100644
')
optional_policy(`
-@@ -836,20 +1029,39 @@ optional_policy(`
+@@ -836,20 +1029,40 @@ optional_policy(`
')
optional_policy(`
@@ -6292,6 +6293,7 @@ index 1a82e29..0dbb289 100644
+
+optional_policy(`
+ passenger_exec(httpd_t)
++ passenger_kill(httpd_t)
+ passenger_manage_pid_content(httpd_t)
+')
+
@@ -6327,7 +6329,7 @@ index 1a82e29..0dbb289 100644
')
optional_policy(`
-@@ -857,19 +1069,35 @@ optional_policy(`
+@@ -857,19 +1070,35 @@ optional_policy(`
')
optional_policy(`
@@ -6363,7 +6365,7 @@ index 1a82e29..0dbb289 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1105,173 @@ optional_policy(`
+@@ -877,65 +1106,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6559,7 +6561,7 @@ index 1a82e29..0dbb289 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1280,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1281,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6714,7 +6716,7 @@ index 1a82e29..0dbb289 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1364,106 @@ optional_policy(`
+@@ -1077,172 +1365,106 @@ optional_policy(`
')
')
@@ -6951,7 +6953,7 @@ index 1a82e29..0dbb289 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1471,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1472,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7048,7 +7050,7 @@ index 1a82e29..0dbb289 100644
########################################
#
-@@ -1315,8 +1546,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1547,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7065,7 +7067,7 @@ index 1a82e29..0dbb289 100644
')
########################################
-@@ -1324,49 +1562,38 @@ optional_policy(`
+@@ -1324,49 +1563,38 @@ optional_policy(`
# User content local policy
#
@@ -7130,7 +7132,7 @@ index 1a82e29..0dbb289 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1603,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1604,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -25532,8 +25534,21 @@ index 94fb625..3742ee1 100644
fs_search_auto_mountpoints(evolution_server_t)
+diff --git a/exim.fc b/exim.fc
+index dc0254b..9df498d 100644
+--- a/exim.fc
++++ b/exim.fc
+@@ -3,6 +3,8 @@
+ /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+ /usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+
++/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
++
+ /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+
+ /var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
diff --git a/exim.if b/exim.if
-index 6041113..ef3b449 100644
+index 6041113..4a8d053 100644
--- a/exim.if
+++ b/exim.if
@@ -21,35 +21,51 @@ interface(`exim_domtrans',`
@@ -25658,18 +25673,52 @@ index 6041113..ef3b449 100644
##
##
##
-@@ -225,8 +241,8 @@ interface(`exim_manage_spool_files',`
+@@ -225,6 +241,44 @@ interface(`exim_manage_spool_files',`
########################################
##
--## All of the rules required to
--## administrate an exim environment.
-+## All of the rules required to administrate
-+## an exim environment.
++## Read exim var lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`exim_read_var_lib_files',`
++ gen_require(`
++ type exim_var_lib_t;
++ ')
++
++ read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Create, read, and write exim var lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`exim_manage_var_lib_files',`
++ gen_require(`
++ type exim_var_lib_t;
++ ')
++
++ manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an exim environment.
##
- ##
- ##
-@@ -238,18 +254,21 @@ interface(`exim_manage_spool_files',`
+@@ -238,22 +292,29 @@ interface(`exim_manage_spool_files',`
## Role allowed access.
##
##
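Review bot: The header of the new `exim_manage_var_lib_files` understates what it grants: `manage_files_pattern` carries delete, rename and setattr as well as create/read/write, so the refpolicy wording for a manage interface, `## Create, read, write, and delete exim var lib files.`, is the accurate one here. Neither interface grants directory management on exim_var_lib_t, so a caller can rewrite files under /var/lib/exim* but cannot create subdirectories there; if that is intended say so in the header, otherwise add `manage_dirs_pattern($1, exim_var_lib_t, exim_var_lib_t)` to the manage variant. Both new interfaces are complete within this hunk; the `exim_admin` block whose header starts at its end continues in the following hunks.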
@@ -25677,10 +25726,9 @@ index 6041113..ef3b449 100644
#
interface(`exim_admin',`
gen_require(`
-- type exim_t, exim_spool_t, exim_log_t;
-- type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
-+ type exim_t, exim_initrc_exec_t, exim_log_t;
-+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ type exim_t, exim_spool_t, exim_log_t;
+ type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
++ type exim_keytab_t;
')
- allow $1 exim_t:process { ptrace signal_perms };
@@ -25696,11 +25744,31 @@ index 6041113..ef3b449 100644
domain_system_change_exemption($1)
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
+
++ files_search_etc($1)
++ admin_pattern($1, exim_keytab_t)
++
+ files_search_spool($1)
+ admin_pattern($1, exim_spool_t)
+
diff --git a/exim.te b/exim.te
-index 19325ce..3e86b12 100644
+index 19325ce..5495c90 100644
--- a/exim.te
+++ b/exim.te
-@@ -49,7 +49,7 @@ type exim_log_t;
+@@ -1,4 +1,4 @@
+-policy_module(exim, 1.5.4)
++policy_module(exim, 1.6.1)
+
+ ########################################
+ #
+@@ -45,11 +45,14 @@ mta_agent_executable(exim_exec_t)
+ type exim_initrc_exec_t;
+ init_script_file(exim_initrc_exec_t)
+
++type exim_var_lib_t;
++files_type(exim_var_lib_t)
++
+ type exim_log_t;
logging_log_file(exim_log_t)
type exim_spool_t;
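Review bot: `admin_pattern($1, exim_keytab_t)` depends on a type that exim.te only declares through `kerberos_keytab_template(exim, exim_t)` inside an `optional_policy` block (visible later in this patch), while the matching `type exim_keytab_t;` was added to the unconditional `gen_require` of `exim_admin` in the preceding hunk. On a build without the kerberos module that type does not exist, and because callers invoke `exim_admin` inside their own `optional_policy`, the whole set of exim admin rules is then silently dropped, not just the keytab line. Keep the keytab require and rules in their own optional block so the rest of the interface survives; the enclosing `exim_admin` definition starts in the previous hunk and ends outside this one.

```m4
interface(`exim_admin',`
	gen_require(`
		type exim_t, exim_spool_t, exim_log_t;
		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
	')

	# … unchanged: process access, init script domtrans, role transition …

	optional_policy(`
		gen_require(`
			type exim_keytab_t;
		')

		files_search_etc($1)
		admin_pattern($1, exim_keytab_t)
	')

	# … unchanged: spool, log, tmp and pid admin patterns …
```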
@@ -25709,8 +25777,31 @@ index 19325ce..3e86b12 100644
type exim_tmp_t;
files_tmp_file(exim_tmp_t)
-@@ -90,11 +90,10 @@ can_exec(exim_t, exim_exec_t)
+@@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t)
+ type exim_var_run_t;
+ files_pid_file(exim_var_run_t)
+
++ifdef(`distro_debian',`
++ init_daemon_run_dir(exim_var_run_t, "exim4")
++')
++
+ ########################################
+ #
+ # Local policy
+@@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
+ allow exim_t self:unix_stream_socket { accept listen };
+ allow exim_t self:tcp_socket { accept listen };
+
++manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
++
+ append_files_pattern(exim_t, exim_log_t, exim_log_t)
+ create_files_pattern(exim_t, exim_log_t, exim_log_t)
+ setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
+@@ -88,13 +97,13 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
+
+ can_exec(exim_t, exim_exec_t)
++kernel_read_crypto_sysctls(exim_t)
kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
-kernel_dontaudit_read_system_state(exim_t)
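Review bot: `manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)` gives the daemon full write access to everything under /var/lib/exim*, and the new `ifdef(`distro_debian',` block in the same hunk shows Debian layouts are in scope. If I recall correctly Debian's exim4 keeps its generated effective configuration under /var/lib/exim4 as well; if that is the case, a compromised exim_t could rewrite its own configuration and persist across restarts, so confirm what that directory holds on Debian and label any configuration there with a type exim_t can only read rather than under the writable lib type. Whatever the outcome, a one-line comment above the rule stating what exim_var_lib_t is expected to contain, e.g. `# daemon-written state under /var/lib/exim*`, would tell the next reader why manage access is appropriate.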
@@ -25722,7 +25813,19 @@ index 19325ce..3e86b12 100644
corenet_all_recvfrom_netlabel(exim_t)
corenet_tcp_sendrecv_generic_if(exim_t)
corenet_udp_sendrecv_generic_if(exim_t)
-@@ -138,7 +137,6 @@ auth_use_nsswitch(exim_t)
+@@ -123,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t)
+
+ dev_read_rand(exim_t)
+ dev_read_urand(exim_t)
++dev_read_sysfs(exim_t)
+
+ domain_use_interactive_fds(exim_t)
+
+@@ -135,10 +145,10 @@ fs_getattr_xattr_fs(exim_t)
+ fs_list_inotifyfs(exim_t)
+
+ auth_use_nsswitch(exim_t)
++auth_domtrans_chk_passwd(exim_t)
logging_send_syslog_msg(exim_t)
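Review bot: `auth_domtrans_chk_passwd(exim_t)` is granted unconditionally, which lets a network-facing MTA run the password-checking helper (and through it reach shadow data) whether or not SMTP AUTH against system accounts is configured on the host. This module already gates optional reach behind booleans (`exim_can_connect_db`, `exim_read_user_files` are visible in the surrounding hunks), so the same pattern fits here: a new boolean declared with `gen_tunable` in the module and a `tunable_policy(` wrapper around this call, or at minimum a comment naming the authenticator that needs it. Which authentication path Fedora's exim build uses for SMTP AUTH is not visible in this diff; confirm before choosing the gate.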
@@ -25730,7 +25833,7 @@ index 19325ce..3e86b12 100644
miscfiles_read_generic_certs(exim_t)
userdom_dontaudit_search_user_home_dirs(exim_t)
-@@ -154,9 +152,9 @@ tunable_policy(`exim_can_connect_db',`
+@@ -154,9 +164,9 @@ tunable_policy(`exim_can_connect_db',`
corenet_sendrecv_mssql_client_packets(exim_t)
corenet_tcp_connect_mssql_port(exim_t)
corenet_tcp_sendrecv_mssql_port(exim_t)
@@ -25743,7 +25846,7 @@ index 19325ce..3e86b12 100644
')
tunable_policy(`exim_read_user_files',`
-@@ -170,8 +168,8 @@ tunable_policy(`exim_manage_user_files',`
+@@ -170,13 +180,14 @@ tunable_policy(`exim_manage_user_files',`
')
optional_policy(`
@@ -25754,19 +25857,27 @@ index 19325ce..3e86b12 100644
')
optional_policy(`
-@@ -192,11 +190,6 @@ optional_policy(`
+ cron_read_pipes(exim_t)
+ cron_rw_system_job_pipes(exim_t)
++ cron_use_system_job_fds(exim_t)
')
optional_policy(`
-- mailman_read_data_files(exim_t)
-- mailman_domtrans(exim_t)
+@@ -188,12 +199,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- kerberos_keytab_template(exim, exim_t)
-')
-
-optional_policy(`
- nagios_search_spool(exim_t)
+- mailman_read_data_files(exim_t)
+- mailman_domtrans(exim_t)
++ kerberos_keytab_template(exim, exim_t)
')
-@@ -218,6 +211,7 @@ optional_policy(`
+ optional_policy(`
+@@ -218,6 +224,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
@@ -45073,7 +45184,7 @@ index 6194b80..cafb2b0 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..e76899c 100644
+index 6a306ee..39094ea 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -45519,7 +45630,7 @@ index 6a306ee..e76899c 100644
')
optional_policy(`
-@@ -300,259 +326,250 @@ optional_policy(`
+@@ -300,259 +326,251 @@ optional_policy(`
########################################
#
@@ -45735,6 +45846,7 @@ index 6a306ee..e76899c 100644
-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
+dev_dontaudit_getattr_all(mozilla_plugin_t)
++dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t)
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
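Review bot: `dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t)` suppresses the denials rather than closing the leak: a descriptor to an xserver_misc_device_t device is reaching the plugin domain, and once the AVC messages are silenced nothing remains to show whether it still happens or whether a plugin ever uses it. Prefer closing the descriptor on the side that hands it over (close-on-exec in the launching domain); which domain leaks it is not visible here. If the dontaudit has to stay for now, a comment such as `# xserver_misc_device_t fd appears to leak into the plugin; silenced until the leak is fixed at its source` keeps it from quietly becoming permanent.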
@@ -45917,7 +46029,7 @@ index 6a306ee..e76899c 100644
')
optional_policy(`
-@@ -560,7 +577,11 @@ optional_policy(`
+@@ -560,7 +578,11 @@ optional_policy(`
')
optional_policy(`
@@ -45930,7 +46042,7 @@ index 6a306ee..e76899c 100644
')
optional_policy(`
-@@ -568,108 +589,131 @@ optional_policy(`
+@@ -568,108 +590,131 @@ optional_policy(`
')
optional_policy(`
@@ -46512,10 +46624,10 @@ index c97c177..9411154 100644
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
-index f42896c..36b363c 100644
+index f42896c..1e1a679 100644
--- a/mta.fc
+++ b/mta.fc
-@@ -1,34 +1,44 @@
+@@ -1,34 +1,45 @@
-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
@@ -46574,6 +46686,7 @@ index f42896c..36b363c 100644
/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
++/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
index ed81cac..8f217ea 100644
--- a/mta.if
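Review bot: `/var/spool/smtpd(/.*)?` is labeled with the generic mailbox spool type mail_spool_t, while the line directly above gives the sendmail queue its own mqueue_spool_t; a server's queue and a mailbox spool have different consumers, and labeling a queue as mail_spool_t exposes it to every domain that may read or write user mailboxes. Unless the daemon owning /var/spool/smtpd really stores mailboxes there, the closer match is `/var/spool/smtpd(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)` or a dedicated type in that daemon's own module. Which daemon this path belongs to (OpenSMTPD, presumably) and what it keeps there is not visible in this diff, so confirm against the package before relabeling.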
@@ -49491,7 +49604,7 @@ index 687af38..a77dc09 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 9f6179e..699587e 100644
+index 9f6179e..6e73360 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
@@ -49581,7 +49694,7 @@ index 9f6179e..699587e 100644
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-@@ -93,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -93,50 +92,55 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
@@ -49638,6 +49751,7 @@ index 9f6179e..699587e 100644
-miscfiles_read_localization(mysqld_t)
+sysnet_read_config(mysqld_t)
++sysnet_exec_ifconfig(mysqld_t)
-userdom_search_user_home_dirs(mysqld_t)
-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
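Review bot: `sysnet_exec_ifconfig(mysqld_t)` is granted to every mysqld_t unconditionally, while the changelog ties it to Red Hat OpenStack; a database daemon has no obvious reason to execute ifconfig, and this execute permission now applies on every system carrying the policy. Gate it the way the module handles other optional reach, with a `tunable_policy(` wrapper around a boolean declared via `gen_tunable` in the same module, or at least record the reason next to the rule, e.g. `# required for Red Hat OpenStack deployments (see changelog); verify stock mysqld does not need it`, so the grant does not outlive its justification.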
@@ -49653,7 +49767,7 @@ index 9f6179e..699587e 100644
')
optional_policy(`
-@@ -144,6 +147,10 @@ optional_policy(`
+@@ -144,6 +148,10 @@ optional_policy(`
')
optional_policy(`
@@ -49664,7 +49778,7 @@ index 9f6179e..699587e 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -153,29 +160,25 @@ optional_policy(`
+@@ -153,29 +161,25 @@ optional_policy(`
#######################################
#
@@ -49703,7 +49817,7 @@ index 9f6179e..699587e 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -183,21 +186,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -183,21 +187,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
@@ -49739,7 +49853,7 @@ index 9f6179e..699587e 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -205,7 +216,7 @@ optional_policy(`
+@@ -205,7 +217,7 @@ optional_policy(`
########################################
#
@@ -49748,7 +49862,7 @@ index 9f6179e..699587e 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +225,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +226,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -49766,7 +49880,7 @@ index 9f6179e..699587e 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -226,31 +238,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +239,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -59812,7 +59926,7 @@ index 2c389ea..9155bd0 100644
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/passenger.if b/passenger.if
-index bf59ef7..0ec51d4 100644
+index bf59ef7..2d8335f 100644
--- a/passenger.if
+++ b/passenger.if
@@ -15,17 +15,16 @@ interface(`passenger_domtrans',`
@@ -59868,7 +59982,7 @@ index bf59ef7..0ec51d4 100644
##
##
##
-@@ -53,6 +69,93 @@ interface(`passenger_read_lib_files',`
+@@ -53,6 +69,112 @@ interface(`passenger_read_lib_files',`
type passenger_var_lib_t;
')
@@ -59897,7 +60011,7 @@ index bf59ef7..0ec51d4 100644
+ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
-+')
+ ')
+
+#####################################
+##
@@ -59962,7 +60076,26 @@ index bf59ef7..0ec51d4 100644
+ files_search_tmp($1)
+ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
- ')
++')
++
++########################################
++##
++## Send kill signals to passenger.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`passenger_kill',`
++ gen_require(`
++ type passenger_t;
++ ')
++
++ allow $1 passenger_t:process sigkill;
++')
++
diff --git a/passenger.te b/passenger.te
index 4e114ff..1b1cb71 100644
--- a/passenger.te
@@ -93942,10 +94075,10 @@ index 0000000..80c6480
+')
diff --git a/stapserver.te b/stapserver.te
new file mode 100644
-index 0000000..e472397
+index 0000000..6aeecac
--- /dev/null
+++ b/stapserver.te
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,114 @@
+policy_module(stapserver, 1.0.0)
+
+########################################
@@ -94020,6 +94153,7 @@ index 0000000..e472397
+files_search_kernel_modules(stapserver_t)
+
+fs_search_cgroup_dirs(stapserver_t)
++fs_getattr_all_fs(stapserver_t)
+
+auth_use_nsswitch(stapserver_t)
+
@@ -101594,7 +101728,7 @@ index 9dec06c..88dcafb 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..f618cd0 100644
+index 1f22fba..0fd2172 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,209 @@
@@ -103300,7 +103434,7 @@ index 1f22fba..f618cd0 100644
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(svirt_sandbox_domain)
-+ fs_manage_cifs_files(svirt_sandbox_domain)
++ fs_manage_cifs_dirs(svirt_sandbox_domain)
+ fs_read_cifs_symlinks(svirt_sandbox_domain)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f22b575..a7b9e03 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 159%{?dist}
+Release: 160%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,23 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon May 05 2014 Lukas Vrabec 3.12.1-160
+- Dontaudit leaked xserver_misc_device_t into plugins
+- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy
+- Bootloader wants to look at init state
+- init reads kdbump etc files
+- userdom_search_admin_dir() calling needs to be optional in kernel.te
+- Fix labeling for /root/\.yubico
+- Allow httpd_t to kill passenger
+- Add new labeling for /var/spool/smtpd
+- Dontaudit leaked xserver_misc_device_t into plugins
+- Backport exim policy from rawhide to F20
+- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets
+- Add back kerberos_keytab_template() for exim+f20.
+- ALlow stap-server to get attr on all fs
+- Allow mysql to execute ifconfig if Red Hat OpenStack
+- Fix virt_use_samba in virt.te
+
* Fri May 02 2014 Lukas Vrabec 3.12.1-159
- Add support for us_cli ports
- Fix labeling for /var/run/user//gvfs