diff --git a/container-selinux.tgz b/container-selinux.tgz index b3dd705..7e7df53 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index e04a90c..9f3f960 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1,5 +1,5 @@ diff --git a/.gitmodules b/.gitmodules -index 360bd03..e794aa3 100644 +index 360bd0388..e794aa369 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,4 @@ @@ -9,7 +9,7 @@ index 360bd03..e794aa3 100644 + url = https://github.com/fedora-selinux/selinux-policy-contrib + branch = rawhide diff --git a/Makefile b/Makefile -index ec7b5cb..e2936c6 100644 +index ec7b5cba8..673db6491 100644 --- a/Makefile +++ b/Makefile @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule @@ -29,6 +29,15 @@ index ec7b5cb..e2936c6 100644 net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) +@@ -365,7 +366,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke + @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ + @echo "#" >> $@ + $(verbose) cat $@.in >> $@ +- $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \ ++ $(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \ + | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \ + | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ + @@ -609,15 +610,16 @@ resetlabels: # Clean everything # @@ -56,7 +65,7 @@ index ec7b5cb..e2936c6 100644 ifndef LOCAL_ROOT rm -f $(fcsort) diff --git a/Rules.modular b/Rules.modular -index 313d837..4f261a9 100644 +index 313d8375b..1e92c7d5d 100644 --- a/Rules.modular +++ b/Rules.modular @@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp 
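Review bot: The rewritten `$(GREP)` pattern in the corenetwork.if recipe (inner Makefile hunk `@@ -365,7 +366,7 @@`) leaves its top-level `|` outside any group, so the alternation splits the whole expression: the left branch is `^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)` without the trailing `\(.*\)`, and the right branch is `ib_(pkey|endport)\(.*\)` without the `^[[:blank:]]*` anchor. As written, an `ib_pkey(...)` or `ib_endport(...)` string anywhere on a line of corenetwork.te.in, including inside a comment, would be piped into M4 and appended to the generated interface file, which is a loose filter for a step that generates security policy. Moving the alternation inside one group keeps the anchor and the call-parenthesis check for every macro: `"^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?|ib_(pkey|endport))\(.*\)"`. The recipe starts above the hunk, and this assumes `$(GREP)` is an extended-regex grep, as the existing pattern implies.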
@@ -68,7 +77,16 @@ index 313d837..4f261a9 100644 @test -d $(tmpdir) || mkdir -p $(tmpdir) $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ -@@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs) +@@ -168,6 +168,8 @@ $(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.c + $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf ++ $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true ++ $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true + + ######################################## + # +@@ -201,6 +203,7 @@ validate: $(base_pkg) $(mod_pkgs) @echo "Validating policy linking." $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin @@ -76,8 +94,21 @@ index 313d837..4f261a9 100644 @echo "Success." ######################################## +diff --git a/Rules.monolithic b/Rules.monolithic +index 808a5398a..77f71cd95 100644 +--- a/Rules.monolithic ++++ b/Rules.monolithic +@@ -155,6 +155,8 @@ $(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.c + $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf ++ $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true ++ $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true + + ######################################## + # 
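Review bot: The two added `^ibpkeycon` and `^ibendportcon` lines in Rules.modular (inner hunk `@@ -168,6 +168,8 @@`) append to `$@`, while the neighbouring `^netifcon` and `^nodecon` lines in the same recipe append to `$(tmpdir)/all_post.conf` by name. The rule header visible in the hunk line lists several targets (`all_attrs_types.conf`, `only_te_rules.conf` and a third that is cut off), so `$@` is whichever of them make is building, and the InfiniBand context statements may land in a different file from the other object contexts. Naming the file explicitly, `$(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true` and likewise for `^ibendportcon`, would match the surrounding lines. The Rules.monolithic section added further down carries the same two lines and needs the same change. The recipe begins outside the hunk, so the full target list should be confirmed there.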
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts -index 801d97b..698d54c 100644 +index 801d97b6f..698d54ce8 100644 --- a/config/appconfig-mcs/default_contexts +++ b/config/appconfig-mcs/default_contexts @@ -1,4 +1,4 @@ @@ -88,13 +119,13 @@ index 801d97b..698d54c 100644 system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 diff --git a/config/appconfig-mcs/openssh_contexts b/config/appconfig-mcs/openssh_contexts new file mode 100644 -index 0000000..6de0b01 +index 000000000..6de0b016d --- /dev/null +++ b/config/appconfig-mcs/openssh_contexts @@ -0,0 +1 @@ +privsep_preauth=sshd_net_t diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts -index 881a292..5606c4e 100644 +index 881a292e3..5606c4ea6 100644 --- a/config/appconfig-mcs/staff_u_default_contexts +++ b/config/appconfig-mcs/staff_u_default_contexts @@ -1,7 +1,7 @@ @@ -108,7 +139,7 @@ index 881a292..5606c4e 100644 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 diff --git a/config/appconfig-mcs/sysadm_u_default_contexts b/config/appconfig-mcs/sysadm_u_default_contexts new file mode 100644 -index 0000000..b8fda95 +index 000000000..b8fda9543 --- /dev/null +++ b/config/appconfig-mcs/sysadm_u_default_contexts @@ -0,0 +1,12 @@ @@ -126,13 +157,13 @@ index 0000000..b8fda95 + diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts new file mode 100644 -index 0000000..ff32acc +index 000000000..ff32accd1 --- /dev/null +++ b/config/appconfig-mcs/systemd_contexts @@ -0,0 +1 @@ +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts -index cacbc93..56d6071 100644 +index cacbc939f..56d6071c2 100644 --- a/config/appconfig-mcs/user_u_default_contexts +++ b/config/appconfig-mcs/user_u_default_contexts @@ -1,7 +1,7 @@ 
@@ -145,14 +176,14 @@ index cacbc93..56d6071 100644 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context -index d387b42..150f281 100644 +index d387b428b..150f281d1 100644 --- a/config/appconfig-mcs/virtual_domain_context +++ b/config/appconfig-mcs/virtual_domain_context @@ -1 +1,2 @@ system_u:system_r:svirt_t:s0 +system_u:system_r:svirt_tcg_t:s0 diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts -index 801d97b..698d54c 100644 +index 801d97b6f..698d54ce8 100644 --- a/config/appconfig-mls/default_contexts +++ b/config/appconfig-mls/default_contexts @@ -1,4 +1,4 @@ @@ -163,13 +194,13 @@ index 801d97b..698d54c 100644 system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 diff --git a/config/appconfig-mls/openssh_contexts b/config/appconfig-mls/openssh_contexts new file mode 100644 -index 0000000..6de0b01 +index 000000000..6de0b016d --- /dev/null +++ b/config/appconfig-mls/openssh_contexts @@ -0,0 +1 @@ +privsep_preauth=sshd_net_t diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts -index 881a292..5606c4e 100644 +index 881a292e3..5606c4ea6 100644 --- a/config/appconfig-mls/staff_u_default_contexts +++ b/config/appconfig-mls/staff_u_default_contexts @@ -1,7 +1,7 @@ @@ -183,13 +214,13 @@ index 881a292..5606c4e 100644 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts new file mode 100644 -index 0000000..ff32acc +index 000000000..ff32accd1 --- /dev/null +++ b/config/appconfig-mls/systemd_contexts @@ -0,0 +1 @@ +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts -index cacbc93..56d6071 100644 +index cacbc939f..56d6071c2 100644 --- a/config/appconfig-mls/user_u_default_contexts +++ b/config/appconfig-mls/user_u_default_contexts @@ -1,7 +1,7 @@ @@ -202,7 +233,7 @@ index cacbc93..56d6071 100644 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts -index 64a0a90..25ee341 100644 +index 64a0a90c3..25ee341c1 100644 --- a/config/appconfig-standard/default_contexts +++ b/config/appconfig-standard/default_contexts @@ -1,4 +1,4 @@ @@ -213,13 +244,13 @@ index 64a0a90..25ee341 100644 system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t diff --git a/config/appconfig-standard/openssh_contexts b/config/appconfig-standard/openssh_contexts new file mode 100644 -index 0000000..6de0b01 +index 000000000..6de0b016d --- /dev/null +++ b/config/appconfig-standard/openssh_contexts @@ -0,0 +1 @@ +privsep_preauth=sshd_net_t diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts -index c2a5ea8..300694c 100644 +index c2a5ea871..300694ce8 100644 --- a/config/appconfig-standard/staff_u_default_contexts +++ b/config/appconfig-standard/staff_u_default_contexts @@ -1,7 +1,7 @@ @@ -233,7 +264,7 @@ index c2a5ea8..300694c 100644 staff_r:staff_sudo_t staff_r:staff_t diff --git a/config/appconfig-standard/sysadm_u_default_contexts b/config/appconfig-standard/sysadm_u_default_contexts new file mode 100644 -index 0000000..b8fda95 +index 000000000..b8fda9543 --- /dev/null +++ b/config/appconfig-standard/sysadm_u_default_contexts @@ -0,0 +1,12 @@ @@ -251,13 +282,13 @@ index 0000000..b8fda95 + 
diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts new file mode 100644 -index 0000000..ff32acc +index 000000000..ff32accd1 --- /dev/null +++ b/config/appconfig-standard/systemd_contexts @@ -0,0 +1 @@ +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts -index f5bfac3..63b7eec 100644 +index f5bfac34a..63b7eecd1 100644 --- a/config/appconfig-standard/user_u_default_contexts +++ b/config/appconfig-standard/user_u_default_contexts @@ -1,7 +1,7 @@ @@ -270,7 +301,7 @@ index f5bfac3..63b7eec 100644 user_r:user_su_t user_r:user_t user_r:user_sudo_t user_r:user_t diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context -index c049e10..150f281 100644 +index c049e104b..150f281d1 100644 --- a/config/appconfig-standard/virtual_domain_context +++ b/config/appconfig-standard/virtual_domain_context @@ -1 +1,2 @@ @@ -278,7 +309,7 @@ index c049e10..150f281 100644 +system_u:system_r:svirt_t:s0 +system_u:system_r:svirt_tcg_t:s0 diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist -index d392dec..4565e9b 100644 +index d392decfe..4565e9b87 100644 --- a/config/file_contexts.subs_dist +++ b/config/file_contexts.subs_dist @@ -19,3 +19,4 @@ @@ -288,7 +319,7 @@ index d392dec..4565e9b 100644 +/sbin /usr/sbin diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8 deleted file mode 100644 -index 5bebd82..0000000 +index 5bebd82d4..000000000 --- a/man/man8/ftpd_selinux.8 +++ /dev/null @@ -1,65 +0,0 @@ @@ -359,7 +390,7 @@ index 5bebd82..0000000 -selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8 deleted file mode 100644 -index e9c43b1..0000000 +index e9c43b190..000000000 --- a/man/man8/git_selinux.8 +++ /dev/null @@ -1,109 +0,0 @@ 
@@ -474,7 +505,7 @@ index e9c43b1..0000000 -selinux(8), git(8), chcon(1), semodule(8), setsebool(8) diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 deleted file mode 100644 -index 16e8b13..0000000 +index 16e8b1323..000000000 --- a/man/man8/httpd_selinux.8 +++ /dev/null @@ -1,120 +0,0 @@ @@ -600,7 +631,7 @@ index 16e8b13..0000000 - diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8 deleted file mode 100644 -index a8f81c8..0000000 +index a8f81c8e7..000000000 --- a/man/man8/kerberos_selinux.8 +++ /dev/null @@ -1,28 +0,0 @@ @@ -634,7 +665,7 @@ index a8f81c8..0000000 -selinux(8), kerberos(1), chcon(1), setsebool(8) diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 deleted file mode 100644 -index fce0b48..0000000 +index fce0b4815..000000000 --- a/man/man8/named_selinux.8 +++ /dev/null @@ -1,30 +0,0 @@ @@ -670,7 +701,7 @@ index fce0b48..0000000 - diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8 deleted file mode 100644 -index 8e30c4c..0000000 +index 8e30c4c65..000000000 --- a/man/man8/nfs_selinux.8 +++ /dev/null @@ -1,31 +0,0 @@ @@ -707,14 +738,14 @@ index 8e30c4c..0000000 -selinux(8), chcon(1), setsebool(8) diff --git a/man/man8/nis_selinux.8 b/man/man8/nis_selinux.8 deleted file mode 100644 -index 6271c95..0000000 +index 6271c951f..000000000 --- a/man/man8/nis_selinux.8 +++ /dev/null @@ -1 +0,0 @@ -.so man8/ypbind_selinux.8 diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8 deleted file mode 100644 -index ad9ccf5..0000000 +index ad9ccf5cd..000000000 --- a/man/man8/rsync_selinux.8 +++ /dev/null @@ -1,52 +0,0 @@ @@ -772,7 +803,7 @@ index ad9ccf5..0000000 -selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8) diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8 deleted file mode 100644 -index ca702c7..0000000 +index ca702c799..000000000 --- a/man/man8/samba_selinux.8 +++ /dev/null @@ -1,56 +0,0 @@ 
@@ -834,7 +865,7 @@ index ca702c7..0000000 -selinux(8), samba(7), chcon(1), setsebool(8), semanage(8) diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8 deleted file mode 100644 -index 5061a5f..0000000 +index 5061a5f04..000000000 --- a/man/man8/ypbind_selinux.8 +++ /dev/null @@ -1,19 +0,0 @@ @@ -858,7 +889,7 @@ index 5061a5f..0000000 -.SH "SEE ALSO" -selinux(8), ypbind(8), chcon(1), setsebool(8) diff --git a/policy/constraints b/policy/constraints -index 3a45f23..ee7d7b3 100644 +index 3a45f236b..ee7d7b392 100644 --- a/policy/constraints +++ b/policy/constraints @@ -105,6 +105,18 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh } @@ -896,7 +927,7 @@ index 3a45f23..ee7d7b3 100644 constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..536babe 100644 +index a94b16980..1c258d804 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -20,6 +20,7 @@ common file @@ -1124,7 +1155,23 @@ index a94b169..536babe 100644 class x_pointer inherits x_device -@@ -865,3 +931,28 @@ inherits database +@@ -859,9 +925,44 @@ inherits database + set_value + } + ++class infiniband_pkey ++{ ++ access ++} ++ ++class infiniband_endport ++{ ++ manage_subnet ++} ++ + class db_language + inherits database + { implement execute } @@ -1154,10 +1201,10 @@ index a94b169..536babe 100644 +class cap2_userns +inherits cap2 diff --git a/policy/flask/security_classes b/policy/flask/security_classes -index 14a4799..3bd5d69 100644 +index 14a479911..1ffbfa3e8 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes -@@ -121,6 +121,18 @@ class kernel_service +@@ -121,14 +121,43 @@ class kernel_service class tun_socket 
@@ -1176,7 +1223,14 @@ index 14a4799..3bd5d69 100644 # Still More SE-X Windows stuff class x_pointer # userspace class x_keyboard # userspace -@@ -131,4 +143,17 @@ class db_view # userspace + ++# Infiniband ++class infiniband_pkey ++class infiniband_endport ++ + # More Database stuff + class db_schema # userspace + class db_view # userspace class db_sequence # userspace class db_language # userspace @@ -1195,7 +1249,7 @@ index 14a4799..3bd5d69 100644 + # FLASK diff --git a/policy/global_booleans b/policy/global_booleans -index 66e85ea..d02654d 100644 +index 66e85ea54..d02654d7f 100644 --- a/policy/global_booleans +++ b/policy/global_booleans @@ -6,7 +6,7 @@ @@ -1208,7 +1262,7 @@ index 66e85ea..d02654d 100644 ## user domains. ##

diff --git a/policy/global_tunables b/policy/global_tunables -index 4705ab6..b82865c 100644 +index 4705ab618..b82865c43 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -6,52 +6,59 @@ @@ -1339,7 +1393,7 @@ index 4705ab6..b82865c 100644 +## +gen_tunable(mount_anyfile, false) diff --git a/policy/mcs b/policy/mcs -index 216b3d1..064ec83 100644 +index 216b3d125..064ec83b6 100644 --- a/policy/mcs +++ b/policy/mcs @@ -1,4 +1,6 @@ @@ -1461,7 +1515,7 @@ index 216b3d1..064ec83 100644 + ') dnl end enable_mcs diff --git a/policy/mls b/policy/mls -index f11e5e2..c67dbb9 100644 +index f11e5e2b7..c67dbb976 100644 --- a/policy/mls +++ b/policy/mls @@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } @@ -1565,7 +1619,7 @@ index f11e5e2..c67dbb9 100644 (( l1 eq l2 ) or (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc -index 2626ebf..5745bb2 100644 +index 2626ebf95..5745bb240 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -1,11 +1,16 @@ @@ -1593,7 +1647,7 @@ index 2626ebf..5745bb2 100644 -/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if -index cc8df9d..90467f3 100644 +index cc8df9d7d..90467f3af 100644 --- a/policy/modules/admin/bootloader.if +++ b/policy/modules/admin/bootloader.if @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',` @@ -1737,7 +1791,7 @@ index cc8df9d..90467f3 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index 0fd5c5f..a14addb 100644 +index 0fd5c5f2e..a14addb41 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te 
@@ -20,13 +20,20 @@ type bootloader_t; @@ -1908,7 +1962,7 @@ index 0fd5c5f..a14addb 100644 + udev_read_pid_files(bootloader_t) ') diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc -index b7f053b..5d4fc31 100644 +index b7f053bf6..5d4fc3188 100644 --- a/policy/modules/admin/consoletype.fc +++ b/policy/modules/admin/consoletype.fc @@ -1,2 +1,4 @@ @@ -1917,7 +1971,7 @@ index b7f053b..5d4fc31 100644 + +/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if -index 0f57d3b..655d07f 100644 +index 0f57d3bc0..655d07f01 100644 --- a/policy/modules/admin/consoletype.if +++ b/policy/modules/admin/consoletype.if @@ -19,10 +19,6 @@ interface(`consoletype_domtrans',` @@ -1932,7 +1986,7 @@ index 0f57d3b..655d07f 100644 ######################################## diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te -index cd5e005..247259a 100644 +index cd5e005ce..247259ac4 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0) @@ -1996,7 +2050,7 @@ index cd5e005..247259a 100644 optional_policy(` diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc -index d6cc2d9..0685b19 100644 +index d6cc2d970..0685b190d 100644 --- a/policy/modules/admin/dmesg.fc +++ b/policy/modules/admin/dmesg.fc @@ -1,2 +1,4 @@ @@ -2005,7 +2059,7 @@ index d6cc2d9..0685b19 100644 + +/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te -index 72bc6d8..bb4a6f0 100644 +index 72bc6d815..bb4a6f0d7 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -9,6 +9,10 @@ type dmesg_t; @@ -2056,7 +2110,7 @@ index 72bc6d8..bb4a6f0 100644 optional_policy(` seutil_sigchld_newrole(dmesg_t) 
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc -index 407078f..1a09bea 100644 +index 407078f4b..1a09bead7 100644 --- a/policy/modules/admin/netutils.fc +++ b/policy/modules/admin/netutils.fc @@ -1,15 +1,22 @@ @@ -2085,7 +2139,7 @@ index 407078f..1a09bea 100644 /usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if -index c6ca761..0c86bfd 100644 +index c6ca761c9..0c86bfd54 100644 --- a/policy/modules/admin/netutils.if +++ b/policy/modules/admin/netutils.if @@ -42,6 +42,7 @@ interface(`netutils_run',` @@ -2147,7 +2201,7 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c359..5038ed0 100644 +index c44c3592a..5038ed0d5 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -2349,7 +2403,7 @@ index c44c359..5038ed0 100644 + term_dontaudit_use_all_ptys(traceroute_t) +') diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc -index 688abc2..3d89250 100644 +index 688abc2ae..3d89250a6 100644 --- a/policy/modules/admin/su.fc +++ b/policy/modules/admin/su.fc @@ -3,3 +3,4 @@ @@ -2358,7 +2412,7 @@ index 688abc2..3d89250 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..1e3ace4 100644 +index 03ec5cafe..1e3ace4cf 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -41,13 +41,14 @@ template(`su_restricted_domain_template', ` @@ -2554,7 +2608,7 @@ index 03ec5ca..1e3ace4 100644 ####################################### 
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te -index 85bb77e..a430233 100644 +index 85bb77e05..a4302332a 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -9,3 +9,82 @@ attribute su_domain_type; @@ -2641,7 +2695,7 @@ index 85bb77e..a430233 100644 + xserver_domtrans_xauth(su_domain_type) +') diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc -index 7bddc02..2b59ed0 100644 +index 7bddc02a4..2b59ed0a0 100644 --- a/policy/modules/admin/sudo.fc +++ b/policy/modules/admin/sudo.fc @@ -1,2 +1,4 @@ @@ -2650,7 +2704,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 0960199..2e75ec7 100644 +index 096019932..2e75ec7de 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -2835,7 +2889,7 @@ index 0960199..2e75ec7 100644 + manage_files_pattern($1, sudo_db_t, sudo_db_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..174f893 100644 +index d9fce57ab..174f89336 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -7,3 +7,111 @@ attribute sudodomain; @@ -2951,7 +3005,7 @@ index d9fce57..174f893 100644 + fprintd_dbus_chat(sudodomain) +') diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc -index f82f0ce..7b8915d 100644 +index f82f0ce0a..7b8915d47 100644 --- a/policy/modules/admin/usermanage.fc +++ b/policy/modules/admin/usermanage.fc @@ -20,6 +20,7 @@ ifdef(`distro_gentoo',` @@ -2971,7 +3025,7 @@ index f82f0ce..7b8915d 100644 /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 99e3903..fa68362 100644 +index 99e3903ea..fa68362ea 100644 --- a/policy/modules/admin/usermanage.if 
+++ b/policy/modules/admin/usermanage.if @@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',` @@ -3128,7 +3182,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..121ace8 100644 +index 1d732f1e7..121ace88e 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3611,7 +3665,7 @@ index 1d732f1..121ace8 100644 + stapserver_manage_lib(useradd_t) +') diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if -index 1dc7a85..e4f6fc2 100644 +index 1dc7a85d3..e4f6fc227 100644 --- a/policy/modules/apps/seunshare.if +++ b/policy/modules/apps/seunshare.if @@ -43,18 +43,18 @@ interface(`seunshare_run',` @@ -3695,7 +3749,7 @@ index 1dc7a85..e4f6fc2 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..f50f799 100644 +index 759016583..f50f79935 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te @@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0) @@ -3785,7 +3839,7 @@ index 7590165..f50f799 100644 + fs_mounton_fusefs(seunshare_domain) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8d..1b07806 100644 +index 33e0f8dad..1b078065a 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -4171,7 +4225,7 @@ index 33e0f8d..1b07806 100644 +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..cb42593 100644 +index 9e9263a68..cb425934b 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -8,6 +8,22 @@ 
@@ -4481,7 +4535,7 @@ index 9e9263a..cb42593 100644 + filetrans_pattern($1, bin_t, $2, $3, $4) +') diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te -index 20c76cf..cc63dcc 100644 +index 20c76cff9..cc63dcc9c 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -13,7 +13,8 @@ attribute exec_type; @@ -4503,7 +4557,7 @@ index 20c76cf..cc63dcc 100644 type chroot_exec_t; diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc -index f9b25c1..9af1f7a 100644 +index f9b25c12f..9af1f7a61 100644 --- a/policy/modules/kernel/corenetwork.fc +++ b/policy/modules/kernel/corenetwork.fc @@ -8,3 +8,6 @@ @@ -4514,7 +4568,7 @@ index f9b25c1..9af1f7a 100644 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 07126bd..04cf2da 100644 +index 07126bdcc..379aac1bb 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',` @@ -5152,18 +5206,10 @@ index 07126bd..04cf2da 100644 ## Bind TCP sockets to all reserved ports. ## ## -@@ -1785,31 +2176,284 @@ interface(`corenet_tcp_bind_all_reserved_ports',` - attribute reserved_port_type; - ') +@@ -1791,6 +2182,24 @@ interface(`corenet_tcp_bind_all_reserved_ports',` -- allow $1 reserved_port_type:tcp_socket name_bind; -- allow $1 self:capability net_bind_service; -+ allow $1 reserved_port_type:tcp_socket name_bind; -+ allow $1 self:capability net_bind_service; -+') -+ -+######################################## -+## + ######################################## + ## +## Do not audit attempts to bind DCCP sockets to all reserved ports. +## +## 
@@ -5182,25 +5228,39 @@ index 07126bd..04cf2da 100644 + +######################################## +## -+## Do not audit attempts to bind TCP sockets to all reserved ports. + ## Do not audit attempts to bind TCP sockets to all reserved ports. + ## + ## +@@ -1846,6 +2255,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` + + ######################################## + ## ++## Bind DCCP sockets to all ports > 1024. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` ++interface(`corenet_dccp_bind_all_unreserved_ports',` + gen_require(` -+ attribute reserved_port_type; ++ attribute unreserved_port_type; + ') + -+ dontaudit $1 reserved_port_type:tcp_socket name_bind; ++ allow $1 unreserved_port_type:dccp_socket name_bind; +') + +######################################## +## -+## Bind UDP sockets to all reserved ports. + ## Bind TCP sockets to all ports > 1024. + ## + ## +@@ -1864,6 +2291,24 @@ interface(`corenet_tcp_bind_all_unreserved_ports',` + + ######################################## + ## ++## Bind TCP sockets to all ports > 1024. +## +## +## 
@@ -5208,36 +5268,42 @@ index 07126bd..04cf2da 100644 +## +## +# -+interface(`corenet_udp_bind_all_reserved_ports',` ++interface(`corenet_tcp_bind_unreserved_ports',` + gen_require(` -+ attribute reserved_port_type; ++ attribute unreserved_port_type; + ') + -+ allow $1 reserved_port_type:udp_socket name_bind; -+ allow $1 self:capability net_bind_service; ++ allow $1 unreserved_port_type:tcp_socket name_bind; +') + +######################################## +## -+## Do not audit attempts to bind UDP sockets to all reserved ports. + ## Bind UDP sockets to all ports > 1024. + ## + ## +@@ -1882,6 +2327,60 @@ interface(`corenet_udp_bind_all_unreserved_ports',` + + ######################################## + ## ++## Bind TCP sockets to all ports > 32768. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` ++interface(`corenet_tcp_bind_all_ephemeral_ports',` + gen_require(` -+ attribute reserved_port_type; ++ attribute ephemeral_port_type; + ') + -+ dontaudit $1 reserved_port_type:udp_socket name_bind; ++ allow $1 ephemeral_port_type:tcp_socket name_bind; +') + +######################################## +## -+## Bind DCCP sockets to all ports > 1024. ++## Bind UDP sockets to all ports > 32768. +## +## +## @@ -5245,17 +5311,17 @@ index 07126bd..04cf2da 100644 +## +## +# -+interface(`corenet_dccp_bind_all_unreserved_ports',` ++interface(`corenet_udp_bind_all_ephemeral_ports',` + gen_require(` -+ attribute unreserved_port_type; ++ attribute ephemeral_port_type; + ') + -+ allow $1 unreserved_port_type:dccp_socket name_bind; ++ allow $1 ephemeral_port_type:udp_socket name_bind; +') + +######################################## +## -+## Bind TCP sockets to all ports > 1024. ++## Connect DCCP sockets to reserved ports. +## +## +## 
@@ -5263,17 +5329,24 @@ index 07126bd..04cf2da 100644 +## +## +# -+interface(`corenet_tcp_bind_all_unreserved_ports',` ++interface(`corenet_dccp_connect_all_reserved_ports',` + gen_require(` -+ attribute unreserved_port_type; ++ attribute reserved_port_type; + ') + -+ allow $1 unreserved_port_type:tcp_socket name_bind; ++ allow $1 reserved_port_type:dccp_socket name_connect; +') + +######################################## +## -+## Bind TCP sockets to all ports > 1024. + ## Connect TCP sockets to reserved ports. + ## + ## +@@ -1900,6 +2399,42 @@ interface(`corenet_tcp_connect_all_reserved_ports',` + + ######################################## + ## ++## Connect DCCP sockets to all ports > 1024. +## +## +## @@ -5281,35 +5354,42 @@ index 07126bd..04cf2da 100644 +## +## +# -+interface(`corenet_tcp_bind_unreserved_ports',` ++interface(`corenet_dccp_connect_all_unreserved_ports',` + gen_require(` + attribute unreserved_port_type; + ') + -+ allow $1 unreserved_port_type:tcp_socket name_bind; ++ allow $1 unreserved_port_type:dccp_socket name_connect; +') + -+######################################## ++####################################### +## -+## Bind UDP sockets to all ports > 1024. ++## Connect TCP sockets to ports > 1024. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`corenet_udp_bind_all_unreserved_ports',` -+ gen_require(` -+ attribute unreserved_port_type; -+ ') ++interface(`corenet_tcp_connect_unreserved_ports',` ++ gen_require(` ++ type unreserved_port_t; ++ ') + -+ allow $1 unreserved_port_type:udp_socket name_bind; ++ allow $1 unreserved_port_t:tcp_socket name_connect; +') + +######################################## +## -+## Bind TCP sockets to all ports > 32768. + ## Connect TCP sockets to all ports > 1024. + ## + ## +@@ -1918,6 +2453,43 @@ interface(`corenet_tcp_connect_all_unreserved_ports',` + + ######################################## + ## ++## Connect TCP sockets to all ports > 32768. +## +## +## 
@@ -5317,35 +5397,43 @@ index 07126bd..04cf2da 100644 +## +## +# -+interface(`corenet_tcp_bind_all_ephemeral_ports',` ++interface(`corenet_tcp_connect_all_ephemeral_ports',` + gen_require(` + attribute ephemeral_port_type; + ') + -+ allow $1 ephemeral_port_type:tcp_socket name_bind; ++ allow $1 ephemeral_port_type:tcp_socket name_connect; +') + +######################################## +## -+## Bind UDP sockets to all ports > 32768. ++## Do not audit attempts to connect DCCP sockets ++## all reserved ports. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`corenet_udp_bind_all_ephemeral_ports',` ++interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',` + gen_require(` -+ attribute ephemeral_port_type; ++ attribute reserved_port_type; + ') + -+ allow $1 ephemeral_port_type:udp_socket name_bind; ++ dontaudit $1 reserved_port_type:dccp_socket name_connect; +') + +######################################## +## -+## Connect DCCP sockets to reserved ports. + ## Do not audit attempts to connect TCP sockets + ## all reserved ports. + ## +@@ -1937,6 +2509,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` + + ######################################## + ## ++## Connect DCCP sockets to rpc ports. +## +## +## 
@@ -5353,348 +5441,147 @@ index 07126bd..04cf2da 100644 +## +## +# -+interface(`corenet_dccp_connect_all_reserved_ports',` ++interface(`corenet_dccp_connect_all_rpc_ports',` + gen_require(` -+ attribute reserved_port_type; ++ attribute rpc_port_type; + ') + -+ allow $1 reserved_port_type:dccp_socket name_connect; ++ allow $1 rpc_port_type:dccp_socket name_connect; +') + +######################################## +## -+## Connect TCP sockets to reserved ports. + ## Connect TCP sockets to rpc ports. + ## + ## +@@ -1955,6 +2545,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',` + + ######################################## + ## ++## Do not audit attempts to connect DCCP sockets ++## all rpc ports. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`corenet_tcp_connect_all_reserved_ports',` ++interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',` + gen_require(` -+ attribute reserved_port_type; ++ attribute rpc_port_type; + ') + -+ allow $1 reserved_port_type:tcp_socket name_connect; ++ dontaudit $1 rpc_port_type:dccp_socket name_connect; +') + +######################################## +## -+## Connect DCCP sockets to all ports > 1024. + ## Do not audit attempts to connect TCP sockets + ## all rpc ports. + ## +@@ -1993,6 +2602,42 @@ interface(`corenet_rw_tun_tap_dev',` + + ######################################## + ## ++## Relabel to and from the TUN/TAP virtual network device. +## +## +## -+## Domain allowed access. ++## The domain allowed access. +## +## +# -+interface(`corenet_dccp_connect_all_unreserved_ports',` ++interface(`corenet_relabel_tun_tap_dev',` + gen_require(` -+ attribute unreserved_port_type; ++ type tun_tap_device_t; + ') + -+ allow $1 unreserved_port_type:dccp_socket name_connect; ++ relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t) +') + -+####################################### ++######################################## +## -+## Connect TCP sockets to ports > 1024. 
++## Read and write inherited TUN/TAP virtual network device. +## +## -+## -+## Domain allowed access. -+## ++## ++## The domain allowed access. ++## +## +# -+interface(`corenet_tcp_connect_unreserved_ports',` -+ gen_require(` -+ type unreserved_port_t; -+ ') ++interface(`corenet_rw_inherited_tun_tap_dev',` ++ gen_require(` ++ type tun_tap_device_t; ++ ') + -+ allow $1 unreserved_port_t:tcp_socket name_connect; - ') - - ######################################## - ## --## Do not audit attempts to bind TCP sockets to all reserved ports. -+## Connect TCP sockets to all ports > 1024. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` -+interface(`corenet_tcp_connect_all_unreserved_ports',` - gen_require(` -- attribute reserved_port_type; -+ attribute unreserved_port_type; - ') - -- dontaudit $1 reserved_port_type:tcp_socket name_bind; -+ allow $1 unreserved_port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Bind UDP sockets to all reserved ports. -+## Connect TCP sockets to all ports > 32768. - ## - ## - ## -@@ -1817,18 +2461,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` - ## - ## - # --interface(`corenet_udp_bind_all_reserved_ports',` -+interface(`corenet_tcp_connect_all_ephemeral_ports',` - gen_require(` -- attribute reserved_port_type; -+ attribute ephemeral_port_type; - ') - -- allow $1 reserved_port_type:udp_socket name_bind; -- allow $1 self:capability net_bind_service; -+ allow $1 ephemeral_port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Do not audit attempts to bind UDP sockets to all reserved ports. -+## Do not audit attempts to connect DCCP sockets -+## all reserved ports. 
- ## - ## - ## -@@ -1836,35 +2480,36 @@ interface(`corenet_udp_bind_all_reserved_ports',` - ## - ## - # --interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` -+interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - -- dontaudit $1 reserved_port_type:udp_socket name_bind; -+ dontaudit $1 reserved_port_type:dccp_socket name_connect; - ') - - ######################################## - ## --## Bind TCP sockets to all ports > 1024. -+## Do not audit attempts to connect TCP sockets -+## all reserved ports. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`corenet_tcp_bind_all_unreserved_ports',` -+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` - gen_require(` -- attribute unreserved_port_type; -+ attribute reserved_port_type; - ') - -- allow $1 unreserved_port_type:tcp_socket name_bind; -+ dontaudit $1 reserved_port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Bind UDP sockets to all ports > 1024. -+## Connect DCCP sockets to rpc ports. - ## - ## - ## -@@ -1872,17 +2517,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',` - ## - ## - # --interface(`corenet_udp_bind_all_unreserved_ports',` -+interface(`corenet_dccp_connect_all_rpc_ports',` - gen_require(` -- attribute unreserved_port_type; -+ attribute rpc_port_type; - ') - -- allow $1 unreserved_port_type:udp_socket name_bind; -+ allow $1 rpc_port_type:dccp_socket name_connect; - ') - - ######################################## - ## --## Connect TCP sockets to reserved ports. -+## Connect TCP sockets to rpc ports. 
- ## - ## - ## -@@ -1890,36 +2535,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',` - ## - ## - # --interface(`corenet_tcp_connect_all_reserved_ports',` -+interface(`corenet_tcp_connect_all_rpc_ports',` - gen_require(` -- attribute reserved_port_type; -+ attribute rpc_port_type; - ') - -- allow $1 reserved_port_type:tcp_socket name_connect; -+ allow $1 rpc_port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Connect TCP sockets to all ports > 1024. -+## Do not audit attempts to connect DCCP sockets -+## all rpc ports. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`corenet_tcp_connect_all_unreserved_ports',` -+interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',` - gen_require(` -- attribute unreserved_port_type; -+ attribute rpc_port_type; - ') - -- allow $1 unreserved_port_type:tcp_socket name_connect; -+ dontaudit $1 rpc_port_type:dccp_socket name_connect; - ') - - ######################################## - ## - ## Do not audit attempts to connect TCP sockets --## all reserved ports. -+## all rpc ports. ++ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to read or write the TUN/TAP + ## virtual network device. ## - ## - ## -@@ -1927,54 +2573,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',` +@@ -2020,31 +2665,50 @@ interface(`corenet_dontaudit_rw_tun_tap_dev',` ## ## # --interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` -+interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` - gen_require(` -- attribute reserved_port_type; -+ attribute rpc_port_type; - ') - -- dontaudit $1 reserved_port_type:tcp_socket name_connect; -+ dontaudit $1 rpc_port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Connect TCP sockets to rpc ports. -+## Read and write the TUN/TAP virtual network device. 
- ## - ## - ## --## Domain allowed access. +-interface(`corenet_getattr_ppp_dev',` ++interface(`corenet_getattr_ppp_dev',` ++ gen_require(` ++ type ppp_device_t; ++ ') ++ ++ allow $1 ppp_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Read and write the point-to-point device. ++## ++## ++## +## The domain allowed access. - ## - ## - # --interface(`corenet_tcp_connect_all_rpc_ports',` -+interface(`corenet_rw_tun_tap_dev',` ++## ++## ++# ++interface(`corenet_rw_ppp_dev',` gen_require(` -- attribute rpc_port_type; -+ type tun_tap_device_t; + type ppp_device_t; ') -- allow $1 rpc_port_type:tcp_socket name_connect; +- allow $1 ppp_device_t:chr_file getattr; + dev_list_all_dev_nodes($1) -+ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; ++ allow $1 ppp_device_t:chr_file rw_chr_file_perms; ') ######################################## ## --## Do not audit attempts to connect TCP sockets --## all rpc ports. -+## Relabel to and from the TUN/TAP virtual network device. - ## - ## - ## --## Domain to not audit. -+## The domain allowed access. - ## - ## - # --interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` -+interface(`corenet_relabel_tun_tap_dev',` - gen_require(` -- attribute rpc_port_type; -+ type tun_tap_device_t; - ') - -- dontaudit $1 rpc_port_type:tcp_socket name_connect; -+ relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t) - ') - - ######################################## - ## --## Read and write the TUN/TAP virtual network device. -+## Read and write inherited TUN/TAP virtual network device. +-## Read and write the point-to-point device. ++## Bind DCCP sockets to all RPC ports. ## ## ## -@@ -1982,13 +2628,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` +-## The domain allowed access. ++## Domain allowed access. 
## ## # --interface(`corenet_rw_tun_tap_dev',` -+interface(`corenet_rw_inherited_tun_tap_dev',` +-interface(`corenet_rw_ppp_dev',` ++interface(`corenet_dccp_bind_all_rpc_ports',` gen_require(` - type tun_tap_device_t; +- type ppp_device_t; ++ attribute rpc_port_type; ') - dev_list_all_dev_nodes($1) -- allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; -+ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms; +- allow $1 ppp_device_t:chr_file rw_chr_file_perms; ++ allow $1 rpc_port_type:dccp_socket name_bind; ++ allow $1 self:capability net_bind_service; ') ######################################## -@@ -2049,6 +2694,25 @@ interface(`corenet_rw_ppp_dev',` - - ######################################## - ## -+## Bind DCCP sockets to all RPC ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_bind_all_rpc_ports',` -+ gen_require(` -+ attribute rpc_port_type; -+ ') -+ -+ allow $1 rpc_port_type:dccp_socket name_bind; -+ allow $1 self:capability net_bind_service; -+') -+ -+######################################## -+## - ## Bind TCP sockets to all RPC ports. - ## - ## @@ -2068,6 +2732,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` ######################################## @@ -5939,7 +5826,7 @@ index 07126bd..04cf2da 100644 corenet_tcp_recvfrom_labeled($1, $2) corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) -@@ -3134,3 +3929,70 @@ interface(`corenet_unconfined',` +@@ -3134,3 +3929,188 @@ interface(`corenet_unconfined',` typeattribute $1 corenet_unconfined_type; ') @@ -6010,8 +5897,126 @@ index 07126bd..04cf2da 100644 + dev_filetrans($1, tun_tap_device_t, chr_file, "tap29") + dev_filetrans($1, ppp_device_t, chr_file, "ppp") +') ++ ++######################################## ++## ++## Define type to be an infiniband pkey type ++## ++## ++##

++## Define type to be an infiniband pkey type ++##

++##

++## This is for supporting third party modules and its ++## use is not allowed in upstream reference policy. ++##

++##
++## ++## ++## Type to be used for infiniband pkeys. ++## ++## ++# ++interface(`corenet_ib_pkey',` ++ gen_require(` ++ attribute ibpkey_type; ++ ') ++ ++ typeattribute $1 ibpkey_type; ++') ++ ++######################################## ++## ++## Access unlabeled infiniband pkeys. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_ib_access_unlabeled_pkeys',` ++ kernel_ib_access_unlabeled_pkeys($1) ++') ++ ++######################################## ++## ++## Access all labeled infiniband pkeys. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_ib_access_all_pkeys',` ++ gen_require(` ++ attribute ibpkey_type; ++ ') ++ ++ allow $1 ibpkey_type:infiniband_pkey access; ++') ++ ++######################################## ++## ++## Define type to be an infiniband endport ++## ++## ++##

++## Define type to be an infiniband endport ++##

++##

++## This is for supporting third party modules and its ++## use is not allowed in upstream reference policy. ++##

++##
++## ++## ++## Type to be used for infiniband endports. ++## ++## ++# ++interface(`corenet_ib_endport',` ++ gen_require(` ++ attribute ibendport_type; ++ ') ++ ++ typeattribute $1 ibendport_type; ++') ++ ++######################################## ++## ++## Manage subnets on all labeled Infiniband endports ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_ib_manage_subnet_all_endports',` ++ gen_require(` ++ attribute ibendport_type; ++ ') ++ ++ allow $1 ibendport_type:infiniband_endport manage_subnet; ++') ++ ++######################################## ++## ++## Manage subnet on all unlabeled Infiniband endports ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_ib_manage_subnet_unlabeled_endports',` ++ kernel_ib_manage_subnet_unlabeled_endports($1) ++') diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4 -index 8e0f9cd..b9f45b9 100644 +index 8e0f9cd14..2fe34db47 100644 --- a/policy/modules/kernel/corenetwork.if.m4 +++ b/policy/modules/kernel/corenetwork.if.m4 @@ -631,6 +631,26 @@ interface(`corenet_udp_bind_$1_port',` 
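Review bot: The summaries of `corenet_ib_access_all_pkeys` and `corenet_ib_manage_subnet_all_endports` do not say that the rule applies to every type carrying `ibpkey_type` or `ibendport_type`. A caller therefore gets no hint that the per-name interfaces generated in corenetwork.if.m4 (`corenet_ib_access_$1_pkey`, `corenet_ib_manage_subnet_$1_endport`) are the narrower choice. I would extend the summary, for example `## Access all labeled infiniband pkeys; confined domains should prefer corenet_ib_access_<name>_pkey.`, and do the same for the endport interface. The new summaries also mix `infiniband` and `Infiniband`, and only some end with a period, which is worth normalising in the same pass.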
@@ -6065,8 +6070,83 @@ index 8e0f9cd..b9f45b9 100644 '') dnl end create_port_interfaces define(`create_packet_interfaces',`` +@@ -776,6 +813,48 @@ interface(`corenet_relabelto_$1_packets',` + ') + '') dnl end create_port_interfaces + ++define(`create_ibpkey_interfaces',`` ++######################################## ++## ++## Access the infiniband fabric on the $1 ibpkey. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_ib_access_$1_pkey',` ++ gen_require(` ++ $3 $1_$2; ++ ') ++ ++ allow dollarsone $1_$2:infiniband_pkey access; ++') ++'') dnl end create_ibpkey_interfaces ++ ++define(`create_ibendport_interfaces',`` ++######################################## ++## ++## Manage the subnet on $1 ibendport. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_ib_manage_subnet_$1_endport',` ++ gen_require(` ++ $3 $1_$2; ++ ') ++ ++ allow dollarsone $1_$2:infiniband_endport manage_subnet; ++') ++'') dnl end create_ibendport_interfaces ++ + # + # create_netif_*_interfaces(linux_interfacename) + # +@@ -851,3 +930,25 @@ define(`network_packet',` + create_packet_interfaces($1_client) + create_packet_interfaces($1_server) + ') ++ ++# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity) ++# (these wrap create_port_interfaces to handle attributes and types) ++define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))') ++ ++# ++# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity) ++# ++define(`ib_pkey',` ++create_ibpkey_type_interfaces($*) ++') ++ ++# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity) ++# (these wrap create_port_interfaces to handle attributes and types) ++define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))') ++ ++# ++# ib_endport(name,device_name, portnum mls_sensitivity) ++# ++define(`ib_endport',` 
++create_ibendport_type_interfaces($*) ++') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..61c55fd 100644 +index b191055f9..c3bbc8ea2 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -6077,13 +6157,15 @@ index b191055..61c55fd 100644 attribute client_packet_type; # This is an optimization for { port_type -port_t } attribute defined_port_type; -@@ -14,12 +15,14 @@ attribute node_type; +@@ -14,12 +15,16 @@ attribute node_type; attribute packet_type; attribute port_type; attribute reserved_port_type; +attribute ephemeral_port_type; attribute rpc_port_type; attribute server_packet_type; ++attribute ibpkey_type; ++attribute ibendport_type; # This is an optimization for { port_type -reserved_port_type } attribute unreserved_port_type; @@ -6092,7 +6174,7 @@ index b191055..61c55fd 100644 type ppp_device_t; dev_node(ppp_device_t) -@@ -29,6 +32,7 @@ dev_node(ppp_device_t) +@@ -29,6 +34,7 @@ dev_node(ppp_device_t) # type tun_tap_device_t; dev_node(tun_tap_device_t) @@ -6100,7 +6182,7 @@ index b191055..61c55fd 100644 ######################################## # -@@ -38,6 +42,18 @@ dev_node(tun_tap_device_t) +@@ -38,6 +44,18 @@ dev_node(tun_tap_device_t) # # client_packet_t is the default type of IPv4 and IPv6 client packets. # @@ -6119,7 +6201,7 @@ index b191055..61c55fd 100644 type client_packet_t, packet_type, client_packet_type; # -@@ -46,6 +62,7 @@ type client_packet_t, packet_type, client_packet_type; +@@ -46,6 +64,7 @@ type client_packet_t, packet_type, client_packet_type; # type netlabel_peer_t; sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) 
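Review bot: `create_ibpkey_type_interfaces` and `create_ibendport_type_interfaces` pass `determine_reserved_capability(shift($*))` as a fourth argument that appears to be unused. The bodies of `create_ibpkey_interfaces` and `create_ibendport_interfaces` added earlier in this hunk only reference `$1`, `$2` and `$3`. The macro name suggests a port-number check, which has no obvious meaning for a pkey or endport number. Dropping it, as in `create_ibpkey_interfaces($1,ibpkey_t,type)`, would avoid implying that a capability rule is emitted. The comments above both definitions still read `these wrap create_port_interfaces` and should name `create_ibpkey_interfaces` and `create_ibendport_interfaces` instead.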
@@ -6127,7 +6209,7 @@ index b191055..61c55fd 100644 # # port_t is the default type of INET port numbers. -@@ -59,6 +76,12 @@ sid port gen_context(system_u:object_r:port_t,s0) +@@ -59,6 +78,12 @@ sid port gen_context(system_u:object_r:port_t,s0) type unreserved_port_t, port_type, unreserved_port_type; # @@ -6140,7 +6222,7 @@ index b191055..61c55fd 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -76,63 +99,82 @@ type server_packet_t, packet_type, server_packet_type; +@@ -76,63 +101,82 @@ type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) @@ -6233,7 +6315,7 @@ index b191055..61c55fd 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +182,61 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +184,61 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -6311,7 +6393,7 @@ index b191055..61c55fd 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,101 +244,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,101 +246,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) 
@@ -6462,7 +6544,7 @@ index b191055..61c55fd 100644 network_port(xserver, tcp,6000-6020,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zabbix, tcp,10051,s0) -@@ -288,19 +375,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +377,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -6489,7 +6571,7 @@ index b191055..61c55fd 100644 ######################################## # -@@ -333,6 +424,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +426,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -6498,7 +6580,7 @@ index b191055..61c55fd 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +438,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +440,34 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -6512,6 +6594,12 @@ index b191055..61c55fd 100644 +allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind; +allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind; + ++# Infiniband ++corenet_ib_access_all_pkeys(corenet_unconfined_type) ++corenet_ib_manage_subnet_all_endports(corenet_unconfined_type) ++corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type) ++corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type) ++ +# +# Rules coverning the use of unlabeled types +# @@ -6530,7 +6618,7 @@ index b191055..61c55fd 100644 +typealias neutron_server_packet_t alias quantum_server_packet_t; +typealias neutron_client_packet_t alias quantum_client_packet_t; 
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 -index 3f6e168..340e49f 100644 +index 3f6e16889..abd046c56 100644 --- a/policy/modules/kernel/corenetwork.te.m4 +++ b/policy/modules/kernel/corenetwork.te.m4 @@ -86,6 +86,11 @@ define(`add_port_attribute',`dnl @@ -6553,8 +6641,38 @@ index 3f6e168..340e49f 100644 ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl ') +@@ -111,3 +117,29 @@ define(`network_packet',` + type $1_client_packet_t, packet_type, client_packet_type; + type $1_server_packet_t, packet_type, server_packet_type; + ') ++ ++define(`declare_ibpkeycons',`dnl ++ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4) ++ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl ++') ++ ++# ++# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]]) ++# ++define(`ib_pkey',` ++type $1_ibpkey_t, ibpkey_type; ++ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl ++') ++ ++define(`declare_ibendportcons',`dnl ++ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4) ++ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl ++') ++ ++# ++# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]]) ++# ++define(`ib_endport',` ++type $1_ibendport_t, ibendport_type; ++ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl ++') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..3ad1127 100644 +index b31c05491..3ad1127cc 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6730,7 +6848,7 @@ index b31c054..3ad1127 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) 
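Review bot: The usage comments above `ib_pkey` and `ib_endport` do not match what `declare_ibpkeycons` and `declare_ibendportcons` consume. Each recursion step emits one statement from `$2 $3 ... $4` and then drops four arguments with `shiftn(4,$*)`, so the macros expect complete triples after the name. The comments read `ib_pkey(nam, ...` and `port_num mls_sensitivity`, with a typo and a missing comma. An incomplete trailing triple would presumably expand into a statement with an empty field, so the comment should state the shape exactly. I would write `# ib_pkey(name, subnet_prefix, pkey_num, mls_sensitivity [, subnet_prefix, pkey_num, mls_sensitivity [,...]])` and the matching form for `ib_endport`.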
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..732931f 100644 +index 76f285ea6..732931f47 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -9841,7 +9959,7 @@ index 76f285e..732931f 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..db382e7 100644 +index 0b1a8715a..db382e7c2 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -10036,7 +10154,7 @@ index 0b1a871..db382e7 100644 +dev_getattr_all(devices_unconfined_type) + diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..4b87be8 100644 +index 6a1e4d156..4b87be8e4 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -10387,7 +10505,7 @@ index 6a1e4d1..4b87be8 100644 + allow $1 domain:process rlimitinh; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..5831355 100644 +index cf04cb509..5831355b0 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,49 @@ policy_module(domain, 1.11.0) @@ -10951,7 +11069,7 @@ index cf04cb5..5831355 100644 + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..2e591a5 100644 +index b876c48ad..2e591a538 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -11222,7 +11340,7 @@ index b876c48..2e591a5 100644 + +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0) 
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..c1b46d8 100644 +index f962f76ad..c1b46d8f3 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -15365,7 +15483,7 @@ index f962f76..c1b46d8 100644 + allow $1 modules_object_t:dir mounton; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 1a03abd..3221f80 100644 +index 1a03abdd7..3221f8018 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.18.1) @@ -15568,7 +15686,7 @@ index 1a03abd..3221f80 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index d7c11a0..f521a50 100644 +index d7c11a0b3..f521a50f8 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -1,23 +1,28 @@ @@ -15611,7 +15729,7 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..b5b7a0a 100644 +index 8416beb43..b5b7a0ae8 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', ` @@ -19645,7 +19763,7 @@ index 8416beb..b5b7a0a 100644 + allow $1 tracefs_t:filesystem unmount; +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..b10afaf 100644 +index e7d173844..b10afaff0 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -26,14 +26,20 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -19844,7 +19962,7 @@ index e7d1738..b10afaf 100644 +allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint; +allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *; 
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc -index 7be4ddf..9710b33 100644 +index 7be4ddf74..9710b3336 100644 --- a/policy/modules/kernel/kernel.fc +++ b/policy/modules/kernel/kernel.fc @@ -1 +1,5 @@ @@ -19855,7 +19973,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..5113b22 100644 +index e100d886b..355a67b18 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -20692,7 +20810,7 @@ index e100d88..5113b22 100644 ## Unconfined access to kernel module resources. ##
## -@@ -2972,5 +3387,649 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3387,685 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -21113,6 +21231,42 @@ index e100d88..5113b22 100644 + +######################################## +## ++## Access unlabeled infiniband pkeys. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_ib_access_unlabeled_pkeys',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:infiniband_pkey access; ++') ++ ++######################################## ++## ++## Manage subnet on unlabeled Infiniband endports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_ib_manage_subnet_unlabeled_endports',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:infiniband_endport manage_subnet; ++') ++ ++######################################## ++## +## Allow caller to read the security state symbolic links. +## +## @@ -21344,7 +21498,7 @@ index e100d88..5113b22 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..a2f0d06 100644 +index 8dbab4c5e..af9ee60b6 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -21472,11 +21626,16 @@ index 8dbab4c..a2f0d06 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +278,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +278,26 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) +corenet_filetrans_all_named_dev(kernel_t) ++ ++corenet_ib_access_all_pkeys(kernel_t) ++corenet_ib_access_unlabeled_pkeys(kernel_t) ++corenet_ib_manage_subnet_all_endports(kernel_t) ++corenet_ib_manage_subnet_unlabeled_endports(kernel_t) dev_read_sysfs(kernel_t) dev_search_usbfs(kernel_t) 
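Review bot: The summary `Access unlabeled infiniband pkeys.` on `kernel_ib_access_unlabeled_pkeys` understates the grant. The rule is `allow $1 unlabeled_t:infiniband_pkey access;`, and as far as I know a pkey with no matching `ibpkeycon` entry is treated as unlabeled, so this can amount to access to every partition the policy has not labeled. The same reasoning applies to `kernel_ib_manage_subnet_unlabeled_endports` and its `manage_subnet` rule. I would state this in the description, for example `## Access infiniband pkeys that have no ibpkeycon label (every pkey unless the policy labels it).`, so callers do not read it as a narrow permission.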
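Review bot: The four `corenet_ib_*` calls added for `kernel_t` carry no comment, while neighbouring network rules in the same block are annotated (`# Kernel-generated traffic e.g., ICMP replies:`). Together they give `kernel_t` `access` on all labeled and unlabeled pkeys and `manage_subnet` on all labeled and unlabeled endports. A one-line rationale would help later audits of this grant, for example `# In-kernel InfiniBand consumers run as kernel_t: pkey access and subnet management`. The reason is inferred rather than shown in the hunk, so the author should confirm the wording.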
@@ -21498,7 +21657,7 @@ index 8dbab4c..a2f0d06 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +301,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +306,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -21508,7 +21667,7 @@ index 8dbab4c..a2f0d06 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,13 +316,23 @@ files_list_root(kernel_t) +@@ -277,13 +321,23 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -21532,7 +21691,7 @@ index 8dbab4c..a2f0d06 100644 ifdef(`distro_redhat',` # Bugzilla 222337 -@@ -291,11 +340,29 @@ ifdef(`distro_redhat',` +@@ -291,11 +345,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -21562,7 +21721,7 @@ index 8dbab4c..a2f0d06 100644 ') optional_policy(` -@@ -305,6 +372,19 @@ optional_policy(` +@@ -305,6 +377,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -21582,7 +21741,7 @@ index 8dbab4c..a2f0d06 100644 ') optional_policy(` -@@ -312,6 +392,11 @@ optional_policy(` +@@ -312,6 +397,11 @@ optional_policy(` ') optional_policy(` @@ -21594,7 +21753,7 @@ index 8dbab4c..a2f0d06 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +417,6 @@ optional_policy(` +@@ -332,9 +422,6 @@ optional_policy(` sysnet_read_config(kernel_t) @@ -21604,7 +21763,7 @@ index 8dbab4c..a2f0d06 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +425,7 @@ optional_policy(` +@@ -343,9 +430,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) 
@@ -21615,7 +21774,7 @@ index 8dbab4c..a2f0d06 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +434,7 @@ optional_policy(` +@@ -354,7 +439,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -21624,7 +21783,7 @@ index 8dbab4c..a2f0d06 100644 ') ') -@@ -364,9 +444,22 @@ optional_policy(` +@@ -364,9 +449,22 @@ optional_policy(` ') optional_policy(` @@ -21647,7 +21806,7 @@ index 8dbab4c..a2f0d06 100644 ######################################## # # Unlabeled process local policy -@@ -388,6 +481,8 @@ optional_policy(` +@@ -388,6 +486,8 @@ optional_policy(` if( ! secure_mode_insmod ) { allow can_load_kernmodule self:capability sys_module; @@ -21656,7 +21815,7 @@ index 8dbab4c..a2f0d06 100644 # load_module() calls stop_machine() which # calls sched_setscheduler() allow can_load_kernmodule self:capability sys_nice; -@@ -399,14 +494,38 @@ if( ! secure_mode_insmod ) { +@@ -399,14 +499,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -21700,7 +21859,7 @@ index 8dbab4c..a2f0d06 100644 +read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t) +list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t) diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if -index b08a6e8..43d504b 100644 +index b08a6e849..43d504b88 100644 --- a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -44,11 +44,7 @@ interface(`mcs_constrained',` @@ -21776,7 +21935,7 @@ index b08a6e8..43d504b 100644 + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') +') diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te -index 2da98c2..31bed0a 100644 +index 2da98c257..31bed0a7c 100644 --- a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -11,3 +11,4 @@ attribute mcssetcats; @@ -21785,7 +21944,7 @@ index 2da98c2..31bed0a 100644 attribute mcs_constrained_type; +attribute mcsnetwrite; 
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
-index d178478..42bf05b 100644
+index d178478da..42bf05bcd 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',`
@@ -21816,7 +21975,7 @@ index d178478..42bf05b 100644
##
## diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te -index 8c7bd90..66ee5b9 100644 +index 8c7bd90d2..66ee5b9a1 100644 --- a/policy/modules/kernel/mls.te +++ b/policy/modules/kernel/mls.te @@ -12,6 +12,7 @@ attribute mlsfilewritetoclr; @@ -21828,14 +21987,14 @@ index 8c7bd90..66ee5b9 100644 attribute mlsnetread; attribute mlsnetreadtoclr; diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc -index 7be4ddf..4d4c577 100644 +index 7be4ddf74..4d4c577ad 100644 --- a/policy/modules/kernel/selinux.fc +++ b/policy/modules/kernel/selinux.fc @@ -1 +1 @@ -# This module currently does not have any file contexts. +/selinux -l gen_context(system_u:object_r:security_t,s0) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 6d0811d..708f074 100644 +index 6d0811da3..708f07490 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` @@ -22204,7 +22363,7 @@ index 6d0811d..708f074 100644 + mls_trusted_object($1) ') diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te -index e0a973b..7d3e431 100644 +index e0a973ba1..7d3e431ee 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false) @@ -22270,7 +22429,7 @@ index e0a973b..7d3e431 100644 ') } diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc -index 54f1827..6910c88 100644 +index 54f182702..6910c8869 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc @@ -7,6 +7,7 @@ @@ -22309,7 +22468,7 @@ index 54f1827..6910c88 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) 
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 64c4cd0..52070af 100644 +index 64c4cd01c..52070af0b 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -22,6 +22,30 @@ interface(`storage_getattr_fixed_disk_dev',` @@ -22958,7 +23117,7 @@ index 64c4cd0..52070af 100644 + +') diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te -index 156c333..02f5a3c 100644 +index 156c33310..02f5a3c91 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -57,3 +57,9 @@ dev_node(tape_device_t) @@ -22972,7 +23131,7 @@ index 156c333..02f5a3c 100644 + dev_manage_generic_blk_files(fixed_disk_raw_write) +') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc -index 0ea25b6..37069ae 100644 +index 0ea25b653..37069ae93 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc @@ -14,12 +14,13 @@ @@ -23000,7 +23159,7 @@ index 0ea25b6..37069ae 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index cbb729b..ce0291e 100644 +index cbb729b66..ce0291ec6 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,7 +124,7 @@ interface(`term_user_tty',` @@ -23876,7 +24035,7 @@ index cbb729b..ce0291e 100644 + dev_filetrans($1, tty_device_t, chr_file, "xvc9") ') diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te -index 66e116a..a0a5d90 100644 +index 66e116a3f..a0a5d90fe 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -29,6 +29,7 @@ files_mountpoint(devpts_t) @@ -23898,21 +24057,21 @@ index 66e116a..a0a5d90 100644 dev_node(virtio_device_t) 
diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc new file mode 100644 -index 0000000..f310b9d +index 000000000..f310b9d55 --- /dev/null +++ b/policy/modules/kernel/unlabelednet.fc @@ -0,0 +1 @@ +# No unlabelednet file contexts. diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if new file mode 100644 -index 0000000..0ce0470 +index 000000000..0ce04703a --- /dev/null +++ b/policy/modules/kernel/unlabelednet.if @@ -0,0 +1 @@ +## Policy for allowing confined domains to use unlabeled_t packets diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te new file mode 100644 -index 0000000..48caabc +index 000000000..48caabc7e --- /dev/null +++ b/policy/modules/kernel/unlabelednet.te @@ -0,0 +1,12 @@ @@ -23929,7 +24088,7 @@ index 0000000..48caabc +allow domain unlabeled_t:packet { send recv }; + diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te -index 834a065..ff93697 100644 +index 834a065de..ff9369756 100644 --- a/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te @@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0) @@ -23966,7 +24125,7 @@ index 834a065..ff93697 100644 consoletype_exec(auditadm_t) ') diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te -index 3a45a3e..7499f24 100644 +index 3a45a3ef0..7499f24b5 100644 --- a/policy/modules/roles/logadm.te +++ b/policy/modules/roles/logadm.te @@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0) @@ -23986,7 +24145,7 @@ index 3a45a3e..7499f24 100644 +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; logging_admin(logadm_t, logadm_r) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index da11120..621ec5a 100644 +index da111206f..621ec5afc 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0) 
@@ -24027,7 +24186,7 @@ index da11120..621ec5a 100644 init_exec(secadm_t) diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if -index 234a940..a92415a 100644 +index 234a940f9..a92415a9d 100644 --- a/policy/modules/roles/staff.if +++ b/policy/modules/roles/staff.if @@ -1,4 +1,20 @@ @@ -24053,10 +24212,10 @@ index 234a940..a92415a 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..25e60c8 100644 +index 0fef1fca2..88ac7d6bb 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) +@@ -8,11 +8,73 @@ policy_module(staff, 2.4.0) role staff_r; userdom_unpriv_user_template(staff) @@ -24073,7 +24232,8 @@ index 0fef1fc..25e60c8 100644 # # Local policy # - ++corenet_ib_access_unlabeled_pkeys(staff_t) ++ +kernel_read_ring_buffer(staff_t) +kernel_getattr_core_if(staff_t) +kernel_getattr_message_if(staff_t) @@ -24126,11 +24286,10 @@ index 0fef1fc..25e60c8 100644 +optional_policy(` + accountsd_read_lib_files(staff_t) +') -+ + optional_policy(` apache_role(staff_r, staff_t) - ') -@@ -23,11 +84,128 @@ optional_policy(` +@@ -23,11 +85,128 @@ optional_policy(` ') optional_policy(` @@ -24260,7 +24419,7 @@ index 0fef1fc..25e60c8 100644 ') optional_policy(` -@@ -35,20 +213,74 @@ optional_policy(` +@@ -35,20 +214,74 @@ optional_policy(` ') optional_policy(` @@ -24337,7 +24496,7 @@ index 0fef1fc..25e60c8 100644 ') optional_policy(` -@@ -56,7 +288,20 @@ optional_policy(` +@@ -56,7 +289,20 @@ optional_policy(` ') optional_policy(` @@ -24359,7 +24518,7 @@ index 0fef1fc..25e60c8 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +310,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +311,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
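Review bot: `corenet_ib_access_unlabeled_pkeys(staff_t)` is added unconditionally at the top of the local policy in staff.te, so a confined login domain built from `userdom_unpriv_user_template(staff)` gains access to every InfiniBand partition key the policy leaves unlabelled. The sysadm.te hunk further down does the same for sysadm_t and also adds `corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)`. If this is a compatibility measure for hosts with no `ibpkeycon` entries (an assumption; the page does not say), I would state it in a comment such as `# Keep InfiniBand usable where no ibpkeycon labels are defined`. I would also consider wrapping the staff_t grant in a `tunable_policy` block keyed on a new boolean, so sites that label their partitions can switch it off. The local-policy section of staff.te continues outside this hunk.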
@@ -24370,7 +24529,7 @@ index 0fef1fc..25e60c8 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +319,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +320,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -24381,7 +24540,7 @@ index 0fef1fc..25e60c8 100644 ') optional_policy(` -@@ -101,10 +338,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +339,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24392,7 +24551,7 @@ index 0fef1fc..25e60c8 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +358,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +359,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24403,7 +24562,7 @@ index 0fef1fc..25e60c8 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +370,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +371,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24414,7 +24573,7 @@ index 0fef1fc..25e60c8 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +401,24 @@ ifndef(`distro_redhat',` +@@ -176,3 +402,24 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -24440,7 +24599,7 @@ index 0fef1fc..25e60c8 100644 + ') +') diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if -index ff92430..36740ea 100644 +index ff9243078..36740eab3 100644 --- a/policy/modules/roles/sysadm.if +++ b/policy/modules/roles/sysadm.if @@ -70,6 +70,23 @@ interface(`sysadm_shell_domtrans',` @@ -24468,10 +24627,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..8932351 100644 +index 2522ca6c0..800f41930 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,102 @@ policy_module(sysadm, 2.6.1) +@@ -5,39 +5,105 @@ policy_module(sysadm, 2.6.1) # Declarations # 
@@ -24555,6 +24714,9 @@ index 2522ca6..8932351 100644 +userdom_manage_tmp_role(sysadm_r, sysadm_t) +userdom_exec_admin_home_files(sysadm_t) + ++corenet_ib_access_unlabeled_pkeys(sysadm_t) ++corenet_ib_manage_subnet_unlabeled_endports(sysadm_t) ++ +optional_policy(` + abrt_filetrans_named_content(sysadm_t) +') @@ -24584,7 +24746,7 @@ index 2522ca6..8932351 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +118,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +121,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -24599,7 +24761,7 @@ index 2522ca6..8932351 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +128,9 @@ optional_policy(` +@@ -71,9 +131,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -24610,7 +24772,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -87,6 +144,7 @@ optional_policy(` +@@ -87,6 +147,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -24618,7 +24780,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -110,11 +168,17 @@ optional_policy(` +@@ -110,11 +171,17 @@ optional_policy(` ') optional_policy(` @@ -24636,20 +24798,20 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -122,11 +186,27 @@ optional_policy(` +@@ -122,11 +189,27 @@ optional_policy(` ') optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) ++') ++ ++optional_policy(` ++ consoletype_exec(sysadm_t) ') optional_policy(` - cvs_exec(sysadm_t) -+ consoletype_exec(sysadm_t) -+') -+ -+optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + @@ -24666,7 +24828,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -140,6 +220,10 @@ optional_policy(` +@@ -140,6 +223,10 @@ optional_policy(` ') optional_policy(` @@ -24677,7 +24839,7 @@ index 2522ca6..8932351 100644 dmesg_exec(sysadm_t) ') -@@ -156,6 +240,10 @@ optional_policy(` +@@ -156,6 +243,10 @@ optional_policy(` ') optional_policy(` 
@@ -24688,7 +24850,7 @@ index 2522ca6..8932351 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -164,6 +252,11 @@ optional_policy(` +@@ -164,6 +255,11 @@ optional_policy(` ') optional_policy(` @@ -24700,7 +24862,7 @@ index 2522ca6..8932351 100644 hadoop_role(sysadm_r, sysadm_t) ') -@@ -172,13 +265,31 @@ optional_policy(` +@@ -172,13 +268,31 @@ optional_policy(` # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing ipsec_exec_mgmt(sysadm_t) @@ -24732,7 +24894,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -190,11 +301,12 @@ optional_policy(` +@@ -190,11 +304,12 @@ optional_policy(` ') optional_policy(` @@ -24747,7 +24909,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -210,22 +322,21 @@ optional_policy(` +@@ -210,22 +325,21 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -24777,7 +24939,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -237,14 +348,32 @@ optional_policy(` +@@ -237,14 +351,32 @@ optional_policy(` ') optional_policy(` @@ -24810,7 +24972,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -252,10 +381,20 @@ optional_policy(` +@@ -252,10 +384,20 @@ optional_policy(` ') optional_policy(` @@ -24831,7 +24993,7 @@ index 2522ca6..8932351 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +405,46 @@ optional_policy(` +@@ -266,35 +408,46 @@ optional_policy(` ') optional_policy(` @@ -24885,7 +25047,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -308,6 +458,7 @@ optional_policy(` +@@ -308,6 +461,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -24893,7 +25055,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -315,12 +466,20 @@ optional_policy(` +@@ -315,12 +469,20 @@ optional_policy(` ') optional_policy(` 
@@ -24915,7 +25077,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -345,30 +504,38 @@ optional_policy(` +@@ -345,30 +507,38 @@ optional_policy(` ') optional_policy(` @@ -24963,7 +25125,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -380,10 +547,6 @@ optional_policy(` +@@ -380,10 +550,6 @@ optional_policy(` ') optional_policy(` @@ -24974,7 +25136,7 @@ index 2522ca6..8932351 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +554,9 @@ optional_policy(` +@@ -391,6 +557,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -24984,7 +25146,7 @@ index 2522ca6..8932351 100644 ') optional_policy(` -@@ -398,31 +564,34 @@ optional_policy(` +@@ -398,31 +567,34 @@ optional_policy(` ') optional_policy(` @@ -25025,7 +25187,7 @@ index 2522ca6..8932351 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +604,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +607,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25036,7 +25198,7 @@ index 2522ca6..8932351 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +624,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +627,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25121,21 +25283,21 @@ index 2522ca6..8932351 100644 +') diff --git a/policy/modules/roles/sysadm_secadm.fc b/policy/modules/roles/sysadm_secadm.fc new file mode 100644 -index 0000000..ae3b6db +index 000000000..ae3b6db92 --- /dev/null +++ b/policy/modules/roles/sysadm_secadm.fc @@ -0,0 +1 @@ +# No context diff --git a/policy/modules/roles/sysadm_secadm.if b/policy/modules/roles/sysadm_secadm.if new file mode 100644 -index 0000000..bd83148 +index 000000000..bd83148e1 --- /dev/null +++ b/policy/modules/roles/sysadm_secadm.if @@ -0,0 +1 @@ +## No Interfaces 
diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te new file mode 100644 -index 0000000..63bc797 +index 000000000..63bc79792 --- /dev/null +++ b/policy/modules/roles/sysadm_secadm.te @@ -0,0 +1,25 @@ @@ -25166,7 +25328,7 @@ index 0000000..63bc797 +logging_stream_connect_syslog(sysadm_t) diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc new file mode 100644 -index 0000000..d9efb90 +index 000000000..d9efb902a --- /dev/null +++ b/policy/modules/roles/unconfineduser.fc @@ -0,0 +1,8 @@ @@ -25180,7 +25342,7 @@ index 0000000..d9efb90 +#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..f730286 +index 000000000..f73028658 --- /dev/null +++ b/policy/modules/roles/unconfineduser.if @@ -0,0 +1,745 @@ @@ -25931,7 +26093,7 @@ index 0000000..f730286 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..883d9ea +index 000000000..883d9eaa3 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,362 @@ @@ -26298,7 +26460,7 @@ index 0000000..883d9ea +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if -index 3835596..fbca2be 100644 +index 383559646..fbca2be81 100644 --- a/policy/modules/roles/unprivuser.if +++ b/policy/modules/roles/unprivuser.if @@ -1,4 +1,4 @@ @@ -26308,7 +26470,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 6d77e81..74de333 100644 +index 6d77e81c5..74de33345 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ 
@@ -26500,7 +26662,7 @@ index 6d77e81..74de333 100644 + ') ') diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc -index a26f84f..f4a44eb 100644 +index a26f84f40..f4a44ebc6 100644 --- a/policy/modules/services/postgresql.fc +++ b/policy/modules/services/postgresql.fc @@ -10,11 +10,16 @@ @@ -26540,7 +26702,7 @@ index a26f84f..f4a44eb 100644 -/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) +#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if -index 9d2f311..2d782e0 100644 +index 9d2f31168..2d782e051 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -10,90 +10,46 @@ @@ -26895,7 +27057,7 @@ index 9d2f311..2d782e0 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 0306134..bb5f3dd 100644 +index 03061349c..bb5f3dd51 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` @@ -27120,7 +27282,7 @@ index 0306134..bb5f3dd 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..7528851 100644 +index 76d9f66ec..7528851ad 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -1,16 +1,42 @@ @@ -27169,7 +27331,7 @@ index 76d9f66..7528851 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..79d568a 100644 +index fe0c68272..79d568a54 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -27902,7 +28064,7 @@ index fe0c682..79d568a 100644 + ps_process_pattern($1, sshd_t) +') 
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..3038b08 100644 +index cc877c7b0..3038b0862 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) @@ -28576,7 +28738,7 @@ index cc877c7..3038b08 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 8274418..a47fd0b4 100644 +index 8274418c6..a47fd0b4d 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,39 @@ @@ -28745,7 +28907,7 @@ index 8274418..a47fd0b4 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..e6be63a 100644 +index 6bf0ecc2d..e6be63aa8 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,36 @@ @@ -30505,7 +30667,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..fc04c66 100644 +index 8b403774f..fc04c66d5 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32032,7 +32194,7 @@ index 8b40377..fc04c66 100644 + dev_dontaudit_rw_dri(dridomain) +') diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index 1b6619e..be02b96 100644 +index 1b6619e64..be02b9618 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if @@ -43,6 +43,27 @@ interface(`application_executable_file',` @@ -32143,7 +32305,7 @@ index 1b6619e..be02b96 100644 + allow $1 application_domain_type:socket_class_set getattr; +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te -index c6fdab7..af71c62 100644 +index c6fdab72d..af71c62f7 100644 
--- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te @@ -6,15 +6,40 @@ attribute application_domain_type; @@ -32189,7 +32351,7 @@ index c6fdab7..af71c62 100644 sudo_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 2479587..890e1e2 100644 +index 247958765..890e1e293 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,14 +1,28 @@ @@ -32284,7 +32446,7 @@ index 2479587..890e1e2 100644 /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..3db526f 100644 +index 3efd5b669..3db526f84 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -33202,7 +33364,7 @@ index 3efd5b6..3db526f 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..2d255df 100644 +index 09b791dcc..2d255df93 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -33705,7 +33867,7 @@ index 09b791d..2d255df 100644 + ssh_read_user_home_files(login_pgm) +') diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc -index c5e05ca..c9ddbee 100644 +index c5e05ca70..c9ddbeeca 100644 --- a/policy/modules/system/clock.fc +++ b/policy/modules/system/clock.fc @@ -3,3 +3,5 @@ @@ -33715,7 +33877,7 @@ index c5e05ca..c9ddbee 100644 +/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) + diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if -index d475c2d..55305d5 100644 +index d475c2deb..55305d5f3 100644 --- a/policy/modules/system/clock.if 
+++ b/policy/modules/system/clock.if @@ -117,3 +117,40 @@ interface(`clock_rw_adjtime',` @@ -33760,7 +33922,7 @@ index d475c2d..55305d5 100644 + files_etc_filetrans($1, adjtime_t, file, "adjtime" ) +') diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te -index edece47..2e7b811 100644 +index edece47dc..2e7b81176 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te @@ -20,7 +20,7 @@ role system_r types hwclock_t; @@ -33807,7 +33969,7 @@ index edece47..2e7b811 100644 ') diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index 948ce2a..8cab8ae 100644 +index 948ce2a32..8cab8aef2 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -1,4 +1,3 @@ @@ -33880,7 +34042,7 @@ index 948ce2a..8cab8ae 100644 + +/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_var_run_t,s0) diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if -index 016a770..3fce820 100644 +index 016a770b9..3fce820a5 100644 --- a/policy/modules/system/fstools.if +++ b/policy/modules/system/fstools.if @@ -154,3 +154,42 @@ interface(`fstools_getattr_swap_files',` @@ -33927,7 +34089,7 @@ index 016a770..3fce820 100644 + files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") +') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index 3f48d30..cb4f966 100644 +index 3f48d300a..cb4f966c0 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -13,9 +13,15 @@ role system_r types fsadm_t; @@ -34080,7 +34242,7 @@ index 3f48d30..cb4f966 100644 xen_rw_image_files(fsadm_t) ') diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc -index e1a1848..4927638 100644 +index e1a1848a2..492763873 100644 --- a/policy/modules/system/getty.fc +++ b/policy/modules/system/getty.fc @@ -3,8 +3,12 @@ 
@@ -34099,7 +34261,7 @@ index e1a1848..4927638 100644 /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if -index e4376aa..2c98c56 100644 +index e4376aa98..2c98c5647 100644 --- a/policy/modules/system/getty.if +++ b/policy/modules/system/getty.if @@ -96,3 +96,45 @@ interface(`getty_rw_config',` @@ -34149,7 +34311,7 @@ index e4376aa..2c98c56 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index f6743ea..ef08ff3 100644 +index f6743ea19..ef08ff3cf 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) @@ -34237,7 +34399,7 @@ index f6743ea..ef08ff3 100644 optional_policy(` diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc -index 9dfecf7..6d00f5c 100644 +index 9dfecf77c..6d00f5c13 100644 --- a/policy/modules/system/hostname.fc +++ b/policy/modules/system/hostname.fc @@ -1,2 +1,4 @@ @@ -34246,7 +34408,7 @@ index 9dfecf7..6d00f5c 100644 + +/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if -index 187f04f..cf0af09 100644 +index 187f04f83..cf0af0991 100644 --- a/policy/modules/system/hostname.if +++ b/policy/modules/system/hostname.if @@ -53,7 +53,6 @@ interface(`hostname_run',` @@ -34258,7 +34420,7 @@ index 187f04f..cf0af09 100644 interface(`hostname_exec',` gen_require(` diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te -index 24a7889..619b32e 100644 +index 24a78897a..619b32ebe 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te @@ -23,33 +23,36 @@ dontaudit hostname_t self:capability sys_tty_config; @@ -34325,7 +34487,7 @@ index 24a7889..619b32e 100644 xen_dontaudit_use_fds(hostname_t) ') 
diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc -index caf736b..91c4c6f 100644 +index caf736b3b..91c4c6f23 100644 --- a/policy/modules/system/hotplug.fc +++ b/policy/modules/system/hotplug.fc @@ -7,5 +7,8 @@ @@ -34338,7 +34500,7 @@ index caf736b..91c4c6f 100644 /var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) /var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if -index 40eb10c..2a0a32c 100644 +index 40eb10c60..2a0a32c2d 100644 --- a/policy/modules/system/hotplug.if +++ b/policy/modules/system/hotplug.if @@ -34,7 +34,7 @@ interface(`hotplug_domtrans',` @@ -34351,7 +34513,7 @@ index 40eb10c..2a0a32c 100644 corecmd_search_bin($1) diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te -index b2097e7..0a49e14 100644 +index b2097e743..0a49e14ba 100644 --- a/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te @@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) @@ -34406,7 +34568,7 @@ index b2097e7..0a49e14 100644 ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index bc0ffc8..37b8ea5 100644 +index bc0ffc84e..37b8ea5ec 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -1,6 +1,9 @@ @@ -34474,7 +34636,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..6ed0c39 100644 +index 79a45f62e..6ed0c399a 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -36309,7 +36471,7 @@ index 79a45f6..6ed0c39 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..055193c 100644 +index 17eda2480..055193c5d 100644 --- a/policy/modules/system/init.te 
+++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37801,7 +37963,7 @@ index 17eda24..055193c 100644 + ') + ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..d32012f 100644 +index 662e79be8..d32012ffe 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -1,14 +1,26 @@ @@ -37863,7 +38025,7 @@ index 662e79b..d32012f 100644 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..537aa42 100644 +index 0d4c8d35e..537aa4274 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -18,6 +18,24 @@ interface(`ipsec_domtrans',` @@ -38105,7 +38267,7 @@ index 0d4c8d3..537aa42 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd04..102b975 100644 +index 312cd0417..102b975de 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -38444,7 +38606,7 @@ index 312cd04..102b975 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 73a1c4e..1ca98b8 100644 +index 73a1c4e1e..1ca98b865 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc @@ -1,22 +1,49 @@ @@ -38514,7 +38676,7 @@ index 73a1c4e..1ca98b8 100644 + +/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if -index c42fbc3..bf211db 100644 +index c42fbc329..bf211dbee 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if 
@@ -17,10 +17,6 @@ interface(`iptables_domtrans',` @@ -38582,7 +38744,7 @@ index c42fbc3..bf211db 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..91d1296 100644 +index be8ed1e6c..91d1296b8 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,21 @@ role iptables_roles types iptables_t; @@ -38765,14 +38927,14 @@ index be8ed1e..91d1296 100644 optional_policy(` diff --git a/policy/modules/system/kdbus.fc b/policy/modules/system/kdbus.fc new file mode 100644 -index 0000000..1bb8bf6 +index 000000000..1bb8bf6d7 --- /dev/null +++ b/policy/modules/system/kdbus.fc @@ -0,0 +1 @@ +# empty diff --git a/policy/modules/system/kdbus.if b/policy/modules/system/kdbus.if new file mode 100644 -index 0000000..6a1c9ed +index 000000000..6a1c9ed87 --- /dev/null +++ b/policy/modules/system/kdbus.if @@ -0,0 +1,2 @@ @@ -38780,7 +38942,7 @@ index 0000000..6a1c9ed + diff --git a/policy/modules/system/kdbus.te b/policy/modules/system/kdbus.te new file mode 100644 -index 0000000..c814795 +index 000000000..c8147952a --- /dev/null +++ b/policy/modules/system/kdbus.te @@ -0,0 +1,14 @@ @@ -38799,7 +38961,7 @@ index 0000000..c814795 +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..a70bee5 100644 +index 73bb3c00c..a70bee5b0 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -39143,7 +39305,7 @@ index 73bb3c0..a70bee5 100644 + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..b717d97 100644 +index 808ba93eb..b717d9709 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if 
@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` @@ -39366,7 +39528,7 @@ index 808ba93..b717d97 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 54f8fa5..b9dbbe0 100644 +index 54f8fa5c8..b9dbbe005 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) @@ -39490,7 +39652,7 @@ index 54f8fa5..b9dbbe0 100644 - unconfined_domain(ldconfig_t) -') diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc -index be6a81b..a5303e9 100644 +index be6a81b80..a5303e920 100644 --- a/policy/modules/system/locallogin.fc +++ b/policy/modules/system/locallogin.fc @@ -1,3 +1,8 @@ @@ -39503,7 +39665,7 @@ index be6a81b..a5303e9 100644 +/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) +/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if -index 0e3c2a9..ea9bd57 100644 +index 0e3c2a977..ea9bd57dc 100644 --- a/policy/modules/system/locallogin.if +++ b/policy/modules/system/locallogin.if @@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',` @@ -39567,7 +39729,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 446fa99..fcf08ac 100644 +index 446fa9908..fcf08acb2 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -39782,7 +39944,7 @@ index 446fa99..fcf08ac 100644 + plymouthd_exec_plymouth(sulogin_t) ') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index b50c5fe..9eacd9b 100644 +index b50c5fe81..9eacd9ba1 100644 
--- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -1,11 +1,15 @@ @@ -39874,7 +40036,7 @@ index b50c5fe..9eacd9b 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..7b39545 100644 +index 4e9488463..7b395456f 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -40500,7 +40662,7 @@ index 4e94884..7b39545 100644 +') + diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..2ad89c5 100644 +index 59b04c1a2..2ad89c533 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -40996,7 +41158,7 @@ index 59b04c1..2ad89c5 100644 + +logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 6b91740..7724116 100644 +index 6b917403e..772411608 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -23,6 +23,8 @@ ifdef(`distro_gentoo',` @@ -41130,7 +41292,7 @@ index 6b91740..7724116 100644 + +/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..842ce28 100644 +index 58bc27f22..842ce28c4 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -1,5 +1,41 @@ @@ -41450,7 +41612,7 @@ index 58bc27f..842ce28 100644 + + diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 79048c4..b0cb1e5 100644 +index 79048c410..b0cb1e565 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -41731,7 +41893,7 @@ index 79048c4..b0cb1e5 100644 udev_read_pid_files(lvm_t) ') 
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01..c62c761 100644 +index 9fe8e01e3..c62c76136 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,16 @@ ifdef(`distro_gentoo',` @@ -41801,7 +41963,7 @@ index 9fe8e01..c62c761 100644 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc3..e4b9a3b 100644 +index fc28bc31b..e4b9a3bf0 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',` @@ -42082,7 +42244,7 @@ index fc28bc3..e4b9a3b 100644 + files_var_filetrans($1, public_content_t, dir, "ftp") +') diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te -index 1361961..be6b7fc 100644 +index 1361961d0..be6b7fc80 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -4,7 +4,6 @@ policy_module(miscfiles, 1.11.0) @@ -42107,7 +42269,7 @@ index 1361961..be6b7fc 100644 # # Base type for the tests directory. diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc -index 9933677..7875b79 100644 +index 993367709..7875b79fa 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc @@ -10,8 +10,6 @@ ifdef(`distro_gentoo',` @@ -42136,7 +42298,7 @@ index 9933677..7875b79 100644 + +/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 7449974..b792900 100644 +index 7449974f6..b79290062 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,11 +12,28 @@ @@ -42332,7 +42494,7 @@ index 7449974..b792900 100644 + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") +') 
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a363b8..aa59857 100644 +index 7a363b8b2..aa59857ad 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0) @@ -42613,7 +42775,7 @@ index 7a363b8..aa59857 100644 ifdef(`distro_gentoo',` diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc -index a38605e..f035d9f 100644 +index a38605e50..f035d9fbb 100644 --- a/policy/modules/system/mount.fc +++ b/policy/modules/system/mount.fc @@ -1,6 +1,26 @@ @@ -42646,7 +42808,7 @@ index a38605e..f035d9f 100644 +/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) +/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 4584457..8f676d0 100644 +index 4584457b1..8f676d0c8 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,13 @@ interface(`mount_domtrans',` @@ -43012,7 +43174,7 @@ index 4584457..8f676d0 100644 ') + diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 459a0ef..ed4756e 100644 +index 459a0efbc..ed4756edc 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -5,13 +5,6 @@ policy_module(mount, 1.16.1) @@ -43459,7 +43621,7 @@ index 459a0ef..ed4756e 100644 + unconfined_domain(unconfined_mount_t) ') diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc -index b263a8a..15576ab 100644 +index b263a8af5..15576ab83 100644 --- a/policy/modules/system/netlabel.fc +++ b/policy/modules/system/netlabel.fc @@ -1 +1,6 @@ @@ -43470,7 +43632,7 @@ index b263a8a..15576ab 100644 +/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) +/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) 
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te -index cbbda4a..d7c67bc 100644 +index cbbda4a3e..d7c67bc40 100644 --- a/policy/modules/system/netlabel.te +++ b/policy/modules/system/netlabel.te @@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0) @@ -43513,7 +43675,7 @@ index cbbda4a..d7c67bc 100644 +userdom_use_inherited_user_terminals(netlabel_mgmt_t) + diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc -index d43f3b1..c5053db 100644 +index d43f3b194..c5053dbbd 100644 --- a/policy/modules/system/selinuxutil.fc +++ b/policy/modules/system/selinuxutil.fc @@ -6,13 +6,15 @@ @@ -43569,7 +43731,7 @@ index d43f3b1..c5053db 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..0395f48 100644 +index 38220721d..0395f4810 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` @@ -44393,7 +44555,7 @@ index 3822072..0395f48 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..27d8d49 100644 +index dc4642022..27d8d49ba 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -45240,7 +45402,7 @@ index dc46420..27d8d49 100644 + policykit_dbus_chat(policy_manager_domain) ') diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc -index bea4629..06e2834 100644 +index bea462999..06e2834f7 100644 --- a/policy/modules/system/setrans.fc +++ b/policy/modules/system/setrans.fc @@ -2,4 +2,7 @@ 
@@ -45252,7 +45414,7 @@ index bea4629..06e2834 100644 /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) +/var/run/mcstransd\.pid gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if -index efa9c27..536a514 100644 +index efa9c27f6..536a514fc 100644 --- a/policy/modules/system/setrans.if +++ b/policy/modules/system/setrans.if @@ -40,3 +40,21 @@ interface(`setrans_translate_context',` @@ -45278,7 +45440,7 @@ index efa9c27..536a514 100644 + manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t) +') diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te -index 1447687..0b1da4d 100644 +index 1447687d5..0b1da4d3e 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -12,6 +12,7 @@ gen_require(` @@ -45306,7 +45468,7 @@ index 1447687..0b1da4d 100644 seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 40edc18..95f4458 100644 +index 40edc18ab..95f4458d2 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -17,23 +17,29 @@ ifdef(`distro_debian',` @@ -45382,7 +45544,7 @@ index 40edc18..95f4458 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..e3cb4f2 100644 +index 2cea692c0..e3cb4f2ef 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -45955,7 +46117,7 @@ index 2cea692..e3cb4f2 100644 + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..41a5b08 100644 +index a392fc4bc..41a5b082f 100644 --- a/policy/modules/system/sysnetwork.te 
+++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -46382,7 +46544,7 @@ index a392fc4..41a5b08 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..121b422 +index 000000000..121b42208 --- /dev/null +++ b/policy/modules/system/systemd.fc @@ -0,0 +1,81 @@ @@ -46469,7 +46631,7 @@ index 0000000..121b422 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..d1356af +index 000000000..d1356af89 --- /dev/null +++ b/policy/modules/system/systemd.if @@ -0,0 +1,1842 @@ @@ -48317,7 +48479,7 @@ index 0000000..d1356af +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..35fc2b8 +index 000000000..35fc2b865 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,1020 @@ @@ -49342,7 +49504,7 @@ index 0000000..35fc2b8 +init_rw_initctl(systemd_initctl_t) +init_stream_connectto(systemd_initctl_t) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc -index f41857e..49fd32e 100644 +index f41857e09..49fd32e17 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -1,6 +1,8 @@ @@ -49395,7 +49557,7 @@ index f41857e..49fd32e 100644 ifdef(`distro_debian',` /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if -index 9a1650d..d7e8a01 100644 +index 9a1650d37..d7e8a0193 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -34,6 +34,7 @@ interface(`udev_domtrans',` @@ -49639,7 +49801,7 @@ index 9a1650d..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..a313a7d 100644 +index 39f185f68..a313a7d1a 100644 --- a/policy/modules/system/udev.te 
+++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -49914,7 +50076,7 @@ index 39f185f..a313a7d 100644 optional_policy(` diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc -index 0abaf84..8b34dbc 100644 +index 0abaf8432..8b34dbc09 100644 --- a/policy/modules/system/unconfined.fc +++ b/policy/modules/system/unconfined.fc @@ -1,21 +1 @@ @@ -49940,7 +50102,7 @@ index 0abaf84..8b34dbc 100644 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 5ca20a9..5454d16 100644 +index 5ca20a97d..5454d1668 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,53 +12,57 @@ @@ -50489,7 +50651,7 @@ index 5ca20a9..5454d16 100644 + allow $1 unconfined_service_t:process signull; ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 5fe902d..b31eeba 100644 +index 5fe902db3..b31eeba97 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,207 +1,32 @@ @@ -50714,7 +50876,7 @@ index 5fe902d..b31eeba 100644 + virt_transition_svirt(unconfined_service_t, system_r) ') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..c54480a 100644 +index db7597682..c54480a1d 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc @@ -1,4 +1,37 @@ @@ -50757,7 +50919,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..d5e8f38 100644 +index 9dc60c6c0..d5e8f386a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -55878,7 +56040,7 @@ index 9dc60c6..d5e8f38 100644 + ') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38d..1589d60 100644 +index f4ac38dc7..1589d6065 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -56370,7 +56532,7 @@ index f4ac38d..1589d60 100644 + ssh_signal(confined_admindomain) +') diff --git a/policy/policy_capabilities b/policy/policy_capabilities -index db3cbca..710bd7c 100644 +index db3cbca45..710bd7cd2 100644 --- a/policy/policy_capabilities +++ b/policy/policy_capabilities @@ -31,3 +31,14 @@ policycap network_peer_controls; @@ -56389,7 +56551,7 @@ index db3cbca..710bd7c 100644 + + diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt -index e79d545..101086d 100644 +index e79d54501..101086d66 100644 --- a/policy/support/misc_patterns.spt +++ b/policy/support/misc_patterns.spt @@ -4,7 +4,7 @@ @@ -56420,7 +56582,7 @@ index e79d545..101086d 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e91317..dc1c884 100644 +index 6e9131723..dc1c884fe 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -56536,7 +56698,7 @@ index 6e91317..dc1c884 100644 +# +define(`manage_service_perms', `{ start stop status reload enable disable } ') diff --git a/policy/users b/policy/users -index c4ebc7e..30d6d7a 100644 +index c4ebc7e43..30d6d7a71 100644 --- a/policy/users +++ b/policy/users @@ -15,7 +15,7 @@ @@ -56575,7 +56737,7 @@ index c4ebc7e..30d6d7a 100644 -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/support/Makefile.devel b/support/Makefile.devel -index b96e9b3..ff7340f 100644 +index b96e9b3d1..ff7340fdb 100644 
--- a/support/Makefile.devel +++ b/support/Makefile.devel @@ -26,7 +26,6 @@ XMLLINT := $(BINDIR)/xmllint @@ -56586,3 +56748,16 @@ index b96e9b3..ff7340f 100644 QUIET ?= y genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py +diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed +index 00b94b6ad..90813480d 100644 +--- a/support/comment_move_decl.sed ++++ b/support/comment_move_decl.sed +@@ -6,7 +6,7 @@ + /optional \{/,/} # end optional/b nextline + + /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/ +-/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/ ++/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/ + /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/ + /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/ + /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/ diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 1f51d3d..97d1a04 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1,12 +1,12 @@ diff --git a/.gitignore b/.gitignore new file mode 100644 -index 0000000..bea5755 +index 000000000..bea575523 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +TAGS diff --git a/abrt.fc b/abrt.fc -index 1a93dc5..e948aef 100644 +index 1a93dc578..e948aef59 100644 --- a/abrt.fc +++ b/abrt.fc @@ -1,31 +1,47 @@ @@ -81,7 +81,7 @@ index 1a93dc5..e948aef 100644 -/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/abrt.if b/abrt.if -index 058d908..ee0c559 100644 +index 058d908e4..ee0c55969 100644 --- a/abrt.if +++ b/abrt.if @@ -1,4 +1,42 @@ @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + 
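Review bot: The widened expression in the added `support/comment_move_decl.sed` hunk comments out every `ibpkeycon` and `ibendportcon` statement, indented ones included (`^[[:blank:]]*`), so a statement survives only if the build also copies it into the collected post-section. If the collecting step matches the keyword only at column 0 (worth confirming in the Rules.modular and Rules.monolithic recipes, which are outside this hunk), an indented statement would be commented out here and never re-emitted. The InfiniBand pkey or endport it labels would then presumably be left without its intended context, and the build would report no error. I would add a comment above this line, e.g. `# every keyword listed here must also be collected into all_post.conf by the Rules.* recipes`, and make both patterns accept the same leading whitespace. The sed script starts and ends outside the hunk.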
diff --git a/abrt.te b/abrt.te -index eb50f07..4e5a592 100644 +index eb50f070f..4e5a59207 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -1225,7 +1225,7 @@ index eb50f07..4e5a592 100644 - -miscfiles_read_localization(abrt_domain) diff --git a/accountsd.fc b/accountsd.fc -index f9d8d7a..0682710 100644 +index f9d8d7a92..068271030 100644 --- a/accountsd.fc +++ b/accountsd.fc @@ -1,3 +1,5 @@ @@ -1235,7 +1235,7 @@ index f9d8d7a..0682710 100644 /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) diff --git a/accountsd.if b/accountsd.if -index bd5ec9a..554177c 100644 +index bd5ec9ab0..554177cd2 100644 --- a/accountsd.if +++ b/accountsd.if @@ -126,23 +126,51 @@ interface(`accountsd_manage_lib_files',` @@ -1296,7 +1296,7 @@ index bd5ec9a..554177c 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 3593510..7c13845 100644 +index 3593510d8..7c13845fd 100644 --- a/accountsd.te +++ b/accountsd.te @@ -4,6 +4,10 @@ gen_require(` @@ -1377,7 +1377,7 @@ index 3593510..7c13845 100644 + xserver_manage_xdm_etc_files(accountsd_t) ') diff --git a/acct.if b/acct.if -index 81280d0..bc4038b 100644 +index 81280d008..bc4038b45 100644 --- a/acct.if +++ b/acct.if @@ -83,6 +83,24 @@ interface(`acct_manage_data',` @@ -1421,7 +1421,7 @@ index 81280d0..bc4038b 100644 domain_system_change_exemption($1) role_transition $2 acct_initrc_exec_t system_r; diff --git a/acct.te b/acct.te -index 8b9ad83..f4f2486 100644 +index 8b9ad83c5..f4f24864b 100644 --- a/acct.te +++ b/acct.te @@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t) @@ -1451,7 +1451,7 @@ index 8b9ad83..f4f2486 100644 userdom_dontaudit_use_unpriv_user_fds(acct_t) diff --git a/ada.te b/ada.te -index 8d42c97..2377f8f 100644 +index 8d42c97ae..2377f8f82 100644 --- a/ada.te +++ b/ada.te @@ -20,7 +20,7 @@ role ada_roles types ada_t; 
@@ -1464,7 +1464,7 @@ index 8d42c97..2377f8f 100644 optional_policy(` unconfined_domain(ada_t) diff --git a/afs.fc b/afs.fc -index 8926c16..206ea16 100644 +index 8926c1696..206ea16fd 100644 --- a/afs.fc +++ b/afs.fc @@ -3,6 +3,8 @@ @@ -1488,7 +1488,7 @@ index 8926c16..206ea16 100644 /usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0) /usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0) diff --git a/afs.if b/afs.if -index 3b41be6..97d99f9 100644 +index 3b41be699..97d99f979 100644 --- a/afs.if +++ b/afs.if @@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',` @@ -1538,7 +1538,7 @@ index 3b41be6..97d99f9 100644 afs_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/afs.te b/afs.te -index 90ce637..8cf712d 100644 +index 90ce63748..8cf712d15 100644 --- a/afs.te +++ b/afs.te @@ -72,7 +72,7 @@ role system_r types afs_vlserver_t; @@ -1729,7 +1729,7 @@ index 90ce637..8cf712d 100644 sysnet_read_config(afs_domain) + diff --git a/aiccu.if b/aiccu.if -index 3b5dcb9..fbe187f 100644 +index 3b5dcb947..fbe187fe1 100644 --- a/aiccu.if +++ b/aiccu.if @@ -79,9 +79,13 @@ interface(`aiccu_admin',` @@ -1748,7 +1748,7 @@ index 3b5dcb9..fbe187f 100644 domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/aiccu.te b/aiccu.te -index 5d2b90e..7374df0 100644 +index 5d2b90e04..7374df0b9 100644 --- a/aiccu.te +++ b/aiccu.te @@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t) @@ -1787,7 +1787,7 @@ index 5d2b90e..7374df0 100644 sysnet_domtrans_ifconfig(aiccu_t) ') diff --git a/aide.if b/aide.if -index 01cbb67..94a4a24 100644 +index 01cbb67df..94a4a2406 100644 --- a/aide.if +++ b/aide.if @@ -67,9 +67,13 @@ interface(`aide_admin',` @@ -1806,7 +1806,7 @@ index 01cbb67..94a4a24 100644 files_list_etc($1) diff --git a/aide.te b/aide.te -index 03831e6..3d35fff 100644 +index 03831e6e5..3d35fff8e 100644 --- a/aide.te +++ b/aide.te @@ -10,6 +10,7 @@ attribute_role aide_roles; 
@@ -1858,7 +1858,7 @@ index 03831e6..3d35fff 100644 optional_policy(` seutil_use_newrole_fds(aide_t) diff --git a/aisexec.if b/aisexec.if -index a2997fa..861cebd 100644 +index a2997fa57..861cebdf9 100644 --- a/aisexec.if +++ b/aisexec.if @@ -83,9 +83,13 @@ interface(`aisexecd_admin',` @@ -1877,7 +1877,7 @@ index a2997fa..861cebd 100644 domain_system_change_exemption($1) role_transition $2 aisexec_initrc_exec_t system_r; diff --git a/aisexec.te b/aisexec.te -index 4e4f063..808e067 100644 +index 4e4f06364..808e067e8 100644 --- a/aisexec.te +++ b/aisexec.te @@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) @@ -1911,7 +1911,7 @@ index 4e4f063..808e067 100644 rhcs_rw_fenced_semaphores(aisexec_t) diff --git a/ajaxterm.fc b/ajaxterm.fc new file mode 100644 -index 0000000..aeb1888 +index 000000000..aeb1888a7 --- /dev/null +++ b/ajaxterm.fc @@ -0,0 +1,6 @@ @@ -1923,7 +1923,7 @@ index 0000000..aeb1888 +/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0) diff --git a/ajaxterm.if b/ajaxterm.if new file mode 100644 -index 0000000..7abe946 +index 000000000..7abe946d4 --- /dev/null +++ b/ajaxterm.if @@ -0,0 +1,90 @@ @@ -2019,7 +2019,7 @@ index 0000000..7abe946 +') diff --git a/ajaxterm.te b/ajaxterm.te new file mode 100644 -index 0000000..a95a4ad +index 000000000..a95a4adf3 --- /dev/null +++ b/ajaxterm.te @@ -0,0 +1,60 @@ @@ -2084,7 +2084,7 @@ index 0000000..a95a4ad +') + diff --git a/alsa.fc b/alsa.fc -index 33d9d31..58bf182 100644 +index 33d9d3111..58bf1829a 100644 --- a/alsa.fc +++ b/alsa.fc @@ -23,4 +23,10 @@ ifdef(`distro_debian',` @@ -2100,7 +2100,7 @@ index 33d9d31..58bf182 100644 + +/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0) diff --git a/alsa.if b/alsa.if -index ca8d8cf..053a30a 100644 +index ca8d8cf3b..053a30ad4 100644 --- a/alsa.if +++ b/alsa.if @@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',` 
@@ -2216,7 +2216,7 @@ index ca8d8cf..053a30a 100644 ######################################### diff --git a/alsa.te b/alsa.te -index 4b153f1..a799cd3 100644 +index 4b153f179..a799cd394 100644 --- a/alsa.te +++ b/alsa.te @@ -15,6 +15,9 @@ role alsa_roles types alsa_t; @@ -2297,7 +2297,7 @@ index 4b153f1..a799cd3 100644 userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_search_user_home_dirs(alsa_t) diff --git a/amanda.fc b/amanda.fc -index 7f4dfbc..e5c9f45 100644 +index 7f4dfbca3..e5c9f45b8 100644 --- a/amanda.fc +++ b/amanda.fc @@ -1,5 +1,6 @@ @@ -2317,7 +2317,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index 519051c..89302e2 100644 +index 519051c7d..89302e2d9 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2460,7 +2460,7 @@ index 519051c..89302e2 100644 + fstools_signal(amanda_t) +') diff --git a/amavis.fc b/amavis.fc -index 17689a7..8aa6849 100644 +index 17689a707..8aa684917 100644 --- a/amavis.fc +++ b/amavis.fc @@ -12,8 +12,6 @@ ifdef(`distro_debian',` @@ -2473,7 +2473,7 @@ index 17689a7..8aa6849 100644 /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) diff --git a/amavis.if b/amavis.if -index 60d4f8c..18ef077 100644 +index 60d4f8c90..18ef0772c 100644 --- a/amavis.if +++ b/amavis.if @@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',` @@ -2527,7 +2527,7 @@ index 60d4f8c..18ef077 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 91fa72a..1736250 100644 +index 91fa72ae1..1736250ae 100644 --- a/amavis.te +++ b/amavis.te @@ -39,14 +39,14 @@ type amavis_quarantine_t; @@ -2621,7 +2621,7 @@ index 91fa72a..1736250 100644 postfix_list_spool(amavis_t) ') diff --git a/amtu.te b/amtu.te -index 16d0d66..60abfd0 100644 +index 16d0d66eb..60abfd080 100644 --- a/amtu.te +++ b/amtu.te 
@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t) @@ -2638,7 +2638,7 @@ index 16d0d66..60abfd0 100644 optional_policy(` nscd_dontaudit_search_pid(amtu_t) diff --git a/anaconda.fc b/anaconda.fc -index b098089..fe35beb 100644 +index b098089d0..fe35bebfd 100644 --- a/anaconda.fc +++ b/anaconda.fc @@ -1 +1,13 @@ @@ -2656,7 +2656,7 @@ index b098089..fe35beb 100644 +/var/lib/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0) +/var/log/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0) diff --git a/anaconda.if b/anaconda.if -index 14a61b7..76d9329 100644 +index 14a61b7e1..76d93294d 100644 --- a/anaconda.if +++ b/anaconda.if @@ -1 +1,132 @@ @@ -2793,7 +2793,7 @@ index 14a61b7..76d9329 100644 + files_search_var_lib($1) +') diff --git a/anaconda.te b/anaconda.te -index aa44abf..9e76516 100644 +index aa44abfe4..9e76516c2 100644 --- a/anaconda.te +++ b/anaconda.te @@ -4,6 +4,10 @@ gen_require(` @@ -2899,7 +2899,7 @@ index aa44abf..9e76516 100644 +') diff --git a/antivirus.fc b/antivirus.fc new file mode 100644 -index 0000000..219f32d +index 000000000..219f32db0 --- /dev/null +++ b/antivirus.fc @@ -0,0 +1,44 @@ @@ -2949,7 +2949,7 @@ index 0000000..219f32d + diff --git a/antivirus.if b/antivirus.if new file mode 100644 -index 0000000..36251b9 +index 000000000..36251b926 --- /dev/null +++ b/antivirus.if @@ -0,0 +1,325 @@ @@ -3280,7 +3280,7 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..d202f69 +index 000000000..d202f695a --- /dev/null +++ b/antivirus.te @@ -0,0 +1,274 @@ @@ -3559,7 +3559,7 @@ index 0000000..d202f69 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..966c2f3 100644 +index 7caefc353..966c2f3e6 100644 --- a/apache.fc +++ b/apache.fc @@ -1,162 +1,218 @@ 
@@ -3921,7 +3921,7 @@ index 7caefc3..966c2f3 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..fe461a3 100644 +index f6eb4851f..fe461a3fc 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -5575,7 +5575,7 @@ index f6eb485..fe461a3 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962..6dd10dd 100644 +index 6649962b6..6dd10dd7d 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -7951,7 +7951,7 @@ index 6649962..6dd10dd 100644 ') + diff --git a/apcupsd.fc b/apcupsd.fc -index 5ec0e13..97c204f 100644 +index 5ec0e13c8..97c204fe5 100644 --- a/apcupsd.fc +++ b/apcupsd.fc @@ -1,18 +1,23 @@ @@ -7984,7 +7984,7 @@ index 5ec0e13..97c204f 100644 +/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) +/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) diff --git a/apcupsd.if b/apcupsd.if -index f3c0aba..f6e25ed 100644 +index f3c0abac6..f6e25eda4 100644 --- a/apcupsd.if +++ b/apcupsd.if @@ -102,7 +102,7 @@ interface(`apcupsd_append_log',` @@ -8093,7 +8093,7 @@ index f3c0aba..f6e25ed 100644 + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index 080bc4d..a78dbce 100644 +index 080bc4ddb..a78dbced6 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,12 +24,18 @@ files_tmp_file(apcupsd_tmp_t) @@ -8240,7 +8240,7 @@ index 080bc4d..a78dbce 100644 + sysnet_dns_name_resolve(apcupsd_cgi_script_t) ') diff --git a/apm.fc b/apm.fc -index ce27d2f..b2ba16a 100644 +index ce27d2fb3..b2ba16a04 100644 --- a/apm.fc +++ b/apm.fc @@ -1,3 +1,4 @@ @@ -8258,7 +8258,7 @@ index ce27d2f..b2ba16a 100644 /var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0) 
diff --git a/apm.if b/apm.if -index 1a7a97e..2c7252a 100644 +index 1a7a97e5c..2c7252a39 100644 --- a/apm.if +++ b/apm.if @@ -141,6 +141,30 @@ interface(`apm_stream_connect',` @@ -8308,7 +8308,7 @@ index 1a7a97e..2c7252a 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 7fd431b..f944ecc 100644 +index 7fd431bcd..f944eccf1 100644 --- a/apm.te +++ b/apm.te @@ -35,12 +35,15 @@ files_type(apmd_var_lib_t) @@ -8424,7 +8424,7 @@ index 7fd431b..f944ecc 100644 optional_policy(` diff --git a/apt.if b/apt.if -index cde81d2..2fe0201 100644 +index cde81d248..2fe02018a 100644 --- a/apt.if +++ b/apt.if @@ -171,7 +171,7 @@ interface(`apt_read_cache',` @@ -8437,7 +8437,7 @@ index cde81d2..2fe0201 100644 ') diff --git a/apt.te b/apt.te -index efa8530..ae5d0c9 100644 +index efa853059..ae5d0c9f2 100644 --- a/apt.te +++ b/apt.te @@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t) @@ -8488,7 +8488,7 @@ index efa8530..ae5d0c9 100644 optional_policy(` backup_manage_store_files(apt_t) diff --git a/arpwatch.fc b/arpwatch.fc -index 9ca0d0f..9a1a61f 100644 +index 9ca0d0fb8..9a1a61f82 100644 --- a/arpwatch.fc +++ b/arpwatch.fc @@ -1,5 +1,7 @@ @@ -8500,7 +8500,7 @@ index 9ca0d0f..9a1a61f 100644 /var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) diff --git a/arpwatch.if b/arpwatch.if -index 50c9b9c..533a555 100644 +index 50c9b9c87..533a555a2 100644 --- a/arpwatch.if +++ b/arpwatch.if @@ -119,6 +119,30 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',` @@ -8562,7 +8562,7 @@ index 50c9b9c..533a555 100644 + allow $1 arpwatch_unit_file_t:service all_service_perms; ') diff --git a/arpwatch.te b/arpwatch.te -index 2d7bf34..766a91a 100644 +index 2d7bf345b..766a91a41 100644 --- a/arpwatch.te +++ b/arpwatch.te @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) @@ -8626,7 +8626,7 @@ index 2d7bf34..766a91a 100644 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) 
diff --git a/asterisk.if b/asterisk.if -index 2077053..198a02a 100644 +index 2077053ea..198a02ab4 100644 --- a/asterisk.if +++ b/asterisk.if @@ -124,9 +124,13 @@ interface(`asterisk_admin',` @@ -8645,7 +8645,7 @@ index 2077053..198a02a 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te -index 7e41350..1e0f4c4 100644 +index 7e4135022..1e0f4c49b 100644 --- a/asterisk.te +++ b/asterisk.te @@ -19,7 +19,7 @@ type asterisk_log_t; @@ -8715,7 +8715,7 @@ index 7e41350..1e0f4c4 100644 diff --git a/authconfig.fc b/authconfig.fc new file mode 100644 -index 0000000..4579cfe +index 000000000..4579cfe17 --- /dev/null +++ b/authconfig.fc @@ -0,0 +1,3 @@ @@ -8724,7 +8724,7 @@ index 0000000..4579cfe +/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0) diff --git a/authconfig.if b/authconfig.if new file mode 100644 -index 0000000..316c324 +index 000000000..316c324f2 --- /dev/null +++ b/authconfig.if @@ -0,0 +1,127 @@ @@ -8857,7 +8857,7 @@ index 0000000..316c324 +') diff --git a/authconfig.te b/authconfig.te new file mode 100644 -index 0000000..362a049 +index 000000000..362a049e9 --- /dev/null +++ b/authconfig.te @@ -0,0 +1,33 @@ @@ -8895,7 +8895,7 @@ index 0000000..362a049 + +unconfined_domain_noaudit(authconfig_t) diff --git a/automount.fc b/automount.fc -index 92adb37..0a2ffc6 100644 +index 92adb37e1..0a2ffc62d 100644 --- a/automount.fc +++ b/automount.fc @@ -1,6 +1,8 @@ @@ -8908,7 +8908,7 @@ index 92adb37..0a2ffc6 100644 /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0) diff --git a/automount.if b/automount.if -index f24e369..4484a98 100644 +index f24e36960..4484a98da 100644 --- a/automount.if +++ b/automount.if @@ -29,7 +29,6 @@ interface(`automount_domtrans',` @@ -9005,7 +9005,7 @@ index f24e369..4484a98 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') 
diff --git a/automount.te b/automount.te -index 27d2f40..1297f5b 100644 +index 27d2f400b..1297f5bbe 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; @@ -9093,7 +9093,7 @@ index 27d2f40..1297f5b 100644 +') + diff --git a/avahi.fc b/avahi.fc -index e9fe2ca..4c2d076 100644 +index e9fe2cac1..4c2d0769e 100644 --- a/avahi.fc +++ b/avahi.fc @@ -1,5 +1,7 @@ @@ -9105,7 +9105,7 @@ index e9fe2ca..4c2d076 100644 /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) diff --git a/avahi.if b/avahi.if -index 9078c3d..2f6b250 100644 +index 9078c3d85..2f6b2503e 100644 --- a/avahi.if +++ b/avahi.if @@ -211,6 +211,30 @@ interface(`avahi_dontaudit_search_pid',` @@ -9168,7 +9168,7 @@ index 9078c3d..2f6b250 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index b8355b3..51ce1b6 100644 +index b8355b32f..51ce1b60f 100644 --- a/avahi.te +++ b/avahi.te @@ -13,17 +13,21 @@ type avahi_initrc_exec_t; @@ -9231,7 +9231,7 @@ index b8355b3..51ce1b6 100644 userdom_dontaudit_search_user_home_dirs(avahi_t) diff --git a/awstats.fc b/awstats.fc -index 11e6d5f..73b4ea4 100644 +index 11e6d5ffe..73b4ea47c 100644 --- a/awstats.fc +++ b/awstats.fc @@ -1,5 +1,5 @@ @@ -9243,7 +9243,7 @@ index 11e6d5f..73b4ea4 100644 /var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0) diff --git a/awstats.te b/awstats.te -index c1b16c3..ffbf2cb 100644 +index c1b16c392..ffbf2cb8f 100644 --- a/awstats.te +++ b/awstats.te @@ -26,6 +26,7 @@ type awstats_var_lib_t; @@ -9303,7 +9303,7 @@ index c1b16c3..ffbf2cb 100644 +read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) +files_search_var_lib(awstats_script_t) diff --git a/backup.te b/backup.te -index 7811450..e787033 100644 +index 7811450b6..e78703340 100644 --- a/backup.te +++ b/backup.te @@ -21,7 +21,7 @@ files_type(backup_store_t) 
@@ -9333,7 +9333,7 @@ index 7811450..e787033 100644 optional_policy(` cron_system_entry(backup_t, backup_exec_t) diff --git a/bacula.fc b/bacula.fc -index 27ec3d5..65aa71b 100644 +index 27ec3d519..65aa71bf6 100644 --- a/bacula.fc +++ b/bacula.fc @@ -8,6 +8,8 @@ @@ -9346,7 +9346,7 @@ index 27ec3d5..65aa71b 100644 /var/log/bacula.* gen_context(system_u:object_r:bacula_log_t,s0) diff --git a/bacula.if b/bacula.if -index dcd774e..c240ffa 100644 +index dcd774ee4..c240ffaf6 100644 --- a/bacula.if +++ b/bacula.if @@ -69,6 +69,7 @@ interface(`bacula_admin',` @@ -9358,7 +9358,7 @@ index dcd774e..c240ffa 100644 allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te -index f16b000..1a7c80f 100644 +index f16b00008..1a7c80f01 100644 --- a/bacula.te +++ b/bacula.te @@ -27,6 +27,9 @@ type bacula_store_t; @@ -9496,7 +9496,7 @@ index f16b000..1a7c80f 100644 + ') +') diff --git a/bcfg2.fc b/bcfg2.fc -index fb42e35..8af0e14 100644 +index fb42e352b..8af0e14ce 100644 --- a/bcfg2.fc +++ b/bcfg2.fc @@ -1,5 +1,7 @@ @@ -9508,7 +9508,7 @@ index fb42e35..8af0e14 100644 /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0) diff --git a/bcfg2.if b/bcfg2.if -index ec95d36..186271b 100644 +index ec95d361e..186271b74 100644 --- a/bcfg2.if +++ b/bcfg2.if @@ -117,6 +117,32 @@ interface(`bcfg2_manage_lib_dirs',` @@ -9577,7 +9577,7 @@ index ec95d36..186271b 100644 + ') ') diff --git a/bcfg2.te b/bcfg2.te -index c3fd7b1..e189593 100644 +index c3fd7b148..e18959384 100644 --- a/bcfg2.te +++ b/bcfg2.te @@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t) @@ -9602,7 +9602,7 @@ index c3fd7b1..e189593 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..982ce9b 100644 +index 2b9a3a10d..982ce9b71 100644 --- a/bind.fc +++ b/bind.fc @@ -1,54 +1,78 @@ @@ -9727,7 +9727,7 @@ index 2b9a3a1..982ce9b 100644 +/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +') 
diff --git a/bind.if b/bind.if -index 531a8f2..3fcf187 100644 +index 531a8f244..3fcf18722 100644 --- a/bind.if +++ b/bind.if @@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',` @@ -9908,7 +9908,7 @@ index 531a8f2..3fcf187 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..73543d3 100644 +index 124112346..73543d306 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -10083,7 +10083,7 @@ index 1241123..73543d3 100644 userdom_use_user_terminals(ndc_t) diff --git a/bird.te b/bird.te -index 1d60c27..f8bb700 100644 +index 1d60c2730..f8bb70055 100644 --- a/bird.te +++ b/bird.te @@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t) @@ -10095,7 +10095,7 @@ index 1d60c27..f8bb700 100644 logging_send_syslog_msg(bird_t) diff --git a/bitlbee.fc b/bitlbee.fc -index e9708d6..61362d0 100644 +index e9708d6cc..61362d088 100644 --- a/bitlbee.fc +++ b/bitlbee.fc @@ -7,7 +7,7 @@ @@ -10108,7 +10108,7 @@ index e9708d6..61362d0 100644 /var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) /var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/bitlbee.if b/bitlbee.if -index e73fb79..2badfc0 100644 +index e73fb799e..2badfc0d9 100644 --- a/bitlbee.if +++ b/bitlbee.if @@ -44,9 +44,13 @@ interface(`bitlbee_admin',` @@ -10127,7 +10127,7 @@ index e73fb79..2badfc0 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index f5c1a48..102fa8e 100644 +index f5c1a48b6..102fa8eae 100644 --- a/bitlbee.te +++ b/bitlbee.te @@ -33,11 +33,14 @@ files_pid_file(bitlbee_var_run_t) @@ -10209,7 +10209,7 @@ index f5c1a48..102fa8e 100644 + diff --git a/blkmapd.fc b/blkmapd.fc new file mode 100644 -index 0000000..5e59fb4 +index 000000000..5e59fb414 --- /dev/null +++ b/blkmapd.fc @@ -0,0 +1,6 @@ 
@@ -10221,7 +10221,7 @@ index 0000000..5e59fb4 +/var/run/blkmapd\.pid -- gen_context(system_u:object_r:blkmapd_var_run_t,s0) diff --git a/blkmapd.if b/blkmapd.if new file mode 100644 -index 0000000..7666379 +index 000000000..76663796f --- /dev/null +++ b/blkmapd.if @@ -0,0 +1,121 @@ @@ -10348,7 +10348,7 @@ index 0000000..7666379 +') diff --git a/blkmapd.te b/blkmapd.te new file mode 100644 -index 0000000..6cfb355 +index 000000000..6cfb35592 --- /dev/null +++ b/blkmapd.te @@ -0,0 +1,44 @@ @@ -10397,7 +10397,7 @@ index 0000000..6cfb355 + rpc_read_nfs_state_data(blkmapd_t) +') diff --git a/blueman.fc b/blueman.fc -index c295d2e..4f84e9c 100644 +index c295d2e01..4f84e9c14 100644 --- a/blueman.fc +++ b/blueman.fc @@ -1,3 +1,4 @@ @@ -10406,7 +10406,7 @@ index c295d2e..4f84e9c 100644 /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) diff --git a/blueman.if b/blueman.if -index 16ec525..1dd4059 100644 +index 16ec52526..1dd40595c 100644 --- a/blueman.if +++ b/blueman.if @@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',` @@ -10418,7 +10418,7 @@ index 16ec525..1dd4059 100644 ######################################## diff --git a/blueman.te b/blueman.te -index 3a5032e..3facb71 100644 +index 3a5032e06..3facb7156 100644 --- a/blueman.te +++ b/blueman.te @@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0) @@ -10513,7 +10513,7 @@ index 3a5032e..3facb71 100644 + xserver_read_state_xdm(blueman_t) +') diff --git a/bluetooth.fc b/bluetooth.fc -index 2b9c7f3..0086b95 100644 +index 2b9c7f329..0086b95d1 100644 --- a/bluetooth.fc +++ b/bluetooth.fc @@ -5,10 +5,14 @@ @@ -10532,7 +10532,7 @@ index 2b9c7f3..0086b95 100644 /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) diff --git a/bluetooth.if b/bluetooth.if -index c723a0a..1c29d21 100644 +index c723a0ae0..1c29d21e7 100644 --- a/bluetooth.if +++ b/bluetooth.if @@ -37,7 +37,12 @@ interface(`bluetooth_role',` 
@@ -10663,7 +10663,7 @@ index c723a0a..1c29d21 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 851769e..4b11e96 100644 +index 851769e55..4b11e9620 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t) @@ -10764,7 +10764,7 @@ index 851769e..4b11e96 100644 term_dontaudit_use_all_ttys(bluetooth_helper_t) diff --git a/boinc.fc b/boinc.fc -index 6d3ccad..9c69f28 100644 +index 6d3ccad60..9c69f28ab 100644 --- a/boinc.fc +++ b/boinc.fc @@ -1,9 +1,15 @@ @@ -10790,7 +10790,7 @@ index 6d3ccad..9c69f28 100644 +/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) +/var/log/boincerr\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) diff --git a/boinc.if b/boinc.if -index 02fefaa..308616e 100644 +index 02fefaaf7..308616e8d 100644 --- a/boinc.if +++ b/boinc.if @@ -1,9 +1,166 @@ @@ -11010,7 +11010,7 @@ index 02fefaa..308616e 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 687d4c4..ff57137 100644 +index 687d4c48d..ff5713723 100644 --- a/boinc.te +++ b/boinc.te @@ -1,4 +1,4 @@ @@ -11312,7 +11312,7 @@ index 687d4c4..ff57137 100644 + unconfined_domain(boinc_project_t) +') diff --git a/brctl.te b/brctl.te -index c5a9113..1919abd 100644 +index c5a91138c..1919abdd8 100644 --- a/brctl.te +++ b/brctl.te @@ -24,6 +24,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms; @@ -11338,7 +11338,7 @@ index c5a9113..1919abd 100644 xen_dontaudit_rw_unix_stream_sockets(brctl_t) diff --git a/brltty.fc b/brltty.fc new file mode 100644 -index 0000000..05e3528 +index 000000000..05e352897 --- /dev/null +++ b/brltty.fc @@ -0,0 +1,10 @@ @@ -11354,7 +11354,7 @@ index 0000000..05e3528 + diff --git a/brltty.if b/brltty.if new file mode 100644 -index 0000000..968c957 +index 000000000..968c957ab --- /dev/null +++ b/brltty.if @@ -0,0 +1,80 @@ @@ -11440,7 +11440,7 @@ index 0000000..968c957 +') 
diff --git a/brltty.te b/brltty.te new file mode 100644 -index 0000000..c167267 +index 000000000..c167267f8 --- /dev/null +++ b/brltty.te @@ -0,0 +1,70 @@ @@ -11515,7 +11515,7 @@ index 0000000..c167267 + +term_use_unallocated_ttys(brltty_t) diff --git a/bugzilla.fc b/bugzilla.fc -index fce0b6e..9efceac 100644 +index fce0b6ebf..9efceac4e 100644 --- a/bugzilla.fc +++ b/bugzilla.fc @@ -1,4 +1,4 @@ @@ -11527,7 +11527,7 @@ index fce0b6e..9efceac 100644 -/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_rw_content_t,s0) diff --git a/bugzilla.if b/bugzilla.if -index 1b22262..d9ea246 100644 +index 1b22262d5..d9ea246a1 100644 --- a/bugzilla.if +++ b/bugzilla.if @@ -12,10 +12,10 @@ @@ -11614,7 +11614,7 @@ index 1b22262..d9ea246 100644 + ') ') diff --git a/bugzilla.te b/bugzilla.te -index 18623e3..c62f617 100644 +index 18623e39e..c62f617e1 100644 --- a/bugzilla.te +++ b/bugzilla.te @@ -6,42 +6,55 @@ policy_module(bugzilla, 1.1.0) @@ -11694,7 +11694,7 @@ index 18623e3..c62f617 100644 ') diff --git a/bumblebee.fc b/bumblebee.fc new file mode 100644 -index 0000000..b5ee23b +index 000000000..b5ee23be7 --- /dev/null +++ b/bumblebee.fc @@ -0,0 +1,7 @@ @@ -11707,7 +11707,7 @@ index 0000000..b5ee23b +/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0) diff --git a/bumblebee.if b/bumblebee.if new file mode 100644 -index 0000000..2d2e60c +index 000000000..2d2e60c19 --- /dev/null +++ b/bumblebee.if @@ -0,0 +1,122 @@ @@ -11835,7 +11835,7 @@ index 0000000..2d2e60c +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..9aee6f3 +index 000000000..9aee6f327 --- /dev/null +++ b/bumblebee.te @@ -0,0 +1,63 @@ @@ -11903,7 +11903,7 @@ index 0000000..9aee6f3 + apm_stream_connect(bumblebee_t) +') diff --git a/cachefilesd.fc b/cachefilesd.fc -index 648c790..aa03fc8 100644 +index 648c7902b..aa03fc8ae 100644 --- a/cachefilesd.fc +++ b/cachefilesd.fc 
@@ -1,9 +1,34 @@ @@ -11945,7 +11945,7 @@ index 648c790..aa03fc8 100644 -/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0) +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0) diff --git a/cachefilesd.if b/cachefilesd.if -index 8de2ab9..3b41945 100644 +index 8de2ab9c5..3b419455f 100644 --- a/cachefilesd.if +++ b/cachefilesd.if @@ -1,39 +1,35 @@ @@ -12011,7 +12011,7 @@ index 8de2ab9..3b41945 100644 + domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t) ') diff --git a/cachefilesd.te b/cachefilesd.te -index a3760bc..22ed920 100644 +index a3760bc92..22ed920b7 100644 --- a/cachefilesd.te +++ b/cachefilesd.te @@ -1,52 +1,125 @@ @@ -12163,7 +12163,7 @@ index a3760bc..22ed920 100644 + +init_sigchld_script(cachefiles_kernel_t) diff --git a/calamaris.if b/calamaris.if -index cd9c528..ba793b7 100644 +index cd9c52871..ba793b748 100644 --- a/calamaris.if +++ b/calamaris.if @@ -42,7 +42,7 @@ interface(`calamaris_run',` @@ -12176,7 +12176,7 @@ index cd9c528..ba793b7 100644 ') diff --git a/calamaris.te b/calamaris.te -index 7e57460..8d8cd78 100644 +index 7e574604b..8d8cd78e5 100644 --- a/calamaris.te +++ b/calamaris.te @@ -23,7 +23,7 @@ files_type(calamaris_www_t) @@ -12218,7 +12218,7 @@ index 7e57460..8d8cd78 100644 optional_policy(` diff --git a/callweaver.te b/callweaver.te -index 0e5be4c..b9a407f 100644 +index 0e5be4cdf..b9a407f90 100644 --- a/callweaver.te +++ b/callweaver.te @@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t) @@ -12227,7 +12227,7 @@ index 0e5be4c..b9a407f 100644 -miscfiles_read_localization(callweaver_t) diff --git a/canna.if b/canna.if -index 400db07..f416e22 100644 +index 400db07a2..f416e22a7 100644 --- a/canna.if +++ b/canna.if @@ -43,9 +43,13 @@ interface(`canna_admin',` @@ -12246,7 +12246,7 @@ index 400db07..f416e22 100644 domain_system_change_exemption($1) role_transition $2 canna_initrc_exec_t system_r; 
diff --git a/canna.te b/canna.te -index 9fe6162..5c505e7 100644 +index 9fe61621f..5c505e7de 100644 --- a/canna.te +++ b/canna.te @@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file }) @@ -12276,7 +12276,7 @@ index 9fe6162..5c505e7 100644 sysnet_read_config(canna_t) diff --git a/ccs.if b/ccs.if -index 5ded72d..cb94e5e 100644 +index 5ded72d37..cb94e5ea7 100644 --- a/ccs.if +++ b/ccs.if @@ -98,20 +98,24 @@ interface(`ccs_manage_config',` @@ -12308,7 +12308,7 @@ index 5ded72d..cb94e5e 100644 files_search_var_lib($1) admin_pattern($1, ccs_var_lib_t) diff --git a/ccs.te b/ccs.te -index 658134d..58deece 100644 +index 658134d8a..58deeceaa 100644 --- a/ccs.te +++ b/ccs.te @@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t) @@ -12356,7 +12356,7 @@ index 658134d..58deece 100644 optional_policy(` diff --git a/cdrecord.if b/cdrecord.if -index fbc20f6..4de4a00 100644 +index fbc20f694..4de4a005c 100644 --- a/cdrecord.if +++ b/cdrecord.if @@ -27,6 +27,9 @@ interface(`cdrecord_role',` @@ -12371,7 +12371,7 @@ index fbc20f6..4de4a00 100644 ps_process_pattern($2, cdrecord_t) ') diff --git a/cdrecord.te b/cdrecord.te -index 16883c9..97e9a42 100644 +index 16883c9c3..97e9a429e 100644 --- a/cdrecord.te +++ b/cdrecord.te @@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t; @@ -12418,7 +12418,7 @@ index 16883c9..97e9a42 100644 optional_policy(` resmgr_stream_connect(cdrecord_t) diff --git a/certmaster.if b/certmaster.if -index 0c53b18..ef29f6e 100644 +index 0c53b189b..ef29f6e6c 100644 --- a/certmaster.if +++ b/certmaster.if @@ -117,13 +117,16 @@ interface(`certmaster_manage_log',` @@ -12442,7 +12442,7 @@ index 0c53b18..ef29f6e 100644 domain_system_change_exemption($1) role_transition $2 certmaster_initrc_exec_t system_r; diff --git a/certmaster.te b/certmaster.te -index 4a87873..113f3b3 100644 +index 4a878730b..113f3b32f 100644 --- a/certmaster.te +++ b/certmaster.te @@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t) 
@@ -12460,7 +12460,7 @@ index 4a87873..113f3b3 100644 + +mta_send_mail(certmaster_t) diff --git a/certmonger.fc b/certmonger.fc -index ed298d8..c887648 100644 +index ed298d8b6..c88764838 100644 --- a/certmonger.fc +++ b/certmonger.fc @@ -1,7 +1,12 @@ @@ -12477,7 +12477,7 @@ index ed298d8..c887648 100644 /var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0) diff --git a/certmonger.if b/certmonger.if -index 008f8ef..144c074 100644 +index 008f8ef26..144c0740a 100644 --- a/certmonger.if +++ b/certmonger.if @@ -160,16 +160,20 @@ interface(`certmonger_admin',` @@ -12505,7 +12505,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..80de6d3 100644 +index 550b287ce..80de6d3b7 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t) @@ -12680,7 +12680,7 @@ index 550b287..80de6d3 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 171fafb..e88a026 100644 +index 171fafb99..e88a0268a 100644 --- a/certwatch.te +++ b/certwatch.te @@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t; @@ -12735,7 +12735,7 @@ index 171fafb..e88a026 100644 ') diff --git a/cfengine.if b/cfengine.if -index a731122..5279d4e 100644 +index a7311229f..5279d4e3a 100644 --- a/cfengine.if +++ b/cfengine.if @@ -13,7 +13,6 @@ @@ -12835,7 +12835,7 @@ index a731122..5279d4e 100644 ') + diff --git a/cfengine.te b/cfengine.te -index fbe3ad9..21ab8e1 100644 +index fbe3ad955..21ab8e176 100644 --- a/cfengine.te +++ b/cfengine.te @@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) @@ -12869,7 +12869,7 @@ index fbe3ad9..21ab8e1 100644 domain_read_all_domains_state(cfengine_monitord_t) diff --git a/cgdcbxd.fc b/cgdcbxd.fc new file mode 100644 -index 0000000..7567038 +index 000000000..756703813 --- /dev/null +++ b/cgdcbxd.fc @@ -0,0 +1,5 @@ 
@@ -12880,7 +12880,7 @@ index 0000000..7567038 +/var/run/cgdcbxd\.pid -- gen_context(system_u:object_r:cgdcbxd_var_run_t,s0) diff --git a/cgdcbxd.if b/cgdcbxd.if new file mode 100644 -index 0000000..1efacf1 +index 000000000..1efacf1d1 --- /dev/null +++ b/cgdcbxd.if @@ -0,0 +1,99 @@ @@ -12985,7 +12985,7 @@ index 0000000..1efacf1 +') diff --git a/cgdcbxd.te b/cgdcbxd.te new file mode 100644 -index 0000000..06ff1b0 +index 000000000..06ff1b01a --- /dev/null +++ b/cgdcbxd.te @@ -0,0 +1,36 @@ @@ -13026,7 +13026,7 @@ index 0000000..06ff1b0 + +domain_dontaudit_read_all_domains_state(cgdcbxd_t) diff --git a/cgroup.if b/cgroup.if -index 85ca63f..1d1c99c 100644 +index 85ca63f9a..1d1c99c8f 100644 --- a/cgroup.if +++ b/cgroup.if @@ -171,8 +171,26 @@ interface(`cgroup_admin',` @@ -13059,7 +13059,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index 80a88a2..514eb47 100644 +index 80a88a27a..514eb47f2 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -13143,7 +13143,7 @@ index 80a88a2..514eb47 100644 +logging_send_syslog_msg(cgred_t) diff --git a/chrome.fc b/chrome.fc new file mode 100644 -index 0000000..5c6bdb6 +index 000000000..5c6bdb68d --- /dev/null +++ b/chrome.fc @@ -0,0 +1,11 @@ @@ -13160,7 +13160,7 @@ index 0000000..5c6bdb6 +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) diff --git a/chrome.if b/chrome.if new file mode 100644 -index 0000000..aa308eb +index 000000000..aa308eba6 --- /dev/null +++ b/chrome.if @@ -0,0 +1,137 @@ @@ -13303,7 +13303,7 @@ index 0000000..aa308eb +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..435a5cd +index 000000000..435a5cdc1 --- /dev/null +++ b/chrome.te @@ -0,0 +1,256 @@ @@ -13564,7 +13564,7 @@ index 0000000..435a5cd + gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) +') 
diff --git a/chronyd.fc b/chronyd.fc -index 4e4143e..f03dba0 100644 +index 4e4143ed8..f03dba037 100644 --- a/chronyd.fc +++ b/chronyd.fc @@ -1,13 +1,18 @@ @@ -13589,7 +13589,7 @@ index 4e4143e..f03dba0 100644 /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) /var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/chronyd.if b/chronyd.if -index 32e8265..ac74503 100644 +index 32e8265c2..ac74503d1 100644 --- a/chronyd.if +++ b/chronyd.if @@ -57,6 +57,24 @@ interface(`chronyd_exec',` @@ -13772,7 +13772,7 @@ index 32e8265..ac74503 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..cfc64f1 100644 +index e5b621c29..cfc64f1b0 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -13859,7 +13859,7 @@ index e5b621c..cfc64f1 100644 ') diff --git a/cinder.fc b/cinder.fc new file mode 100644 -index 0000000..4b318b7 +index 000000000..4b318b783 --- /dev/null +++ b/cinder.fc @@ -0,0 +1,16 @@ @@ -13881,7 +13881,7 @@ index 0000000..4b318b7 +/var/run/cinder(/.*)? gen_context(system_u:object_r:cinder_var_run_t,s0) diff --git a/cinder.if b/cinder.if new file mode 100644 -index 0000000..fc9cae7 +index 000000000..fc9cae7c7 --- /dev/null +++ b/cinder.if @@ -0,0 +1,57 @@ @@ -13944,7 +13944,7 @@ index 0000000..fc9cae7 +') diff --git a/cinder.te b/cinder.te new file mode 100644 -index 0000000..488a7a6 +index 000000000..488a7a659 --- /dev/null +++ b/cinder.te @@ -0,0 +1,169 @@ @@ -14118,7 +14118,7 @@ index 0000000..488a7a6 +') + diff --git a/cipe.te b/cipe.te -index a0aa693..af571ed 100644 +index a0aa693d1..af571edbb 100644 --- a/cipe.te +++ b/cipe.te @@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t) @@ -14147,7 +14147,7 @@ index a0aa693..af571ed 100644 userdom_dontaudit_use_unpriv_user_fds(ciped_t) diff --git a/clamav.fc b/clamav.fc -index d72afcc..c53b80d 100644 +index d72afcc31..c53b80dcd 100644 --- a/clamav.fc 
+++ b/clamav.fc @@ -6,6 +6,8 @@ @@ -14160,7 +14160,7 @@ index d72afcc..c53b80d 100644 /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) diff --git a/clamav.if b/clamav.if -index 4cc4a5c..a6c6322 100644 +index 4cc4a5cd0..a6c632290 100644 --- a/clamav.if +++ b/clamav.if @@ -1,4 +1,4 @@ @@ -14410,7 +14410,7 @@ index 4cc4a5c..a6c6322 100644 + ') diff --git a/clamav.te b/clamav.te -index ce3836a..10595e6 100644 +index ce3836acd..10595e6e5 100644 --- a/clamav.te +++ b/clamav.te @@ -18,7 +18,7 @@ gen_tunable(clamav_read_all_non_security_files_clamscan, false) @@ -14582,7 +14582,7 @@ index ce3836a..10595e6 100644 ') diff --git a/clockspeed.te b/clockspeed.te -index d3e2a67..f5b330c 100644 +index d3e2a67e5..f5b330c08 100644 --- a/clockspeed.te +++ b/clockspeed.te @@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms; @@ -14625,7 +14625,7 @@ index d3e2a67..f5b330c 100644 optional_policy(` daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) diff --git a/clogd.te b/clogd.te -index 4a5b3d1..cd146bd 100644 +index 4a5b3d1a5..cd146bd5a 100644 --- a/clogd.te +++ b/clogd.te @@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t) @@ -14641,7 +14641,7 @@ index 4a5b3d1..cd146bd 100644 ') diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 0000000..3849f13 +index 000000000..3849f134a --- /dev/null +++ b/cloudform.fc @@ -0,0 +1,21 @@ @@ -14668,7 +14668,7 @@ index 0000000..3849f13 +/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) diff --git a/cloudform.if b/cloudform.if new file mode 100644 -index 0000000..55fe0d6 +index 000000000..55fe0d668 --- /dev/null +++ b/cloudform.if @@ -0,0 +1,116 @@ @@ -14790,7 +14790,7 @@ index 0000000..55fe0d6 +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..21e6ae7 +index 000000000..21e6ae757 --- /dev/null +++ b/cloudform.te @@ -0,0 +1,249 @@ @@ -15044,7 +15044,7 @@ index 0000000..21e6ae7 +userdom_home_manager(iwhd_t) + 
diff --git a/cmirrord.if b/cmirrord.if -index cc4e7cb..f348d27 100644 +index cc4e7cb96..f348d2746 100644 --- a/cmirrord.if +++ b/cmirrord.if @@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',` @@ -15076,7 +15076,7 @@ index cc4e7cb..f348d27 100644 domain_system_change_exemption($1) role_transition $2 cmirrord_initrc_exec_t system_r; diff --git a/cmirrord.te b/cmirrord.te -index bbdd396..28b1761 100644 +index bbdd3960e..28b176182 100644 --- a/cmirrord.te +++ b/cmirrord.te @@ -23,13 +23,14 @@ files_pid_file(cmirrord_var_run_t) @@ -15119,7 +15119,7 @@ index bbdd396..28b1761 100644 + rhcs_rw_cluster_tmpfs(cmirrord_t) +') diff --git a/cobbler.fc b/cobbler.fc -index 973d208..6ce8803 100644 +index 973d208ff..6ce88039f 100644 --- a/cobbler.fc +++ b/cobbler.fc @@ -4,11 +4,15 @@ @@ -15139,7 +15139,7 @@ index 973d208..6ce8803 100644 /var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) /var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) diff --git a/cobbler.if b/cobbler.if -index c223f81..8b567c1 100644 +index c223f8132..8b567c191 100644 --- a/cobbler.if +++ b/cobbler.if @@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',` @@ -15208,7 +15208,7 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 5f306dd..36fb0e4 100644 +index 5f306dd44..36fb0e4e7 100644 --- a/cobbler.te +++ b/cobbler.te @@ -62,11 +62,12 @@ files_tmp_file(cobbler_tmp_t) @@ -15326,7 +15326,7 @@ index 5f306dd..36fb0e4 100644 ') diff --git a/cockpit.fc b/cockpit.fc new file mode 100644 -index 0000000..bf80173 +index 000000000..bf801737d --- /dev/null +++ b/cockpit.fc @@ -0,0 +1,13 @@ @@ -15345,7 +15345,7 @@ index 0000000..bf80173 +/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_var_run_t,s0) diff --git a/cockpit.if b/cockpit.if new file mode 100644 -index 0000000..d5920c0 +index 000000000..d5920c061 
--- /dev/null +++ b/cockpit.if @@ -0,0 +1,188 @@ @@ -15539,7 +15539,7 @@ index 0000000..d5920c0 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..b802a99 +index 000000000..b802a9920 --- /dev/null +++ b/cockpit.te @@ -0,0 +1,121 @@ @@ -15665,7 +15665,7 @@ index 0000000..b802a99 + unconfined_domtrans(cockpit_session_t) +') diff --git a/collectd.fc b/collectd.fc -index 79a3abe..3ee73d1 100644 +index 79a3abe3a..3ee73d17d 100644 --- a/collectd.fc +++ b/collectd.fc @@ -1,9 +1,13 @@ @@ -15684,7 +15684,7 @@ index 79a3abe..3ee73d1 100644 -/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0) +/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0) diff --git a/collectd.if b/collectd.if -index 954309e..6780142 100644 +index 954309e64..67801421b 100644 --- a/collectd.if +++ b/collectd.if @@ -2,8 +2,145 @@ @@ -15867,7 +15867,7 @@ index 954309e..6780142 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..90a9319 100644 +index 6471fa8c4..90a9319c6 100644 --- a/collectd.te +++ b/collectd.te @@ -26,43 +26,61 @@ files_type(collectd_var_lib_t) @@ -15997,7 +15997,7 @@ index 6471fa8..90a9319 100644 + +auth_read_passwd(collectd_script_t) diff --git a/colord.fc b/colord.fc -index 71639eb..08ab891 100644 +index 71639eb54..08ab89171 100644 --- a/colord.fc +++ b/colord.fc @@ -7,5 +7,7 @@ @@ -16009,7 +16009,7 @@ index 71639eb..08ab891 100644 /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) diff --git a/colord.if b/colord.if -index 8e27a37..c69be28 100644 +index 8e27a37c1..c69be28b9 100644 --- a/colord.if +++ b/colord.if @@ -1,4 +1,4 @@ @@ -16063,7 +16063,7 @@ index 8e27a37..c69be28 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 9f2dfb2..86836f9 100644 +index 9f2dfb233..86836f9cd 100644 --- a/colord.te 
+++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.1.0) @@ -16193,7 +16193,7 @@ index 9f2dfb2..86836f9 100644 + zoneminder_rw_tmpfs_files(colord_t) +') diff --git a/comsat.te b/comsat.te -index c63cf85..dc6998b 100644 +index c63cf8556..dc6998b60 100644 --- a/comsat.te +++ b/comsat.te @@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t) @@ -16220,7 +16220,7 @@ index c63cf85..dc6998b 100644 mta_getattr_spool(comsat_t) diff --git a/condor.fc b/condor.fc -index ad2b696..28d1af0 100644 +index ad2b69606..28d1af020 100644 --- a/condor.fc +++ b/condor.fc @@ -1,6 +1,7 @@ @@ -16232,7 +16232,7 @@ index ad2b696..28d1af0 100644 /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) diff --git a/condor.if b/condor.if -index 881d92f..a2d588a 100644 +index 881d92f35..a2d588a51 100644 --- a/condor.if +++ b/condor.if @@ -1,75 +1,391 @@ @@ -16691,7 +16691,7 @@ index 881d92f..a2d588a 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040..2a52b42 100644 +index ce9f040e2..2a52b429f 100644 --- a/condor.te +++ b/condor.te @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) @@ -16884,7 +16884,7 @@ index ce9f040..2a52b42 100644 +') diff --git a/conman.fc b/conman.fc new file mode 100644 -index 0000000..b13a6f6 +index 000000000..b13a6f6db --- /dev/null +++ b/conman.fc @@ -0,0 +1,10 @@ @@ -16900,7 +16900,7 @@ index 0000000..b13a6f6 +/var/run/conmand.* -- gen_context(system_u:object_r:conman_var_run_t,s0) diff --git a/conman.if b/conman.if new file mode 100644 -index 0000000..1cc5fa4 +index 000000000..1cc5fa464 --- /dev/null +++ b/conman.if @@ -0,0 +1,143 @@ @@ -17049,7 +17049,7 @@ index 0000000..1cc5fa4 +') diff --git a/conman.te b/conman.te new file mode 100644 -index 0000000..2357f3b +index 000000000..2357f3ba8 --- /dev/null +++ b/conman.te @@ -0,0 +1,97 @@ @@ -17151,7 +17151,7 @@ index 0000000..2357f3b + unconfined_domain(conman_unconfined_script_t) +') 
diff --git a/consolekit.fc b/consolekit.fc -index 23c9558..29e5fd3 100644 +index 23c95582f..29e5fd38d 100644 --- a/consolekit.fc +++ b/consolekit.fc @@ -1,3 +1,5 @@ @@ -17161,7 +17161,7 @@ index 23c9558..29e5fd3 100644 /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) diff --git a/consolekit.if b/consolekit.if -index 5b830ec..78025c5 100644 +index 5b830ec9c..78025c5e7 100644 --- a/consolekit.if +++ b/consolekit.if @@ -21,6 +21,27 @@ interface(`consolekit_domtrans',` @@ -17284,7 +17284,7 @@ index 5b830ec..78025c5 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/consolekit.te b/consolekit.te -index bd18063..94407f8 100644 +index bd18063f6..94407f854 100644 --- a/consolekit.te +++ b/consolekit.te @@ -19,21 +19,23 @@ type consolekit_var_run_t; @@ -17381,7 +17381,7 @@ index bd18063..94407f8 100644 optional_policy(` policykit_domtrans_auth(consolekit_t) diff --git a/corosync.fc b/corosync.fc -index da39f0f..b26d3e0 100644 +index da39f0fcc..b26d3e0a4 100644 --- a/corosync.fc +++ b/corosync.fc @@ -1,5 +1,7 @@ @@ -17399,7 +17399,7 @@ index da39f0f..b26d3e0 100644 +/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/corosync.if b/corosync.if -index 694a037..d859681 100644 +index 694a037da..d8596812d 100644 --- a/corosync.if +++ b/corosync.if @@ -77,6 +77,25 @@ interface(`corosync_read_log',` @@ -17520,7 +17520,7 @@ index 694a037..d859681 100644 + allow $1 corosync_unit_file_t:service all_service_perms; ') diff --git a/corosync.te b/corosync.te -index d5aa1e4..9a25701 100644 +index d5aa1e446..9a2570145 100644 --- a/corosync.te +++ b/corosync.te @@ -28,12 +28,15 @@ logging_log_file(corosync_var_log_t) @@ -17599,7 +17599,7 @@ index d5aa1e4..9a25701 100644 + wdmd_rw_tmpfs(corosync_t) +') diff --git a/couchdb.fc b/couchdb.fc -index c086302..5380ab6 100644 +index c0863022d..5380ab641 100644 --- a/couchdb.fc 
+++ b/couchdb.fc @@ -1,8 +1,10 @@ @@ -17617,7 +17617,7 @@ index c086302..5380ab6 100644 /var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0) diff --git a/couchdb.if b/couchdb.if -index 715a826..a1cbdb2 100644 +index 715a826f1..a1cbdb29e 100644 --- a/couchdb.if +++ b/couchdb.if @@ -2,7 +2,7 @@ @@ -17847,7 +17847,7 @@ index 715a826..a1cbdb2 100644 + ') ') diff --git a/couchdb.te b/couchdb.te -index ae1c1b1..9b3a328 100644 +index ae1c1b12a..9b3a328c2 100644 --- a/couchdb.te +++ b/couchdb.te @@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t) @@ -17924,7 +17924,7 @@ index ae1c1b1..9b3a328 100644 -miscfiles_read_localization(couchdb_t) diff --git a/courier.fc b/courier.fc -index 2f017a0..defdc87 100644 +index 2f017a076..defdc871e 100644 --- a/courier.fc +++ b/courier.fc @@ -11,17 +11,18 @@ @@ -17955,7 +17955,7 @@ index 2f017a0..defdc87 100644 /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) diff --git a/courier.if b/courier.if -index 10f820f..acdb179 100644 +index 10f820fc7..acdb179e8 100644 --- a/courier.if +++ b/courier.if @@ -1,12 +1,12 @@ @@ -18131,7 +18131,7 @@ index 10f820f..acdb179 100644 allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; ') diff --git a/courier.te b/courier.te -index ae3bc70..d64452f 100644 +index ae3bc70e9..d64452f77 100644 --- a/courier.te +++ b/courier.te @@ -18,7 +18,7 @@ type courier_etc_t; @@ -18221,7 +18221,7 @@ index ae3bc70..d64452f 100644 ######################################## # diff --git a/cpucontrol.te b/cpucontrol.te -index af72c4e..afab036 100644 +index af72c4e55..afab0367f 100644 --- a/cpucontrol.te +++ b/cpucontrol.te @@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain) @@ -18258,7 +18258,7 @@ index af72c4e..afab036 100644 -miscfiles_read_localization(cpuspeed_t) +logging_send_syslog_msg(cpuspeed_t) 
diff --git a/cpufreqselector.te b/cpufreqselector.te -index 6cedb87..530e250 100644 +index 6cedb8724..530e250e5 100644 --- a/cpufreqselector.te +++ b/cpufreqselector.te @@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t) @@ -18296,7 +18296,7 @@ index 6cedb87..530e250 100644 +') diff --git a/cpuplug.fc b/cpuplug.fc new file mode 100644 -index 0000000..be203ff +index 000000000..be203ff49 --- /dev/null +++ b/cpuplug.fc @@ -0,0 +1,3 @@ @@ -18305,7 +18305,7 @@ index 0000000..be203ff +/usr/sbin/cpuplugd -- gen_context(system_u:object_r:cpuplug_exec_t,s0) diff --git a/cpuplug.if b/cpuplug.if new file mode 100644 -index 0000000..c68d1d3 +index 000000000..c68d1d3cf --- /dev/null +++ b/cpuplug.if @@ -0,0 +1,20 @@ @@ -18331,7 +18331,7 @@ index 0000000..c68d1d3 +') diff --git a/cpuplug.te b/cpuplug.te new file mode 100644 -index 0000000..074f3e0 +index 000000000..074f3e04d --- /dev/null +++ b/cpuplug.te @@ -0,0 +1,40 @@ @@ -18376,7 +18376,7 @@ index 0000000..074f3e0 +logging_send_syslog_msg(cpuplug_t) + diff --git a/cron.fc b/cron.fc -index ad0bae9..615a947 100644 +index ad0bae948..615a947aa 100644 --- a/cron.fc +++ b/cron.fc @@ -1,66 +1,77 @@ @@ -18498,7 +18498,7 @@ index ad0bae9..615a947 100644 +/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ') diff --git a/cron.if b/cron.if -index 1303b30..f13c532 100644 +index 1303b3036..f13c53200 100644 --- a/cron.if +++ b/cron.if @@ -2,11 +2,12 @@ @@ -19533,7 +19533,7 @@ index 1303b30..f13c532 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..61dcff6 100644 +index 7de385956..61dcff6a5 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` @@ -20523,7 +20523,7 @@ index 7de3859..61dcff6 100644 type unconfined_cronjob_t; diff --git a/ctdb.fc b/ctdb.fc -index 8401fe6..84ece3e 100644 +index 8401fe6f3..84ece3e4a 100644 --- a/ctdb.fc +++ b/ctdb.fc @@ -1,12 +1,20 @@ 
@@ -20548,7 +20548,7 @@ index 8401fe6..84ece3e 100644 /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) diff --git a/ctdb.if b/ctdb.if -index b25b01d..06895f3 100644 +index b25b01d12..06895f39a 100644 --- a/ctdb.if +++ b/ctdb.if @@ -1,9 +1,178 @@ @@ -20853,7 +20853,7 @@ index b25b01d..06895f3 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..73da04a 100644 +index 001b502e6..73da04ae1 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -20974,7 +20974,7 @@ index 001b502..73da04a 100644 optional_policy(` diff --git a/cups.fc b/cups.fc -index 949011e..8f8bc20 100644 +index 949011ec8..8f8bc200a 100644 --- a/cups.fc +++ b/cups.fc @@ -1,77 +1,92 @@ @@ -21120,7 +21120,7 @@ index 949011e..8f8bc20 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 3023be7..5afde80 100644 +index 3023be7f6..5afde8039 100644 --- a/cups.if +++ b/cups.if @@ -70,6 +70,7 @@ interface(`cups_stream_connect',` @@ -21259,7 +21259,7 @@ index 3023be7..5afde80 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..8c014f7 100644 +index c91813ccb..8c014f781 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -21990,7 +21990,7 @@ index c91813c..8c014f7 100644 ') + diff --git a/cvs.fc b/cvs.fc -index 75c8be9..4c1a965 100644 +index 75c8be90c..4c1a965c0 100644 --- a/cvs.fc +++ b/cvs.fc @@ -1,13 +1,16 @@ @@ -22013,7 +22013,7 @@ index 75c8be9..4c1a965 100644 -/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0) diff --git a/cvs.if b/cvs.if -index 64775fd..91a6056 100644 +index 64775fd37..91a60569c 100644 --- a/cvs.if +++ b/cvs.if @@ -1,5 +1,23 @@ 
@@ -22093,7 +22093,7 @@ index 64775fd..91a6056 100644 + admin_pattern($1, cvs_home_t) ') diff --git a/cvs.te b/cvs.te -index 0f77550..36e4a38 100644 +index 0f7755005..36e4a38cf 100644 --- a/cvs.te +++ b/cvs.te @@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2) @@ -22185,7 +22185,7 @@ index 0f77550..36e4a38 100644 + files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir }) ') diff --git a/cyphesis.te b/cyphesis.te -index 77ffc73..86e11f5 100644 +index 77ffc7355..86e11f5e3 100644 --- a/cyphesis.te +++ b/cyphesis.te @@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t) @@ -22211,7 +22211,7 @@ index 77ffc73..86e11f5 100644 optional_policy(` diff --git a/cyrus.if b/cyrus.if -index 83bfda6..92d9fb2 100644 +index 83bfda6ed..92d9fb2e7 100644 --- a/cyrus.if +++ b/cyrus.if @@ -20,6 +20,25 @@ interface(`cyrus_manage_data',` @@ -22256,7 +22256,7 @@ index 83bfda6..92d9fb2 100644 domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff --git a/cyrus.te b/cyrus.te -index 4283f2d..41de1bd 100644 +index 4283f2de2..41de1bdf6 100644 --- a/cyrus.te +++ b/cyrus.te @@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t) @@ -22336,7 +22336,7 @@ index 4283f2d..41de1bd 100644 ') diff --git a/daemontools.if b/daemontools.if -index 3b3d9a0..6c8106a 100644 +index 3b3d9a0b7..6c8106a87 100644 --- a/daemontools.if +++ b/daemontools.if @@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',` @@ -22345,7 +22345,7 @@ index 3b3d9a0..6c8106a 100644 ') + diff --git a/daemontools.te b/daemontools.te -index ee1b4aa..2fd746e 100644 +index ee1b4aa8e..2fd746e05 100644 --- a/daemontools.te +++ b/daemontools.te @@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld; @@ -22395,7 +22395,7 @@ index ee1b4aa..2fd746e 100644 - -miscfiles_read_localization(svc_start_t) diff --git a/dante.te b/dante.te -index 5a5e290..6321a1d 100644 +index 5a5e2902a..6321a1d0a 100644 --- a/dante.te +++ b/dante.te @@ -53,7 +53,6 @@ dev_read_sysfs(dante_t) 
@@ -22407,7 +22407,7 @@ index 5a5e290..6321a1d 100644 fs_getattr_all_fs(dante_t) diff --git a/dbadm.te b/dbadm.te -index b60c464..3a5246a 100644 +index b60c464f1..3a5246a9b 100644 --- a/dbadm.te +++ b/dbadm.te @@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false) @@ -22444,7 +22444,7 @@ index b60c464..3a5246a 100644 + sudo_role_template(dbadm, dbadm_r, dbadm_t) +') diff --git a/dbskk.te b/dbskk.te -index f55c420..e9d64ab 100644 +index f55c42082..e9d64ab5f 100644 --- a/dbskk.te +++ b/dbskk.te @@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t) @@ -22467,7 +22467,7 @@ index f55c420..e9d64ab 100644 - -miscfiles_read_localization(dbskkd_t) diff --git a/dbus.fc b/dbus.fc -index dda905b..5587295 100644 +index dda905b9c..558729530 100644 --- a/dbus.fc +++ b/dbus.fc @@ -1,20 +1,29 @@ @@ -22511,7 +22511,7 @@ index dda905b..5587295 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..01f6380 100644 +index 62d22cb46..01f6380e6 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -23432,7 +23432,7 @@ index 62d22cb..01f6380 100644 + ') diff --git a/dbus.te b/dbus.te -index c9998c8..cdf3b2d 100644 +index c9998c80d..cdf3b2dc7 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -23837,7 +23837,7 @@ index c9998c8..cdf3b2d 100644 +kernel_stream_connect(session_bus_type) +systemd_login_read_pid_files(session_bus_type) diff --git a/dcc.fc b/dcc.fc -index 62d3c4e..cef59a7 100644 +index 62d3c4e66..cef59a752 100644 --- a/dcc.fc +++ b/dcc.fc @@ -10,6 +10,8 @@ @@ -23850,7 +23850,7 @@ index 62d3c4e..cef59a7 100644 /usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) /usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) diff --git a/dcc.if b/dcc.if -index a5c21e0..4639421 100644 +index a5c21e0e8..46394219a 100644 --- a/dcc.if +++ b/dcc.if @@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',` 
@@ -23862,7 +23862,7 @@ index a5c21e0..4639421 100644 stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) ') diff --git a/dcc.te b/dcc.te -index 353fa4a..a5e912f 100644 +index 353fa4a09..a5e912fca 100644 --- a/dcc.te +++ b/dcc.te @@ -45,7 +45,7 @@ type dcc_var_t; @@ -24015,7 +24015,7 @@ index 353fa4a..a5e912f 100644 userdom_dontaudit_search_user_home_dirs(dccm_t) diff --git a/ddclient.if b/ddclient.if -index 5606b40..cd18cf2 100644 +index 5606b4069..cd18cf2a7 100644 --- a/ddclient.if +++ b/ddclient.if @@ -70,9 +70,13 @@ interface(`ddclient_admin',` @@ -24034,7 +24034,7 @@ index 5606b40..cd18cf2 100644 domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff --git a/ddclient.te b/ddclient.te -index a4caa1b..42f3066 100644 +index a4caa1b5b..42f30662d 100644 --- a/ddclient.te +++ b/ddclient.te @@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t) @@ -24089,7 +24089,7 @@ index a4caa1b..42f3066 100644 sysnet_exec_ifconfig(ddclient_t) sysnet_dns_name_resolve(ddclient_t) diff --git a/ddcprobe.te b/ddcprobe.te -index 8fa4bb9..8f5ffb0 100644 +index 8fa4bb994..8f5ffb00a 100644 --- a/ddcprobe.te +++ b/ddcprobe.te @@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t) @@ -24103,7 +24103,7 @@ index 8fa4bb9..8f5ffb0 100644 term_use_all_ttys(ddcprobe_t) term_use_all_ptys(ddcprobe_t) diff --git a/denyhosts.if b/denyhosts.if -index a7326da..c87b5b7 100644 +index a7326da62..c87b5b7c6 100644 --- a/denyhosts.if +++ b/denyhosts.if @@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',` @@ -24144,7 +24144,7 @@ index a7326da..c87b5b7 100644 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/denyhosts.te b/denyhosts.te -index 583a527..91c4104 100644 +index 583a52726..91c4104c7 100644 --- a/denyhosts.te +++ b/denyhosts.te @@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t) @@ -24196,7 +24196,7 @@ index 583a527..91c4104 100644 + gnome_dontaudit_search_config(denyhosts_t) +') 
diff --git a/devicekit.fc b/devicekit.fc -index ae49c9d..99a54eb 100644 +index ae49c9d99..99a54eb7f 100644 --- a/devicekit.fc +++ b/devicekit.fc @@ -11,6 +11,8 @@ @@ -24214,7 +24214,7 @@ index ae49c9d..99a54eb 100644 /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) + diff --git a/devicekit.if b/devicekit.if -index 8ce99ff..1bc5d3a 100644 +index 8ce99ff48..1bc5d3aea 100644 --- a/devicekit.if +++ b/devicekit.if @@ -1,4 +1,4 @@ @@ -24631,7 +24631,7 @@ index 8ce99ff..1bc5d3a 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 77a5003..cb628f9 100644 +index 77a5003c0..cb628f935 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1) @@ -24878,7 +24878,7 @@ index 77a5003..cb628f9 100644 +') + diff --git a/dhcp.fc b/dhcp.fc -index 8182c48..0b9bb97 100644 +index 8182c4806..0b9bb9710 100644 --- a/dhcp.fc +++ b/dhcp.fc @@ -1,6 +1,13 @@ @@ -24897,7 +24897,7 @@ index 8182c48..0b9bb97 100644 /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) diff --git a/dhcp.if b/dhcp.if -index c697edb..954c090 100644 +index c697edbcd..954c090bd 100644 --- a/dhcp.if +++ b/dhcp.if @@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',` @@ -24969,7 +24969,7 @@ index c697edb..954c090 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 98a24b9..d6cb9e7 100644 +index 98a24b989..d6cb9e7ba 100644 --- a/dhcp.te +++ b/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -25056,7 +25056,7 @@ index 98a24b9..d6cb9e7 100644 dbus_connect_system_bus(dhcpd_t) ') diff --git a/dictd.if b/dictd.if -index 3cc3494..cb0a1f4 100644 +index 3cc3494bd..cb0a1f4bf 100644 --- a/dictd.if +++ b/dictd.if @@ -38,8 +38,11 @@ interface(`dictd_admin',` 
@@ -25073,7 +25073,7 @@ index 3cc3494..cb0a1f4 100644 init_labeled_script_domtrans($1, dictd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/dictd.te b/dictd.te -index 433d3c5..0dccebf 100644 +index 433d3c5a0..0dccebfd9 100644 --- a/dictd.te +++ b/dictd.te @@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file) @@ -25102,7 +25102,7 @@ index 433d3c5..0dccebf 100644 optional_policy(` diff --git a/dirmngr.te b/dirmngr.te -index b3b2188..5f91705 100644 +index b3b218815..5f917054c 100644 --- a/dirmngr.te +++ b/dirmngr.te @@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file }) @@ -25114,7 +25114,7 @@ index b3b2188..5f91705 100644 miscfiles_read_localization(dirmngr_t) diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc new file mode 100644 -index 0000000..38b17f8 +index 000000000..38b17f89f --- /dev/null +++ b/dirsrv-admin.fc @@ -0,0 +1,17 @@ @@ -25137,7 +25137,7 @@ index 0000000..38b17f8 +/var/lock/subsys/dirsrv-admin -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0) diff --git a/dirsrv-admin.if b/dirsrv-admin.if new file mode 100644 -index 0000000..0d4e704 +index 000000000..0d4e70492 --- /dev/null +++ b/dirsrv-admin.if @@ -0,0 +1,157 @@ @@ -25300,7 +25300,7 @@ index 0000000..0d4e704 +') diff --git a/dirsrv-admin.te b/dirsrv-admin.te new file mode 100644 -index 0000000..09223af +index 000000000..09223afb3 --- /dev/null +++ b/dirsrv-admin.te @@ -0,0 +1,167 @@ @@ -25473,7 +25473,7 @@ index 0000000..09223af + diff --git a/dirsrv.fc b/dirsrv.fc new file mode 100644 -index 0000000..5d30dab +index 000000000..5d30dab95 --- /dev/null +++ b/dirsrv.fc @@ -0,0 +1,23 @@ @@ -25502,7 +25502,7 @@ index 0000000..5d30dab +/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) diff --git a/dirsrv.if b/dirsrv.if new file mode 100644 -index 0000000..b3784d8 +index 000000000..b3784d85d --- /dev/null +++ b/dirsrv.if @@ -0,0 +1,232 @@ @@ -25740,7 +25740,7 @@ index 0000000..b3784d8 +') 
diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..03988c9 +index 000000000..03988c910 --- /dev/null +++ b/dirsrv.te @@ -0,0 +1,204 @@ @@ -25949,7 +25949,7 @@ index 0000000..03988c9 + snmp_stream_connect(dirsrv_snmp_t) +') diff --git a/distcc.if b/distcc.if -index 24d8c74..1790ec5 100644 +index 24d8c740c..1790ec5dc 100644 --- a/distcc.if +++ b/distcc.if @@ -19,7 +19,7 @@ @@ -25962,7 +25962,7 @@ index 24d8c74..1790ec5 100644 ') diff --git a/distcc.te b/distcc.te -index 898b2f4..8a1725b 100644 +index 898b2f433..8a1725b62 100644 --- a/distcc.te +++ b/distcc.te @@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file) @@ -25983,7 +25983,7 @@ index 898b2f4..8a1725b 100644 userdom_dontaudit_search_user_home_dirs(distccd_t) diff --git a/djbdns.if b/djbdns.if -index 671d3c0..6d36c95 100644 +index 671d3c0a1..6d36c951a 100644 --- a/djbdns.if +++ b/djbdns.if @@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',` @@ -26011,7 +26011,7 @@ index 671d3c0..6d36c95 100644 ##################################### diff --git a/djbdns.te b/djbdns.te -index 87ca536..ebd327a 100644 +index 87ca536ae..ebd327ad1 100644 --- a/djbdns.te +++ b/djbdns.te @@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain) @@ -26026,7 +26026,7 @@ index 87ca536..ebd327a 100644 # # axfrdns local policy diff --git a/dkim.fc b/dkim.fc -index 5818418..674367b 100644 +index 5818418af..674367b3a 100644 --- a/dkim.fc +++ b/dkim.fc @@ -9,7 +9,6 @@ @@ -26038,7 +26038,7 @@ index 5818418..674367b 100644 /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/dmidecode.if b/dmidecode.if -index 41c3f67..653a1ec 100644 +index 41c3f6770..653a1ecbb 100644 --- a/dmidecode.if +++ b/dmidecode.if @@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',` @@ -26068,7 +26068,7 @@ index 41c3f67..653a1ec 100644 ## ## Execute dmidecode in the dmidecode 
diff --git a/dmidecode.te b/dmidecode.te -index aa0ef6e..02bdb68 100644 +index aa0ef6e94..02bdb681d 100644 --- a/dmidecode.te +++ b/dmidecode.te @@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t) @@ -26082,7 +26082,7 @@ index aa0ef6e..02bdb68 100644 + rhsmcertd_rw_inherited_lock_files(dmidecode_t) +') diff --git a/dnsmasq.fc b/dnsmasq.fc -index 23ab808..84735a8 100644 +index 23ab808d8..84735a8cb 100644 --- a/dnsmasq.fc +++ b/dnsmasq.fc @@ -1,13 +1,16 @@ @@ -26105,7 +26105,7 @@ index 23ab808..84735a8 100644 +/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if -index 19aa0b8..a79982c 100644 +index 19aa0b80b..a79982cd6 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -10,7 +10,6 @@ @@ -26391,7 +26391,7 @@ index 19aa0b8..a79982c 100644 + + diff --git a/dnsmasq.te b/dnsmasq.te -index 37a3b7b..78c681c 100644 +index 37a3b7b30..78c681ce9 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,12 +24,15 @@ logging_log_file(dnsmasq_var_log_t) @@ -26495,7 +26495,7 @@ index 37a3b7b..78c681c 100644 +') diff --git a/dnssec.fc b/dnssec.fc new file mode 100644 -index 0000000..1714fa6 +index 000000000..1714fa661 --- /dev/null +++ b/dnssec.fc @@ -0,0 +1,6 @@ @@ -26507,7 +26507,7 @@ index 0000000..1714fa6 +/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) diff --git a/dnssec.if b/dnssec.if new file mode 100644 -index 0000000..d22ed69 +index 000000000..d22ed691a --- /dev/null +++ b/dnssec.if @@ -0,0 +1,123 @@ @@ -26636,7 +26636,7 @@ index 0000000..d22ed69 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..2387876 +index 000000000..238787661 --- /dev/null +++ b/dnssec.te @@ -0,0 +1,91 @@ @@ -26732,7 +26732,7 @@ index 0000000..2387876 + networkmanager_read_conf(dnssec_trigger_t) +') diff --git a/dnssectrigger.te b/dnssectrigger.te -index c7bb4e7..e6fe2f40 100644 +index c7bb4e782..e6fe2f402 100644 
--- a/dnssectrigger.te +++ b/dnssectrigger.te @@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t) @@ -26745,7 +26745,7 @@ index c7bb4e7..e6fe2f40 100644 sysnet_manage_config(dnssec_triggerd_t) sysnet_etc_filetrans_config(dnssec_triggerd_t) diff --git a/dovecot.fc b/dovecot.fc -index c880070..4448055 100644 +index c88007004..444805588 100644 --- a/dovecot.fc +++ b/dovecot.fc @@ -1,36 +1,48 @@ @@ -26820,7 +26820,7 @@ index c880070..4448055 100644 -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/dovecot.if b/dovecot.if -index d5badb7..c2431fc 100644 +index d5badb755..c2431fc73 100644 --- a/dovecot.if +++ b/dovecot.if @@ -1,29 +1,49 @@ @@ -27037,7 +27037,7 @@ index d5badb7..c2431fc 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e..994752c 100644 +index 0aabc7e66..994752cd2 100644 --- a/dovecot.te +++ b/dovecot.te @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) @@ -27480,7 +27480,7 @@ index 0aabc7e..994752c 100644 sendmail_domtrans(dovecot_deliver_t) ') diff --git a/dpkg.te b/dpkg.te -index 50af48c..5ab4901 100644 +index 50af48c89..5ab49010f 100644 --- a/dpkg.te +++ b/dpkg.te @@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t) @@ -27493,7 +27493,7 @@ index 50af48c..5ab4901 100644 allow dpkg_t self:fd use; allow dpkg_t self:fifo_file rw_fifo_file_perms; diff --git a/drbd.fc b/drbd.fc -index 671a3fb..47b4958 100644 +index 671a3fb6f..47b4958d0 100644 --- a/drbd.fc +++ b/drbd.fc @@ -3,7 +3,7 @@ @@ -27512,7 +27512,7 @@ index 671a3fb..47b4958 100644 + +/var/run/drbd(/.*)? gen_context(system_u:object_r:drbd_var_run_t,s0) diff --git a/drbd.if b/drbd.if -index 9a21639..26c5986 100644 +index 9a2163936..26c59868b 100644 --- a/drbd.if +++ b/drbd.if @@ -2,12 +2,11 @@ @@ -27654,7 +27654,7 @@ index 9a21639..26c5986 100644 ') + 
diff --git a/drbd.te b/drbd.te -index f2516cc..af2c2ad 100644 +index f2516cc07..af2c2ad81 100644 --- a/drbd.te +++ b/drbd.te @@ -18,38 +18,72 @@ files_type(drbd_var_lib_t) @@ -27737,7 +27737,7 @@ index f2516cc..af2c2ad 100644 + rhcs_manage_cluster_lib_files(drbd_t) +') diff --git a/dspam.fc b/dspam.fc -index 5eddac5..b5fcb77 100644 +index 5eddac51c..b5fcb7760 100644 --- a/dspam.fc +++ b/dspam.fc @@ -2,11 +2,16 @@ @@ -27760,7 +27760,7 @@ index 5eddac5..b5fcb77 100644 + +/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:dspam_rw_content_t,s0) diff --git a/dspam.if b/dspam.if -index 18f2452..a446210 100644 +index 18f245250..a446210f0 100644 --- a/dspam.if +++ b/dspam.if @@ -1,13 +1,15 @@ @@ -28035,7 +28035,7 @@ index 18f2452..a446210 100644 + ') diff --git a/dspam.te b/dspam.te -index ef62363..0841716 100644 +index ef6236335..084171673 100644 --- a/dspam.te +++ b/dspam.te @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) @@ -28114,7 +28114,7 @@ index ef62363..0841716 100644 +') diff --git a/ejabberd.fc b/ejabberd.fc new file mode 100644 -index 0000000..e797d62 +index 000000000..e797d6209 --- /dev/null +++ b/ejabberd.fc @@ -0,0 +1,7 @@ @@ -28127,7 +28127,7 @@ index 0000000..e797d62 +/var/log/ejabberd(/.*)? gen_context(system_u:object_r:ejabberd_var_log_t,s0) diff --git a/ejabberd.if b/ejabberd.if new file mode 100644 -index 0000000..91ef4a4 +index 000000000..91ef4a49b --- /dev/null +++ b/ejabberd.if @@ -0,0 +1,34 @@ @@ -28167,7 +28167,7 @@ index 0000000..91ef4a4 +') diff --git a/ejabberd.te b/ejabberd.te new file mode 100644 -index 0000000..4498b11 +index 000000000..4498b1110 --- /dev/null +++ b/ejabberd.te @@ -0,0 +1,62 @@ @@ -28234,7 +28234,7 @@ index 0000000..4498b11 + +sysnet_read_config(ejabberd_t) diff --git a/entropyd.te b/entropyd.te -index b8b8328..e3dc7c7 100644 +index b8b8328c0..e3dc7c72c 100644 --- a/entropyd.te +++ b/entropyd.te @@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0) 
@@ -28276,7 +28276,7 @@ index b8b8328..e3dc7c7 100644 userdom_dontaudit_search_user_home_dirs(entropyd_t) diff --git a/etcd.fc b/etcd.fc new file mode 100644 -index 0000000..eac30a3 +index 000000000..eac30a338 --- /dev/null +++ b/etcd.fc @@ -0,0 +1,5 @@ @@ -28287,7 +28287,7 @@ index 0000000..eac30a3 +/var/lib/etcd(/.*)? gen_context(system_u:object_r:etcd_var_lib_t,s0) diff --git a/etcd.if b/etcd.if new file mode 100644 -index 0000000..d1a05a6 +index 000000000..d1a05a650 --- /dev/null +++ b/etcd.if @@ -0,0 +1,161 @@ @@ -28454,7 +28454,7 @@ index 0000000..d1a05a6 +') diff --git a/etcd.te b/etcd.te new file mode 100644 -index 0000000..7cee445 +index 000000000..7cee445f6 --- /dev/null +++ b/etcd.te @@ -0,0 +1,42 @@ @@ -28501,7 +28501,7 @@ index 0000000..7cee445 + +logging_send_syslog_msg(etcd_t) diff --git a/evolution.fc b/evolution.fc -index 597f305..8520653 100644 +index 597f305da..85206539c 100644 --- a/evolution.fc +++ b/evolution.fc @@ -1,5 +1,6 @@ @@ -28512,7 +28512,7 @@ index 597f305..8520653 100644 /tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0) diff --git a/evolution.te b/evolution.te -index c99e07c..ab9dd9f 100644 +index c99e07c48..ab9dd9f90 100644 --- a/evolution.te +++ b/evolution.te @@ -168,7 +168,6 @@ dev_read_urand(evolution_t) @@ -28557,7 +28557,7 @@ index c99e07c..ab9dd9f 100644 fs_search_auto_mountpoints(evolution_server_t) diff --git a/exim.if b/exim.if -index 9bbc690..4a8d053 100644 +index 9bbc6907a..4a8d0536b 100644 --- a/exim.if +++ b/exim.if @@ -21,35 +21,51 @@ interface(`exim_domtrans',` @@ -28708,7 +28708,7 @@ index 9bbc690..4a8d053 100644 role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r; diff --git a/exim.te b/exim.te -index 4086c51..3e7a990 100644 +index 4086c51b9..3e7a99099 100644 --- a/exim.te +++ b/exim.te @@ -55,7 +55,7 @@ type exim_log_t; @@ -28790,7 +28790,7 @@ index 4086c51..3e7a990 100644 optional_policy(` 
diff --git a/fail2ban.if b/fail2ban.if -index 50d0084..94e1936 100644 +index 50d0084d4..94e193606 100644 --- a/fail2ban.if +++ b/fail2ban.if @@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',` @@ -29094,7 +29094,7 @@ index 50d0084..94e1936 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e567..7bebd26 100644 +index cf0e56772..7bebd2699 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; @@ -29219,7 +29219,7 @@ index cf0e567..7bebd26 100644 + apache_read_log(fail2ban_client_t) +') diff --git a/fcoe.te b/fcoe.te -index ce358fb..cdc11a7 100644 +index ce358fb3f..cdc11a7f9 100644 --- a/fcoe.te +++ b/fcoe.te @@ -20,25 +20,32 @@ files_pid_file(fcoemon_var_run_t) @@ -29260,7 +29260,7 @@ index ce358fb..cdc11a7 100644 + networkmanager_dgram_send(fcoemon_t) +') diff --git a/fetchmail.fc b/fetchmail.fc -index 133b8ee..a47a12f 100644 +index 133b8ee67..a47a12fe7 100644 --- a/fetchmail.fc +++ b/fetchmail.fc @@ -1,4 +1,5 @@ @@ -29270,7 +29270,7 @@ index 133b8ee..a47a12f 100644 /etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0) diff --git a/fetchmail.if b/fetchmail.if -index c3f7916..cab3954 100644 +index c3f791660..cab3954f3 100644 --- a/fetchmail.if +++ b/fetchmail.if @@ -23,14 +23,16 @@ interface(`fetchmail_admin',` @@ -29294,7 +29294,7 @@ index c3f7916..cab3954 100644 admin_pattern($1, fetchmail_etc_t) diff --git a/fetchmail.te b/fetchmail.te -index 742559a..fa51d09 100644 +index 742559a54..fa51d09dd 100644 --- a/fetchmail.te +++ b/fetchmail.te @@ -32,14 +32,18 @@ files_type(fetchmail_uidl_cache_t) @@ -29354,7 +29354,7 @@ index 742559a..fa51d09 100644 optional_policy(` procmail_domtrans(fetchmail_t) diff --git a/finger.te b/finger.te -index 35da09d..85f1e03 100644 +index 35da09d97..85f1e03d4 100644 --- a/finger.te +++ b/finger.te @@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file) 
@@ -29391,7 +29391,7 @@ index 35da09d..85f1e03 100644 userdom_dontaudit_use_unpriv_user_fds(fingerd_t) diff --git a/firewalld.fc b/firewalld.fc -index 21d7b84..0e272bd 100644 +index 21d7b8442..0e272bd0e 100644 --- a/firewalld.fc +++ b/firewalld.fc @@ -1,3 +1,5 @@ @@ -29401,7 +29401,7 @@ index 21d7b84..0e272bd 100644 /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) diff --git a/firewalld.if b/firewalld.if -index c62c567..a74f123 100644 +index c62c5670a..a74f123da 100644 --- a/firewalld.if +++ b/firewalld.if @@ -2,7 +2,7 @@ @@ -29577,7 +29577,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..42ee4d3 100644 +index 98072a3a1..42ee4d39c 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t) @@ -29687,7 +29687,7 @@ index 98072a3..42ee4d3 100644 ') diff --git a/firewallgui.if b/firewallgui.if -index e6866d1..941f4ef 100644 +index e6866d1fd..941f4ef73 100644 --- a/firewallgui.if +++ b/firewallgui.if @@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',` @@ -29698,7 +29698,7 @@ index e6866d1..941f4ef 100644 + dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms; ') diff --git a/firewallgui.te b/firewallgui.te -index 2094546..2481a97 100644 +index 209454664..2481a9704 100644 --- a/firewallgui.te +++ b/firewallgui.te @@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t) @@ -29729,7 +29729,7 @@ index 2094546..2481a97 100644 optional_policy(` diff --git a/firstboot.fc b/firstboot.fc -index 12c782c..ba614e4 100644 +index 12c782c89..ba614e457 100644 --- a/firstboot.fc +++ b/firstboot.fc @@ -1,5 +1,3 @@ @@ -29741,7 +29741,7 @@ index 12c782c..ba614e4 100644 -/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) +/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) 
diff --git a/firstboot.if b/firstboot.if -index 280f875..f3a67c9 100644 +index 280f875f0..f3a67c911 100644 --- a/firstboot.if +++ b/firstboot.if @@ -1,4 +1,7 @@ @@ -29868,7 +29868,7 @@ index 280f875..f3a67c9 100644 ## ## diff --git a/firstboot.te b/firstboot.te -index 5010f04..0341ae1 100644 +index 5010f04e1..0341ae121 100644 --- a/firstboot.te +++ b/firstboot.te @@ -1,7 +1,7 @@ @@ -30008,7 +30008,7 @@ index 5010f04..0341ae1 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index 92a6479..f064c94 100644 +index 92a6479a2..f064c940d 100644 --- a/fprintd.te +++ b/fprintd.te @@ -18,25 +18,29 @@ files_type(fprintd_var_lib_t) @@ -30069,7 +30069,7 @@ index 92a6479..f064c94 100644 ') diff --git a/freeipmi.fc b/freeipmi.fc new file mode 100644 -index 0000000..0942a2e +index 000000000..0942a2e39 --- /dev/null +++ b/freeipmi.fc @@ -0,0 +1,17 @@ @@ -30092,7 +30092,7 @@ index 0000000..0942a2e +/var/run/bmc-watchdog\.pid -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0) diff --git a/freeipmi.if b/freeipmi.if new file mode 100644 -index 0000000..dc94853 +index 000000000..dc9485309 --- /dev/null +++ b/freeipmi.if @@ -0,0 +1,71 @@ @@ -30169,7 +30169,7 @@ index 0000000..dc94853 + diff --git a/freeipmi.te b/freeipmi.te new file mode 100644 -index 0000000..0ca4fc3 +index 000000000..0ca4fc3e8 --- /dev/null +++ b/freeipmi.te @@ -0,0 +1,79 @@ @@ -30254,14 +30254,14 @@ index 0000000..0ca4fc3 +files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid") diff --git a/freqset.fc b/freqset.fc new file mode 100644 -index 0000000..3cd9c38 +index 000000000..3cd9c38fd --- /dev/null +++ b/freqset.fc @@ -0,0 +1 @@ +/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset -- gen_context(system_u:object_r:freqset_exec_t,s0) diff --git a/freqset.if b/freqset.if new file mode 100644 -index 0000000..190ccc0 +index 000000000..190ccc035 --- /dev/null +++ b/freqset.if @@ -0,0 +1,76 @@ @@ -30343,7 +30343,7 @@ index 0000000..190ccc0 +') 
diff --git a/freqset.te b/freqset.te new file mode 100644 -index 0000000..0d09fbd +index 000000000..0d09fbd62 --- /dev/null +++ b/freqset.te @@ -0,0 +1,34 @@ @@ -30382,7 +30382,7 @@ index 0000000..0d09fbd + +userdom_use_inherited_user_terminals(freqset_t) diff --git a/ftp.fc b/ftp.fc -index ddb75c1..f38075f 100644 +index ddb75c12c..f38075ff8 100644 --- a/ftp.fc +++ b/ftp.fc @@ -1,5 +1,8 @@ @@ -30403,7 +30403,7 @@ index ddb75c1..f38075f 100644 /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/ftp.if b/ftp.if -index 4498143..84a4858 100644 +index 44981434b..84a4858b6 100644 --- a/ftp.if +++ b/ftp.if @@ -1,5 +1,67 @@ @@ -30498,7 +30498,7 @@ index 4498143..84a4858 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c2..34a9ced 100644 +index 36838c202..34a9cedf3 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -30892,7 +30892,7 @@ index 36838c2..34a9ced 100644 -') diff --git a/fwupd.fc b/fwupd.fc new file mode 100644 -index 0000000..859dc40 +index 000000000..859dc40ed --- /dev/null +++ b/fwupd.fc @@ -0,0 +1,10 @@ @@ -30908,7 +30908,7 @@ index 0000000..859dc40 +/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0) diff --git a/fwupd.if b/fwupd.if new file mode 100644 -index 0000000..daef190 +index 000000000..daef19015 --- /dev/null +++ b/fwupd.if @@ -0,0 +1,281 @@ @@ -31195,7 +31195,7 @@ index 0000000..daef190 +') diff --git a/fwupd.te b/fwupd.te new file mode 100644 -index 0000000..7bf263a +index 000000000..7bf263a6c --- /dev/null +++ b/fwupd.te @@ -0,0 +1,70 @@ @@ -31270,7 +31270,7 @@ index 0000000..7bf263a + unconfined_domain(fwupd_t) +') diff --git a/games.if b/games.if -index e2a3e0d..50ebd40 100644 +index e2a3e0dba..50ebd4080 100644 --- a/games.if +++ b/games.if @@ -58,3 +58,23 @@ interface(`games_rw_data',` 
@@ -31298,7 +31298,7 @@ index e2a3e0d..50ebd40 100644 + manage_files_pattern($1, games_data_t, games_data_t) +') diff --git a/games.te b/games.te -index e5b15fb..220622e 100644 +index e5b15fb7e..220622e84 100644 --- a/games.te +++ b/games.te @@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t) @@ -31346,7 +31346,7 @@ index e5b15fb..220622e 100644 diff --git a/ganesha.fc b/ganesha.fc new file mode 100644 -index 0000000..855f58e +index 000000000..855f58e55 --- /dev/null +++ b/ganesha.fc @@ -0,0 +1,12 @@ @@ -31364,7 +31364,7 @@ index 0000000..855f58e +/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0) diff --git a/ganesha.if b/ganesha.if new file mode 100644 -index 0000000..d9ba5fa +index 000000000..d9ba5fa27 --- /dev/null +++ b/ganesha.if @@ -0,0 +1,147 @@ @@ -31517,7 +31517,7 @@ index 0000000..d9ba5fa +') diff --git a/ganesha.te b/ganesha.te new file mode 100644 -index 0000000..3cf186e +index 000000000..3cf186efc --- /dev/null +++ b/ganesha.te @@ -0,0 +1,109 @@ @@ -31631,7 +31631,7 @@ index 0000000..3cf186e + fs_getattr_fusefs(ganesha_t) +') diff --git a/gatekeeper.te b/gatekeeper.te -index 2820368..88c98f4 100644 +index 28203689c..88c98f481 100644 --- a/gatekeeper.te +++ b/gatekeeper.te @@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t) @@ -31660,7 +31660,7 @@ index 2820368..88c98f4 100644 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) diff --git a/gear.fc b/gear.fc new file mode 100644 -index 0000000..98c012c +index 000000000..98c012c6e --- /dev/null +++ b/gear.fc @@ -0,0 +1,7 @@ @@ -31673,7 +31673,7 @@ index 0000000..98c012c +/var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0) diff --git a/gear.if b/gear.if new file mode 100644 -index 0000000..d745c67 +index 000000000..d745c675f --- /dev/null +++ b/gear.if @@ -0,0 +1,289 @@ @@ -31968,7 +31968,7 @@ index 0000000..d745c67 +') diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..33dbdf7 +index 000000000..33dbdf7ec --- /dev/null +++ b/gear.te 
@@ -0,0 +1,136 @@ @@ -32110,7 +32110,7 @@ index 0000000..33dbdf7 +') diff --git a/geoclue.fc b/geoclue.fc new file mode 100644 -index 0000000..a97f14f +index 000000000..a97f14fd9 --- /dev/null +++ b/geoclue.fc @@ -0,0 +1,4 @@ @@ -32120,7 +32120,7 @@ index 0000000..a97f14f +/var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0) diff --git a/geoclue.if b/geoclue.if new file mode 100644 -index 0000000..cf9f7bf +index 000000000..cf9f7bfca --- /dev/null +++ b/geoclue.if @@ -0,0 +1,153 @@ @@ -32279,7 +32279,7 @@ index 0000000..cf9f7bf +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..fb8be0d +index 000000000..fb8be0d88 --- /dev/null +++ b/geoclue.te @@ -0,0 +1,72 @@ @@ -32356,7 +32356,7 @@ index 0000000..fb8be0d + pcscd_stream_connect(geoclue_t) +') diff --git a/gift.te b/gift.te -index 8a820fa..996b30c 100644 +index 8a820face..996b30c16 100644 --- a/gift.te +++ b/gift.te @@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t) @@ -32404,7 +32404,7 @@ index 8a820fa..996b30c 100644 +userdom_use_inherited_user_terminals(giftd_t) +userdom_home_manager(gitd_t) diff --git a/git.fc b/git.fc -index 24700f8..6561d56 100644 +index 24700f84b..6561d568e 100644 --- a/git.fc +++ b/git.fc @@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) @@ -32427,7 +32427,7 @@ index 24700f8..6561d56 100644 +/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0) +/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0) diff --git a/git.if b/git.if -index 1e29af1..6c64f55 100644 +index 1e29af196..6c64f55c3 100644 --- a/git.if +++ b/git.if @@ -37,7 +37,10 @@ template(`git_role',` @@ -32473,7 +32473,7 @@ index 1e29af1..6c64f55 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index dc49c71..54df5e3 100644 +index dc49c715e..54df5e36e 100644 --- a/git.te +++ b/git.te 
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) @@ -32648,7 +32648,7 @@ index dc49c71..54df5e3 100644 -miscfiles_read_localization(git_daemon) diff --git a/gitosis.te b/gitosis.te -index 582db0a..d77a1a5 100644 +index 582db0a2e..d77a1a549 100644 --- a/gitosis.te +++ b/gitosis.te @@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t) @@ -32665,7 +32665,7 @@ index 582db0a..d77a1a5 100644 tunable_policy(`gitosis_can_sendmail',` diff --git a/glance.fc b/glance.fc -index c21a528..a746a2b 100644 +index c21a528b5..a746a2b16 100644 --- a/glance.fc +++ b/glance.fc @@ -1,8 +1,14 @@ @@ -32685,7 +32685,7 @@ index c21a528..a746a2b 100644 /var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0) diff --git a/glance.if b/glance.if -index 9eacb2c..7b19ad2 100644 +index 9eacb2c9c..7b19ad2db 100644 --- a/glance.if +++ b/glance.if @@ -1,5 +1,38 @@ @@ -32756,7 +32756,7 @@ index 9eacb2c..7b19ad2 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index 5cd0909..bd3c3d2 100644 +index 5cd09096a..bd3c3d21b 100644 --- a/glance.te +++ b/glance.te @@ -5,10 +5,31 @@ policy_module(glance, 1.1.0) @@ -32937,7 +32937,7 @@ index 5cd0909..bd3c3d2 100644 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..9806f50 +index 000000000..9806f50ae --- /dev/null +++ b/glusterd.fc @@ -0,0 +1,25 @@ @@ -32968,7 +32968,7 @@ index 0000000..9806f50 +/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/glusterd.if b/glusterd.if new file mode 100644 -index 0000000..4501460 +index 000000000..450146018 --- /dev/null +++ b/glusterd.if @@ -0,0 +1,302 @@ @@ -33276,7 +33276,7 @@ index 0000000..4501460 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..cbcaf9a +index 000000000..cbcaf9aed --- /dev/null +++ b/glusterd.te @@ -0,0 +1,324 @@ 
@@ -33606,7 +33606,7 @@ index 0000000..cbcaf9a +') diff --git a/glusterfs.fc b/glusterfs.fc deleted file mode 100644 -index 4bd6ade..0000000 +index 4bd6ade46..000000000 --- a/glusterfs.fc +++ /dev/null @@ -1,16 +0,0 @@ @@ -33628,7 +33628,7 @@ index 4bd6ade..0000000 -/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/glusterfs.if b/glusterfs.if deleted file mode 100644 -index 05233c8..0000000 +index 05233c86e..000000000 --- a/glusterfs.if +++ /dev/null @@ -1,71 +0,0 @@ @@ -33705,7 +33705,7 @@ index 05233c8..0000000 -') diff --git a/glusterfs.te b/glusterfs.te deleted file mode 100644 -index 4e95c7e..0000000 +index 4e95c7e2f..000000000 --- a/glusterfs.te +++ /dev/null @@ -1,105 +0,0 @@ @@ -33815,7 +33815,7 @@ index 4e95c7e..0000000 - -miscfiles_read_localization(glusterd_t) diff --git a/gnome.fc b/gnome.fc -index e39de43..5edcb83 100644 +index e39de436a..5edcb8330 100644 --- a/gnome.fc +++ b/gnome.fc @@ -1,15 +1,60 @@ @@ -33889,7 +33889,7 @@ index e39de43..5edcb83 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..72d67c2 100644 +index ab09d6195..72d67c2cb 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,76 @@ @@ -35948,7 +35948,7 @@ index ab09d61..72d67c2 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 63893eb..5664744 100644 +index 63893eb2d..566474488 100644 --- a/gnome.te +++ b/gnome.te @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0) @@ -36265,7 +36265,7 @@ index 63893eb..5664744 100644 + +userdom_use_inherited_user_terminals(gnomedomain) diff --git a/gnomeclock.fc b/gnomeclock.fc -index f9ba8cd..6906301 100644 +index f9ba8cd99..690630113 100644 --- a/gnomeclock.fc +++ b/gnomeclock.fc @@ -1,7 +1,10 @@ 
@@ -36282,7 +36282,7 @@ index f9ba8cd..6906301 100644 /usr/lib/gnome-settings-daemon/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) diff --git a/gnomeclock.if b/gnomeclock.if -index 3f55702..25c7ab8 100644 +index 3f55702fb..25c7ab82c 100644 --- a/gnomeclock.if +++ b/gnomeclock.if @@ -2,8 +2,7 @@ @@ -36340,7 +36340,7 @@ index 3f55702..25c7ab8 100644 ## ## diff --git a/gnomeclock.te b/gnomeclock.te -index 7cd7435..8f26e98 100644 +index 7cd7435e6..8f26e9862 100644 --- a/gnomeclock.te +++ b/gnomeclock.te @@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0) @@ -36469,7 +36469,7 @@ index 7cd7435..8f26e98 100644 policykit_read_lib(gnomeclock_t) policykit_read_reload(gnomeclock_t) diff --git a/gpg.fc b/gpg.fc -index 888cd2c..c02fa56 100644 +index 888cd2c68..c02fa5694 100644 --- a/gpg.fc +++ b/gpg.fc @@ -1,10 +1,14 @@ @@ -36492,7 +36492,7 @@ index 888cd2c..c02fa56 100644 -/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --git a/gpg.if b/gpg.if -index 180f1b7..3c8757e 100644 +index 180f1b7cc..3c8757e47 100644 --- a/gpg.if +++ b/gpg.if @@ -2,57 +2,79 @@ @@ -36788,7 +36788,7 @@ index 180f1b7..3c8757e 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 0e97e82..2569781 100644 +index 0e97e82f1..2569781e9 100644 --- a/gpg.te +++ b/gpg.te @@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0) @@ -37248,7 +37248,7 @@ index 0e97e82..2569781 100644 + miscfiles_manage_public_files(gpg_web_t) ') diff --git a/gpm.te b/gpm.te -index 69734fd..a659808 100644 +index 69734fd15..a659808d0 100644 --- a/gpm.te +++ b/gpm.te @@ -13,7 +13,7 @@ type gpm_initrc_exec_t; @@ -37291,7 +37291,7 @@ index 69734fd..a659808 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/gpsd.te b/gpsd.te -index fe3895e..a820546 100644 +index fe3895ece..a820546e3 100644 --- a/gpsd.te +++ b/gpsd.te 
@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t) @@ -37326,7 +37326,7 @@ index fe3895e..a820546 100644 chronyd_stream_connect(gpsd_t) diff --git a/gssproxy.fc b/gssproxy.fc new file mode 100644 -index 0000000..f4659d1 +index 000000000..f4659d125 --- /dev/null +++ b/gssproxy.fc @@ -0,0 +1,8 @@ @@ -37340,7 +37340,7 @@ index 0000000..f4659d1 +/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) diff --git a/gssproxy.if b/gssproxy.if new file mode 100644 -index 0000000..8a2013a +index 000000000..8a2013af9 --- /dev/null +++ b/gssproxy.if @@ -0,0 +1,217 @@ @@ -37563,7 +37563,7 @@ index 0000000..8a2013a +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..79e22c5 +index 000000000..79e22c58a --- /dev/null +++ b/gssproxy.te @@ -0,0 +1,74 @@ @@ -37642,7 +37642,7 @@ index 0000000..79e22c5 + kerberos_manage_host_rcache(gssproxy_t) +') diff --git a/guest.te b/guest.te -index 19cdbe1..0605776 100644 +index 19cdbe1d7..060577633 100644 --- a/guest.te +++ b/guest.te @@ -20,4 +20,4 @@ optional_policy(` @@ -37652,7 +37652,7 @@ index 19cdbe1..0605776 100644 -#gen_user(guest_u, user, guest_r, s0, s0) +gen_user(guest_u, user, guest_r, s0, s0) diff --git a/hadoop.te b/hadoop.te -index e151378..04d173d 100644 +index e15137840..04d173d1d 100644 --- a/hadoop.te +++ b/hadoop.te @@ -155,7 +155,6 @@ dev_read_urand(hadoop_t) @@ -37689,7 +37689,7 @@ index e151378..04d173d 100644 fs_getattr_xattr_fs(zookeeper_server_t) diff --git a/hal.te b/hal.te -index bbccc79..b027202 100644 +index bbccc79f1..b02720214 100644 --- a/hal.te +++ b/hal.te @@ -61,7 +61,6 @@ files_type(hald_var_lib_t) @@ -37727,7 +37727,7 @@ index bbccc79..b027202 100644 logging_search_logs(hald_keymap_t) diff --git a/hddtemp.if b/hddtemp.if -index 1728071..6e2d333 100644 +index 1728071d0..6e2d333d9 100644 --- a/hddtemp.if +++ b/hddtemp.if @@ -19,6 +19,32 @@ interface(`hddtemp_domtrans',` 
@@ -37779,7 +37779,7 @@ index 1728071..6e2d333 100644 domain_system_change_exemption($1) role_transition $2 hddtemp_initrc_exec_t system_r; diff --git a/hddtemp.te b/hddtemp.te -index 9e11b98..6338ea7 100644 +index 9e11b9822..6338ea761 100644 --- a/hddtemp.te +++ b/hddtemp.te @@ -4,10 +4,12 @@ policy_module(hddtemp, 1.2.0) @@ -37820,7 +37820,7 @@ index 9e11b98..6338ea7 100644 -miscfiles_read_localization(hddtemp_t) diff --git a/hostapd.fc b/hostapd.fc new file mode 100644 -index 0000000..0ca97b8 +index 000000000..0ca97b84b --- /dev/null +++ b/hostapd.fc @@ -0,0 +1,5 @@ @@ -37832,7 +37832,7 @@ index 0000000..0ca97b8 \ No newline at end of file diff --git a/hostapd.if b/hostapd.if new file mode 100644 -index 0000000..d0016da +index 000000000..d0016da91 --- /dev/null +++ b/hostapd.if @@ -0,0 +1,101 @@ @@ -37939,7 +37939,7 @@ index 0000000..d0016da +') diff --git a/hostapd.te b/hostapd.te new file mode 100644 -index 0000000..438573d +index 000000000..438573dfa --- /dev/null +++ b/hostapd.te @@ -0,0 +1,53 @@ @@ -37997,7 +37997,7 @@ index 0000000..438573d + +miscfiles_read_localization(hostapd_t) diff --git a/howl.te b/howl.te -index b9e60ec..0477728 100644 +index b9e60ecfb..0477728a0 100644 --- a/howl.te +++ b/howl.te @@ -36,7 +36,6 @@ kernel_request_load_module(howl_t) @@ -38019,7 +38019,7 @@ index b9e60ec..0477728 100644 diff --git a/hsqldb.fc b/hsqldb.fc new file mode 100644 -index 0000000..aa92d71 +index 000000000..aa92d7118 --- /dev/null +++ b/hsqldb.fc @@ -0,0 +1,7 @@ @@ -38032,7 +38032,7 @@ index 0000000..aa92d71 +/var/lib/hsqldb(/.*)? gen_context(system_u:object_r:hsqldb_var_lib_t,s0) diff --git a/hsqldb.if b/hsqldb.if new file mode 100644 -index 0000000..f43f748 +index 000000000..f43f7489f --- /dev/null +++ b/hsqldb.if @@ -0,0 +1,241 @@ @@ -38279,7 +38279,7 @@ index 0000000..f43f748 +') diff --git a/hsqldb.te b/hsqldb.te new file mode 100644 -index 0000000..28816b4 +index 000000000..28816b4fd --- /dev/null +++ b/hsqldb.te @@ -0,0 +1,57 @@ 
@@ -38342,7 +38342,7 @@ index 0000000..28816b4 +sysnet_read_config(hsqldb_t) diff --git a/hwloc.fc b/hwloc.fc new file mode 100644 -index 0000000..d0c5a15 +index 000000000..d0c5a1502 --- /dev/null +++ b/hwloc.fc @@ -0,0 +1,5 @@ @@ -38353,7 +38353,7 @@ index 0000000..d0c5a15 +/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0) diff --git a/hwloc.if b/hwloc.if new file mode 100644 -index 0000000..c2349ec +index 000000000..c2349ecf5 --- /dev/null +++ b/hwloc.if @@ -0,0 +1,106 @@ @@ -38465,7 +38465,7 @@ index 0000000..c2349ec +') diff --git a/hwloc.te b/hwloc.te new file mode 100644 -index 0000000..0f45fd5 +index 000000000..0f45fd50e --- /dev/null +++ b/hwloc.te @@ -0,0 +1,31 @@ @@ -38501,7 +38501,7 @@ index 0000000..0f45fd5 + +dev_read_sysfs(hwloc_dhwd_t) diff --git a/hypervkvp.fc b/hypervkvp.fc -index b46130e..e2ae3b2 100644 +index b46130ef5..e2ae3b22b 100644 --- a/hypervkvp.fc +++ b/hypervkvp.fc @@ -1,3 +1,10 @@ @@ -38518,7 +38518,7 @@ index b46130e..e2ae3b2 100644 + +/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0) diff --git a/hypervkvp.if b/hypervkvp.if -index 6517fad..f183748 100644 +index 6517fadbb..f1837481b 100644 --- a/hypervkvp.if +++ b/hypervkvp.if @@ -1,32 +1,135 @@ @@ -38671,7 +38671,7 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..ea3c933 100644 +index 4eb7041ef..ea3c93385 100644 --- a/hypervkvp.te +++ b/hypervkvp.te @@ -5,24 +5,158 @@ policy_module(hypervkvp, 1.0.0) @@ -38845,7 +38845,7 @@ index 4eb7041..ea3c933 100644 -sysnet_dns_name_resolve(hypervkvpd_t) +logging_send_syslog_msg(hypervvssd_t) diff --git a/i18n_input.te b/i18n_input.te -index 369a056..65fde93 100644 +index 369a0566b..65fde93d9 100644 --- a/i18n_input.te +++ b/i18n_input.te @@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t) 
@@ -38887,7 +38887,7 @@ index 369a056..65fde93 100644 optional_policy(` canna_stream_connect(i18n_input_t) diff --git a/icecast.if b/icecast.if -index 580b533..c267cea 100644 +index 580b533ce..c267cea58 100644 --- a/icecast.if +++ b/icecast.if @@ -176,6 +176,14 @@ interface(`icecast_admin',` @@ -38906,7 +38906,7 @@ index 580b533..c267cea 100644 domain_system_change_exemption($1) role_transition $2 icecast_initrc_exec_t system_r; diff --git a/icecast.te b/icecast.te -index a9e573a..9a9245f 100644 +index a9e573a50..9a9245f49 100644 --- a/icecast.te +++ b/icecast.te @@ -32,7 +32,7 @@ files_pid_file(icecast_var_run_t) @@ -38932,7 +38932,7 @@ index a9e573a..9a9245f 100644 tunable_policy(`icecast_use_any_tcp_ports',` corenet_tcp_connect_all_ports(icecast_t) diff --git a/ifplugd.if b/ifplugd.if -index 8999899..96909ae 100644 +index 899989996..96909ae6a 100644 --- a/ifplugd.if +++ b/ifplugd.if @@ -119,7 +119,7 @@ interface(`ifplugd_admin',` @@ -38945,7 +38945,7 @@ index 8999899..96909ae 100644 init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) diff --git a/ifplugd.te b/ifplugd.te -index b0546b4..98d7326 100644 +index b0546b43b..98d7326a8 100644 --- a/ifplugd.te +++ b/ifplugd.te @@ -10,7 +10,7 @@ type ifplugd_exec_t; @@ -38973,7 +38973,7 @@ index b0546b4..98d7326 100644 sysnet_domtrans_ifconfig(ifplugd_t) diff --git a/imaze.te b/imaze.te -index 1eb24d8..b320d51 100644 +index 1eb24d8c8..b320d51ae 100644 --- a/imaze.te +++ b/imaze.te @@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t) @@ -38994,7 +38994,7 @@ index 1eb24d8..b320d51 100644 userdom_dontaudit_search_user_home_dirs(imazesrv_t) diff --git a/inetd.if b/inetd.if -index fbb54e7..05c3777 100644 +index fbb54e7d8..05c377768 100644 --- a/inetd.if +++ b/inetd.if @@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',` @@ -39011,7 +39011,7 @@ index fbb54e7..05c3777 100644 ######################################## diff --git a/inetd.te b/inetd.te -index c6450df..ed6af79 100644 +index c6450df8a..ed6af7994 100644 
--- a/inetd.te +++ b/inetd.te @@ -21,6 +21,7 @@ files_pid_file(inetd_var_run_t) @@ -39127,7 +39127,7 @@ index c6450df..ed6af79 100644 optional_policy(` unconfined_domain(inetd_child_t) diff --git a/inn.fc b/inn.fc -index 8c0a48b..b9eabf1 100644 +index 8c0a48b1d..b9eabf145 100644 --- a/inn.fc +++ b/inn.fc @@ -3,6 +3,8 @@ @@ -39220,7 +39220,7 @@ index 8c0a48b..b9eabf1 100644 /var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) /var/run/innd\.pid -- gen_context(system_u:object_r:innd_var_run_t,s0) diff --git a/inn.if b/inn.if -index eb87f23..d3d32c3 100644 +index eb87f2341..d3d32c3ad 100644 --- a/inn.if +++ b/inn.if @@ -124,6 +124,7 @@ interface(`inn_read_config',` @@ -39290,7 +39290,7 @@ index eb87f23..d3d32c3 100644 init_labeled_script_domtrans($1, innd_initrc_exec_t) diff --git a/inn.te b/inn.te -index d39f0cc..2422996 100644 +index d39f0cc51..2422996ec 100644 --- a/inn.te +++ b/inn.te @@ -15,6 +15,9 @@ files_config_file(innd_etc_t) @@ -39373,7 +39373,7 @@ index d39f0cc..2422996 100644 mta_send_mail(innd_t) diff --git a/iodine.fc b/iodine.fc -index ca07a87..6ea129c 100644 +index ca07a8744..6ea129cf6 100644 --- a/iodine.fc +++ b/iodine.fc @@ -1,3 +1,5 @@ @@ -39383,7 +39383,7 @@ index ca07a87..6ea129c 100644 + /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) diff --git a/iodine.if b/iodine.if -index a0bfbd0..8dc7c3e 100644 +index a0bfbd04f..8dc7c3e31 100644 --- a/iodine.if +++ b/iodine.if @@ -2,6 +2,50 @@ @@ -39438,7 +39438,7 @@ index a0bfbd0..8dc7c3e 100644 ## administrate an iodined environment ## diff --git a/iodine.te b/iodine.te -index d443fee..6cbbf7d 100644 +index d443feee4..6cbbf7d84 100644 --- a/iodine.te +++ b/iodine.te @@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t) @@ -39462,14 +39462,14 @@ index d443fee..6cbbf7d 100644 diff --git a/iotop.fc b/iotop.fc new file mode 100644 -index 0000000..c8d2dea +index 000000000..c8d2deac2 --- /dev/null +++ b/iotop.fc 
@@ -0,0 +1 @@ +/usr/sbin/iotop -- gen_context(system_u:object_r:iotop_exec_t,s0) diff --git a/iotop.if b/iotop.if new file mode 100644 -index 0000000..7fc3464 +index 000000000..7fc3464e6 --- /dev/null +++ b/iotop.if @@ -0,0 +1,46 @@ @@ -39521,7 +39521,7 @@ index 0000000..7fc3464 +') diff --git a/iotop.te b/iotop.te new file mode 100644 -index 0000000..61f2003 +index 000000000..61f2003c8 --- /dev/null +++ b/iotop.te @@ -0,0 +1,39 @@ @@ -39566,7 +39566,7 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..74206ed +index 000000000..74206edcb --- /dev/null +++ b/ipa.fc @@ -0,0 +1,29 @@ @@ -39601,7 +39601,7 @@ index 0000000..74206ed + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..d611c53 +index 000000000..d611c53d4 --- /dev/null +++ b/ipa.if @@ -0,0 +1,309 @@ @@ -39916,7 +39916,7 @@ index 0000000..d611c53 +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..28955dd +index 000000000..28955ddc0 --- /dev/null +++ b/ipa.te @@ -0,0 +1,273 @@ @@ -40195,7 +40195,7 @@ index 0000000..28955dd +') diff --git a/ipmievd.fc b/ipmievd.fc new file mode 100644 -index 0000000..0f598ca +index 000000000..0f598ca9f --- /dev/null +++ b/ipmievd.fc @@ -0,0 +1,9 @@ @@ -40210,7 +40210,7 @@ index 0000000..0f598ca +/var/lock/subsys/ipmi -- gen_context(system_u:object_r:ipmievd_lock_t,s0) diff --git a/ipmievd.if b/ipmievd.if new file mode 100644 -index 0000000..e86db54 +index 000000000..e86db5418 --- /dev/null +++ b/ipmievd.if @@ -0,0 +1,120 @@ @@ -40336,7 +40336,7 @@ index 0000000..e86db54 +') diff --git a/ipmievd.te b/ipmievd.te new file mode 100644 -index 0000000..a2c9648 +index 000000000..a2c964844 --- /dev/null +++ b/ipmievd.te @@ -0,0 +1,51 @@ @@ -40392,7 +40392,7 @@ index 0000000..a2c9648 +modutils_read_module_config(ipmievd_t) + diff --git a/irc.fc b/irc.fc -index 48e7739..1bf0326 100644 +index 48e7739f9..1bf0326cd 100644 --- a/irc.fc +++ b/irc.fc @@ -1,6 +1,6 @@ 
@@ -40404,7 +40404,7 @@ index 48e7739..1bf0326 100644 /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0) diff --git a/irc.if b/irc.if -index ac00fb0..36ef2e5 100644 +index ac00fb0fb..36ef2e59c 100644 --- a/irc.if +++ b/irc.if @@ -20,6 +20,7 @@ interface(`irc_role',` @@ -40467,7 +40467,7 @@ index ac00fb0..36ef2e5 100644 + userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs") ') diff --git a/irc.te b/irc.te -index 2636503..5910c59 100644 +index 263650367..5910c5931 100644 --- a/irc.te +++ b/irc.te @@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t @@ -40646,7 +40646,7 @@ index 2636503..5910c59 100644 seutil_use_newrole_fds(irc_t) ') diff --git a/ircd.if b/ircd.if -index ade9803..3620c9a 100644 +index ade980323..3620c9a67 100644 --- a/ircd.if +++ b/ircd.if @@ -33,8 +33,8 @@ interface(`ircd_admin',` @@ -40661,7 +40661,7 @@ index ade9803..3620c9a 100644 files_search_var_lib($1) diff --git a/ircd.te b/ircd.te -index efaf4b1..bd1a132 100644 +index efaf4b10a..bd1a132ac 100644 --- a/ircd.te +++ b/ircd.te @@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t) @@ -40682,7 +40682,7 @@ index efaf4b1..bd1a132 100644 userdom_dontaudit_search_user_home_dirs(ircd_t) diff --git a/irqbalance.te b/irqbalance.te -index e1f302d..1e5418a 100644 +index e1f302ddb..1e5418a2e 100644 --- a/irqbalance.te +++ b/irqbalance.te @@ -35,7 +35,6 @@ kernel_rw_irq_sysctls(irqbalance_t) @@ -40703,7 +40703,7 @@ index e1f302d..1e5418a 100644 userdom_dontaudit_search_user_home_dirs(irqbalance_t) diff --git a/iscsi.fc b/iscsi.fc -index 08b7560..417e630 100644 +index 08b756047..417e63004 100644 --- a/iscsi.fc +++ b/iscsi.fc @@ -1,19 +1,18 @@ @@ -40731,7 +40731,7 @@ index 08b7560..417e630 100644 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) 
diff --git a/iscsi.if b/iscsi.if -index 1a35420..8101022 100644 +index 1a354203e..8101022be 100644 --- a/iscsi.if +++ b/iscsi.if @@ -21,6 +21,52 @@ interface(`iscsid_domtrans',` @@ -40870,7 +40870,7 @@ index 1a35420..8101022 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index ca020fa..9c628b2 100644 +index ca020faa9..9c628b22e 100644 --- a/iscsi.te +++ b/iscsi.te @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0) @@ -40978,7 +40978,7 @@ index ca020fa..9c628b2 100644 + kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t) +') diff --git a/isns.te b/isns.te -index bc11034..3cda6e9 100644 +index bc1103493..3cda6e9bd 100644 --- a/isns.te +++ b/isns.te @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) @@ -41014,7 +41014,7 @@ index bc11034..3cda6e9 100644 - -sysnet_dns_name_resolve(isnsd_t) diff --git a/jabber.fc b/jabber.fc -index 59ad3b3..bd02cc8 100644 +index 59ad3b3c4..bd02cc87d 100644 --- a/jabber.fc +++ b/jabber.fc @@ -1,25 +1,18 @@ @@ -41056,7 +41056,7 @@ index 59ad3b3..bd02cc8 100644 + +/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0) diff --git a/jabber.if b/jabber.if -index 7eb3811..8075ba5 100644 +index 7eb381121..8075ba5f0 100644 --- a/jabber.if +++ b/jabber.if @@ -1,29 +1,76 @@ @@ -41267,7 +41267,7 @@ index 7eb3811..8075ba5 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/jabber.te b/jabber.te -index af67c36..aa88a0a 100644 +index af67c36ee..aa88a0ac2 100644 --- a/jabber.te +++ b/jabber.te @@ -9,129 +9,133 @@ attribute jabberd_domain; @@ -41481,7 +41481,7 @@ index af67c36..aa88a0a 100644 -auth_use_nsswitch(jabberd_router_t) +sysnet_read_config(jabberd_domain) diff --git a/java.te b/java.te -index a7ae153..6341e31 100644 +index a7ae1531b..6341e3119 100644 --- a/java.te +++ b/java.te @@ -11,7 +11,7 @@ policy_module(java, 2.7.0) @@ -41517,7 +41517,7 @@ index a7ae153..6341e31 100644 libs_legacy_use_shared_libs(java_domain) 
diff --git a/jetty.fc b/jetty.fc new file mode 100644 -index 0000000..c7c4fba +index 000000000..c7c4fba01 --- /dev/null +++ b/jetty.fc @@ -0,0 +1,12 @@ @@ -41535,7 +41535,7 @@ index 0000000..c7c4fba +/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0) diff --git a/jetty.if b/jetty.if new file mode 100644 -index 0000000..6679a02 +index 000000000..6679a02aa --- /dev/null +++ b/jetty.if @@ -0,0 +1,415 @@ @@ -41956,7 +41956,7 @@ index 0000000..6679a02 +') diff --git a/jetty.te b/jetty.te new file mode 100644 -index 0000000..71325e5 +index 000000000..71325e5e6 --- /dev/null +++ b/jetty.te @@ -0,0 +1,78 @@ @@ -42039,7 +42039,7 @@ index 0000000..71325e5 + abrt_read_config(jetty_t) +') diff --git a/jockey.if b/jockey.if -index 2fb7a20..c6ba007 100644 +index 2fb7a20fa..c6ba00798 100644 --- a/jockey.if +++ b/jockey.if @@ -1 +1,131 @@ @@ -42176,7 +42176,7 @@ index 2fb7a20..c6ba007 100644 + ') +') diff --git a/jockey.te b/jockey.te -index d59ec10..a46018d 100644 +index d59ec10a2..a46018d04 100644 --- a/jockey.te +++ b/jockey.te @@ -15,6 +15,9 @@ files_type(jockey_cache_t) @@ -42225,14 +42225,14 @@ index d59ec10..a46018d 100644 ') diff --git a/journalctl.fc b/journalctl.fc new file mode 100644 -index 0000000..f270652 +index 000000000..f27065286 --- /dev/null +++ b/journalctl.fc @@ -0,0 +1 @@ +/usr/bin/journalctl -- gen_context(system_u:object_r:journalctl_exec_t,s0) diff --git a/journalctl.if b/journalctl.if new file mode 100644 -index 0000000..17126b6 +index 000000000..17126b64c --- /dev/null +++ b/journalctl.if @@ -0,0 +1,95 @@ @@ -42333,7 +42333,7 @@ index 0000000..17126b6 +') diff --git a/journalctl.te b/journalctl.te new file mode 100644 -index 0000000..68dd2b7 +index 000000000..68dd2b7d6 --- /dev/null +++ b/journalctl.te @@ -0,0 +1,47 @@ @@ -42386,14 +42386,14 @@ index 0000000..68dd2b7 +userdom_rw_inherited_user_home_content_files(journalctl_t) diff --git a/kde.fc b/kde.fc new file mode 100644 -index 0000000..25e4b68 +index 000000000..25e4b6817 
--- /dev/null +++ b/kde.fc @@ -0,0 +1 @@ +#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0) diff --git a/kde.if b/kde.if new file mode 100644 -index 0000000..cf65577 +index 000000000..cf6557769 --- /dev/null +++ b/kde.if @@ -0,0 +1,22 @@ @@ -42421,7 +42421,7 @@ index 0000000..cf65577 +') diff --git a/kde.te b/kde.te new file mode 100644 -index 0000000..dbe3f03 +index 000000000..dbe3f038d --- /dev/null +++ b/kde.te @@ -0,0 +1,41 @@ @@ -42467,7 +42467,7 @@ index 0000000..dbe3f03 +') + diff --git a/kdump.fc b/kdump.fc -index a49ae4e..0c0e987 100644 +index a49ae4e91..0c0e987a8 100644 --- a/kdump.fc +++ b/kdump.fc @@ -1,13 +1,16 @@ @@ -42495,7 +42495,7 @@ index a49ae4e..0c0e987 100644 + +/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0) diff --git a/kdump.if b/kdump.if -index 3a00b3a..92f125f 100644 +index 3a00b3a13..92f125fdf 100644 --- a/kdump.if +++ b/kdump.if @@ -1,4 +1,4 @@ @@ -42791,7 +42791,7 @@ index 3a00b3a..92f125f 100644 +') + diff --git a/kdump.te b/kdump.te -index 715fc21..794264a 100644 +index 715fc211c..794264a1d 100644 --- a/kdump.te +++ b/kdump.te @@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t) @@ -42974,7 +42974,7 @@ index 715fc21..794264a 100644 + unconfined_domain(kdumpctl_t) ') diff --git a/kdumpgui.if b/kdumpgui.if -index 182ab8b..8b1d9c2 100644 +index 182ab8b58..8b1d9c23c 100644 --- a/kdumpgui.if +++ b/kdumpgui.if @@ -1 +1,23 @@ @@ -43003,7 +43003,7 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index 2990962..6629aaf 100644 +index 2990962b6..6629aaf27 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -5,79 +5,90 @@ policy_module(kdumpgui, 1.2.0) @@ -43130,7 +43130,7 @@ index 2990962..6629aaf 100644 ') diff --git a/keepalived.fc b/keepalived.fc new file mode 100644 -index 0000000..9a19f91 +index 000000000..9a19f91f3 --- /dev/null +++ b/keepalived.fc @@ -0,0 +1,7 @@ 
@@ -43143,7 +43143,7 @@ index 0000000..9a19f91 +/var/run/keepalived.* -- gen_context(system_u:object_r:keepalived_var_run_t,s0) diff --git a/keepalived.if b/keepalived.if new file mode 100644 -index 0000000..bd7e7fa +index 000000000..bd7e7fa17 --- /dev/null +++ b/keepalived.if @@ -0,0 +1,80 @@ @@ -43229,7 +43229,7 @@ index 0000000..bd7e7fa +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..04c46e7 +index 000000000..04c46e714 --- /dev/null +++ b/keepalived.te @@ -0,0 +1,95 @@ @@ -43329,7 +43329,7 @@ index 0000000..04c46e7 + ') +') diff --git a/kerberos.fc b/kerberos.fc -index 4fe75fd..3504a9b 100644 +index 4fe75fd63..3504a9bf7 100644 --- a/kerberos.fc +++ b/kerberos.fc @@ -1,52 +1,54 @@ @@ -43425,7 +43425,7 @@ index 4fe75fd..3504a9b 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index f6c00d8..79ea4d8 100644 +index f6c00d8e6..79ea4d8d2 100644 --- a/kerberos.if +++ b/kerberos.if @@ -1,27 +1,29 @@ @@ -44171,7 +44171,7 @@ index f6c00d8..79ea4d8 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d59..9b9eb11 100644 +index 8833d596d..9b9eb11ed 100644 --- a/kerberos.te +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) @@ -44542,7 +44542,7 @@ index 8833d59..9b9eb11 100644 seutil_read_file_contexts(kpropd_t) diff --git a/kerneloops.if b/kerneloops.if -index 714448f..fa0c994 100644 +index 714448f8d..fa0c994e5 100644 --- a/kerneloops.if +++ b/kerneloops.if @@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',` @@ -44566,7 +44566,7 @@ index 714448f..fa0c994 100644 domain_system_change_exemption($1) role_transition $2 kerneloops_initrc_exec_t system_r; diff --git a/kerneloops.te b/kerneloops.te -index bcdb295..f6e3736 100644 +index bcdb29599..f6e3736dd 100644 --- a/kerneloops.te +++ b/kerneloops.te 
@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t) @@ -44587,7 +44587,7 @@ index bcdb295..f6e3736 100644 dbus_system_domain(kerneloops_t, kerneloops_exec_t) ') diff --git a/keyboardd.if b/keyboardd.if -index 8982b91..6134ef2 100644 +index 8982b9106..6134ef258 100644 --- a/keyboardd.if +++ b/keyboardd.if @@ -1,19 +1,39 @@ @@ -44639,7 +44639,7 @@ index 8982b91..6134ef2 100644 + allow $1 keyboardd_t:fifo_file read_fifo_file_perms; ') diff --git a/keyboardd.te b/keyboardd.te -index 628b78b..fe65617 100644 +index 628b78b4b..fe656175e 100644 --- a/keyboardd.te +++ b/keyboardd.te @@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; @@ -44650,7 +44650,7 @@ index 628b78b..fe65617 100644 - -miscfiles_read_localization(keyboardd_t) diff --git a/keystone.fc b/keystone.fc -index b273d80..6b2b50d 100644 +index b273d803c..6b2b50d69 100644 --- a/keystone.fc +++ b/keystone.fc @@ -1,7 +1,13 @@ @@ -44668,7 +44668,7 @@ index b273d80..6b2b50d 100644 + +/var/run/keystone(/.*)? gen_context(system_u:object_r:keystone_var_run_t,s0) diff --git a/keystone.if b/keystone.if -index e88fb16..ec6121a 100644 +index e88fb16e0..ec6121a5c 100644 --- a/keystone.if +++ b/keystone.if @@ -1,42 +1,219 @@ @@ -44907,7 +44907,7 @@ index e88fb16..ec6121a 100644 + ') ') diff --git a/keystone.te b/keystone.te -index 9929647..c573d0e 100644 +index 992964774..c573d0ed5 100644 --- a/keystone.te +++ b/keystone.te @@ -18,13 +18,20 @@ logging_log_file(keystone_log_t) @@ -44999,7 +44999,7 @@ index 9929647..c573d0e 100644 + corenet_tcp_sendrecv_commplex_main_port(keystone_cgi_script_t) ') diff --git a/kismet.if b/kismet.if -index aa2a337..7ff229f 100644 +index aa2a3379b..7ff229f32 100644 --- a/kismet.if +++ b/kismet.if @@ -283,7 +283,7 @@ interface(`kismet_manage_log',` @@ -45025,7 +45025,7 @@ index aa2a337..7ff229f 100644 files_search_var_lib($1) admin_pattern($1, kismet_var_lib_t) 
diff --git a/kismet.te b/kismet.te -index 8ad0d4d..01e5037 100644 +index 8ad0d4d50..01e503790 100644 --- a/kismet.te +++ b/kismet.te @@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t) @@ -45073,7 +45073,7 @@ index 8ad0d4d..01e5037 100644 dbus_system_bus_client(kismet_t) diff --git a/kmscon.fc b/kmscon.fc new file mode 100644 -index 0000000..ccd29c0 +index 000000000..ccd29c079 --- /dev/null +++ b/kmscon.fc @@ -0,0 +1,3 @@ @@ -45082,7 +45082,7 @@ index 0000000..ccd29c0 +/etc/kmscon(/.*)? gen_context(system_u:object_r:kmscon_conf_t,s0) diff --git a/kmscon.if b/kmscon.if new file mode 100644 -index 0000000..b9347fa +index 000000000..b9347faa9 --- /dev/null +++ b/kmscon.if @@ -0,0 +1,25 @@ @@ -45113,7 +45113,7 @@ index 0000000..b9347fa +') diff --git a/kmscon.te b/kmscon.te new file mode 100644 -index 0000000..32a9e13 +index 000000000..32a9e1356 --- /dev/null +++ b/kmscon.te @@ -0,0 +1,88 @@ @@ -45206,7 +45206,7 @@ index 0000000..32a9e13 + ') +') diff --git a/ksmtuned.fc b/ksmtuned.fc -index e736c45..4b1e1e4 100644 +index e736c450c..4b1e1e453 100644 --- a/ksmtuned.fc +++ b/ksmtuned.fc @@ -1,5 +1,7 @@ @@ -45218,7 +45218,7 @@ index e736c45..4b1e1e4 100644 /var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --git a/ksmtuned.if b/ksmtuned.if -index 93a64bc..af6d741 100644 +index 93a64bc50..af6d741d6 100644 --- a/ksmtuned.if +++ b/ksmtuned.if @@ -38,6 +38,30 @@ interface(`ksmtuned_initrc_domtrans',` @@ -45295,7 +45295,7 @@ index 93a64bc..af6d741 100644 + allow $1 ksmtuned_unit_file_t:service all_service_perms; ') diff --git a/ksmtuned.te b/ksmtuned.te -index 8eef134..a2ca1a0 100644 +index 8eef134ac..a2ca1a009 100644 --- a/ksmtuned.te +++ b/ksmtuned.te @@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1) @@ -45348,7 +45348,7 @@ index 8eef134..a2ca1a0 100644 + samba_read_share_files(ksmtuned_t) +') diff --git a/ktalk.fc b/ktalk.fc -index 38ecb07..451067e 100644 +index 38ecb07d1..451067ebd 100644 --- a/ktalk.fc +++ b/ktalk.fc @@ -1,3 +1,5 @@ 
@@ -45358,7 +45358,7 @@ index 38ecb07..451067e 100644 /usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) diff --git a/ktalk.if b/ktalk.if -index 19777b8..cd721fd 100644 +index 19777b806..cd721fd6b 100644 --- a/ktalk.if +++ b/ktalk.if @@ -1 +1,77 @@ @@ -45441,7 +45441,7 @@ index 19777b8..cd721fd 100644 + ') +') diff --git a/ktalk.te b/ktalk.te -index c5548c5..1356fcb 100644 +index c5548c5ed..1356fcbd2 100644 --- a/ktalk.te +++ b/ktalk.te @@ -13,6 +13,9 @@ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) @@ -45473,7 +45473,7 @@ index c5548c5..1356fcb 100644 +userdom_use_user_ttys(ktalkd_t) diff --git a/kubernetes.fc b/kubernetes.fc new file mode 100644 -index 0000000..deda99e +index 000000000..deda99ed6 --- /dev/null +++ b/kubernetes.fc @@ -0,0 +1,11 @@ @@ -45490,7 +45490,7 @@ index 0000000..deda99e + diff --git a/kubernetes.if b/kubernetes.if new file mode 100644 -index 0000000..b2841e5 +index 000000000..b2841e526 --- /dev/null +++ b/kubernetes.if @@ -0,0 +1,87 @@ @@ -45583,7 +45583,7 @@ index 0000000..b2841e5 +') diff --git a/kubernetes.te b/kubernetes.te new file mode 100644 -index 0000000..b625b53 +index 000000000..b625b5343 --- /dev/null +++ b/kubernetes.te @@ -0,0 +1,76 @@ @@ -45664,7 +45664,7 @@ index 0000000..b625b53 + +allow kube_proxy_t self:capability net_admin; diff --git a/kudzu.if b/kudzu.if -index 5297064..6ba8108 100644 +index 52970645f..6ba810834 100644 --- a/kudzu.if +++ b/kudzu.if @@ -86,9 +86,13 @@ interface(`kudzu_admin',` @@ -45683,7 +45683,7 @@ index 5297064..6ba8108 100644 domain_system_change_exemption($1) role_transition $2 kudzu_initrc_exec_t system_r; diff --git a/kudzu.te b/kudzu.te -index 1664036..ee7a9a1 100644 +index 16640364b..ee7a9a1d5 100644 --- a/kudzu.te +++ b/kudzu.te @@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t) @@ -45744,7 +45744,7 @@ index 1664036..ee7a9a1 100644 - unconfined_domtrans(kudzu_t) -') diff --git a/l2tp.fc b/l2tp.fc -index d5d1572..ddc6ef2 100644 +index d5d1572b1..ddc6ef210 100644 
--- a/l2tp.fc +++ b/l2tp.fc @@ -5,7 +5,9 @@ @@ -45758,7 +45758,7 @@ index d5d1572..ddc6ef2 100644 /var/run/.*l2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) +/var/run/*.xl2tpd.* -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) diff --git a/l2tp.if b/l2tp.if -index 73e2803..34ca3aa 100644 +index 73e2803ee..34ca3aa22 100644 --- a/l2tp.if +++ b/l2tp.if @@ -1,9 +1,45 @@ @@ -45987,7 +45987,7 @@ index 73e2803..34ca3aa 100644 role_transition $2 l2tpd_initrc_exec_t system_r; allow $2 system_r; diff --git a/l2tp.te b/l2tp.te -index bb06a7f..01e784b 100644 +index bb06a7fee..01e784bf5 100644 --- a/l2tp.te +++ b/l2tp.te @@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t) @@ -46057,7 +46057,7 @@ index bb06a7f..01e784b 100644 ppp_signal(l2tpd_t) ppp_kill(l2tpd_t) diff --git a/ldap.fc b/ldap.fc -index b7e5679..c93db33 100644 +index b7e567916..c93db3316 100644 --- a/ldap.fc +++ b/ldap.fc @@ -1,8 +1,11 @@ @@ -46088,7 +46088,7 @@ index b7e5679..c93db33 100644 +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/ldap.if b/ldap.if -index 3602712..af83a5b 100644 +index 3602712d0..af83a5b6b 100644 --- a/ldap.if +++ b/ldap.if @@ -1,8 +1,69 @@ @@ -46334,7 +46334,7 @@ index 3602712..af83a5b 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 4c2b111..8fa1510 100644 +index 4c2b1110e..8fa1510d7 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) @@ -46408,7 +46408,7 @@ index 4c2b111..8fa1510 100644 ') diff --git a/lightsquid.fc b/lightsquid.fc -index 044390c..63e2058 100644 +index 044390c6e..63e205863 100644 --- a/lightsquid.fc +++ b/lightsquid.fc @@ -1,11 +1,11 @@ 
@@ -46429,7 +46429,7 @@ index 044390c..63e2058 100644 +/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_content_t,s0) +/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_report_content_t,s0) diff --git a/lightsquid.if b/lightsquid.if -index 33a28b9..33ffe24 100644 +index 33a28b9ad..33ffe2484 100644 --- a/lightsquid.if +++ b/lightsquid.if @@ -76,5 +76,7 @@ interface(`lightsquid_admin',` @@ -46442,7 +46442,7 @@ index 33a28b9..33ffe24 100644 + ') ') diff --git a/lightsquid.te b/lightsquid.te -index 09c4f27..6c7855e 100644 +index 09c4f27ba..6c7855e4e 100644 --- a/lightsquid.te +++ b/lightsquid.te @@ -13,38 +13,34 @@ type lightsquid_exec_t; @@ -46495,7 +46495,7 @@ index 09c4f27..6c7855e 100644 optional_policy(` diff --git a/likewise.if b/likewise.if -index bd20e8c..3393a01 100644 +index bd20e8cc9..3393a01e6 100644 --- a/likewise.if +++ b/likewise.if @@ -1,9 +1,22 @@ @@ -46637,7 +46637,7 @@ index bd20e8c..3393a01 100644 - admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t }) -') diff --git a/likewise.te b/likewise.te -index d8c2442..f5dff31 100644 +index d8c2442a8..f5dff3173 100644 --- a/likewise.te +++ b/likewise.te @@ -26,7 +26,7 @@ type likewise_var_lib_t; @@ -46715,7 +46715,7 @@ index d8c2442..f5dff31 100644 corenet_tcp_sendrecv_generic_node(srvsvcd_t) diff --git a/linuxptp.fc b/linuxptp.fc new file mode 100644 -index 0000000..d2061a9 +index 000000000..d2061a9e4 --- /dev/null +++ b/linuxptp.fc @@ -0,0 +1,11 @@ @@ -46732,7 +46732,7 @@ index 0000000..d2061a9 +/var/run/timemaster(/.*)? gen_context(system_u:object_r:timemaster_var_run_t,s0) diff --git a/linuxptp.if b/linuxptp.if new file mode 100644 -index 0000000..7ba5060 +index 000000000..7ba50607c --- /dev/null +++ b/linuxptp.if @@ -0,0 +1,121 @@ @@ -46859,7 +46859,7 @@ index 0000000..7ba5060 + diff --git a/linuxptp.te b/linuxptp.te new file mode 100644 -index 0000000..7acdb2d +index 000000000..7acdb2d40 --- /dev/null +++ b/linuxptp.te 
@@ -0,0 +1,180 @@ @@ -47044,7 +47044,7 @@ index 0000000..7acdb2d + gpsd_rw_shm(ptp4l_t) +') diff --git a/lircd.if b/lircd.if -index dff21a7..b6981c8 100644 +index dff21a7c4..b6981c846 100644 --- a/lircd.if +++ b/lircd.if @@ -81,8 +81,11 @@ interface(`lircd_admin',` @@ -47061,7 +47061,7 @@ index dff21a7..b6981c8 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 483c87b..eecd4c1 100644 +index 483c87bb6..eecd4c158 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -47118,7 +47118,7 @@ index 483c87b..eecd4c1 100644 sysnet_dns_name_resolve(lircd_t) diff --git a/livecd.if b/livecd.if -index e354181..fc614ba 100644 +index e3541811a..fc614bac2 100644 --- a/livecd.if +++ b/livecd.if @@ -38,11 +38,36 @@ interface(`livecd_domtrans',` @@ -47159,7 +47159,7 @@ index e354181..fc614ba 100644 ######################################## diff --git a/livecd.te b/livecd.te -index 2f974bf..f6e97fa 100644 +index 2f974bf83..f6e97faaf 100644 --- a/livecd.te +++ b/livecd.te @@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t) @@ -47193,7 +47193,7 @@ index 2f974bf..f6e97fa 100644 optional_policy(` diff --git a/lldpad.fc b/lldpad.fc -index 8031a78..72e56ac 100644 +index 8031a78eb..72e56acc3 100644 --- a/lldpad.fc +++ b/lldpad.fc @@ -5,3 +5,5 @@ @@ -47203,7 +47203,7 @@ index 8031a78..72e56ac 100644 + +/dev/shm/lldpad.* -- gen_context(system_u:object_r:lldpad_tmpfs_t,s0) diff --git a/lldpad.if b/lldpad.if -index d18c960..b7bd752 100644 +index d18c96023..b7bd75245 100644 --- a/lldpad.if +++ b/lldpad.if @@ -2,6 +2,25 @@ @@ -47271,7 +47271,7 @@ index d18c960..b7bd752 100644 + allow $1 lldpad_tmpfs_t:file relabelto; +') diff --git a/lldpad.te b/lldpad.te -index 2a491d9..3399d59 100644 +index 2a491d96c..3399d597a 100644 --- a/lldpad.te +++ b/lldpad.te @@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) @@ -47307,7 +47307,7 @@ index 2a491d9..3399d59 100644 + virt_dgram_send(lldpad_t) +') 
diff --git a/loadkeys.te b/loadkeys.te -index d2f4643..c8e6b37 100644 +index d2f464375..c8e6b37b0 100644 --- a/loadkeys.te +++ b/loadkeys.te @@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t) @@ -47335,7 +47335,7 @@ index d2f4643..c8e6b37 100644 ifdef(`hide_broken_symptoms',` diff --git a/lockdev.if b/lockdev.if -index 4313b8b..cd1435c 100644 +index 4313b8bc0..cd1435cdf 100644 --- a/lockdev.if +++ b/lockdev.if @@ -1,5 +1,25 @@ @@ -47365,7 +47365,7 @@ index 4313b8b..cd1435c 100644 ## ## Role access for lockdev. diff --git a/lockdev.te b/lockdev.te -index 61db5a0..9d5d255 100644 +index 61db5a0a7..9d5d25524 100644 --- a/lockdev.te +++ b/lockdev.te @@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t) @@ -47376,7 +47376,7 @@ index 61db5a0..9d5d255 100644 +userdom_use_inherited_user_terminals(lockdev_t) + diff --git a/logrotate.fc b/logrotate.fc -index a11d5be..60f83c5 100644 +index a11d5be99..60f83c5db 100644 --- a/logrotate.fc +++ b/logrotate.fc @@ -1,6 +1,6 @@ @@ -47389,7 +47389,7 @@ index a11d5be..60f83c5 100644 -/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) +/var/lib/logrotate\.status.* -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) diff --git a/logrotate.if b/logrotate.if -index dd8e01a..9cd6b0b 100644 +index dd8e01af3..9cd6b0b8e 100644 --- a/logrotate.if +++ b/logrotate.if @@ -1,4 +1,4 @@ @@ -47444,7 +47444,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..6180bdb 100644 +index be0ab84b3..6180bdbdc 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) @@ -47779,7 +47779,7 @@ index be0ab84..6180bdb 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index ab65034..dd17cb0 100644 +index ab650340c..dd17cb0c5 100644 --- a/logwatch.te +++ b/logwatch.te @@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false) 
@@ -47886,7 +47886,7 @@ index ab65034..dd17cb0 100644 + qmail_domtrans_queue(logwatch_mail_t) +') diff --git a/lpd.fc b/lpd.fc -index 2fb9b2e..08974e3 100644 +index 2fb9b2ec2..08974e376 100644 --- a/lpd.fc +++ b/lpd.fc @@ -19,6 +19,7 @@ @@ -47898,7 +47898,7 @@ index 2fb9b2e..08974e3 100644 /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) diff --git a/lpd.if b/lpd.if -index 6256371..ce2acb8 100644 +index 62563717b..ce2acb881 100644 --- a/lpd.if +++ b/lpd.if @@ -1,44 +1,49 @@ @@ -48078,7 +48078,7 @@ index 6256371..ce2acb8 100644 can_exec($1, lpr_exec_t) ') diff --git a/lpd.te b/lpd.te -index 39d3164..1ec2cd2 100644 +index 39d31640e..1ec2cd26e 100644 --- a/lpd.te +++ b/lpd.te @@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t) @@ -48250,7 +48250,7 @@ index 39d3164..1ec2cd2 100644 + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) ') diff --git a/lsm.fc b/lsm.fc -index c455730..6e14667 100644 +index c45573053..6e1466794 100644 --- a/lsm.fc +++ b/lsm.fc @@ -1,3 +1,7 @@ @@ -48262,7 +48262,7 @@ index c455730..6e14667 100644 + /var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0) diff --git a/lsm.if b/lsm.if -index d314333..27ede09 100644 +index d3143334d..27ede090c 100644 --- a/lsm.if +++ b/lsm.if @@ -1,25 +1,86 @@ @@ -48373,7 +48373,7 @@ index d314333..27ede09 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..1400ca8 100644 +index 4ec0eea30..1400ca864 100644 --- a/lsm.te +++ b/lsm.te @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) @@ -48490,7 +48490,7 @@ index 4ec0eea..1400ca8 100644 +storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t) diff --git a/lttng-tools.fc b/lttng-tools.fc new file mode 100644 -index 0000000..bdd17ca +index 000000000..bdd17ca85 --- /dev/null +++ b/lttng-tools.fc @@ -0,0 +1,5 @@ @@ -48501,7 +48501,7 @@ index 0000000..bdd17ca +/var/run/lttng(/.*)? gen_context(system_u:object_r:lttng_sessiond_var_run_t,s0) 
diff --git a/lttng-tools.if b/lttng-tools.if new file mode 100644 -index 0000000..e86897d +index 000000000..e86897d29 --- /dev/null +++ b/lttng-tools.if @@ -0,0 +1,117 @@ @@ -48624,7 +48624,7 @@ index 0000000..e86897d +') diff --git a/lttng-tools.te b/lttng-tools.te new file mode 100644 -index 0000000..1d2ca22 +index 000000000..1d2ca2224 --- /dev/null +++ b/lttng-tools.te @@ -0,0 +1,60 @@ @@ -48689,7 +48689,7 @@ index 0000000..1d2ca22 +modutils_read_module_config(lttng_sessiond_t) +files_read_kernel_modules(lttng_sessiond_t) diff --git a/mailman.fc b/mailman.fc -index 995d0a5..3d40d59 100644 +index 995d0a5d3..3d40d59d2 100644 --- a/mailman.fc +++ b/mailman.fc @@ -2,10 +2,12 @@ @@ -48707,7 +48707,7 @@ index 995d0a5..3d40d59 100644 /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) diff --git a/mailman.if b/mailman.if -index 108c0f1..a248501 100644 +index 108c0f1f5..a2485018e 100644 --- a/mailman.if +++ b/mailman.if @@ -1,44 +1,70 @@ @@ -49017,7 +49017,7 @@ index 108c0f1..a248501 100644 domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te -index ac81c7f..a9faca9 100644 +index ac81c7fa9..a9faca989 100644 --- a/mailman.te +++ b/mailman.te @@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0) @@ -49120,7 +49120,7 @@ index ac81c7f..a9faca9 100644 + fs_manage_fusefs_symlinks(mailman_domain) +') diff --git a/mailscanner.if b/mailscanner.if -index 214cb44..bd1d48e 100644 +index 214cb4498..bd1d48e4f 100644 --- a/mailscanner.if +++ b/mailscanner.if @@ -2,29 +2,27 @@ @@ -49201,7 +49201,7 @@ index 214cb44..bd1d48e 100644 + files_list_pids($1) ') diff --git a/mailscanner.te b/mailscanner.te -index 6b6e2e1..3fb3393 100644 +index 6b6e2e130..3fb3393ba 100644 --- a/mailscanner.te +++ b/mailscanner.te @@ -29,11 +29,12 @@ files_pid_file(mscan_var_run_t) @@ -49247,7 +49247,7 @@ index 6b6e2e1..3fb3393 100644 spamassassin_read_lib_files(mscan_t) ') 
diff --git a/man2html.fc b/man2html.fc -index 82f6255..3686732 100644 +index 82f625551..368673237 100644 --- a/man2html.fc +++ b/man2html.fc @@ -1,5 +1,5 @@ @@ -49261,7 +49261,7 @@ index 82f6255..3686732 100644 -/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0) +/var/cache/man2html(/.*)? gen_context(system_u:object_r:man2html_rw_content_t,s0) diff --git a/man2html.if b/man2html.if -index 54ec04d..53eaf61 100644 +index 54ec04d3b..53eaf61d6 100644 --- a/man2html.if +++ b/man2html.if @@ -1 +1,137 @@ @@ -49403,7 +49403,7 @@ index 54ec04d..53eaf61 100644 + ') +') diff --git a/man2html.te b/man2html.te -index e08c55d..24b56e9 100644 +index e08c55d43..24b56e9ee 100644 --- a/man2html.te +++ b/man2html.te @@ -5,22 +5,18 @@ policy_module(man2html, 1.0.0) @@ -49438,7 +49438,7 @@ index e08c55d..24b56e9 100644 + files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file }) +') diff --git a/mandb.fc b/mandb.fc -index 8ae78b5..b365cdd 100644 +index 8ae78b5bf..b365cddec 100644 --- a/mandb.fc +++ b/mandb.fc @@ -1 +1,12 @@ @@ -49455,7 +49455,7 @@ index 8ae78b5..b365cdd 100644 + +/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) diff --git a/mandb.if b/mandb.if -index 327f3f7..4f61561 100644 +index 327f3f726..4f6156138 100644 --- a/mandb.if +++ b/mandb.if @@ -1,14 +1,14 @@ @@ -49693,7 +49693,7 @@ index 327f3f7..4f61561 100644 + ') ') diff --git a/mandb.te b/mandb.te -index e6136fd..56fa2cf 100644 +index e6136fd37..56fa2cfc1 100644 --- a/mandb.te +++ b/mandb.te @@ -10,19 +10,40 @@ roleattribute system_r mandb_roles; @@ -49757,7 +49757,7 @@ index e6136fd..56fa2cf 100644 ifdef(`distro_debian',` optional_policy(` diff --git a/mcelog.if b/mcelog.if -index f89651e..c73214d 100644 +index f89651e75..c73214d81 100644 --- a/mcelog.if +++ b/mcelog.if @@ -19,6 +19,25 @@ interface(`mcelog_domtrans',` @@ -49787,7 +49787,7 @@ index f89651e..c73214d 100644 ## ## All of the rules required to 
diff --git a/mcelog.te b/mcelog.te -index 59b3b3d..494c4f3 100644 +index 59b3b3dd6..494c4f3a4 100644 --- a/mcelog.te +++ b/mcelog.te @@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false) @@ -49841,7 +49841,7 @@ index 59b3b3d..494c4f3 100644 cron_system_entry(mcelog_t, mcelog_exec_t) diff --git a/mcollective.fc b/mcollective.fc new file mode 100644 -index 0000000..821bf88 +index 000000000..821bf8822 --- /dev/null +++ b/mcollective.fc @@ -0,0 +1,3 @@ @@ -49850,7 +49850,7 @@ index 0000000..821bf88 +/usr/libexec/mcollective/update_yaml\.rb -- gen_context(system_u:object_r:mcollective_exec_t,s0) diff --git a/mcollective.if b/mcollective.if new file mode 100644 -index 0000000..3f433f1 +index 000000000..3f433f1e2 --- /dev/null +++ b/mcollective.if @@ -0,0 +1,109 @@ @@ -49965,7 +49965,7 @@ index 0000000..3f433f1 +') diff --git a/mcollective.te b/mcollective.te new file mode 100644 -index 0000000..8bc27f4 +index 000000000..8bc27f4c5 --- /dev/null +++ b/mcollective.te @@ -0,0 +1,27 @@ @@ -49997,7 +49997,7 @@ index 0000000..8bc27f4 +domain_use_interactive_fds(mcollective_t) + diff --git a/mediawiki.fc b/mediawiki.fc -index 99f7c41..1745603 100644 +index 99f7c4187..174560318 100644 --- a/mediawiki.fc +++ b/mediawiki.fc @@ -1,8 +1,8 @@ @@ -50016,7 +50016,7 @@ index 99f7c41..1745603 100644 +/var/www/wiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0) +/var/www/wiki[0-9]?\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0) diff --git a/mediawiki.if b/mediawiki.if -index 9771b4b..9b183e6 100644 +index 9771b4ba3..9b183e62b 100644 --- a/mediawiki.if +++ b/mediawiki.if @@ -1 +1,40 @@ @@ -50062,7 +50062,7 @@ index 9771b4b..9b183e6 100644 + delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t) +') diff --git a/mediawiki.te b/mediawiki.te -index c528b9f..fcbc191 100644 +index c528b9fa7..fcbc1911c 100644 --- a/mediawiki.te +++ b/mediawiki.te @@ -5,13 +5,26 @@ policy_module(mediawiki, 1.0.0) 
@@ -50096,7 +50096,7 @@ index c528b9f..fcbc191 100644 + miscfiles_read_tetex_data(mediawiki_script_t) +') diff --git a/memcached.if b/memcached.if -index 1d4eb19..650014e 100644 +index 1d4eb19b8..650014e0f 100644 --- a/memcached.if +++ b/memcached.if @@ -1,4 +1,4 @@ @@ -50233,7 +50233,7 @@ index 1d4eb19..650014e 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index 29b7521..68ec663 100644 +index 29b752160..68ec663c2 100644 --- a/memcached.te +++ b/memcached.te @@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) @@ -50251,7 +50251,7 @@ index 29b7521..68ec663 100644 -miscfiles_read_localization(memcached_t) diff --git a/milter.fc b/milter.fc -index 89409eb..67e42f6 100644 +index 89409ebbc..67e42f6a9 100644 --- a/milter.fc +++ b/milter.fc @@ -1,18 +1,29 @@ @@ -50295,7 +50295,7 @@ index 89409eb..67e42f6 100644 +/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) +/var/spool/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/milter.if b/milter.if -index cba62db..562833a 100644 +index cba62db12..562833a81 100644 --- a/milter.if +++ b/milter.if @@ -1,47 +1,43 @@ @@ -50433,7 +50433,7 @@ index cba62db..562833a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 4dc99f4..48e3f38 100644 +index 4dc99f464..48e3f3813 100644 --- a/milter.te +++ b/milter.te @@ -5,73 +5,117 @@ policy_module(milter, 1.5.0) @@ -50634,7 +50634,7 @@ index 4dc99f4..48e3f38 100644 spamassassin_domtrans_client(spamass_milter_t) ') diff --git a/minissdpd.if b/minissdpd.if -index b330161..5450937 100644 +index b3301610f..54509375e 100644 --- a/minissdpd.if +++ b/minissdpd.if @@ -39,10 +39,10 @@ interface(`minissdpd_read_config',` @@ -50652,7 +50652,7 @@ index b330161..5450937 100644 init_labeled_script_domtrans($1, minissdpd_initrc_exec_t) 
diff --git a/mip6d.fc b/mip6d.fc new file mode 100644 -index 0000000..767bbad +index 000000000..767bbad7b --- /dev/null +++ b/mip6d.fc @@ -0,0 +1,3 @@ @@ -50661,7 +50661,7 @@ index 0000000..767bbad +/usr/sbin/mip6d -- gen_context(system_u:object_r:mip6d_exec_t,s0) diff --git a/mip6d.if b/mip6d.if new file mode 100644 -index 0000000..861b486 +index 000000000..861b486dc --- /dev/null +++ b/mip6d.if @@ -0,0 +1,80 @@ @@ -50747,7 +50747,7 @@ index 0000000..861b486 +') diff --git a/mip6d.te b/mip6d.te new file mode 100644 -index 0000000..0f290e9 +index 000000000..0f290e9d4 --- /dev/null +++ b/mip6d.te @@ -0,0 +1,33 @@ @@ -50786,7 +50786,7 @@ index 0000000..0f290e9 + diff --git a/mirrormanager.fc b/mirrormanager.fc new file mode 100644 -index 0000000..abd53a4 +index 000000000..abd53a4c7 --- /dev/null +++ b/mirrormanager.fc @@ -0,0 +1,7 @@ @@ -50799,7 +50799,7 @@ index 0000000..abd53a4 +/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0) diff --git a/mirrormanager.if b/mirrormanager.if new file mode 100644 -index 0000000..86467cf +index 000000000..86467cffb --- /dev/null +++ b/mirrormanager.if @@ -0,0 +1,256 @@ @@ -51061,7 +51061,7 @@ index 0000000..86467cf +') diff --git a/mirrormanager.te b/mirrormanager.te new file mode 100644 -index 0000000..f59af1b +index 000000000..f59af1b98 --- /dev/null +++ b/mirrormanager.te @@ -0,0 +1,46 @@ @@ -51113,7 +51113,7 @@ index 0000000..f59af1b +') diff --git a/mock.fc b/mock.fc new file mode 100644 -index 0000000..394bc46 +index 000000000..394bc4658 --- /dev/null +++ b/mock.fc @@ -0,0 +1,7 @@ @@ -51126,7 +51126,7 @@ index 0000000..394bc46 +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/mock.if b/mock.if new file mode 100644 -index 0000000..f5b98e6 +index 000000000..f5b98e6de --- /dev/null +++ b/mock.if @@ -0,0 +1,311 @@ @@ -51443,7 +51443,7 @@ index 0000000..f5b98e6 +') 
diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..f647022 +index 000000000..f647022cb --- /dev/null +++ b/mock.te @@ -0,0 +1,288 @@ @@ -51736,7 +51736,7 @@ index 0000000..f647022 + userdom_read_user_home_content_files(mock_build_t) +') diff --git a/modemmanager.fc b/modemmanager.fc -index a83894c..481dca3 100644 +index a83894c6e..481dca3ff 100644 --- a/modemmanager.fc +++ b/modemmanager.fc @@ -1 +1,4 @@ @@ -51745,7 +51745,7 @@ index a83894c..481dca3 100644 + +/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0) diff --git a/modemmanager.if b/modemmanager.if -index b1ac8b5..24782b3 100644 +index b1ac8b5d8..24782b35f 100644 --- a/modemmanager.if +++ b/modemmanager.if @@ -21,6 +21,31 @@ interface(`modemmanager_domtrans',` @@ -51815,7 +51815,7 @@ index b1ac8b5..24782b3 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..ad481ce 100644 +index d15eb5b64..ad481cee4 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -51871,7 +51871,7 @@ index d15eb5b..ad481ce 100644 optional_policy(` diff --git a/mojomojo.fc b/mojomojo.fc -index 7b827ca..5ee8a0f 100644 +index 7b827ca7f..5ee8a0f2b 100644 --- a/mojomojo.fc +++ b/mojomojo.fc @@ -1,5 +1,5 @@ @@ -51884,7 +51884,7 @@ index 7b827ca..5ee8a0f 100644 -/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0) +/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:mojomojo_rw_content_t,s0) diff --git a/mojomojo.if b/mojomojo.if -index 73952f4..b19a6ee 100644 +index 73952f4c9..b19a6ee2d 100644 --- a/mojomojo.if +++ b/mojomojo.if @@ -15,7 +15,6 @@ @@ -51896,7 +51896,7 @@ index 73952f4..b19a6ee 100644 interface(`mojomojo_admin',` refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.') diff --git a/mojomojo.te b/mojomojo.te -index b94102e..25d1d33 100644 +index b94102efd..25d1d33a1 100644 --- a/mojomojo.te 
+++ b/mojomojo.te @@ -5,21 +5,40 @@ policy_module(mojomojo, 1.1.0) @@ -51950,7 +51950,7 @@ index b94102e..25d1d33 100644 +') diff --git a/mon_statd.fc b/mon_statd.fc new file mode 100644 -index 0000000..60c11c0 +index 000000000..60c11c060 --- /dev/null +++ b/mon_statd.fc @@ -0,0 +1,7 @@ @@ -51963,7 +51963,7 @@ index 0000000..60c11c0 +/var/run/fstatd.* -- gen_context(system_u:object_r:mon_statd_var_run_t,s0) diff --git a/mon_statd.if b/mon_statd.if new file mode 100644 -index 0000000..1ce3e44 +index 000000000..1ce3e4428 --- /dev/null +++ b/mon_statd.if @@ -0,0 +1,39 @@ @@ -52008,7 +52008,7 @@ index 0000000..1ce3e44 +') diff --git a/mon_statd.te b/mon_statd.te new file mode 100644 -index 0000000..e7220a5 +index 000000000..e7220a5a8 --- /dev/null +++ b/mon_statd.te @@ -0,0 +1,76 @@ @@ -52089,7 +52089,7 @@ index 0000000..e7220a5 +logging_send_syslog_msg(mon_procd_t) + diff --git a/mongodb.fc b/mongodb.fc -index 6fcfc31..e9e6bc5 100644 +index 6fcfc31b4..e9e6bc51c 100644 --- a/mongodb.fc +++ b/mongodb.fc @@ -1,9 +1,19 @@ @@ -52116,7 +52116,7 @@ index 6fcfc31..e9e6bc5 100644 +/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) diff --git a/mongodb.te b/mongodb.te -index 169f236..eaaeb0d 100644 +index 169f236e8..eaaeb0d8b 100644 --- a/mongodb.te +++ b/mongodb.te @@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t) @@ -52214,7 +52214,7 @@ index 169f236..eaaeb0d 100644 +') + diff --git a/mono.te b/mono.te -index a6a8643..c0f6cf5 100644 +index a6a86439f..c0f6cf503 100644 --- a/mono.te +++ b/mono.te @@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack }; @@ -52227,7 +52227,7 @@ index a6a8643..c0f6cf5 100644 init_dbus_chat_script(mono_t) diff --git a/monop.if b/monop.if -index 8fdaece..5440757 100644 +index 8fdaecea2..544075765 100644 --- a/monop.if +++ b/monop.if @@ -31,7 +31,7 @@ interface(`monop_admin',` 
@@ -52240,7 +52240,7 @@ index 8fdaece..5440757 100644 files_search_pids($1) diff --git a/monop.te b/monop.te -index 5f93763..8596763 100644 +index 5f9376384..8596763e7 100644 --- a/monop.te +++ b/monop.te @@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t) @@ -52269,7 +52269,7 @@ index 5f93763..8596763 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/motion.fc b/motion.fc new file mode 100644 -index 0000000..7415106 +index 000000000..74151069b --- /dev/null +++ b/motion.fc @@ -0,0 +1,9 @@ @@ -52284,7 +52284,7 @@ index 0000000..7415106 +/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0) diff --git a/motion.if b/motion.if new file mode 100644 -index 0000000..edfd267 +index 000000000..edfd26777 --- /dev/null +++ b/motion.if @@ -0,0 +1,198 @@ @@ -52488,7 +52488,7 @@ index 0000000..edfd267 +') diff --git a/motion.te b/motion.te new file mode 100644 -index 0000000..c7f4eb5 +index 000000000..c7f4eb583 --- /dev/null +++ b/motion.te @@ -0,0 +1,65 @@ @@ -52558,7 +52558,7 @@ index 0000000..c7f4eb5 +') + diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..549fb8c 100644 +index 6ffaba2e4..549fb8cdd 100644 --- a/mozilla.fc +++ b/mozilla.fc @@ -1,38 +1,72 @@ @@ -52669,7 +52669,7 @@ index 6ffaba2..549fb8c 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..e27c53d 100644 +index 6194b806b..e27c53d6e 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -53497,7 +53497,7 @@ index 6194b80..e27c53d 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..7d5d385 100644 +index 11ac8e4fc..7d5d385a2 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -54573,7 +54573,7 @@ index 11ac8e4..7d5d385 100644 + corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t) ') diff --git a/mpd.fc b/mpd.fc -index 313ce52..ae93e07 100644 +index 313ce521c..ae93e07eb 100644 --- a/mpd.fc +++ b/mpd.fc 
@@ -1,3 +1,5 @@ @@ -54589,7 +54589,7 @@ index 313ce52..ae93e07 100644 + +/var/run/mpd(/.*)? gen_context(system_u:object_r:mpd_var_run_t,s0) diff --git a/mpd.if b/mpd.if -index 5fa77c7..2e01c7d 100644 +index 5fa77c7e6..2e01c7d0a 100644 --- a/mpd.if +++ b/mpd.if @@ -322,6 +322,25 @@ interface(`mpd_manage_lib_dirs',` @@ -54634,7 +54634,7 @@ index 5fa77c7..2e01c7d 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index fe72523..062ad64 100644 +index fe7252355..062ad640a 100644 --- a/mpd.te +++ b/mpd.te @@ -62,18 +62,25 @@ files_type(mpd_var_lib_t) @@ -54755,7 +54755,7 @@ index fe72523..062ad64 100644 ') diff --git a/mplayer.if b/mplayer.if -index 861d5e9..1c3d5a5 100644 +index 861d5e974..1c3d5a538 100644 --- a/mplayer.if +++ b/mplayer.if @@ -161,3 +161,23 @@ interface(`mplayer_home_filetrans_mplayer_home',` @@ -54783,7 +54783,7 @@ index 861d5e9..1c3d5a5 100644 + userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer") +') diff --git a/mplayer.te b/mplayer.te -index 0f03cd9..e3ed393 100644 +index 0f03cd937..e3ed3933d 100644 --- a/mplayer.te +++ b/mplayer.te @@ -11,7 +11,7 @@ policy_module(mplayer, 2.5.0) @@ -54879,7 +54879,7 @@ index 0f03cd9..e3ed393 100644 ') diff --git a/mrtg.if b/mrtg.if -index c595094..2346458 100644 +index c595094a6..23464583b 100644 --- a/mrtg.if +++ b/mrtg.if @@ -2,6 +2,25 @@ @@ -54909,7 +54909,7 @@ index c595094..2346458 100644 ## ## diff --git a/mrtg.te b/mrtg.te -index 65a246a..fa86320 100644 +index 65a246a52..fa8632064 100644 --- a/mrtg.te +++ b/mrtg.te @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t) @@ -54945,7 +54945,7 @@ index 65a246a..fa86320 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index f42896c..fce39c1 100644 +index f42896cbf..fce39c1ce 100644 --- a/mta.fc +++ b/mta.fc @@ -1,34 +1,39 @@ 
@@ -55007,7 +55007,7 @@ index f42896c..fce39c1 100644 +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..cd52baf 100644 +index ed81cac5a..cd52baf59 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -56174,7 +56174,7 @@ index ed81cac..cd52baf 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..94b1dfc 100644 +index ff1d68c6a..94b1dfca7 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -56639,7 +56639,7 @@ index ff1d68c..94b1dfc 100644 + + diff --git a/munin.fc b/munin.fc -index eb4b72a..4ea6ce7 100644 +index eb4b72a92..4ea6ce7e2 100644 --- a/munin.fc +++ b/munin.fc @@ -1,77 +1,78 @@ @@ -56768,7 +56768,7 @@ index eb4b72a..4ea6ce7 100644 +/var/www/html/cgi/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0) +/var/www/cgi-bin/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0) diff --git a/munin.if b/munin.if -index b744fe3..cb0e2af 100644 +index b744fe35e..cb0e2af61 100644 --- a/munin.if +++ b/munin.if @@ -1,12 +1,13 @@ @@ -56981,7 +56981,7 @@ index b744fe3..cb0e2af 100644 + admin_pattern($1, munin_content_t) ') diff --git a/munin.te b/munin.te -index b708708..1ea095c 100644 +index b70870816..1ea095ce8 100644 --- a/munin.te +++ b/munin.te @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) @@ -57259,7 +57259,7 @@ index b708708..1ea095c 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index 06f8666..2accd90 100644 +index 06f8666df..2accd90d2 100644 --- a/mysql.fc +++ b/mysql.fc @@ -1,27 +1,46 @@ @@ -57326,7 +57326,7 @@ index 06f8666..2accd90 100644 +/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) 
diff --git a/mysql.if b/mysql.if -index 687af38..5381f1b 100644 +index 687af38bb..5381f1b39 100644 --- a/mysql.if +++ b/mysql.if @@ -1,23 +1,4 @@ @@ -57879,7 +57879,7 @@ index 687af38..5381f1b 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..a89f6d6 100644 +index 7584bbe7c..a89f6d665 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) @@ -58205,7 +58205,7 @@ index 7584bbe..a89f6d6 100644 +userdom_getattr_user_home_dirs(mysqlmanagerd_t) diff --git a/mythtv.fc b/mythtv.fc new file mode 100644 -index 0000000..d62cf88 +index 000000000..d62cf886e --- /dev/null +++ b/mythtv.fc @@ -0,0 +1,9 @@ @@ -58220,7 +58220,7 @@ index 0000000..d62cf88 +/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:mythtv_script_exec_t,s0) diff --git a/mythtv.if b/mythtv.if new file mode 100644 -index 0000000..e2403dd +index 000000000..e2403dd50 --- /dev/null +++ b/mythtv.if @@ -0,0 +1,152 @@ @@ -58378,7 +58378,7 @@ index 0000000..e2403dd +') diff --git a/mythtv.te b/mythtv.te new file mode 100644 -index 0000000..0e585e3 +index 000000000..0e585e3c5 --- /dev/null +++ b/mythtv.te @@ -0,0 +1,47 @@ @@ -58431,7 +58431,7 @@ index 0000000..0e585e3 +') diff --git a/naemon.fc b/naemon.fc new file mode 100644 -index 0000000..85407d3 +index 000000000..85407d337 --- /dev/null +++ b/naemon.fc @@ -0,0 +1,11 @@ @@ -58448,7 +58448,7 @@ index 0000000..85407d3 +/var/run/naemon(/.*)? gen_context(system_u:object_r:naemon_var_run_t,s0) diff --git a/naemon.if b/naemon.if new file mode 100644 -index 0000000..e904df0 +index 000000000..e904df027 --- /dev/null +++ b/naemon.if @@ -0,0 +1,305 @@ @@ -58759,7 +58759,7 @@ index 0000000..e904df0 +') diff --git a/naemon.te b/naemon.te new file mode 100644 -index 0000000..79f1250 +index 000000000..79f1250eb --- /dev/null +++ b/naemon.te @@ -0,0 +1,59 @@ @@ -58823,7 +58823,7 @@ index 0000000..79f1250 + +fs_getattr_xattr_fs(naemon_t) 
diff --git a/nagios.fc b/nagios.fc -index d78dfc3..c781b72 100644 +index d78dfc38d..c781b72bb 100644 --- a/nagios.fc +++ b/nagios.fc @@ -1,88 +1,113 @@ @@ -59016,7 +59016,7 @@ index d78dfc3..c781b72 100644 +/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) + diff --git a/nagios.if b/nagios.if -index 0641e97..f3b1111 100644 +index 0641e970f..f3b111172 100644 --- a/nagios.if +++ b/nagios.if @@ -1,12 +1,13 @@ @@ -59331,7 +59331,7 @@ index 0641e97..f3b1111 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682..00af8b3 100644 +index 7b3e682e6..00af8b3b9 100644 --- a/nagios.te +++ b/nagios.te @@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0) @@ -59807,7 +59807,7 @@ index 7b3e682..00af8b3 100644 optional_policy(` diff --git a/namespace.fc b/namespace.fc new file mode 100644 -index 0000000..ce51c8d +index 000000000..ce51c8d4f --- /dev/null +++ b/namespace.fc @@ -0,0 +1,3 @@ @@ -59816,7 +59816,7 @@ index 0000000..ce51c8d + diff --git a/namespace.if b/namespace.if new file mode 100644 -index 0000000..8d7c751 +index 000000000..8d7c75157 --- /dev/null +++ b/namespace.if @@ -0,0 +1,48 @@ @@ -59870,7 +59870,7 @@ index 0000000..8d7c751 +') diff --git a/namespace.te b/namespace.te new file mode 100644 -index 0000000..814e62e +index 000000000..814e62e4f --- /dev/null +++ b/namespace.te @@ -0,0 +1,41 @@ @@ -59916,7 +59916,7 @@ index 0000000..814e62e +userdom_relabelto_user_home_files(namespace_init_t) +userdom_filetrans_home_content(namespace_init_t) diff --git a/ncftool.if b/ncftool.if -index db9578f..4309e3d 100644 +index db9578f4e..4309e3da5 100644 --- a/ncftool.if +++ b/ncftool.if @@ -38,9 +38,11 @@ interface(`ncftool_domtrans',` @@ -59932,7 +59932,7 @@ index db9578f..4309e3d 100644 ') + diff --git a/ncftool.te b/ncftool.te -index 71f30ba..d616860 100644 +index 71f30ba60..d61686078 100644 --- a/ncftool.te +++ b/ncftool.te @@ -22,13 +22,14 @@ role ncftool_roles types ncftool_t; 
@@ -59991,7 +59991,7 @@ index 71f30ba..d616860 100644 optional_policy(` diff --git a/nessus.te b/nessus.te -index fe1068b..98166ee 100644 +index fe1068ba5..98166ee0b 100644 --- a/nessus.te +++ b/nessus.te @@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t) @@ -60020,7 +60020,7 @@ index fe1068b..98166ee 100644 userdom_dontaudit_use_unpriv_user_fds(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc -index 94b9734..448a7e8 100644 +index 94b973407..448a7e836 100644 --- a/networkmanager.fc +++ b/networkmanager.fc @@ -1,44 +1,46 @@ @@ -60092,7 +60092,7 @@ index 94b9734..448a7e8 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 86dc29d..c7d9376 100644 +index 86dc29dfa..c7d9376d5 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -60635,7 +60635,7 @@ index 86dc29d..c7d9376 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..4419e35 100644 +index 55f20095e..4419e3531 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -61092,7 +61092,7 @@ index 55f2009..4419e35 100644 term_dontaudit_use_console(wpa_cli_t) diff --git a/ninfod.fc b/ninfod.fc new file mode 100644 -index 0000000..cc31b9f +index 000000000..cc31b9f27 --- /dev/null +++ b/ninfod.fc @@ -0,0 +1,6 @@ @@ -61104,7 +61104,7 @@ index 0000000..cc31b9f + diff --git a/ninfod.if b/ninfod.if new file mode 100644 -index 0000000..409de8c +index 000000000..409de8c3e --- /dev/null +++ b/ninfod.if @@ -0,0 +1,80 @@ @@ -61190,7 +61190,7 @@ index 0000000..409de8c +') diff --git a/ninfod.te b/ninfod.te new file mode 100644 -index 0000000..b3aa3ce +index 000000000..b3aa3ce13 --- /dev/null +++ b/ninfod.te @@ -0,0 +1,36 @@ 
@@ -61231,7 +61231,7 @@ index 0000000..b3aa3ce + +sysnet_dns_name_resolve(ninfod_t) diff --git a/nis.fc b/nis.fc -index 8aa1bfa..cd0e015 100644 +index 8aa1bfa28..cd0e015f8 100644 --- a/nis.fc +++ b/nis.fc @@ -2,21 +2,26 @@ @@ -61266,7 +61266,7 @@ index 8aa1bfa..cd0e015 100644 +/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/nis.if b/nis.if -index 46e55c3..afe399a 100644 +index 46e55c3ff..afe399a0e 100644 --- a/nis.if +++ b/nis.if @@ -1,4 +1,4 @@ @@ -61536,7 +61536,7 @@ index 46e55c3..afe399a 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index 3a6b035..5145db5 100644 +index 3a6b0352e..5145db555 100644 --- a/nis.te +++ b/nis.te @@ -5,8 +5,6 @@ policy_module(nis, 1.12.0) @@ -61848,7 +61848,7 @@ index 3a6b035..5145db5 100644 sysnet_read_config(ypxfr_t) diff --git a/nova.fc b/nova.fc new file mode 100644 -index 0000000..b5fab0e +index 000000000..b5fab0e6a --- /dev/null +++ b/nova.fc @@ -0,0 +1,25 @@ @@ -61879,7 +61879,7 @@ index 0000000..b5fab0e +/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) diff --git a/nova.if b/nova.if new file mode 100644 -index 0000000..e328327 +index 000000000..e32832705 --- /dev/null +++ b/nova.if @@ -0,0 +1,47 @@ @@ -61932,7 +61932,7 @@ index 0000000..e328327 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..2259a51 +index 000000000..2259a5192 --- /dev/null +++ b/nova.te @@ -0,0 +1,203 @@ @@ -62140,7 +62140,7 @@ index 0000000..2259a51 +') + diff --git a/nscd.fc b/nscd.fc -index ba64485..429bd79 100644 +index ba6448507..429bd799c 100644 --- a/nscd.fc +++ b/nscd.fc @@ -1,13 +1,15 @@ @@ -62165,7 +62165,7 @@ index ba64485..429bd79 100644 + +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) 
diff --git a/nscd.if b/nscd.if -index 8f2ab09..8ca8a6f 100644 +index 8f2ab09f5..8ca8a6f26 100644 --- a/nscd.if +++ b/nscd.if @@ -1,8 +1,8 @@ @@ -62482,7 +62482,7 @@ index 8f2ab09..8ca8a6f 100644 + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index bcd7d0a..0188086 100644 +index bcd7d0a7d..0188086f9 100644 --- a/nscd.te +++ b/nscd.te @@ -4,33 +4,34 @@ gen_require(` @@ -62672,7 +62672,7 @@ index bcd7d0a..0188086 100644 + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --git a/nsd.fc b/nsd.fc -index 4f2b1b6..6b300d5 100644 +index 4f2b1b663..6b300d54f 100644 --- a/nsd.fc +++ b/nsd.fc @@ -1,16 +1,19 @@ @@ -62706,7 +62706,7 @@ index 4f2b1b6..6b300d5 100644 + +/var/log/nsd\.log -- gen_context(system_u:object_r:nsd_log_t,s0) diff --git a/nsd.if b/nsd.if -index a9c60ff..ad4f14a 100644 +index a9c60ff87..ad4f14ad6 100644 --- a/nsd.if +++ b/nsd.if @@ -1,8 +1,8 @@ @@ -62795,7 +62795,7 @@ index a9c60ff..ad4f14a 100644 + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/nsd.te b/nsd.te -index 47bb1d2..1e55673 100644 +index 47bb1d204..1e5567367 100644 --- a/nsd.te +++ b/nsd.te @@ -9,9 +9,7 @@ type nsd_t; @@ -62987,7 +62987,7 @@ index 47bb1d2..1e55673 100644 cron_system_entry(nsd_crond_t, nsd_exec_t) ') diff --git a/nslcd.fc b/nslcd.fc -index 402100e..ce913b2 100644 +index 402100e40..ce913b244 100644 --- a/nslcd.fc +++ b/nslcd.fc @@ -1,7 +1,4 @@ @@ -63003,7 +63003,7 @@ index 402100e..ce913b2 100644 +/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) +/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) diff --git a/nslcd.if b/nslcd.if -index 97df768..852d1c6 100644 +index 97df768d9..852d1c6c7 100644 --- a/nslcd.if +++ b/nslcd.if @@ -1,4 +1,4 @@ @@ -63121,7 +63121,7 @@ index 97df768..852d1c6 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index 421bf1a..1be3b6b 100644 +index 421bf1a56..1be3b6b30 100644 --- a/nslcd.te +++ b/nslcd.te 
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t) @@ -63182,7 +63182,7 @@ index 421bf1a..1be3b6b 100644 + diff --git a/nsplugin.fc b/nsplugin.fc new file mode 100644 -index 0000000..22e6c96 +index 000000000..22e6c963c --- /dev/null +++ b/nsplugin.fc @@ -0,0 +1,11 @@ @@ -63199,7 +63199,7 @@ index 0000000..22e6c96 +/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/nsplugin.if b/nsplugin.if new file mode 100644 -index 0000000..bceb527 +index 000000000..bceb5271e --- /dev/null +++ b/nsplugin.if @@ -0,0 +1,474 @@ @@ -63679,7 +63679,7 @@ index 0000000..bceb527 +') diff --git a/nsplugin.te b/nsplugin.te new file mode 100644 -index 0000000..7d839fe +index 000000000..7d839fe6e --- /dev/null +++ b/nsplugin.te @@ -0,0 +1,318 @@ @@ -64002,7 +64002,7 @@ index 0000000..7d839fe + pulseaudio_setattr_home_dir(nsplugin_t) +') diff --git a/ntop.te b/ntop.te -index 8ec7859..c696f67 100644 +index 8ec78595b..c696f6765 100644 --- a/ntop.te +++ b/ntop.te @@ -29,10 +29,11 @@ files_pid_file(ntop_var_run_t) @@ -64051,7 +64051,7 @@ index 8ec7859..c696f67 100644 ') diff --git a/ntp.fc b/ntp.fc -index af3c91e..3e5f9cf 100644 +index af3c91e70..3e5f9cfa6 100644 --- a/ntp.fc +++ b/ntp.fc @@ -11,9 +11,13 @@ @@ -64069,7 +64069,7 @@ index af3c91e..3e5f9cf 100644 /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) diff --git a/ntp.if b/ntp.if -index e96a309..4245308 100644 +index e96a309a5..42453089c 100644 --- a/ntp.if +++ b/ntp.if @@ -1,4 +1,4 @@ @@ -64311,7 +64311,7 @@ index e96a309..4245308 100644 +') + diff --git a/ntp.te b/ntp.te -index f81b113..4e9e52e 100644 +index f81b113c7..4e9e52e1c 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; @@ -64440,7 +64440,7 @@ index f81b113..4e9e52e 100644 udev_read_db(ntpd_t) ') diff --git a/numad.fc b/numad.fc -index 3488bb0..1f97624 100644 +index 3488bb0d3..1f9762420 100644 --- a/numad.fc +++ b/numad.fc @@ -1,7 +1,7 @@ 
@@ -64456,7 +64456,7 @@ index 3488bb0..1f97624 100644 -/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) +/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) diff --git a/numad.if b/numad.if -index 0d3c270..f307835 100644 +index 0d3c270b9..f307835ce 100644 --- a/numad.if +++ b/numad.if @@ -1,39 +1,93 @@ @@ -64572,7 +64572,7 @@ index 0d3c270..f307835 100644 + ') ') diff --git a/numad.te b/numad.te -index b0a1be4..303a927 100644 +index b0a1be482..303a9279f 100644 --- a/numad.te +++ b/numad.te @@ -8,37 +8,44 @@ policy_module(numad, 1.1.0) @@ -64633,7 +64633,7 @@ index b0a1be4..303a927 100644 + virt_ptrace(numad_t) +') diff --git a/nut.fc b/nut.fc -index 379af96..fac7d7b 100644 +index 379af962c..fac7d7bc9 100644 --- a/nut.fc +++ b/nut.fc @@ -1,23 +1,16 @@ @@ -64668,7 +64668,7 @@ index 379af96..fac7d7b 100644 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) diff --git a/nut.if b/nut.if -index 57c0161..c554eb6 100644 +index 57c0161ed..c554eb6e1 100644 --- a/nut.if +++ b/nut.if @@ -1,39 +1,60 @@ @@ -64759,7 +64759,7 @@ index 57c0161..c554eb6 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d..605b54b 100644 +index 5b2cb0d59..605b54b72 100644 --- a/nut.te +++ b/nut.te @@ -7,154 +7,155 @@ policy_module(nut, 1.3.0) @@ -64993,7 +64993,7 @@ index 5b2cb0d..605b54b 100644 + sysnet_dns_name_resolve(nutups_cgi_script_t) ') diff --git a/nx.if b/nx.if -index 251d681..50ae2a9 100644 +index 251d6816a..50ae2a94b 100644 --- a/nx.if +++ b/nx.if @@ -35,7 +35,9 @@ interface(`nx_read_home_files',` @@ -65030,7 +65030,7 @@ index 251d681..50ae2a9 100644 + filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh") +') diff --git a/nx.te b/nx.te -index 091f872..62a0b12 100644 +index 091f87272..62a0b1229 100644 --- a/nx.te +++ b/nx.te 
@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t) @@ -65075,7 +65075,7 @@ index 091f872..62a0b12 100644 sysnet_read_config(nx_server_t) diff --git a/oav.te b/oav.te -index b09c4c4..995c3f6 100644 +index b09c4c412..995c3f6a6 100644 --- a/oav.te +++ b/oav.te @@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t) @@ -65087,14 +65087,14 @@ index b09c4c4..995c3f6 100644 files_search_var_lib(scannerdaemon_t) diff --git a/obex.fc b/obex.fc -index 03fa560..000c5fe 100644 +index 03fa56040..000c5fe7b 100644 --- a/obex.fc +++ b/obex.fc @@ -1 +1 @@ -/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) +/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) diff --git a/obex.if b/obex.if -index 8635ea2..eec20b4 100644 +index 8635ea205..eec20b413 100644 --- a/obex.if +++ b/obex.if @@ -1,15 +1,50 @@ @@ -65241,7 +65241,7 @@ index 8635ea2..eec20b4 100644 + obex_dbus_chat($2) ') diff --git a/obex.te b/obex.te -index cd29ea8..d01d2c8 100644 +index cd29ea899..d01d2c8e6 100644 --- a/obex.te +++ b/obex.te @@ -1,4 +1,4 @@ @@ -65287,7 +65287,7 @@ index cd29ea8..d01d2c8 100644 ') ') diff --git a/oddjob.fc b/oddjob.fc -index dd1d9ef..c48733a 100644 +index dd1d9ef5a..c48733aa4 100644 --- a/oddjob.fc +++ b/oddjob.fc @@ -1,10 +1,12 @@ @@ -65309,7 +65309,7 @@ index dd1d9ef..c48733a 100644 -/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) +/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/oddjob.if b/oddjob.if -index c87bd2a..6180fba 100644 +index c87bd2a30..6180fba1f 100644 --- a/oddjob.if +++ b/oddjob.if @@ -1,4 +1,8 @@ @@ -65550,7 +65550,7 @@ index c87bd2a..6180fba 100644 + allow $1 oddjob_mkhomedir_exec_t:file entrypoint; ') diff --git a/oddjob.te b/oddjob.te -index e403097..c60887d 100644 +index e403097c6..c60887de2 100644 --- a/oddjob.te +++ b/oddjob.te @@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0) 
@@ -65659,7 +65659,7 @@ index e403097..c60887d 100644 +userdom_stream_connect(oddjob_mkhomedir_t) + diff --git a/openct.te b/openct.te -index 3b6920e..577c90b 100644 +index 3b6920e31..577c90b03 100644 --- a/openct.te +++ b/openct.te @@ -21,6 +21,7 @@ files_pid_file(openct_var_run_t) @@ -65703,7 +65703,7 @@ index 3b6920e..577c90b 100644 diff --git a/opendnssec.fc b/opendnssec.fc new file mode 100644 -index 0000000..08d0e79 +index 000000000..08d0e793d --- /dev/null +++ b/opendnssec.fc @@ -0,0 +1,14 @@ @@ -65723,7 +65723,7 @@ index 0000000..08d0e79 +/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0) diff --git a/opendnssec.if b/opendnssec.if new file mode 100644 -index 0000000..7c08157 +index 000000000..7c081576b --- /dev/null +++ b/opendnssec.if @@ -0,0 +1,228 @@ @@ -65957,7 +65957,7 @@ index 0000000..7c08157 +') diff --git a/opendnssec.te b/opendnssec.te new file mode 100644 -index 0000000..3a760d7 +index 000000000..3a760d741 --- /dev/null +++ b/opendnssec.te @@ -0,0 +1,69 @@ @@ -66032,7 +66032,7 @@ index 0000000..3a760d7 + diff --git a/openfortivpn.fc b/openfortivpn.fc new file mode 100644 -index 0000000..2e4dd3f +index 000000000..2e4dd3ffe --- /dev/null +++ b/openfortivpn.fc @@ -0,0 +1,4 @@ @@ -66042,7 +66042,7 @@ index 0000000..2e4dd3f +/var/lib/NetworkManager-fortisslvpn(/.*)? gen_context(system_u:object_r:openfortivpn_var_lib_t,s0) diff --git a/openfortivpn.if b/openfortivpn.if new file mode 100644 -index 0000000..7581b52 +index 000000000..7581b52a0 --- /dev/null +++ b/openfortivpn.if @@ -0,0 +1,113 @@ @@ -66161,7 +66161,7 @@ index 0000000..7581b52 +') diff --git a/openfortivpn.te b/openfortivpn.te new file mode 100644 -index 0000000..5a3c62b +index 000000000..5a3c62b83 --- /dev/null +++ b/openfortivpn.te @@ -0,0 +1,67 @@ @@ -66233,7 +66233,7 @@ index 0000000..5a3c62b + ppp_kill(openfortivpn_t) +') diff --git a/openhpi.te b/openhpi.te -index 8de6191..1a01e99 100644 +index 8de619112..1a01e99f2 100644 --- a/openhpi.te +++ b/openhpi.te 
@@ -38,6 +38,8 @@ files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir) @@ -66260,7 +66260,7 @@ index 8de6191..1a01e99 100644 +') diff --git a/openhpid.fc b/openhpid.fc new file mode 100644 -index 0000000..df219e6 +index 000000000..df219e6ef --- /dev/null +++ b/openhpid.fc @@ -0,0 +1,10 @@ @@ -66276,7 +66276,7 @@ index 0000000..df219e6 +/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0) diff --git a/openhpid.if b/openhpid.if new file mode 100644 -index 0000000..598789a +index 000000000..598789a3b --- /dev/null +++ b/openhpid.if @@ -0,0 +1,159 @@ @@ -66441,7 +66441,7 @@ index 0000000..598789a + diff --git a/openhpid.te b/openhpid.te new file mode 100644 -index 0000000..a0e0eaf +index 000000000..a0e0eafce --- /dev/null +++ b/openhpid.te @@ -0,0 +1,67 @@ @@ -66514,21 +66514,21 @@ index 0000000..a0e0eaf +') diff --git a/openshift-origin.fc b/openshift-origin.fc new file mode 100644 -index 0000000..30ca148 +index 000000000..30ca148ee --- /dev/null +++ b/openshift-origin.fc @@ -0,0 +1 @@ +# Left Blank diff --git a/openshift-origin.if b/openshift-origin.if new file mode 100644 -index 0000000..3eb6a30 +index 000000000..3eb6a3057 --- /dev/null +++ b/openshift-origin.if @@ -0,0 +1 @@ +## diff --git a/openshift-origin.te b/openshift-origin.te new file mode 100644 -index 0000000..a437f80 +index 000000000..a437f80ca --- /dev/null +++ b/openshift-origin.te @@ -0,0 +1,13 @@ @@ -66547,7 +66547,7 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) diff --git a/openshift.fc b/openshift.fc new file mode 100644 -index 0000000..5a2f97e +index 000000000..5a2f97ef6 --- /dev/null +++ b/openshift.fc @@ -0,0 +1,30 @@ @@ -66583,7 +66583,7 @@ index 0000000..5a2f97e +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..c20cac3 +index 000000000..c20cac397 --- /dev/null +++ b/openshift.if @@ -0,0 +1,697 @@ 
@@ -67286,7 +67286,7 @@ index 0000000..c20cac3 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..a98990f +index 000000000..a98990f3a --- /dev/null +++ b/openshift.te @@ -0,0 +1,634 @@ @@ -67926,7 +67926,7 @@ index 0000000..a98990f +') diff --git a/opensm.fc b/opensm.fc new file mode 100644 -index 0000000..51650fa +index 000000000..51650fa65 --- /dev/null +++ b/opensm.fc @@ -0,0 +1,7 @@ @@ -67939,7 +67939,7 @@ index 0000000..51650fa +/var/log/opensm\.log.* -- gen_context(system_u:object_r:opensm_log_t,s0) diff --git a/opensm.if b/opensm.if new file mode 100644 -index 0000000..45de664 +index 000000000..45de66477 --- /dev/null +++ b/opensm.if @@ -0,0 +1,224 @@ @@ -68169,7 +68169,7 @@ index 0000000..45de664 +') diff --git a/opensm.te b/opensm.te new file mode 100644 -index 0000000..87c86ed +index 000000000..87c86edb9 --- /dev/null +++ b/opensm.te @@ -0,0 +1,46 @@ @@ -68220,7 +68220,7 @@ index 0000000..87c86ed + +logging_send_syslog_msg(opensm_t) diff --git a/openvpn.fc b/openvpn.fc -index 300213f..4cdfe09 100644 +index 300213f83..4cdfe097c 100644 --- a/openvpn.fc +++ b/openvpn.fc @@ -1,10 +1,13 @@ @@ -68238,7 +68238,7 @@ index 300213f..4cdfe09 100644 /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) diff --git a/openvpn.if b/openvpn.if -index 6837e9a..8d6e33b 100644 +index 6837e9a2b..8d6e33b00 100644 --- a/openvpn.if +++ b/openvpn.if @@ -23,6 +23,25 @@ interface(`openvpn_domtrans',` @@ -68328,7 +68328,7 @@ index 6837e9a..8d6e33b 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 63957a3..91dead6 100644 +index 63957a362..91dead6e7 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) @@ -68520,7 +68520,7 @@ index 63957a3..91dead6 100644 + can_exec(openvpn_t, openvpn_unconfined_script_exec_t) +') 
diff --git a/openvswitch.fc b/openvswitch.fc -index 45d7cc5..c5b9607 100644 +index 45d7cc508..c5b9607c1 100644 --- a/openvswitch.fc +++ b/openvswitch.fc @@ -1,12 +1,16 @@ @@ -68548,7 +68548,7 @@ index 45d7cc5..c5b9607 100644 -/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0) +/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0) diff --git a/openvswitch.if b/openvswitch.if -index 9b15730..cb00f20 100644 +index 9b157305b..cb00f200a 100644 --- a/openvswitch.if +++ b/openvswitch.if @@ -1,13 +1,14 @@ @@ -68821,7 +68821,7 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..9e70db7 100644 +index 44dbc99ab..9e70db7ef 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; @@ -68958,7 +68958,7 @@ index 44dbc99..9e70db7 100644 +') diff --git a/openwsman.fc b/openwsman.fc new file mode 100644 -index 0000000..00d0643 +index 000000000..00d0643d9 --- /dev/null +++ b/openwsman.fc @@ -0,0 +1,7 @@ @@ -68971,7 +68971,7 @@ index 0000000..00d0643 +/var/run/wsmand.* -- gen_context(system_u:object_r:openwsman_run_t,s0) diff --git a/openwsman.if b/openwsman.if new file mode 100644 -index 0000000..747853a +index 000000000..747853a1a --- /dev/null +++ b/openwsman.if @@ -0,0 +1,79 @@ @@ -69056,7 +69056,7 @@ index 0000000..747853a +') diff --git a/openwsman.te b/openwsman.te new file mode 100644 -index 0000000..3bcd32c +index 000000000..3bcd32cdf --- /dev/null +++ b/openwsman.te @@ -0,0 +1,74 @@ @@ -69136,7 +69136,7 @@ index 0000000..3bcd32c + diff --git a/oracleasm.fc b/oracleasm.fc new file mode 100644 -index 0000000..5655fac +index 000000000..5655facf0 --- /dev/null +++ b/oracleasm.fc @@ -0,0 +1,8 @@ @@ -69150,7 +69150,7 @@ index 0000000..5655fac +/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0) diff --git a/oracleasm.if b/oracleasm.if new file mode 100644 -index 0000000..6ae382c +index 000000000..6ae382cb9 --- /dev/null 
+++ b/oracleasm.if @@ -0,0 +1,75 @@ @@ -69231,7 +69231,7 @@ index 0000000..6ae382c + diff --git a/oracleasm.te b/oracleasm.te new file mode 100644 -index 0000000..41f3e07 +index 000000000..41f3e07b1 --- /dev/null +++ b/oracleasm.te @@ -0,0 +1,66 @@ @@ -69303,7 +69303,7 @@ index 0000000..41f3e07 +') diff --git a/osad.fc b/osad.fc new file mode 100644 -index 0000000..cf911d5 +index 000000000..cf911d54e --- /dev/null +++ b/osad.fc @@ -0,0 +1,7 @@ @@ -69316,7 +69316,7 @@ index 0000000..cf911d5 +/var/run/osad.* -- gen_context(system_u:object_r:osad_var_run_t,s0) diff --git a/osad.if b/osad.if new file mode 100644 -index 0000000..05648bd +index 000000000..05648bd2a --- /dev/null +++ b/osad.if @@ -0,0 +1,165 @@ @@ -69487,7 +69487,7 @@ index 0000000..05648bd +') diff --git a/osad.te b/osad.te new file mode 100644 -index 0000000..b372f68 +index 000000000..b372f683a --- /dev/null +++ b/osad.te @@ -0,0 +1,56 @@ @@ -69548,7 +69548,7 @@ index 0000000..b372f68 + rpm_domtrans(osad_t) +') diff --git a/pacemaker.fc b/pacemaker.fc -index 2f0ad56..d4da0b8 100644 +index 2f0ad56d6..d4da0b8d0 100644 --- a/pacemaker.fc +++ b/pacemaker.fc @@ -1,5 +1,7 @@ @@ -69560,7 +69560,7 @@ index 2f0ad56..d4da0b8 100644 /var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0) diff --git a/pacemaker.if b/pacemaker.if -index 9682d9a..f1f421f 100644 +index 9682d9af8..f1f421f9e 100644 --- a/pacemaker.if +++ b/pacemaker.if @@ -1,9 +1,167 @@ @@ -69769,7 +69769,7 @@ index 9682d9a..f1f421f 100644 + ') ') diff --git a/pacemaker.te b/pacemaker.te -index 6e6efb6..d56c049 100644 +index 6e6efb642..d56c04963 100644 --- a/pacemaker.te +++ b/pacemaker.te @@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0) @@ -69870,7 +69870,7 @@ index 6e6efb6..d56c049 100644 + rgmanager_execute_lib(pacemaker_t) ') diff --git a/pads.if b/pads.if -index 6e097c9..503c97a 100644 +index 6e097c919..503c97a2d 100644 --- a/pads.if +++ b/pads.if @@ -17,15 +17,19 @@ 
@@ -69896,7 +69896,7 @@ index 6e097c9..503c97a 100644 domain_system_change_exemption($1) role_transition $2 pads_initrc_exec_t system_r; diff --git a/pads.te b/pads.te -index 078adc4..f0c65e5 100644 +index 078adc478..f0c65e5de 100644 --- a/pads.te +++ b/pads.te @@ -24,9 +24,12 @@ files_pid_file(pads_var_run_t) @@ -69934,7 +69934,7 @@ index 078adc4..f0c65e5 100644 sysnet_dns_name_resolve(pads_t) diff --git a/passenger.fc b/passenger.fc -index 2c389ea..9155bd0 100644 +index 2c389ea7c..9155bd0dd 100644 --- a/passenger.fc +++ b/passenger.fc @@ -1,10 +1,12 @@ @@ -69958,7 +69958,7 @@ index 2c389ea..9155bd0 100644 + +/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/passenger.if b/passenger.if -index bf59ef7..0e33327 100644 +index bf59ef731..0e333279c 100644 --- a/passenger.if +++ b/passenger.if @@ -15,17 +15,17 @@ interface(`passenger_domtrans',` @@ -70130,7 +70130,7 @@ index bf59ef7..0e33327 100644 +') + diff --git a/passenger.te b/passenger.te -index 08ec33b..e73b8a6 100644 +index 08ec33bf2..e73b8a63d 100644 --- a/passenger.te +++ b/passenger.te @@ -1,4 +1,4 @@ @@ -70261,7 +70261,7 @@ index 08ec33b..e73b8a6 100644 + rpm_read_db(passenger_t) ') diff --git a/pcmcia.te b/pcmcia.te -index 8176e4a..2df1789 100644 +index 8176e4aa4..2df178919 100644 --- a/pcmcia.te +++ b/pcmcia.te @@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t) @@ -70288,7 +70288,7 @@ index 8176e4a..2df1789 100644 diff --git a/pcp.fc b/pcp.fc new file mode 100644 -index 0000000..de7c78c +index 000000000..de7c78ca0 --- /dev/null +++ b/pcp.fc @@ -0,0 +1,33 @@ @@ -70327,7 +70327,7 @@ index 0000000..de7c78c +/var/run/pmlogger\.primary\.socket -l gen_context(system_u:object_r:pcp_var_run_t,s0) diff --git a/pcp.if b/pcp.if new file mode 100644 -index 0000000..abb250d +index 000000000..abb250dba --- /dev/null +++ b/pcp.if @@ -0,0 +1,160 @@ @@ -70493,7 +70493,7 @@ index 0000000..abb250d +') 
diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..3729152 +index 000000000..372915272 --- /dev/null +++ b/pcp.te @@ -0,0 +1,313 @@ @@ -70811,7 +70811,7 @@ index 0000000..3729152 +') + diff --git a/pcscd.if b/pcscd.if -index 43d50f9..6b1544f 100644 +index 43d50f95b..6b1544f62 100644 --- a/pcscd.if +++ b/pcscd.if @@ -17,6 +17,8 @@ interface(`pcscd_domtrans',` @@ -70833,7 +70833,7 @@ index 43d50f9..6b1544f 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index 1fb1964..a8026bd 100644 +index 1fb196410..a8026bdbf 100644 --- a/pcscd.te +++ b/pcscd.te @@ -22,10 +22,12 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") @@ -70915,7 +70915,7 @@ index 1fb1964..a8026bd 100644 + diff --git a/pdns.fc b/pdns.fc new file mode 100644 -index 0000000..22bc51b +index 000000000..22bc51be6 --- /dev/null +++ b/pdns.fc @@ -0,0 +1,6 @@ @@ -70927,7 +70927,7 @@ index 0000000..22bc51b +/etc/pdns(/.*)? gen_context(system_u:object_r:pdns_conf_t,s0) diff --git a/pdns.if b/pdns.if new file mode 100644 -index 0000000..02df03a +index 000000000..02df03ad6 --- /dev/null +++ b/pdns.if @@ -0,0 +1,81 @@ @@ -71014,7 +71014,7 @@ index 0000000..02df03a +') diff --git a/pdns.te b/pdns.te new file mode 100644 -index 0000000..509d898 +index 000000000..509d89837 --- /dev/null +++ b/pdns.te @@ -0,0 +1,82 @@ @@ -71101,7 +71101,7 @@ index 0000000..509d898 + ') +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..feaa8e1 100644 +index dfd46e412..feaa8e174 100644 --- a/pegasus.fc +++ b/pegasus.fc @@ -1,15 +1,33 @@ @@ -71147,7 +71147,7 @@ index dfd46e4..feaa8e1 100644 +/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) diff --git a/pegasus.if b/pegasus.if -index d2fc677..86dce34 100644 +index d2fc677c1..86dce34a2 100644 --- a/pegasus.if +++ b/pegasus.if @@ -1,52 +1,60 @@ 
@@ -71248,7 +71248,7 @@ index d2fc677..86dce34 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..8cccfd7 100644 +index 608f454d8..8cccfd762 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -71783,7 +71783,7 @@ index 608f454..8cccfd7 100644 ') diff --git a/pesign.fc b/pesign.fc new file mode 100644 -index 0000000..7b54c39 +index 000000000..7b54c3926 --- /dev/null +++ b/pesign.fc @@ -0,0 +1,6 @@ @@ -71795,7 +71795,7 @@ index 0000000..7b54c39 +/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0) diff --git a/pesign.if b/pesign.if new file mode 100644 -index 0000000..4d531cb +index 000000000..4d531cb9d --- /dev/null +++ b/pesign.if @@ -0,0 +1,99 @@ @@ -71900,7 +71900,7 @@ index 0000000..4d531cb +') diff --git a/pesign.te b/pesign.te new file mode 100644 -index 0000000..513887d +index 000000000..513887d18 --- /dev/null +++ b/pesign.te @@ -0,0 +1,43 @@ @@ -71948,7 +71948,7 @@ index 0000000..513887d +miscfiles_read_certs(pesign_t) +miscfiles_read_localization(pesign_t) diff --git a/pingd.if b/pingd.if -index 21a6ecb..b99e4cb 100644 +index 21a6ecbe7..b99e4cb0b 100644 --- a/pingd.if +++ b/pingd.if @@ -55,7 +55,8 @@ interface(`pingd_manage_config',` @@ -71977,7 +71977,7 @@ index 21a6ecb..b99e4cb 100644 domain_system_change_exemption($1) role_transition $2 pingd_initrc_exec_t system_r; diff --git a/pingd.te b/pingd.te -index ab01060..778c8eb 100644 +index ab0106027..778c8eb12 100644 --- a/pingd.te +++ b/pingd.te @@ -10,7 +10,7 @@ type pingd_exec_t; @@ -72004,7 +72004,7 @@ index ab01060..778c8eb 100644 -miscfiles_read_localization(pingd_t) diff --git a/piranha.fc b/piranha.fc new file mode 100644 -index 0000000..20ea9f5 +index 000000000..20ea9f54b --- /dev/null +++ b/piranha.fc @@ -0,0 +1,24 @@ @@ -72034,7 +72034,7 @@ index 0000000..20ea9f5 + diff --git a/piranha.if b/piranha.if new file mode 100644 -index 0000000..cf54103 +index 000000000..cf54103b6 --- /dev/null +++ b/piranha.if @@ -0,0 +1,187 @@ 
@@ -72227,7 +72227,7 @@ index 0000000..cf54103 +') diff --git a/piranha.te b/piranha.te new file mode 100644 -index 0000000..a989aea +index 000000000..a989aea2e --- /dev/null +++ b/piranha.te @@ -0,0 +1,292 @@ @@ -72524,7 +72524,7 @@ index 0000000..a989aea + +sysnet_read_config(piranha_domain) diff --git a/pkcs.fc b/pkcs.fc -index 9a72226..b296894 100644 +index 9a72226e3..b2968942f 100644 --- a/pkcs.fc +++ b/pkcs.fc @@ -4,4 +4,8 @@ @@ -72537,7 +72537,7 @@ index 9a72226..b296894 100644 + /var/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0) diff --git a/pkcs.if b/pkcs.if -index 69be2aa..2d7b3f6 100644 +index 69be2aaf2..2d7b3f656 100644 --- a/pkcs.if +++ b/pkcs.if @@ -19,7 +19,7 @@ @@ -72560,7 +72560,7 @@ index 69be2aa..2d7b3f6 100644 admin_pattern($1, pkcs_slotd_var_run_t) diff --git a/pkcs.te b/pkcs.te -index 8eb3f7b..81ee57d 100644 +index 8eb3f7bc1..81ee57df4 100644 --- a/pkcs.te +++ b/pkcs.te @@ -7,21 +7,34 @@ policy_module(pkcs, 1.0.1) @@ -72631,7 +72631,7 @@ index 8eb3f7b..81ee57d 100644 +userdom_read_all_users_state(pkcs_slotd_t) diff --git a/pkcs11proxyd.fc b/pkcs11proxyd.fc new file mode 100644 -index 0000000..ca1160a +index 000000000..ca1160af2 --- /dev/null +++ b/pkcs11proxyd.fc @@ -0,0 +1,7 @@ @@ -72644,7 +72644,7 @@ index 0000000..ca1160a +/var/run/pkcs11proxyd\.socket -s gen_context(system_u:object_r:pkcs11proxyd_var_run_t,s0) diff --git a/pkcs11proxyd.if b/pkcs11proxyd.if new file mode 100644 -index 0000000..1fa6db2 +index 000000000..1fa6db2ea --- /dev/null +++ b/pkcs11proxyd.if @@ -0,0 +1,175 @@ @@ -72825,7 +72825,7 @@ index 0000000..1fa6db2 +') diff --git a/pkcs11proxyd.te b/pkcs11proxyd.te new file mode 100644 -index 0000000..a2cb118 +index 000000000..a2cb118ba --- /dev/null +++ b/pkcs11proxyd.te @@ -0,0 +1,42 @@ @@ -72873,7 +72873,7 @@ index 0000000..a2cb118 + diff --git a/pki.fc b/pki.fc new file mode 100644 -index 0000000..47cd0f8 +index 000000000..47cd0f8ba --- /dev/null +++ b/pki.fc @@ -0,0 +1,57 @@ 
@@ -72936,7 +72936,7 @@ index 0000000..47cd0f8 +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..f18fcc6 +index 000000000..f18fcc68f --- /dev/null +++ b/pki.if @@ -0,0 +1,479 @@ @@ -73421,7 +73421,7 @@ index 0000000..f18fcc6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..cde75a2 +index 000000000..cde75a219 --- /dev/null +++ b/pki.te @@ -0,0 +1,285 @@ @@ -73711,7 +73711,7 @@ index 0000000..cde75a2 +') + diff --git a/plymouthd.fc b/plymouthd.fc -index 735500f..2ba6832 100644 +index 735500fd1..2ba6832cc 100644 --- a/plymouthd.fc +++ b/plymouthd.fc @@ -1,15 +1,14 @@ @@ -73739,7 +73739,7 @@ index 735500f..2ba6832 100644 -/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) +/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) diff --git a/plymouthd.if b/plymouthd.if -index 30e751f..61feb3a 100644 +index 30e751f18..61feb3a81 100644 --- a/plymouthd.if +++ b/plymouthd.if @@ -1,4 +1,4 @@ @@ -74052,7 +74052,7 @@ index 30e751f..61feb3a 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 3078ce9..ac0b7a5 100644 +index 3078ce905..ac0b7a546 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -15,7 +15,7 @@ type plymouthd_exec_t; @@ -74173,7 +74173,7 @@ index 3078ce9..ac0b7a5 100644 hal_dontaudit_write_log(plymouth_t) hal_dontaudit_rw_pipes(plymouth_t) diff --git a/podsleuth.te b/podsleuth.te -index 9123f71..232e28a 100644 +index 9123f7152..232e28a75 100644 --- a/podsleuth.te +++ b/podsleuth.te @@ -28,8 +28,9 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t) @@ -74212,7 +74212,7 @@ index 9123f71..232e28a 100644 optional_policy(` dbus_system_bus_client(podsleuth_t) diff --git a/policykit.fc b/policykit.fc -index 1d76c72..93d09d9 100644 +index 1d76c7288..93d09d92f 100644 --- a/policykit.fc +++ b/policykit.fc @@ -1,23 +1,22 @@ 
@@ -74257,7 +74257,7 @@ index 1d76c72..93d09d9 100644 -/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) diff --git a/policykit.if b/policykit.if -index 032a84d..be00a65 100644 +index 032a84d1c..be00a65f1 100644 --- a/policykit.if +++ b/policykit.if @@ -17,6 +17,8 @@ interface(`policykit_dbus_chat',` @@ -74497,7 +74497,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index ee91778..fb9b69a 100644 +index ee91778f7..fb9b69ae9 100644 --- a/policykit.te +++ b/policykit.te @@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0) @@ -74836,7 +74836,7 @@ index ee91778..fb9b69a 100644 ') - diff --git a/polipo.fc b/polipo.fc -index d35614b..11f77ee 100644 +index d35614b78..11f77ee32 100644 --- a/polipo.fc +++ b/polipo.fc @@ -1,15 +1,16 @@ @@ -74860,7 +74860,7 @@ index d35614b..11f77ee 100644 -/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0) +/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0) diff --git a/polipo.if b/polipo.if -index ae27bb7..10a7787 100644 +index ae27bb7fe..10a778780 100644 --- a/polipo.if +++ b/polipo.if @@ -1,8 +1,8 @@ @@ -75109,7 +75109,7 @@ index ae27bb7..10a7787 100644 + allow $1 polipo_unit_file_t:service all_service_perms; ') diff --git a/polipo.te b/polipo.te -index 9764bfe..8870de7 100644 +index 9764bfef8..8870de713 100644 --- a/polipo.te +++ b/polipo.te @@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1) @@ -75353,7 +75353,7 @@ index 9764bfe..8870de7 100644 -miscfiles_read_localization(polipo_daemon) diff --git a/portage.if b/portage.if -index 67e8c12..058c994 100644 +index 67e8c12c4..058c99481 100644 --- a/portage.if +++ b/portage.if @@ -67,9 +67,10 @@ interface(`portage_compile_domain',` @@ -75369,7 +75369,7 @@ index 67e8c12..058c994 100644 allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate }; allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; 
diff --git a/portage.te b/portage.te -index b410c67..f1ec41d 100644 +index b410c67c1..f1ec41d39 100644 --- a/portage.te +++ b/portage.te @@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t) @@ -75398,7 +75398,7 @@ index b410c67..f1ec41d 100644 fs_search_auto_mountpoints(portage_fetch_t) diff --git a/portmap.fc b/portmap.fc -index cd45831..69406ee 100644 +index cd45831ca..69406ee17 100644 --- a/portmap.fc +++ b/portmap.fc @@ -4,9 +4,14 @@ @@ -75417,7 +75417,7 @@ index cd45831..69406ee 100644 /var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) /var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0) diff --git a/portmap.te b/portmap.te -index 18b255e..e75c4ec 100644 +index 18b255e7a..e75c4ec24 100644 --- a/portmap.te +++ b/portmap.te @@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file) @@ -75459,7 +75459,7 @@ index 18b255e..e75c4ec 100644 +userdom_use_inherited_user_terminals(portmap_helper_t) userdom_dontaudit_use_all_users_fds(portmap_helper_t) diff --git a/portreserve.fc b/portreserve.fc -index 1b2b4f9..575b7d6 100644 +index 1b2b4f908..575b7d69b 100644 --- a/portreserve.fc +++ b/portreserve.fc @@ -1,6 +1,6 @@ @@ -75471,7 +75471,7 @@ index 1b2b4f9..575b7d6 100644 /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) diff --git a/portreserve.if b/portreserve.if -index 5ad5291..7f1ae2a 100644 +index 5ad529154..7f1ae2a78 100644 --- a/portreserve.if +++ b/portreserve.if @@ -105,8 +105,11 @@ interface(`portreserve_admin',` @@ -75488,7 +75488,7 @@ index 5ad5291..7f1ae2a 100644 portreserve_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/portreserve.te b/portreserve.te -index 00b01e2..10b4512 100644 +index 00b01e2ea..10b45127a 100644 --- a/portreserve.te +++ b/portreserve.te @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } 
@@ -75510,7 +75510,7 @@ index 00b01e2..10b4512 100644 +auth_use_nsswitch(portreserve_t) + diff --git a/portslave.te b/portslave.te -index cbe36c1..8ebeb87 100644 +index cbe36c1d0..8ebeb87d2 100644 --- a/portslave.te +++ b/portslave.te @@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t) @@ -75531,7 +75531,7 @@ index cbe36c1..8ebeb87 100644 auth_domtrans_chk_passwd(portslave_t) diff --git a/postfix.fc b/postfix.fc -index c0e8785..3070aa0 100644 +index c0e878537..3070aa066 100644 --- a/postfix.fc +++ b/postfix.fc @@ -1,38 +1,38 @@ @@ -75624,7 +75624,7 @@ index c0e8785..3070aa0 100644 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) +/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) diff --git a/postfix.if b/postfix.if -index ded95ec..db49c57 100644 +index ded95ec3a..db49c5774 100644 --- a/postfix.if +++ b/postfix.if @@ -1,4 +1,4 @@ @@ -76509,7 +76509,7 @@ index ded95ec..db49c57 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83e..87a1d85 100644 +index 5cfb83eca..87a1d852a 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -77476,7 +77476,7 @@ index 5cfb83e..87a1d85 100644 + udev_read_db(postfix_domain) +') diff --git a/postfixpolicyd.if b/postfixpolicyd.if -index 5de8173..985b877 100644 +index 5de817368..985b877ab 100644 --- a/postfixpolicyd.if +++ b/postfixpolicyd.if @@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',` @@ -77493,7 +77493,7 @@ index 5de8173..985b877 100644 init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/postfixpolicyd.te b/postfixpolicyd.te -index ea1582a..0c1a059 100644 +index ea1582a3a..0c1a05983 100644 --- a/postfixpolicyd.te +++ b/postfixpolicyd.te @@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms; 
@@ -77517,7 +77517,7 @@ index ea1582a..0c1a059 100644 - sysnet_dns_name_resolve(postfix_policyd_t) diff --git a/postgrey.if b/postgrey.if -index b9e71b5..a7502cd 100644 +index b9e71b537..a7502cd0e 100644 --- a/postgrey.if +++ b/postgrey.if @@ -16,9 +16,9 @@ interface(`postgrey_stream_connect',` @@ -77554,7 +77554,7 @@ index b9e71b5..a7502cd 100644 domain_system_change_exemption($1) role_transition $2 postgrey_initrc_exec_t system_r; diff --git a/postgrey.te b/postgrey.te -index fd58805..2ff8a1e 100644 +index fd58805e5..2ff8a1e4c 100644 --- a/postgrey.te +++ b/postgrey.te @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; @@ -77604,7 +77604,7 @@ index fd58805..2ff8a1e 100644 sysnet_read_config(postgrey_t) diff --git a/ppp.fc b/ppp.fc -index efcb653..ff2c96a 100644 +index efcb6532d..ff2c96adb 100644 --- a/ppp.fc +++ b/ppp.fc @@ -1,30 +1,45 @@ @@ -77676,7 +77676,7 @@ index efcb653..ff2c96a 100644 +/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) +/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/ppp.if b/ppp.if -index cd8b8b9..2cfa88a 100644 +index cd8b8b9cb..2cfa88a2d 100644 --- a/ppp.if +++ b/ppp.if @@ -1,110 +1,91 @@ @@ -78167,7 +78167,7 @@ index cd8b8b9..2cfa88a 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..0b38ca5 100644 +index d616ca3e3..0b38ca5d6 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -78529,7 +78529,7 @@ index d616ca3..0b38ca5 100644 optional_policy(` diff --git a/prelink.fc b/prelink.fc -index a90d623..62af9a4 100644 +index a90d6231f..62af9a4a0 100644 --- a/prelink.fc +++ b/prelink.fc @@ -1,11 +1,11 @@ @@ -78550,7 +78550,7 @@ index a90d623..62af9a4 100644 +/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) +/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) 
diff --git a/prelink.if b/prelink.if -index 20d4697..e6605c1 100644 +index 20d469793..e6605c100 100644 --- a/prelink.if +++ b/prelink.if @@ -2,7 +2,7 @@ @@ -78691,7 +78691,7 @@ index 20d4697..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index 8e26216..c1d33ac 100644 +index 8e262163b..c1d33acdf 100644 --- a/prelink.te +++ b/prelink.te @@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0) @@ -78907,7 +78907,7 @@ index 8e26216..c1d33ac 100644 + ') +') diff --git a/prelude.fc b/prelude.fc -index 8dbc763..b580f85 100644 +index 8dbc76372..b580f852b 100644 --- a/prelude.fc +++ b/prelude.fc @@ -12,7 +12,7 @@ @@ -78920,7 +78920,7 @@ index 8dbc763..b580f85 100644 /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) diff --git a/prelude.if b/prelude.if -index c83a838..f41a4f7 100644 +index c83a838d7..f41a4f7dd 100644 --- a/prelude.if +++ b/prelude.if @@ -1,13 +1,13 @@ @@ -79081,7 +79081,7 @@ index c83a838..f41a4f7 100644 admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/prelude.te b/prelude.te -index 8f44609..dd70653 100644 +index 8f4460928..dd7065356 100644 --- a/prelude.te +++ b/prelude.te @@ -13,7 +13,7 @@ type prelude_initrc_exec_t; @@ -79253,7 +79253,7 @@ index 8f44609..dd70653 100644 ') ') diff --git a/privoxy.if b/privoxy.if -index bdcee30..34f3143 100644 +index bdcee30f5..34f314344 100644 --- a/privoxy.if +++ b/privoxy.if @@ -23,8 +23,11 @@ interface(`privoxy_admin',` @@ -79270,7 +79270,7 @@ index bdcee30..34f3143 100644 init_labeled_script_domtrans($1, privoxy_initrc_exec_t) domain_system_change_exemption($1) diff --git a/privoxy.te b/privoxy.te -index ec21f80..a9f650a 100644 +index ec21f80d7..a9f650a1f 100644 --- a/privoxy.te +++ b/privoxy.te @@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t) @@ -79291,7 +79291,7 @@ index ec21f80..a9f650a 100644 userdom_dontaudit_search_user_home_dirs(privoxy_t) 
diff --git a/procmail.fc b/procmail.fc -index bdff6c9..4b36a13 100644 +index bdff6c931..4b36a13de 100644 --- a/procmail.fc +++ b/procmail.fc @@ -1,6 +1,7 @@ @@ -79306,7 +79306,7 @@ index bdff6c9..4b36a13 100644 +/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff --git a/procmail.if b/procmail.if -index 00edeab..166e9c3 100644 +index 00edeab17..166e9c333 100644 --- a/procmail.if +++ b/procmail.if @@ -1,4 +1,4 @@ @@ -79471,7 +79471,7 @@ index 00edeab..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') diff --git a/procmail.te b/procmail.te -index cc426e6..91a1f53 100644 +index cc426e62a..91a1f537e 100644 --- a/procmail.te +++ b/procmail.te @@ -14,7 +14,7 @@ type procmail_home_t; @@ -79669,7 +79669,7 @@ index cc426e6..91a1f53 100644 +') diff --git a/prosody.fc b/prosody.fc new file mode 100644 -index 0000000..c056a2f +index 000000000..c056a2fb3 --- /dev/null +++ b/prosody.fc @@ -0,0 +1,10 @@ @@ -79685,7 +79685,7 @@ index 0000000..c056a2f +/var/log/prosody(/.*)? gen_context(system_u:object_r:prosody_log_t,s0) diff --git a/prosody.if b/prosody.if new file mode 100644 -index 0000000..8231f4f +index 000000000..8231f4ff5 --- /dev/null +++ b/prosody.if @@ -0,0 +1,255 @@ @@ -79946,7 +79946,7 @@ index 0000000..8231f4f +') diff --git a/prosody.te b/prosody.te new file mode 100644 -index 0000000..5a9f1d4 +index 000000000..5a9f1d42c --- /dev/null +++ b/prosody.te @@ -0,0 +1,99 @@ @@ -80050,7 +80050,7 @@ index 0000000..5a9f1d4 + sasl_connect(prosody_t) +') diff --git a/psad.if b/psad.if -index d4dcf78..3cce82e 100644 +index d4dcf782c..3cce82e50 100644 --- a/psad.if +++ b/psad.if @@ -93,9 +93,8 @@ interface(`psad_manage_config',` @@ -80209,7 +80209,7 @@ index d4dcf78..3cce82e 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/psad.te b/psad.te -index b5d717b..9fd153b 100644 +index b5d717b09..9fd153b1c 100644 --- a/psad.te +++ b/psad.te 
@@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t) @@ -80247,7 +80247,7 @@ index b5d717b..9fd153b 100644 optional_policy(` diff --git a/ptchown.te b/ptchown.te -index 28d2abc..c2cfb5e 100644 +index 28d2abc03..c2cfb5eaa 100644 --- a/ptchown.te +++ b/ptchown.te @@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t; @@ -80265,7 +80265,7 @@ index 28d2abc..c2cfb5e 100644 -miscfiles_read_localization(ptchown_t) +auth_read_passwd(ptchown_t) diff --git a/publicfile.te b/publicfile.te -index 3246bef..dd66a21 100644 +index 3246befff..dd66a21cb 100644 --- a/publicfile.te +++ b/publicfile.te @@ -17,7 +17,7 @@ files_type(publicfile_content_t) @@ -80278,7 +80278,7 @@ index 3246bef..dd66a21 100644 allow publicfile_t publicfile_content_t:dir list_dir_perms; allow publicfile_t publicfile_content_t:file read_file_perms; diff --git a/pulseaudio.fc b/pulseaudio.fc -index 6864479..0e7d875 100644 +index 6864479a7..0e7d87513 100644 --- a/pulseaudio.fc +++ b/pulseaudio.fc @@ -1,9 +1,14 @@ @@ -80301,7 +80301,7 @@ index 6864479..0e7d875 100644 +/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --git a/pulseaudio.if b/pulseaudio.if -index 45843b5..4d1adac 100644 +index 45843b55c..4d1adace5 100644 --- a/pulseaudio.if +++ b/pulseaudio.if @@ -2,43 +2,47 @@ @@ -80703,7 +80703,7 @@ index 45843b5..4d1adac 100644 + ps_process_pattern($1, pulseaudio_t) ') diff --git a/pulseaudio.te b/pulseaudio.te -index 6643b49..dd0c3d3 100644 +index 6643b49c2..dd0c3d371 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0) @@ -81004,7 +81004,7 @@ index 6643b49..dd0c3d3 100644 optional_policy(` diff --git a/puppet.fc b/puppet.fc -index d68e26d..3b08cfd 100644 +index d68e26d1f..3b08cfd9d 100644 --- a/puppet.fc +++ b/puppet.fc @@ -1,18 +1,23 @@ 
@@ -81045,7 +81045,7 @@ index d68e26d..3b08cfd 100644 +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/puppet.if b/puppet.if -index 7cb8b1f..bef7217 100644 +index 7cb8b1f9c..bef72173b 100644 --- a/puppet.if +++ b/puppet.if @@ -1,4 +1,32 @@ @@ -81387,7 +81387,7 @@ index 7cb8b1f..bef7217 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..d5d0cfc 100644 +index 618dcfeed..d5d0cfcb8 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -81910,7 +81910,7 @@ index 618dcfe..d5d0cfc 100644 + usermanage_access_check_useradd(puppetmaster_t) +') diff --git a/pwauth.fc b/pwauth.fc -index 7e7b444..e2f8687 100644 +index 7e7b44434..e2f8687db 100644 --- a/pwauth.fc +++ b/pwauth.fc @@ -1,3 +1,3 @@ @@ -81920,7 +81920,7 @@ index 7e7b444..e2f8687 100644 -/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0) +/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0) diff --git a/pwauth.if b/pwauth.if -index 1148dce..86d25ea 100644 +index 1148dce1a..86d25ea26 100644 --- a/pwauth.if +++ b/pwauth.if @@ -1,72 +1,74 @@ @@ -82032,7 +82032,7 @@ index 1148dce..86d25ea 100644 + allow $2 pwauth_t:process signal; ') diff --git a/pwauth.te b/pwauth.te -index 3078e34..215df88 100644 +index 3078e349e..215df880c 100644 --- a/pwauth.te +++ b/pwauth.te @@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0) @@ -82080,7 +82080,7 @@ index 3078e34..215df88 100644 - -miscfiles_read_localization(pwauth_t) diff --git a/pxe.te b/pxe.te -index 06bec9b..1b32632 100644 +index 06bec9ba9..1b32632dc 100644 --- a/pxe.te +++ b/pxe.te @@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t) @@ -82101,7 +82101,7 @@ index 06bec9b..1b32632 100644 diff --git a/pyicqt.fc b/pyicqt.fc deleted file mode 100644 -index 0c143e3..0000000 +index 0c143e3e8..000000000 --- a/pyicqt.fc +++ /dev/null @@ -1,11 +0,0 @@ 
@@ -82118,7 +82118,7 @@ index 0c143e3..0000000 -/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0) diff --git a/pyicqt.if b/pyicqt.if deleted file mode 100644 -index 0ccea82..0000000 +index 0ccea828a..000000000 --- a/pyicqt.if +++ /dev/null @@ -1,45 +0,0 @@ @@ -82169,7 +82169,7 @@ index 0ccea82..0000000 -') diff --git a/pyicqt.te b/pyicqt.te deleted file mode 100644 -index f2863de..0000000 +index f2863ded4..000000000 --- a/pyicqt.te +++ /dev/null @@ -1,92 +0,0 @@ @@ -82266,7 +82266,7 @@ index f2863de..0000000 - seutil_sigchld_newrole(pyicqt_t) -') diff --git a/pyzor.fc b/pyzor.fc -index af13139..a927c5a 100644 +index af13139a1..a927c5a15 100644 --- a/pyzor.fc +++ b/pyzor.fc @@ -1,12 +1,13 @@ @@ -82291,7 +82291,7 @@ index af13139..a927c5a 100644 +/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) /var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0) diff --git a/pyzor.if b/pyzor.if -index 593c03d..2c411af 100644 +index 593c03d09..2c411af3e 100644 --- a/pyzor.if +++ b/pyzor.if @@ -2,7 +2,7 @@ @@ -82421,7 +82421,7 @@ index 593c03d..2c411af 100644 + admin_pattern($1, pyzor_var_lib_t) ') diff --git a/pyzor.te b/pyzor.te -index 2439d13..d7bd6e9 100644 +index 2439d1304..d7bd6e9a1 100644 --- a/pyzor.te +++ b/pyzor.te @@ -5,57 +5,78 @@ policy_module(pyzor, 2.3.0) @@ -82661,7 +82661,7 @@ index 2439d13..d7bd6e9 100644 + logging_send_syslog_msg(pyzord_t) +') diff --git a/qemu.fc b/qemu.fc -index 86ea53c..a2dcf7b 100644 +index 86ea53ce1..a2dcf7bb2 100644 --- a/qemu.fc +++ b/qemu.fc @@ -1,4 +1,4 @@ @@ -82671,7 +82671,7 @@ index 86ea53c..a2dcf7b 100644 /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/qemu.if b/qemu.if -index eaf56b8..8894726 100644 +index eaf56b8b0..889472688 100644 --- a/qemu.if +++ b/qemu.if @@ -1,19 +1,21 @@ @@ -83070,7 +83070,7 @@ index eaf56b8..8894726 100644 + allow $1 qemu_exec_t:file getattr; ') 
diff --git a/qemu.te b/qemu.te -index 4f90743..958c0ef 100644 +index 4f9074343..958c0ef1e 100644 --- a/qemu.te +++ b/qemu.te @@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0) @@ -83212,7 +83212,7 @@ index 4f90743..958c0ef 100644 + xserver_stream_connect(qemu_t) ') diff --git a/qmail.fc b/qmail.fc -index e53fe5a..edee505 100644 +index e53fe5a97..edee505d7 100644 --- a/qmail.fc +++ b/qmail.fc @@ -1,22 +1,6 @@ @@ -83283,7 +83283,7 @@ index e53fe5a..edee505 100644 -/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) diff --git a/qmail.if b/qmail.if -index e4f0000..05e219e 100644 +index e4f0000e5..05e219e13 100644 --- a/qmail.if +++ b/qmail.if @@ -1,12 +1,12 @@ @@ -83482,7 +83482,7 @@ index e4f0000..05e219e 100644 + allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms; +') diff --git a/qmail.te b/qmail.te -index 8742944..53a2fe5 100644 +index 87429441c..53a2fe597 100644 --- a/qmail.te +++ b/qmail.te @@ -5,7 +5,7 @@ policy_module(qmail, 1.6.1) @@ -83754,7 +83754,7 @@ index 8742944..53a2fe5 100644 allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; diff --git a/qpid.if b/qpid.if -index fe2adf8..f7e9c70 100644 +index fe2adf8ae..f7e9c70b0 100644 --- a/qpid.if +++ b/qpid.if @@ -1,4 +1,4 @@ @@ -84038,7 +84038,7 @@ index fe2adf8..f7e9c70 100644 + admin_pattern($1, qpidd_var_run_t) ') diff --git a/qpid.te b/qpid.te -index 83eb09e..8f641fc 100644 +index 83eb09ef6..8f641fc92 100644 --- a/qpid.te +++ b/qpid.te @@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) @@ -84121,7 +84121,7 @@ index 83eb09e..8f641fc 100644 +') + diff --git a/quantum.fc b/quantum.fc -index 70ab68b..b985b65 100644 +index 70ab68b02..b985b6570 100644 --- a/quantum.fc +++ b/quantum.fc @@ -1,10 +1,34 @@ @@ -84167,7 +84167,7 @@ index 70ab68b..b985b65 100644 +/var/run/neutron(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0) +/var/run/quantum(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0) 
diff --git a/quantum.if b/quantum.if -index afc0068..589a7fd 100644 +index afc00688d..589a7fdde 100644 --- a/quantum.if +++ b/quantum.if @@ -2,41 +2,295 @@ @@ -84484,7 +84484,7 @@ index afc0068..589a7fd 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..97a9b7e 100644 +index 8644d8b3f..97a9b7e76 100644 --- a/quantum.te +++ b/quantum.te @@ -5,92 +5,183 @@ policy_module(quantum, 1.1.0) @@ -84734,7 +84734,7 @@ index 8644d8b..97a9b7e 100644 + udev_domtrans(neutron_t) +') diff --git a/quota.fc b/quota.fc -index cadabe3..54ba01d 100644 +index cadabe360..54ba01d0d 100644 --- a/quota.fc +++ b/quota.fc @@ -1,6 +1,5 @@ @@ -84784,7 +84784,7 @@ index cadabe3..54ba01d 100644 -/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0) diff --git a/quota.if b/quota.if -index da64218..3fb8575 100644 +index da6421861..3fb8575ca 100644 --- a/quota.if +++ b/quota.if @@ -1,4 +1,4 @@ @@ -85017,7 +85017,7 @@ index da64218..3fb8575 100644 + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) ') diff --git a/quota.te b/quota.te -index f47c8e8..ba74734 100644 +index f47c8e81f..ba74734da 100644 --- a/quota.te +++ b/quota.te @@ -5,12 +5,10 @@ policy_module(quota, 1.6.0) @@ -85148,7 +85148,7 @@ index f47c8e8..ba74734 100644 + dbus_connect_system_bus(quota_nld_t) ') diff --git a/rabbitmq.fc b/rabbitmq.fc -index c5ad6de..44135d4 100644 +index c5ad6de76..44135d4d0 100644 --- a/rabbitmq.fc +++ b/rabbitmq.fc @@ -1,7 +1,8 @@ @@ -85163,7 +85163,7 @@ index c5ad6de..44135d4 100644 /var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) diff --git a/rabbitmq.if b/rabbitmq.if -index 2c3d338..7d49554 100644 +index 2c3d33896..7d49554eb 100644 --- a/rabbitmq.if +++ b/rabbitmq.if @@ -38,12 +38,12 @@ interface(`rabbitmq_domtrans',` 
@@ -85183,7 +85183,7 @@ index 2c3d338..7d49554 100644 init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rabbitmq.te b/rabbitmq.te -index dc3b0ed..37aa9a7 100644 +index dc3b0ed87..37aa9a784 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2) @@ -85407,7 +85407,7 @@ index dc3b0ed..37aa9a7 100644 -miscfiles_read_localization(rabbitmq_epmd_t) diff --git a/radius.fc b/radius.fc -index d447e85..76ed794 100644 +index d447e8548..76ed794ce 100644 --- a/radius.fc +++ b/radius.fc @@ -9,7 +9,9 @@ @@ -85422,7 +85422,7 @@ index d447e85..76ed794 100644 /var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) /var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) diff --git a/radius.if b/radius.if -index 4460582..4c66c25 100644 +index 44605825c..4c66c2502 100644 --- a/radius.if +++ b/radius.if @@ -14,6 +14,30 @@ interface(`radius_use',` @@ -85484,7 +85484,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..193195e 100644 +index 403a4fed1..193195e3c 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) @@ -85631,7 +85631,7 @@ index 403a4fe..193195e 100644 udev_read_db(radiusd_t) ') diff --git a/radvd.if b/radvd.if -index ac7058d..48739ac 100644 +index ac7058d1e..48739ac1b 100644 --- a/radvd.if +++ b/radvd.if @@ -1,5 +1,24 @@ @@ -85673,7 +85673,7 @@ index ac7058d..48739ac 100644 init_labeled_script_domtrans($1, radvd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/radvd.te b/radvd.te -index 6d162e4..502ca16 100644 +index 6d162e4e6..502ca16ba 100644 --- a/radvd.te +++ b/radvd.te @@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t) @@ -85695,7 +85695,7 @@ index 6d162e4..502ca16 100644 userdom_dontaudit_search_user_home_dirs(radvd_t) diff --git a/raid.fc b/raid.fc -index 5806046..2a4769f 100644 +index 5806046b1..2a4769ff4 100644 --- a/raid.fc +++ b/raid.fc @@ -3,6 +3,12 @@ 
@@ -85723,7 +85723,7 @@ index 5806046..2a4769f 100644 + /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if -index 951db7f..00e699d 100644 +index 951db7f1b..00e699da4 100644 --- a/raid.if +++ b/raid.if @@ -1,9 +1,8 @@ @@ -85939,7 +85939,7 @@ index 951db7f..00e699d 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') diff --git a/raid.te b/raid.te -index c99753f..55294ac 100644 +index c99753f2c..55294acec 100644 --- a/raid.te +++ b/raid.te @@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t; @@ -86125,7 +86125,7 @@ index c99753f..55294ac 100644 +') diff --git a/rasdaemon.fc b/rasdaemon.fc new file mode 100644 -index 0000000..8e31dd0 +index 000000000..8e31dd042 --- /dev/null +++ b/rasdaemon.fc @@ -0,0 +1,9 @@ @@ -86140,7 +86140,7 @@ index 0000000..8e31dd0 +/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_lib_t,s0) diff --git a/rasdaemon.if b/rasdaemon.if new file mode 100644 -index 0000000..d57006d +index 000000000..d57006d9c --- /dev/null +++ b/rasdaemon.if @@ -0,0 +1,157 @@ @@ -86303,7 +86303,7 @@ index 0000000..d57006d +') diff --git a/rasdaemon.te b/rasdaemon.te new file mode 100644 -index 0000000..dcdca44 +index 000000000..dcdca4448 --- /dev/null +++ b/rasdaemon.te @@ -0,0 +1,51 @@ @@ -86359,7 +86359,7 @@ index 0000000..dcdca44 +') + diff --git a/razor.fc b/razor.fc -index 6723f4d..6e26673 100644 +index 6723f4d3b..6e2667392 100644 --- a/razor.fc +++ b/razor.fc @@ -1,9 +1,9 @@ @@ -86379,7 +86379,7 @@ index 6723f4d..6e26673 100644 +#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) +#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0) diff --git a/razor.if b/razor.if -index 1e4b523..fee3b7c 100644 +index 1e4b523bf..fee3b7cd1 100644 --- a/razor.if +++ b/razor.if @@ -1,72 +1,147 @@ @@ -86607,7 +86607,7 @@ index 1e4b523..fee3b7c 100644 ## ## 
diff --git a/razor.te b/razor.te -index 68455f9..38f6968 100644 +index 68455f909..38f69685c 100644 --- a/razor.te +++ b/razor.te @@ -5,135 +5,124 @@ policy_module(razor, 2.4.0) @@ -86863,7 +86863,7 @@ index 68455f9..38f6968 100644 + ') ') diff --git a/rdisc.fc b/rdisc.fc -index e9765c0..ea21331 100644 +index e9765c0f2..ea21331d8 100644 --- a/rdisc.fc +++ b/rdisc.fc @@ -1,3 +1,3 @@ @@ -86872,7 +86872,7 @@ index e9765c0..ea21331 100644 /usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) diff --git a/rdisc.if b/rdisc.if -index 170ef52..28ccc4a 100644 +index 170ef52fb..28ccc4a75 100644 --- a/rdisc.if +++ b/rdisc.if @@ -18,3 +18,58 @@ interface(`rdisc_exec',` @@ -86935,7 +86935,7 @@ index 170ef52..28ccc4a 100644 + ') +') diff --git a/rdisc.te b/rdisc.te -index 9196c1d..b775931 100644 +index 9196c1dbb..b7759316f 100644 --- a/rdisc.te +++ b/rdisc.te @@ -9,6 +9,9 @@ type rdisc_t; @@ -86970,7 +86970,7 @@ index 9196c1d..b775931 100644 userdom_dontaudit_use_unpriv_user_fds(rdisc_t) diff --git a/readahead.fc b/readahead.fc -index f01b32f..46279e8 100644 +index f01b32fe2..46279e853 100644 --- a/readahead.fc +++ b/readahead.fc @@ -1,7 +1,11 @@ @@ -86987,7 +86987,7 @@ index f01b32f..46279e8 100644 +/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) /var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0) diff --git a/readahead.if b/readahead.if -index 661bb88..06f69c4 100644 +index 661bb88fd..06f69c4ad 100644 --- a/readahead.if +++ b/readahead.if @@ -19,3 +19,27 @@ interface(`readahead_domtrans',` @@ -87019,7 +87019,7 @@ index 661bb88..06f69c4 100644 +') + diff --git a/readahead.te b/readahead.te -index c0b02c9..af81d71 100644 +index c0b02c91c..af81d71a7 100644 --- a/readahead.te +++ b/readahead.te @@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; @@ -87107,7 +87107,7 @@ index c0b02c9..af81d71 100644 userdom_dontaudit_search_user_home_dirs(readahead_t) 
diff --git a/realmd.fc b/realmd.fc -index 04babe3..3b92679 100644 +index 04babe3d5..3b92679bb 100644 --- a/realmd.fc +++ b/realmd.fc @@ -1 +1,5 @@ @@ -87118,7 +87118,7 @@ index 04babe3..3b92679 100644 + +/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0) diff --git a/realmd.if b/realmd.if -index bff31df..1663054 100644 +index bff31dfd2..1663054d9 100644 --- a/realmd.if +++ b/realmd.if @@ -1,8 +1,9 @@ @@ -87255,7 +87255,7 @@ index bff31df..1663054 100644 + +') diff --git a/realmd.te b/realmd.te -index 5bc878b..5736203 100644 +index 5bc878b29..573620309 100644 --- a/realmd.te +++ b/realmd.te @@ -7,47 +7,89 @@ policy_module(realmd, 1.1.0) @@ -87434,7 +87434,7 @@ index 5bc878b..5736203 100644 + unconfined_domain_noaudit(realmd_consolehelper_t) ') diff --git a/redis.fc b/redis.fc -index e240ac9..b9707aa 100644 +index e240ac99c..b9707aaf8 100644 --- a/redis.fc +++ b/redis.fc @@ -1,9 +1,13 @@ @@ -87456,7 +87456,7 @@ index e240ac9..b9707aa 100644 + +/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) diff --git a/redis.if b/redis.if -index 16c8ecb..4e021ec 100644 +index 16c8ecbe3..4e021eca7 100644 --- a/redis.if +++ b/redis.if @@ -1,9 +1,225 @@ @@ -87720,7 +87720,7 @@ index 16c8ecb..4e021ec 100644 + ') ') diff --git a/redis.te b/redis.te -index 25cd417..61de827 100644 +index 25cd4175f..61de8277a 100644 --- a/redis.te +++ b/redis.te @@ -12,6 +12,9 @@ init_daemon_domain(redis_t, redis_exec_t) @@ -87778,14 +87778,14 @@ index 25cd417..61de827 100644 - sysnet_dns_name_resolve(redis_t) diff --git a/remotelogin.fc b/remotelogin.fc -index 327baf0..d8691bd 100644 +index 327baf059..d8691bd14 100644 --- a/remotelogin.fc +++ b/remotelogin.fc @@ -1 +1,2 @@ + # Remote login currently has no file contexts. diff --git a/remotelogin.if b/remotelogin.if -index a9ce68e..92520aa 100644 +index a9ce68e33..92520aa92 100644 --- a/remotelogin.if +++ b/remotelogin.if @@ -1,4 +1,4 @@ 
@@ -87856,7 +87856,7 @@ index a9ce68e..92520aa 100644 + allow $1 remote_login_t:process signull; ') diff --git a/remotelogin.te b/remotelogin.te -index ae30871..15a669c 100644 +index ae308717f..15a669cd4 100644 --- a/remotelogin.te +++ b/remotelogin.te @@ -10,81 +10,89 @@ domain_interactive_fd(remote_login_t) @@ -87972,7 +87972,7 @@ index ae30871..15a669c 100644 ') diff --git a/resmgr.te b/resmgr.te -index f6eb358..b631919 100644 +index f6eb358ad..b6319191c 100644 --- a/resmgr.te +++ b/resmgr.te @@ -23,7 +23,7 @@ files_pid_file(resmgrd_var_run_t) @@ -88002,7 +88002,7 @@ index f6eb358..b631919 100644 optional_policy(` diff --git a/rgmanager.fc b/rgmanager.fc -index 5421af0..91e69b8 100644 +index 5421af0b6..91e69b869 100644 --- a/rgmanager.fc +++ b/rgmanager.fc @@ -1,12 +1,22 @@ @@ -88036,7 +88036,7 @@ index 5421af0..91e69b8 100644 +/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0) +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --git a/rgmanager.if b/rgmanager.if -index 1c2f9aa..a4133dc 100644 +index 1c2f9aa12..a4133dc92 100644 --- a/rgmanager.if +++ b/rgmanager.if @@ -1,13 +1,13 @@ @@ -88228,7 +88228,7 @@ index 1c2f9aa..a4133dc 100644 + allow $1 rgmanager_var_lib_t:dir search_dir_perms; +') diff --git a/rgmanager.te b/rgmanager.te -index c8a1e16..f9d6fb3 100644 +index c8a1e16e4..f9d6fb341 100644 --- a/rgmanager.te +++ b/rgmanager.te @@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0) @@ -88447,7 +88447,7 @@ index c8a1e16..f9d6fb3 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..6baf5cd 100644 +index 47de2d681..6baf5cdae 100644 --- a/rhcs.fc +++ b/rhcs.fc @@ -1,31 +1,104 @@ @@ -88579,7 +88579,7 @@ index 47de2d6..6baf5cd 100644 +/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) 
diff --git a/rhcs.if b/rhcs.if -index c8bdea2..beb2872 100644 +index c8bdea28d..beb2872e3 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -89464,7 +89464,7 @@ index c8bdea2..beb2872 100644 + allow $1 haproxy_unit_file_t:service {status start}; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..0dbfae6 100644 +index 6cf79c449..0dbfae6d5 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -90069,7 +90069,7 @@ index 6cf79c4..0dbfae6 100644 ') diff --git a/rhev.fc b/rhev.fc new file mode 100644 -index 0000000..013d1d9 +index 000000000..013d1d964 --- /dev/null +++ b/rhev.fc @@ -0,0 +1,14 @@ @@ -90089,7 +90089,7 @@ index 0000000..013d1d9 +/var/log/ovirt-guest-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0) diff --git a/rhev.if b/rhev.if new file mode 100644 -index 0000000..bf11e25 +index 000000000..bf11e2563 --- /dev/null +++ b/rhev.if @@ -0,0 +1,76 @@ @@ -90171,7 +90171,7 @@ index 0000000..bf11e25 +') diff --git a/rhev.te b/rhev.te new file mode 100644 -index 0000000..8b7aa12 +index 000000000..8b7aa12d8 --- /dev/null +++ b/rhev.te @@ -0,0 +1,128 @@ @@ -90304,7 +90304,7 @@ index 0000000..8b7aa12 + ') +') diff --git a/rhgb.if b/rhgb.if -index 1a134a7..793a29f 100644 +index 1a134a72e..793a29f88 100644 --- a/rhgb.if +++ b/rhgb.if @@ -1,4 +1,4 @@ @@ -90408,7 +90408,7 @@ index 1a134a7..793a29f 100644 allow $1 rhgb_tmpfs_t:file rw_file_perms; ') diff --git a/rhgb.te b/rhgb.te -index 3f32e4b..f97ea42 100644 +index 3f32e4bb3..f97ea42f8 100644 --- a/rhgb.te +++ b/rhgb.te @@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t) @@ -90441,7 +90441,7 @@ index 3f32e4b..f97ea42 100644 diff --git a/rhnsd.fc b/rhnsd.fc new file mode 100644 -index 0000000..860a91d +index 000000000..860a91df8 --- /dev/null +++ b/rhnsd.fc @@ -0,0 +1,9 @@ @@ -90456,7 +90456,7 @@ index 0000000..860a91d +/etc/sysconfig/rhn(/.*)? gen_context(system_u:object_r:rhnsd_conf_t,s0) 
diff --git a/rhnsd.if b/rhnsd.if new file mode 100644 -index 0000000..a161c70 +index 000000000..a161c70f9 --- /dev/null +++ b/rhnsd.if @@ -0,0 +1,120 @@ @@ -90582,7 +90582,7 @@ index 0000000..a161c70 +') diff --git a/rhnsd.te b/rhnsd.te new file mode 100644 -index 0000000..b947f09 +index 000000000..b947f092a --- /dev/null +++ b/rhnsd.te @@ -0,0 +1,48 @@ @@ -90635,7 +90635,7 @@ index 0000000..b947f09 + rpm_domtrans(rhnsd_t) +') diff --git a/rhsmcertd.fc b/rhsmcertd.fc -index 8c02804..896c8c6 100644 +index 8c0280418..896c8c67f 100644 --- a/rhsmcertd.fc +++ b/rhsmcertd.fc @@ -2,6 +2,8 @@ @@ -90648,7 +90648,7 @@ index 8c02804..896c8c6 100644 /var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0) diff --git a/rhsmcertd.if b/rhsmcertd.if -index 6dbc905..4b17c93 100644 +index 6dbc905b3..4b17c933e 100644 --- a/rhsmcertd.if +++ b/rhsmcertd.if @@ -1,8 +1,8 @@ @@ -90907,7 +90907,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..75b615f 100644 +index d32e1a279..75b615f81 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -91047,7 +91047,7 @@ index d32e1a2..75b615f 100644 + unconfined_server_signull(rhsmcertd_t) ') diff --git a/ricci.if b/ricci.if -index 2ab3ed1..23d579c 100644 +index 2ab3ed1d4..23d579cde 100644 --- a/ricci.if +++ b/ricci.if @@ -1,13 +1,13 @@ @@ -91280,7 +91280,7 @@ index 2ab3ed1..23d579c 100644 role_transition $2 ricci_initrc_exec_t system_r; allow $2 system_r; diff --git a/ricci.te b/ricci.te -index 0ba2569..161850d 100644 +index 0ba2569a5..161850d41 100644 --- a/ricci.te +++ b/ricci.te @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t) @@ -91446,14 +91446,14 @@ index 0ba2569..161850d 100644 ccs_stream_connect(ricci_modstorage_t) diff --git a/rkhunter.fc b/rkhunter.fc new file mode 100644 -index 0000000..645a9cc +index 000000000..645a9cc1a --- /dev/null +++ b/rkhunter.fc 
@@ -0,0 +1 @@ +/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0) diff --git a/rkhunter.if b/rkhunter.if new file mode 100644 -index 0000000..0be4cee +index 000000000..0be4ceec0 --- /dev/null +++ b/rkhunter.if @@ -0,0 +1,39 @@ @@ -91498,7 +91498,7 @@ index 0000000..0be4cee +') diff --git a/rkhunter.te b/rkhunter.te new file mode 100644 -index 0000000..44de480 +index 000000000..44de48092 --- /dev/null +++ b/rkhunter.te @@ -0,0 +1,4 @@ @@ -91508,7 +91508,7 @@ index 0000000..44de480 +files_type(rkhunter_var_lib_t) diff --git a/rkt.fc b/rkt.fc new file mode 100644 -index 0000000..1941457 +index 000000000..19414579e --- /dev/null +++ b/rkt.fc @@ -0,0 +1,11 @@ @@ -91525,7 +91525,7 @@ index 0000000..1941457 +/var/lib/rkt(/.*)? gen_context(system_u:object_r:rkt_var_lib_t,s0) diff --git a/rkt.if b/rkt.if new file mode 100644 -index 0000000..8f367ed +index 000000000..8f367ed44 --- /dev/null +++ b/rkt.if @@ -0,0 +1,177 @@ @@ -91708,7 +91708,7 @@ index 0000000..8f367ed +') diff --git a/rkt.te b/rkt.te new file mode 100644 -index 0000000..4e962a7 +index 000000000..4e962a7bf --- /dev/null +++ b/rkt.te @@ -0,0 +1,38 @@ @@ -91751,7 +91751,7 @@ index 0000000..4e962a7 + +sysnet_dns_name_resolve(rkt_t) diff --git a/rlogin.fc b/rlogin.fc -index f111877..e361ee9 100644 +index f11187720..e361ee9e2 100644 --- a/rlogin.fc +++ b/rlogin.fc @@ -1,5 +1,7 @@ @@ -91765,7 +91765,7 @@ index f111877..e361ee9 100644 /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) diff --git a/rlogin.if b/rlogin.if -index 050479d..0e1b364 100644 +index 050479dea..0e1b364fb 100644 --- a/rlogin.if +++ b/rlogin.if @@ -29,7 +29,7 @@ interface(`rlogin_domtrans',` @@ -91778,7 +91778,7 @@ index 050479d..0e1b364 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index ee27948..34d2ee9 100644 +index ee2794858..34d2ee96f 100644 --- a/rlogin.te +++ b/rlogin.te @@ -31,10 +31,12 @@ files_pid_file(rlogind_var_run_t) 
@@ -91870,7 +91870,7 @@ index ee27948..34d2ee9 100644 kerberos_use(rlogind_t) ') diff --git a/rngd.fc b/rngd.fc -index fa19aa8..90eb481 100644 +index fa19aa8de..90eb481c1 100644 --- a/rngd.fc +++ b/rngd.fc @@ -1,5 +1,7 @@ @@ -91882,7 +91882,7 @@ index fa19aa8..90eb481 100644 /var/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0) diff --git a/rngd.if b/rngd.if -index 13f788f..10e2033 100644 +index 13f788fd5..10e203301 100644 --- a/rngd.if +++ b/rngd.if @@ -2,6 +2,29 @@ @@ -91947,7 +91947,7 @@ index 13f788f..10e2033 100644 + allow $1 rngd_unit_file_t:service all_service_perms; ') diff --git a/rngd.te b/rngd.te -index a7b7717..41bca3b 100644 +index a7b7717b7..41bca3bb8 100644 --- a/rngd.te +++ b/rngd.te @@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t) @@ -91973,7 +91973,7 @@ index a7b7717..41bca3b 100644 -miscfiles_read_localization(rngd_t) diff --git a/rolekit.fc b/rolekit.fc new file mode 100644 -index 0000000..504b6e1 +index 000000000..504b6e13e --- /dev/null +++ b/rolekit.fc @@ -0,0 +1,3 @@ @@ -91982,7 +91982,7 @@ index 0000000..504b6e1 +/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0) diff --git a/rolekit.if b/rolekit.if new file mode 100644 -index 0000000..b11fb8f +index 000000000..b11fb8f6d --- /dev/null +++ b/rolekit.if @@ -0,0 +1,120 @@ @@ -92108,7 +92108,7 @@ index 0000000..b11fb8f +') diff --git a/rolekit.te b/rolekit.te new file mode 100644 -index 0000000..da94453 +index 000000000..da944537b --- /dev/null +++ b/rolekit.te @@ -0,0 +1,47 @@ @@ -92160,7 +92160,7 @@ index 0000000..da94453 + domain_named_filetrans(rolekit_t) +') diff --git a/roundup.fc b/roundup.fc -index 6f05cd0..dc2a9aa 100644 +index 6f05cd06a..dc2a9aaee 100644 --- a/roundup.fc +++ b/roundup.fc @@ -2,4 +2,4 @@ @@ -92170,7 +92170,7 @@ index 6f05cd0..dc2a9aa 100644 -/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0) +/var/lib/roundup(/.*)? gen_context(system_u:object_r:roundup_var_lib_t,s0) 
diff --git a/roundup.if b/roundup.if -index 975bb6a..ce4f5ea 100644 +index 975bb6a45..ce4f5ead8 100644 --- a/roundup.if +++ b/roundup.if @@ -23,8 +23,11 @@ interface(`roundup_admin',` @@ -92187,7 +92187,7 @@ index 975bb6a..ce4f5ea 100644 init_labeled_script_domtrans($1, roundup_initrc_exec_t) domain_system_change_exemption($1) diff --git a/roundup.te b/roundup.te -index ccb5991..fa10c5a 100644 +index ccb5991ed..fa10c5a2d 100644 --- a/roundup.te +++ b/roundup.te @@ -38,10 +38,10 @@ files_pid_filetrans(roundup_t, roundup_var_run_t, file) @@ -92228,7 +92228,7 @@ index ccb5991..fa10c5a 100644 optional_policy(` diff --git a/rpc.fc b/rpc.fc -index a6fb30c..97ef313 100644 +index a6fb30cb3..97ef313df 100644 --- a/rpc.fc +++ b/rpc.fc @@ -1,12 +1,25 @@ @@ -92280,7 +92280,7 @@ index a6fb30c..97ef313 100644 +/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0) + diff --git a/rpc.if b/rpc.if -index 0bf13c2..79a2a9c 100644 +index 0bf13c220..79a2a9c48 100644 --- a/rpc.if +++ b/rpc.if @@ -1,4 +1,4 @@ @@ -92766,7 +92766,7 @@ index 0bf13c2..79a2a9c 100644 + allow $1 gssd_t:process { noatsecure rlimitinh }; +') diff --git a/rpc.te b/rpc.te -index 2da9fca..49c37e8 100644 +index 2da9fca2f..49c37e8ea 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -93135,7 +93135,7 @@ index 2da9fca..49c37e8 100644 ') diff --git a/rpcbind.fc b/rpcbind.fc -index d31220e..0b6894a 100644 +index d31220e08..0b6894a67 100644 --- a/rpcbind.fc +++ b/rpcbind.fc @@ -1,8 +1,12 @@ @@ -93152,7 +93152,7 @@ index d31220e..0b6894a 100644 /var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) diff --git a/rpcbind.if b/rpcbind.if -index 3b5e9ee..ff1163f 100644 +index 3b5e9eed6..ff1163ff6 100644 --- a/rpcbind.if +++ b/rpcbind.if @@ -1,4 +1,4 @@ @@ -93306,7 +93306,7 @@ index 3b5e9ee..ff1163f 100644 + admin_pattern($1, rpcbind_var_run_t) ') diff --git a/rpcbind.te b/rpcbind.te -index 54de77c..db13fcf 100644 +index 54de77ccd..db13fcff8 100644 
--- a/rpcbind.te +++ b/rpcbind.te @@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t) @@ -93370,7 +93370,7 @@ index 54de77c..db13fcf 100644 ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcbind_t) diff --git a/rpm.fc b/rpm.fc -index ebe91fc..6ba4338 100644 +index ebe91fc70..6ba4338cb 100644 --- a/rpm.fc +++ b/rpm.fc @@ -1,61 +1,80 @@ @@ -93498,7 +93498,7 @@ index ebe91fc..6ba4338 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b225..b15d901 100644 +index ef3b22507..b15d901a4 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -94138,7 +94138,7 @@ index ef3b225..b15d901 100644 admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) diff --git a/rpm.te b/rpm.te -index 6fc360e..2f24b1e 100644 +index 6fc360e60..2f24b1e0c 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -94641,7 +94641,7 @@ index 6fc360e..2f24b1e 100644 + usermanage_run_useradd(rpm_script_t, rpm_script_roles) ') diff --git a/rshd.fc b/rshd.fc -index 9ad0d58..6a4db03 100644 +index 9ad0d58dc..6a4db031f 100644 --- a/rshd.fc +++ b/rshd.fc @@ -1,3 +1,4 @@ @@ -94650,7 +94650,7 @@ index 9ad0d58..6a4db03 100644 /usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0) diff --git a/rshd.if b/rshd.if -index 7ad29c0..2e87d76 100644 +index 7ad29c046..2e87d76b4 100644 --- a/rshd.if +++ b/rshd.if @@ -2,7 +2,7 @@ @@ -94671,7 +94671,7 @@ index 7ad29c0..2e87d76 100644 domtrans_pattern($1, rshd_exec_t, rshd_t) ') diff --git a/rshd.te b/rshd.te -index 864e089..a28dccd 100644 +index 864e089a0..a28dccd64 100644 --- a/rshd.te +++ b/rshd.te @@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1) @@ -94772,7 +94772,7 @@ index 864e089..a28dccd 100644 ') diff --git a/rssh.te b/rssh.te -index 5c5465f..6005932 100644 +index 5c5465feb..60059323f 100644 --- a/rssh.te +++ b/rssh.te @@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) 
@@ -94801,7 +94801,7 @@ index 5c5465f..6005932 100644 - -miscfiles_read_localization(rssh_chroot_helper_t) diff --git a/rsync.fc b/rsync.fc -index d25301b..f3eeec7 100644 +index d25301b85..f3eeec7b6 100644 --- a/rsync.fc +++ b/rsync.fc @@ -1,7 +1,8 @@ @@ -94816,7 +94816,7 @@ index d25301b..f3eeec7 100644 /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) +/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/rsync.if b/rsync.if -index f1140ef..642e062 100644 +index f1140efe4..642e062f4 100644 --- a/rsync.if +++ b/rsync.if @@ -1,16 +1,32 @@ @@ -95094,7 +95094,7 @@ index f1140ef..642e062 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index abeb302..b27a479 100644 +index abeb302a7..b27a47979 100644 --- a/rsync.te +++ b/rsync.te @@ -6,67 +6,46 @@ policy_module(rsync, 1.13.0) @@ -95341,7 +95341,7 @@ index abeb302..b27a479 100644 ') diff --git a/rtas.fc b/rtas.fc new file mode 100644 -index 0000000..8d12521 +index 000000000..8d12521d2 --- /dev/null +++ b/rtas.fc @@ -0,0 +1,14 @@ @@ -95361,7 +95361,7 @@ index 0000000..8d12521 + diff --git a/rtas.if b/rtas.if new file mode 100644 -index 0000000..92cc49d +index 000000000..92cc49d7f --- /dev/null +++ b/rtas.if @@ -0,0 +1,163 @@ @@ -95530,7 +95530,7 @@ index 0000000..92cc49d +') diff --git a/rtas.te b/rtas.te new file mode 100644 -index 0000000..9a5164c +index 000000000..9a5164c7e --- /dev/null +++ b/rtas.te @@ -0,0 +1,95 @@ @@ -95630,7 +95630,7 @@ index 0000000..9a5164c + unconfined_domain(rtas_errd_t) +') diff --git a/rtkit.if b/rtkit.if -index e904ec4..e0dd20e 100644 +index e904ec472..e0dd20eeb 100644 --- a/rtkit.if +++ b/rtkit.if @@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',` @@ -95717,7 +95717,7 @@ index e904ec4..e0dd20e 100644 + ') ') diff --git a/rtkit.te b/rtkit.te -index 7eea21f..7140646 100644 +index 7eea21f3f..714064633 100644 --- a/rtkit.te +++ b/rtkit.te 
@@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t) @@ -95730,7 +95730,7 @@ index 7eea21f..7140646 100644 dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) diff --git a/rwho.if b/rwho.if -index 0360ff0..e6cb34f 100644 +index 0360ff013..e6cb34f71 100644 --- a/rwho.if +++ b/rwho.if @@ -139,8 +139,11 @@ interface(`rwho_admin',` @@ -95747,7 +95747,7 @@ index 0360ff0..e6cb34f 100644 init_labeled_script_domtrans($1, rwho_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rwho.te b/rwho.te -index 7fb75f4..9ccbd95 100644 +index 7fb75f457..9ccbd95c2 100644 --- a/rwho.te +++ b/rwho.te @@ -16,7 +16,7 @@ type rwho_log_t; @@ -95789,7 +95789,7 @@ index 7fb75f4..9ccbd95 100644 +userdom_getattr_user_terminals(rwho_t) + diff --git a/samba.fc b/samba.fc -index b8b66ff..a93346e 100644 +index b8b66ff4d..a93346efe 100644 --- a/samba.fc +++ b/samba.fc @@ -1,42 +1,55 @@ @@ -95890,7 +95890,7 @@ index b8b66ff..a93346e 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/samba.if b/samba.if -index 50d07fb..a34db48 100644 +index 50d07fb2e..a34db489c 100644 --- a/samba.if +++ b/samba.if @@ -1,8 +1,12 @@ @@ -96750,7 +96750,7 @@ index 50d07fb..a34db48 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..c7a4751 100644 +index 2b7c441e7..c7a475130 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -98098,7 +98098,7 @@ index 2b7c441..c7a4751 100644 + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --git a/sambagui.te b/sambagui.te -index e18b0a2..1b1db01 100644 +index e18b0a284..1b1db014d 100644 --- a/sambagui.te +++ b/sambagui.te @@ -18,7 +18,7 @@ role sambagui_roles types sambagui_t; @@ -98140,7 +98140,7 @@ index e18b0a2..1b1db01 100644 samba_domtrans_nmbd(sambagui_t) ') diff --git a/samhain.if b/samhain.if -index f0236d6..37665a1 100644 +index f0236d67d..37665a1b6 100644 --- a/samhain.if +++ b/samhain.if 
@@ -23,6 +23,8 @@ template(`samhain_service_template',` @@ -98153,7 +98153,7 @@ index f0236d6..37665a1 100644 ######################################## diff --git a/samhain.te b/samhain.te -index c41ce4b..8837e4c 100644 +index c41ce4bff..8837e4c41 100644 --- a/samhain.te +++ b/samhain.te @@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain) @@ -98176,14 +98176,14 @@ index c41ce4b..8837e4c 100644 # diff --git a/sandbox.fc b/sandbox.fc new file mode 100644 -index 0000000..b7db254 +index 000000000..b7db25411 --- /dev/null +++ b/sandbox.fc @@ -0,0 +1 @@ +# Empty diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..cc29a06 +index 000000000..cc29a063b --- /dev/null +++ b/sandbox.if @@ -0,0 +1,96 @@ @@ -98285,7 +98285,7 @@ index 0000000..cc29a06 +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 -index 0000000..402257c +index 000000000..402257c49 --- /dev/null +++ b/sandbox.te @@ -0,0 +1,66 @@ @@ -98357,7 +98357,7 @@ index 0000000..402257c + diff --git a/sandboxX.fc b/sandboxX.fc new file mode 100644 -index 0000000..6caef63 +index 000000000..6caef6326 --- /dev/null +++ b/sandboxX.fc @@ -0,0 +1,2 @@ @@ -98365,7 +98365,7 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..98dc14e +index 000000000..98dc14ef6 --- /dev/null +++ b/sandboxX.if @@ -0,0 +1,401 @@ @@ -98772,7 +98772,7 @@ index 0000000..98dc14e +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..22e956f +index 000000000..22e956fe3 --- /dev/null +++ b/sandboxX.te @@ -0,0 +1,512 @@ @@ -99289,7 +99289,7 @@ index 0000000..22e956f +userdom_dontaudit_open_user_ptys(sandbox_x_domain) + diff --git a/sanlock.fc b/sanlock.fc -index 3df2a0f..7264d8a 100644 +index 3df2a0f14..7264d8ae1 100644 --- a/sanlock.fc +++ b/sanlock.fc @@ -1,7 +1,18 @@ 
@@ -99315,7 +99315,7 @@ index 3df2a0f..7264d8a 100644 -/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0) +/usr/lib/systemd/system/sanlk-resetd\.service -- gen_context(system_u:object_r:sanlk_resetd_unit_file_t,s0) diff --git a/sanlock.if b/sanlock.if -index cd6c213..6d3cdc4 100644 +index cd6c213d2..6d3cdc4d9 100644 --- a/sanlock.if +++ b/sanlock.if @@ -1,4 +1,6 @@ @@ -99548,7 +99548,7 @@ index cd6c213..6d3cdc4 100644 + ') ') diff --git a/sanlock.te b/sanlock.te -index 0045465..ee3b993 100644 +index 0045465a0..ee3b9930a 100644 --- a/sanlock.te +++ b/sanlock.te @@ -6,25 +6,44 @@ policy_module(sanlock, 1.1.0) @@ -99747,7 +99747,7 @@ index 0045465..ee3b993 100644 + wdmd_stream_connect(sanlk_resetd_t) ') diff --git a/sasl.fc b/sasl.fc -index 54f41c2..7e58679 100644 +index 54f41c2b7..7e5867968 100644 --- a/sasl.fc +++ b/sasl.fc @@ -1,7 +1,12 @@ @@ -99766,7 +99766,7 @@ index 54f41c2..7e58679 100644 +/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) /var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) diff --git a/sasl.if b/sasl.if -index 8c3c151..93b7227 100644 +index 8c3c151cb..93b722789 100644 --- a/sasl.if +++ b/sasl.if @@ -1,4 +1,4 @@ @@ -99802,7 +99802,7 @@ index 8c3c151..93b7227 100644 domain_system_change_exemption($1) role_transition $2 saslauthd_initrc_exec_t system_r; diff --git a/sasl.te b/sasl.te -index 6c3bc20..eb05a49 100644 +index 6c3bc2059..eb05a4920 100644 --- a/sasl.te +++ b/sasl.te @@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1) @@ -99918,7 +99918,7 @@ index 6c3bc20..eb05a49 100644 optional_policy(` diff --git a/sbd.fc b/sbd.fc new file mode 100644 -index 0000000..41768ee +index 000000000..41768eed0 --- /dev/null +++ b/sbd.fc @@ -0,0 +1,7 @@ @@ -99931,7 +99931,7 @@ index 0000000..41768ee +/var/run/sbd.* -- gen_context(system_u:object_r:sbd_var_run_t,s0) diff --git a/sbd.if b/sbd.if new file mode 100644 -index 0000000..7a058a8 +index 000000000..7a058a82a --- /dev/null +++ b/sbd.if 
@@ -0,0 +1,126 @@ @@ -100063,7 +100063,7 @@ index 0000000..7a058a8 +') diff --git a/sbd.te b/sbd.te new file mode 100644 -index 0000000..55576aa +index 000000000..55576aaf6 --- /dev/null +++ b/sbd.te @@ -0,0 +1,55 @@ @@ -100123,7 +100123,7 @@ index 0000000..55576aa + +') diff --git a/sblim.fc b/sblim.fc -index 68a550d..e976fc6 100644 +index 68a550d54..e976fc62e 100644 --- a/sblim.fc +++ b/sblim.fc @@ -1,6 +1,10 @@ @@ -100138,7 +100138,7 @@ index 68a550d..e976fc6 100644 /var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/sblim.if b/sblim.if -index 98c9e0a..562666e 100644 +index 98c9e0a88..562666e06 100644 --- a/sblim.if +++ b/sblim.if @@ -1,8 +1,36 @@ @@ -100332,7 +100332,7 @@ index 98c9e0a..562666e 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 299756b..5719ae9 100644 +index 299756bc8..5719ae912 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) @@ -100507,7 +100507,7 @@ index 299756b..5719ae9 100644 + virt_getattr_images(sblim_sfcbd_t) +') diff --git a/screen.fc b/screen.fc -index e7c2cf7..435aaa6 100644 +index e7c2cf74f..435aaa61c 100644 --- a/screen.fc +++ b/screen.fc @@ -2,8 +2,10 @@ HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) @@ -100526,7 +100526,7 @@ index e7c2cf7..435aaa6 100644 +/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/screen.if b/screen.if -index be5cce2..b81f5df 100644 +index be5cce2d3..b81f5dfef 100644 --- a/screen.if +++ b/screen.if @@ -1,4 +1,4 @@ @@ -100666,7 +100666,7 @@ index be5cce2..b81f5df 100644 +') + diff --git a/screen.te b/screen.te -index 5466a73..33598f3 100644 +index 5466a7327..33598f3b3 100644 --- a/screen.te +++ b/screen.te @@ -5,9 +5,7 @@ policy_module(screen, 2.6.0) @@ -100808,7 +100808,7 @@ index 5466a73..33598f3 100644 - fs_read_nfs_symlinks(screen_domain) -') 
diff --git a/sectoolm.fc b/sectoolm.fc -index 64a2394..3f1dac5 100644 +index 64a239453..3f1dac59a 100644 --- a/sectoolm.fc +++ b/sectoolm.fc @@ -1,5 +1,4 @@ @@ -100820,7 +100820,7 @@ index 64a2394..3f1dac5 100644 +/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) +/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0) diff --git a/sectoolm.if b/sectoolm.if -index c78a569..9007451 100644 +index c78a569c3..900745118 100644 --- a/sectoolm.if +++ b/sectoolm.if @@ -1,24 +1,2 @@ @@ -100850,7 +100850,7 @@ index c78a569..9007451 100644 - allow sectoolm_t $2:unix_dgram_socket sendto; -') diff --git a/sectoolm.te b/sectoolm.te -index 4bc8c13..e05d74d 100644 +index 4bc8c13ea..e05d74d48 100644 --- a/sectoolm.te +++ b/sectoolm.te @@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0) @@ -100943,7 +100943,7 @@ index 4bc8c13..e05d74d 100644 prelink_domtrans(sectoolm_t) ') diff --git a/sendmail.fc b/sendmail.fc -index d14b6bf..da5d41d 100644 +index d14b6bfc7..da5d41d5c 100644 --- a/sendmail.fc +++ b/sendmail.fc @@ -1,7 +1,8 @@ @@ -100961,7 +100961,7 @@ index d14b6bf..da5d41d 100644 +/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) diff --git a/sendmail.if b/sendmail.if -index 35ad2a7..afdc7da 100644 +index 35ad2a733..afdc7da29 100644 --- a/sendmail.if +++ b/sendmail.if @@ -1,4 +1,4 @@ @@ -101254,7 +101254,7 @@ index 35ad2a7..afdc7da 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 12700b4..8ba2995 100644 +index 12700b413..8ba299515 100644 --- a/sendmail.te +++ b/sendmail.te @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t; @@ -101442,7 +101442,7 @@ index 12700b4..8ba2995 100644 unconfined_domain(unconfined_sendmail_t) ') diff --git a/sensord.fc b/sensord.fc -index 8185d5a..9be989a 100644 +index 8185d5a6b..9be989a08 100644 --- a/sensord.fc +++ b/sensord.fc 
@@ -1,5 +1,9 @@ @@ -101456,7 +101456,7 @@ index 8185d5a..9be989a 100644 + /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) diff --git a/sensord.if b/sensord.if -index d204752..85631b3 100644 +index d204752b3..85631b346 100644 --- a/sensord.if +++ b/sensord.if @@ -1,35 +1,81 @@ @@ -101554,7 +101554,7 @@ index d204752..85631b3 100644 + ') ') diff --git a/sensord.te b/sensord.te -index 5e82fd6..ddb249d 100644 +index 5e82fd616..ddb249dfb 100644 --- a/sensord.te +++ b/sensord.te @@ -9,27 +9,38 @@ type sensord_t; @@ -101600,7 +101600,7 @@ index 5e82fd6..ddb249d 100644 -miscfiles_read_localization(sensord_t) diff --git a/setroubleshoot.fc b/setroubleshoot.fc -index 0b3a971..397a522 100644 +index 0b3a971f4..397a5225b 100644 --- a/setroubleshoot.fc +++ b/setroubleshoot.fc @@ -1,9 +1,9 @@ @@ -101618,7 +101618,7 @@ index 0b3a971..397a522 100644 -/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) +/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) diff --git a/setroubleshoot.if b/setroubleshoot.if -index 3a9a70b..903109c 100644 +index 3a9a70bef..903109c98 100644 --- a/setroubleshoot.if +++ b/setroubleshoot.if @@ -1,9 +1,8 @@ @@ -101721,7 +101721,7 @@ index 3a9a70b..903109c 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index ce67935..4985c02 100644 +index ce6793506..4985c026f 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -7,68 +7,111 @@ policy_module(setroubleshoot, 1.12.1) @@ -101991,7 +101991,7 @@ index ce67935..4985c02 100644 +') diff --git a/sge.fc b/sge.fc new file mode 100644 -index 0000000..160ddc2 +index 000000000..160ddc2b8 --- /dev/null +++ b/sge.fc @@ -0,0 +1,6 @@ @@ -102003,7 +102003,7 @@ index 0000000..160ddc2 + diff --git a/sge.if b/sge.if new file mode 100644 -index 0000000..c9d2d9c +index 000000000..c9d2d9c42 --- /dev/null +++ b/sge.if @@ -0,0 +1,24 @@ 
@@ -102033,7 +102033,7 @@ index 0000000..c9d2d9c + diff --git a/sge.te b/sge.te new file mode 100644 -index 0000000..1c1ec06 +index 000000000..1c1ec06e5 --- /dev/null +++ b/sge.te @@ -0,0 +1,196 @@ @@ -102234,7 +102234,7 @@ index 0000000..1c1ec06 + nslcd_stream_connect(sge_domain) +') diff --git a/shorewall.if b/shorewall.if -index 1aeef8a..d5ce40a 100644 +index 1aeef8ac3..d5ce40a96 100644 --- a/shorewall.if +++ b/shorewall.if @@ -1,4 +1,4 @@ @@ -102417,7 +102417,7 @@ index 1aeef8a..d5ce40a 100644 admin_pattern($1, shorewall_etc_t) diff --git a/shorewall.te b/shorewall.te -index 7710b9f..04af4ec 100644 +index 7710b9f76..04af4ec4d 100644 --- a/shorewall.te +++ b/shorewall.te @@ -32,8 +32,9 @@ logging_log_file(shorewall_log_t) @@ -102487,7 +102487,7 @@ index 7710b9f..04af4ec 100644 ulogd_search_log(shorewall_t) ') diff --git a/shutdown.fc b/shutdown.fc -index a91f33b..631dbc1 100644 +index a91f33b0f..631dbc1dc 100644 --- a/shutdown.fc +++ b/shutdown.fc @@ -8,4 +8,4 @@ @@ -102497,7 +102497,7 @@ index a91f33b..631dbc1 100644 -/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) +/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) diff --git a/shutdown.if b/shutdown.if -index d1706bf..3aa7c9f 100644 +index d1706bf87..3aa7c9fd1 100644 --- a/shutdown.if +++ b/shutdown.if @@ -1,30 +1,4 @@ @@ -102653,7 +102653,7 @@ index d1706bf..3aa7c9f 100644 ## ## diff --git a/shutdown.te b/shutdown.te -index e2544e1..2196974 100644 +index e2544e147..2196974f5 100644 --- a/shutdown.te +++ b/shutdown.te @@ -24,7 +24,7 @@ files_pid_file(shutdown_var_run_t) @@ -102702,7 +102702,7 @@ index e2544e1..2196974 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/slocate.te b/slocate.te -index 7292dc0..26fc8f4 100644 +index 7292dc064..26fc8f4bc 100644 --- a/slocate.te +++ b/slocate.te @@ -44,8 +44,12 @@ dev_getattr_all_blk_files(locate_t) @@ -102736,7 +102736,7 @@ index 7292dc0..26fc8f4 100644 +') + 
diff --git a/slpd.if b/slpd.if -index ca32e89..98278dd 100644 +index ca32e8946..98278dd2c 100644 --- a/slpd.if +++ b/slpd.if @@ -2,6 +2,43 @@ @@ -102804,7 +102804,7 @@ index ca32e89..98278dd 100644 + ') diff --git a/slpd.te b/slpd.te -index 731512a..4ce76cd 100644 +index 731512a66..4ce76cd9c 100644 --- a/slpd.te +++ b/slpd.te @@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t) @@ -102841,7 +102841,7 @@ index 731512a..4ce76cd 100644 + +sysnet_dns_name_resolve(slpd_t) diff --git a/slrnpull.te b/slrnpull.te -index 59eb07f..4626942 100644 +index 59eb07fa9..4626942ae 100644 --- a/slrnpull.te +++ b/slrnpull.te @@ -13,7 +13,7 @@ type slrnpull_var_run_t; @@ -102871,7 +102871,7 @@ index 59eb07f..4626942 100644 userdom_dontaudit_search_user_home_dirs(slrnpull_t) diff --git a/smartmon.if b/smartmon.if -index e0644b5..ea347cc 100644 +index e0644b5cf..ea347ccd5 100644 --- a/smartmon.if +++ b/smartmon.if @@ -42,9 +42,13 @@ interface(`smartmon_admin',` @@ -102890,7 +102890,7 @@ index e0644b5..ea347cc 100644 domain_system_change_exemption($1) role_transition $2 fsdaemon_initrc_exec_t system_r; diff --git a/smartmon.te b/smartmon.te -index 9cf6582..052179c 100644 +index 9cf6582d2..052179c3f 100644 --- a/smartmon.te +++ b/smartmon.te @@ -38,7 +38,7 @@ ifdef(`enable_mls',` @@ -102971,7 +102971,7 @@ index 9cf6582..052179c 100644 + virt_read_images(fsdaemon_t) ') diff --git a/smokeping.fc b/smokeping.fc -index 3359819..a231ecb 100644 +index 335981945..a231ecb56 100644 --- a/smokeping.fc +++ b/smokeping.fc @@ -2,7 +2,7 @@ @@ -102984,7 +102984,7 @@ index 3359819..a231ecb 100644 /var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0) diff --git a/smokeping.if b/smokeping.if -index 1fa51c1..82e111c 100644 +index 1fa51c11f..82e111c80 100644 --- a/smokeping.if +++ b/smokeping.if @@ -158,8 +158,11 @@ interface(`smokeping_admin',` @@ -103001,7 +103001,7 @@ index 1fa51c1..82e111c 100644 smokeping_initrc_domtrans($1) domain_system_change_exemption($1) 
diff --git a/smokeping.te b/smokeping.te -index ec031a0..61a9f8c 100644 +index ec031a031..61a9f8c08 100644 --- a/smokeping.te +++ b/smokeping.te @@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t) @@ -103061,7 +103061,7 @@ index ec031a0..61a9f8c 100644 + netutils_domtrans_ping(smokeping_cgi_script_t) ') diff --git a/smoltclient.te b/smoltclient.te -index b3f2c6f..4e629a1 100644 +index b3f2c6f26..4e629a10b 100644 --- a/smoltclient.te +++ b/smoltclient.te @@ -40,6 +40,7 @@ corenet_tcp_sendrecv_generic_node(smoltclient_t) @@ -103100,7 +103100,7 @@ index b3f2c6f..4e629a1 100644 ') diff --git a/smsd.fc b/smsd.fc new file mode 100644 -index 0000000..4c3fcec +index 000000000..4c3fcec7d --- /dev/null +++ b/smsd.fc @@ -0,0 +1,11 @@ @@ -103117,7 +103117,7 @@ index 0000000..4c3fcec +/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0) diff --git a/smsd.if b/smsd.if new file mode 100644 -index 0000000..52450c7 +index 000000000..52450c700 --- /dev/null +++ b/smsd.if @@ -0,0 +1,240 @@ @@ -103363,7 +103363,7 @@ index 0000000..52450c7 +') diff --git a/smsd.te b/smsd.te new file mode 100644 -index 0000000..d971935 +index 000000000..d971935b4 --- /dev/null +++ b/smsd.te @@ -0,0 +1,75 @@ @@ -103443,7 +103443,7 @@ index 0000000..d971935 + +term_use_usb_ttys(smsd_t) diff --git a/smstools.if b/smstools.if -index cbfe369..6594af3 100644 +index cbfe369a6..6594af373 100644 --- a/smstools.if +++ b/smstools.if @@ -1,5 +1,81 @@ @@ -103539,7 +103539,7 @@ index cbfe369..6594af3 100644 files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 -index 0000000..34f7846 +index 000000000..34f7846b3 --- /dev/null +++ b/snapper.fc @@ -0,0 +1,16 @@ @@ -103561,7 +103561,7 @@ index 0000000..34f7846 +/home/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) diff --git a/snapper.if b/snapper.if new file mode 100644 -index 0000000..88490d5 +index 000000000..88490d5c6 --- /dev/null +++ b/snapper.if @@ -0,0 +1,99 @@ 
@@ -103666,7 +103666,7 @@ index 0000000..88490d5 + diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..5c2cbe0 +index 000000000..5c2cbe02d --- /dev/null +++ b/snapper.te @@ -0,0 +1,83 @@ @@ -103754,7 +103754,7 @@ index 0000000..5c2cbe0 + snapper_relabel_snapshots(snapperd_t) +') diff --git a/snmp.fc b/snmp.fc -index 2f0a2f2..1569e33 100644 +index 2f0a2f205..1569e3369 100644 --- a/snmp.fc +++ b/snmp.fc @@ -1,6 +1,6 @@ @@ -103781,7 +103781,7 @@ index 2f0a2f2..1569e33 100644 +/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/snmp.if b/snmp.if -index 7a9cc9d..23cb658 100644 +index 7a9cc9df7..23cb6589e 100644 --- a/snmp.if +++ b/snmp.if @@ -57,8 +57,7 @@ interface(`snmp_udp_chat',` @@ -103918,7 +103918,7 @@ index 7a9cc9d..23cb658 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 9dcaeb8..e8446db 100644 +index 9dcaeb875..e8446db05 100644 --- a/snmp.te +++ b/snmp.te @@ -26,15 +26,17 @@ files_type(snmpd_var_lib_t) @@ -104019,7 +104019,7 @@ index 9dcaeb8..e8446db 100644 ') diff --git a/snort.if b/snort.if -index 7d86b34..5f58180 100644 +index 7d86b3485..5f581804e 100644 --- a/snort.if +++ b/snort.if @@ -42,8 +42,11 @@ interface(`snort_admin',` @@ -104051,7 +104051,7 @@ index 7d86b34..5f58180 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index 1af72df..d545f2a 100644 +index 1af72df55..d545f2aea 100644 --- a/snort.te +++ b/snort.te @@ -29,13 +29,16 @@ files_pid_file(snort_var_run_t) @@ -104116,7 +104116,7 @@ index 1af72df..d545f2a 100644 userdom_dontaudit_use_unpriv_user_fds(snort_t) diff --git a/sosreport.if b/sosreport.if -index 634c6b4..f6db7a7 100644 +index 634c6b4fa..f6db7a796 100644 --- a/sosreport.if +++ b/sosreport.if @@ -42,7 +42,7 @@ interface(`sosreport_run',` @@ -104152,7 +104152,7 @@ index 634c6b4..f6db7a7 100644 +') + 
diff --git a/sosreport.te b/sosreport.te -index f2f507d..0ac6752 100644 +index f2f507dae..0ac6752b4 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; @@ -104371,7 +104371,7 @@ index f2f507d..0ac6752 100644 optional_policy(` diff --git a/soundserver.if b/soundserver.if -index a5abc5a..b9eff74 100644 +index a5abc5a8d..b9eff74cb 100644 --- a/soundserver.if +++ b/soundserver.if @@ -38,9 +38,13 @@ interface(`soundserver_admin',` @@ -104390,7 +104390,7 @@ index a5abc5a..b9eff74 100644 domain_system_change_exemption($1) role_transition $2 soundd_initrc_exec_t system_r; diff --git a/soundserver.te b/soundserver.te -index 0919e0c..df28aad 100644 +index 0919e0c86..df28aadba 100644 --- a/soundserver.te +++ b/soundserver.te @@ -32,7 +32,7 @@ files_pid_file(soundd_var_run_t) @@ -104428,7 +104428,7 @@ index 0919e0c..df28aad 100644 userdom_dontaudit_use_unpriv_user_fds(soundd_t) diff --git a/spamassassin.fc b/spamassassin.fc -index e9bd097..5724bcf 100644 +index e9bd097b7..5724bcf0f 100644 --- a/spamassassin.fc +++ b/spamassassin.fc @@ -1,20 +1,27 @@ @@ -104493,7 +104493,7 @@ index e9bd097..5724bcf 100644 +/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0) diff --git a/spamassassin.if b/spamassassin.if -index 1499b0b..e695a62 100644 +index 1499b0bbf..e695a62f3 100644 --- a/spamassassin.if +++ b/spamassassin.if @@ -2,39 +2,45 @@ @@ -104948,7 +104948,7 @@ index 1499b0b..e695a62 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..85e9f59 100644 +index cc58e3578..85e9f5961 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) @@ -105756,7 +105756,7 @@ index cc58e35..85e9f59 100644 ') diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc new file mode 100644 -index 0000000..545f682 +index 000000000..545f68233 --- /dev/null +++ b/speech-dispatcher.fc @@ -0,0 +1,5 @@ 
@@ -105767,7 +105767,7 @@ index 0000000..545f682 +/var/log/speech-dispatcher(/.*)? gen_context(system_u:object_r:speech-dispatcher_log_t,s0) diff --git a/speech-dispatcher.if b/speech-dispatcher.if new file mode 100644 -index 0000000..4cb9104 +index 000000000..4cb910462 --- /dev/null +++ b/speech-dispatcher.if @@ -0,0 +1,143 @@ @@ -105916,7 +105916,7 @@ index 0000000..4cb9104 +') diff --git a/speech-dispatcher.te b/speech-dispatcher.te new file mode 100644 -index 0000000..4739473 +index 000000000..473947312 --- /dev/null +++ b/speech-dispatcher.te @@ -0,0 +1,61 @@ @@ -105982,7 +105982,7 @@ index 0000000..4739473 +dev_read_urand(speech-dispatcher_t) + diff --git a/speedtouch.te b/speedtouch.te -index b38b8b1..eb36653 100644 +index b38b8b180..eb36653b8 100644 --- a/speedtouch.te +++ b/speedtouch.te @@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t) @@ -106003,7 +106003,7 @@ index b38b8b1..eb36653 100644 userdom_dontaudit_search_user_home_dirs(speedmgmt_t) diff --git a/squid.fc b/squid.fc -index 0a8b0f7..80c1d57 100644 +index 0a8b0f7c0..80c1d5756 100644 --- a/squid.fc +++ b/squid.fc @@ -1,20 +1,31 @@ @@ -106045,7 +106045,7 @@ index 0a8b0f7..80c1d57 100644 -/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) diff --git a/squid.if b/squid.if -index 5e1f053..e7820bc 100644 +index 5e1f0534c..e7820bce3 100644 --- a/squid.if +++ b/squid.if @@ -72,7 +72,7 @@ interface(`squid_rw_stream_sockets',` @@ -106081,7 +106081,7 @@ index 5e1f053..e7820bc 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 03472ed..9148ef5 100644 +index 03472ed9b..9148ef5ae 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; @@ -106261,7 +106261,7 @@ index 03472ed..9148ef5 100644 +') diff --git a/sslh.fc b/sslh.fc new file mode 100644 -index 0000000..1a217f5 +index 000000000..1a217f5ed --- /dev/null +++ b/sslh.fc 
@@ -0,0 +1,9 @@ @@ -106276,7 +106276,7 @@ index 0000000..1a217f5 +/var/run/sslh.* gen_context(system_u:object_r:sslh_var_run_t,s0) diff --git a/sslh.if b/sslh.if new file mode 100644 -index 0000000..218360d +index 000000000..218360da8 --- /dev/null +++ b/sslh.if @@ -0,0 +1,127 @@ @@ -106409,7 +106409,7 @@ index 0000000..218360d +') diff --git a/sslh.te b/sslh.te new file mode 100644 -index 0000000..821e158 +index 000000000..821e158a5 --- /dev/null +++ b/sslh.te @@ -0,0 +1,100 @@ @@ -106514,7 +106514,7 @@ index 0000000..821e158 +') + diff --git a/sssd.fc b/sssd.fc -index dbb005a..2655c75 100644 +index dbb005aca..2655c75ab 100644 --- a/sssd.fc +++ b/sssd.fc @@ -1,15 +1,30 @@ @@ -106555,7 +106555,7 @@ index dbb005a..2655c75 100644 +/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/\.heim_org\.h5l\.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..aac2584 100644 +index a24045518..aac25848d 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -107052,7 +107052,7 @@ index a240455..aac2584 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..9b13b30 100644 +index 2d8db1fa3..9b13b3058 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t) @@ -107250,7 +107250,7 @@ index 2d8db1f..9b13b30 100644 + diff --git a/stapserver.fc b/stapserver.fc new file mode 100644 -index 0000000..0ccce59 +index 000000000..0ccce5918 --- /dev/null +++ b/stapserver.fc @@ -0,0 +1,7 @@ @@ -107263,7 +107263,7 @@ index 0000000..0ccce59 +/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0) diff --git a/stapserver.if b/stapserver.if new file mode 100644 -index 0000000..80c6480 +index 000000000..80c648055 --- /dev/null +++ b/stapserver.if @@ -0,0 +1,151 @@ @@ -107422,7 +107422,7 @@ 
diff --git a/systemtap.te b/stapserver.te similarity index 63% rename from systemtap.te rename to stapserver.te -index ffde368..f33142f 100644 +index ffde36864..f33142fd5 100644 --- a/systemtap.te +++ b/stapserver.te @@ -1,4 +1,4 @@ @@ -107547,7 +107547,7 @@ index ffde368..f33142f 100644 ') + diff --git a/stunnel.fc b/stunnel.fc -index 49dd63c..ae2e798 100644 +index 49dd63ca1..ae2e798f5 100644 --- a/stunnel.fc +++ b/stunnel.fc @@ -5,3 +5,5 @@ @@ -107557,7 +107557,7 @@ index 49dd63c..ae2e798 100644 + +/var/log/stunnel.* -- gen_context(system_u:object_r:stunnel_log_t,s0) diff --git a/stunnel.te b/stunnel.te -index 27a8480..5482c75 100644 +index 27a8480bc..5482c7549 100644 --- a/stunnel.te +++ b/stunnel.te @@ -12,6 +12,9 @@ init_daemon_domain(stunnel_t, stunnel_exec_t) @@ -107612,7 +107612,7 @@ index 27a8480..5482c75 100644 + allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/svnserve.fc b/svnserve.fc -index effffd0..12ca090 100644 +index effffd028..12ca090e1 100644 --- a/svnserve.fc +++ b/svnserve.fc @@ -1,8 +1,13 @@ @@ -107635,7 +107635,7 @@ index effffd0..12ca090 100644 +/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) diff --git a/svnserve.if b/svnserve.if -index 2ac91b6..a97033d 100644 +index 2ac91b6e0..a97033d2b 100644 --- a/svnserve.if +++ b/svnserve.if @@ -1,35 +1,119 @@ @@ -107772,7 +107772,7 @@ index 2ac91b6..a97033d 100644 ') + diff --git a/svnserve.te b/svnserve.te -index 49d688d..451a647 100644 +index 49d688d66..451a64768 100644 --- a/svnserve.te +++ b/svnserve.te @@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) @@ -107830,7 +107830,7 @@ index 49d688d..451a647 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..6d897bc +index 000000000..6d897bc25 --- /dev/null +++ b/swift.fc @@ -0,0 +1,36 @@ @@ -107872,7 +107872,7 @@ index 0000000..6d897bc +') 
diff --git a/swift.if b/swift.if new file mode 100644 -index 0000000..af26807 +index 000000000..af26807a7 --- /dev/null +++ b/swift.if @@ -0,0 +1,156 @@ @@ -108034,7 +108034,7 @@ index 0000000..af26807 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..c2f086f +index 000000000..c2f086fe7 --- /dev/null +++ b/swift.te @@ -0,0 +1,129 @@ @@ -108169,14 +108169,14 @@ index 0000000..c2f086f +') diff --git a/swift_alias.fc b/swift_alias.fc new file mode 100644 -index 0000000..b7db254 +index 000000000..b7db25411 --- /dev/null +++ b/swift_alias.fc @@ -0,0 +1 @@ +# Empty diff --git a/swift_alias.if b/swift_alias.if new file mode 100644 -index 0000000..3fed1a3 +index 000000000..3fed1a374 --- /dev/null +++ b/swift_alias.if @@ -0,0 +1,2 @@ @@ -108184,7 +108184,7 @@ index 0000000..3fed1a3 +## swift_alias policy module diff --git a/swift_alias.te b/swift_alias.te new file mode 100644 -index 0000000..6e39c4f +index 000000000..6e39c4fff --- /dev/null +++ b/swift_alias.te @@ -0,0 +1,26 @@ @@ -108215,7 +108215,7 @@ index 0000000..6e39c4f + + diff --git a/sxid.te b/sxid.te -index 01a9d0a..154872e 100644 +index 01a9d0acd..154872e4b 100644 --- a/sxid.te +++ b/sxid.te @@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t) @@ -108245,7 +108245,7 @@ index 01a9d0a..154872e 100644 userdom_dontaudit_use_unpriv_user_fds(sxid_t) diff --git a/sysstat.te b/sysstat.te -index b92f677..a2690e3 100644 +index b92f6775a..a2690e315 100644 --- a/sysstat.te +++ b/sysstat.te @@ -20,13 +20,11 @@ logging_log_file(sysstat_log_t) @@ -108302,7 +108302,7 @@ index b92f677..a2690e3 100644 + diff --git a/systemtap.fc b/systemtap.fc deleted file mode 100644 -index 1710cbb..0000000 +index 1710cbbe8..000000000 --- a/systemtap.fc +++ /dev/null @@ -1,11 +0,0 @@ @@ -108319,7 +108319,7 @@ index 1710cbb..0000000 -/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0) 
diff --git a/systemtap.if b/systemtap.if deleted file mode 100644 -index c755e2d..0000000 +index c755e2d93..000000000 --- a/systemtap.if +++ /dev/null @@ -1,45 +0,0 @@ @@ -108370,7 +108370,7 @@ index c755e2d..0000000 -') diff --git a/targetd.fc b/targetd.fc new file mode 100644 -index 0000000..c1ef053 +index 000000000..c1ef0535f --- /dev/null +++ b/targetd.fc @@ -0,0 +1,5 @@ @@ -108381,7 +108381,7 @@ index 0000000..c1ef053 +/usr/lib/systemd/system/targetd.* -- gen_context(system_u:object_r:targetd_unit_file_t,s0) diff --git a/targetd.if b/targetd.if new file mode 100644 -index 0000000..a6e216c +index 000000000..a6e216c73 --- /dev/null +++ b/targetd.if @@ -0,0 +1,167 @@ @@ -108554,7 +108554,7 @@ index 0000000..a6e216c + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 0000000..4cc8557 +index 000000000..4cc8557fc --- /dev/null +++ b/targetd.te @@ -0,0 +1,91 @@ @@ -108650,7 +108650,7 @@ index 0000000..4cc8557 +') + diff --git a/tcpd.te b/tcpd.te -index 2d6d2c2..db18a80 100644 +index 2d6d2c23d..db18a804b 100644 --- a/tcpd.te +++ b/tcpd.te @@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) @@ -108679,7 +108679,7 @@ index 2d6d2c2..db18a80 100644 inetd_domtrans_child(tcpd_t) diff --git a/tcsd.if b/tcsd.if -index b42ec1d..91b8f71 100644 +index b42ec1d83..91b8f71dc 100644 --- a/tcsd.if +++ b/tcsd.if @@ -138,8 +138,11 @@ interface(`tcsd_admin',` @@ -108696,7 +108696,7 @@ index b42ec1d..91b8f71 100644 tcsd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/tcsd.te b/tcsd.te -index b26d44a..5a79afd 100644 +index b26d44a8c..5a79afdb5 100644 --- a/tcsd.te +++ b/tcsd.te @@ -20,7 +20,7 @@ files_type(tcsd_var_lib_t) @@ -108722,7 +108722,7 @@ index b26d44a..5a79afd 100644 - -miscfiles_read_localization(tcsd_t) diff --git a/telepathy.fc b/telepathy.fc -index 6c7f8f8..03fc880 100644 +index 6c7f8f8a3..03fc88079 100644 --- a/telepathy.fc +++ b/telepathy.fc @@ -1,35 +1,23 @@ 
@@ -108781,7 +108781,7 @@ index 6c7f8f8..03fc880 100644 +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/telepathy.if b/telepathy.if -index 42946bc..9f70e4c 100644 +index 42946bc10..9f70e4cf1 100644 --- a/telepathy.if +++ b/telepathy.if @@ -2,45 +2,39 @@ @@ -109198,7 +109198,7 @@ index 42946bc..9f70e4c 100644 + can_exec($1, telepathy_executable) ') diff --git a/telepathy.te b/telepathy.te -index 9afcbc9..7b8ddb4 100644 +index 9afcbc95c..7b8ddb489 100644 --- a/telepathy.te +++ b/telepathy.te @@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2) @@ -109769,7 +109769,7 @@ index 9afcbc9..7b8ddb4 100644 xserver_rw_xdm_pipes(telepathy_domain) ') diff --git a/telnet.te b/telnet.te -index d7c8633..0d3d439 100644 +index d7c863369..0d3d4392a 100644 --- a/telnet.te +++ b/telnet.te @@ -27,19 +27,22 @@ files_pid_file(telnetd_var_run_t) @@ -109839,7 +109839,7 @@ index d7c8633..0d3d439 100644 kerberos_use(telnetd_t) ') diff --git a/tftp.fc b/tftp.fc -index 3dd87da..0d13384 100644 +index 3dd87daf5..0d13384b0 100644 --- a/tftp.fc +++ b/tftp.fc @@ -1,9 +1,9 @@ @@ -109857,7 +109857,7 @@ index 3dd87da..0d13384 100644 -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) diff --git a/tftp.if b/tftp.if -index 9957e30..51af586 100644 +index 9957e300d..51af58690 100644 --- a/tftp.if +++ b/tftp.if @@ -1,8 +1,8 @@ @@ -110143,7 +110143,7 @@ index 9957e30..51af586 100644 + tftp_manage_config($1) ') diff --git a/tftp.te b/tftp.te -index cfaa2a1..a9bc6f1 100644 +index cfaa2a19c..a9bc6f1ff 100644 --- a/tftp.te +++ b/tftp.te @@ -6,30 +6,24 @@ policy_module(tftp, 1.13.0) @@ -110311,7 +110311,7 @@ index cfaa2a1..a9bc6f1 100644 optional_policy(` diff --git a/tgtd.fc b/tgtd.fc -index 38389e6..ae0f9ab 100644 +index 38389e675..ae0f9ab51 100644 
--- a/tgtd.fc +++ b/tgtd.fc @@ -1,7 +1,4 @@ @@ -110327,7 +110327,7 @@ index 38389e6..ae0f9ab 100644 +/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) +/var/run/tgtd.* gen_context(system_u:object_r:tgtd_var_run_t,s0) diff --git a/tgtd.if b/tgtd.if -index 5406b6e..dc5b46e 100644 +index 5406b6ee8..dc5b46e28 100644 --- a/tgtd.if +++ b/tgtd.if @@ -97,6 +97,6 @@ interface(`tgtd_admin',` @@ -110339,7 +110339,7 @@ index 5406b6e..dc5b46e 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index d010963..7308fa9 100644 +index d01096386..7308fa94b 100644 --- a/tgtd.te +++ b/tgtd.te @@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t) @@ -110393,7 +110393,7 @@ index d010963..7308fa9 100644 ') diff --git a/thin.fc b/thin.fc new file mode 100644 -index 0000000..1f8a908 +index 000000000..1f8a9086c --- /dev/null +++ b/thin.fc @@ -0,0 +1,12 @@ @@ -110411,7 +110411,7 @@ index 0000000..1f8a908 +/var/run/thin(/.*)? gen_context(system_u:object_r:thin_var_run_t,s0) diff --git a/thin.if b/thin.if new file mode 100644 -index 0000000..5e3637e +index 000000000..5e3637e63 --- /dev/null +++ b/thin.if @@ -0,0 +1,64 @@ @@ -110481,7 +110481,7 @@ index 0000000..5e3637e +') diff --git a/thin.te b/thin.te new file mode 100644 -index 0000000..e66fc8c +index 000000000..e66fc8c34 --- /dev/null +++ b/thin.te @@ -0,0 +1,115 @@ @@ -110602,7 +110602,7 @@ index 0000000..e66fc8c +files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file }) diff --git a/thumb.fc b/thumb.fc new file mode 100644 -index 0000000..115bf6c +index 000000000..115bf6c42 --- /dev/null +++ b/thumb.fc @@ -0,0 +1,17 @@ @@ -110625,7 +110625,7 @@ index 0000000..115bf6c +/usr/lib/tumbler-?[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) diff --git a/thumb.if b/thumb.if new file mode 100644 -index 0000000..9524b50 +index 000000000..9524b50aa --- /dev/null +++ b/thumb.if @@ -0,0 +1,134 @@ @@ -110765,7 +110765,7 @@ index 0000000..9524b50 +') 
diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..d366c8b +index 000000000..d366c8b37 --- /dev/null +++ b/thumb.te @@ -0,0 +1,168 @@ @@ -110938,7 +110938,7 @@ index 0000000..d366c8b + corenet_dontaudit_udp_bind_generic_node(thumb_t) +') diff --git a/thunderbird.te b/thunderbird.te -index 5e867da..b25ea6e 100644 +index 5e867da56..b25ea6e08 100644 --- a/thunderbird.te +++ b/thunderbird.te @@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t) @@ -110993,7 +110993,7 @@ index 5e867da..b25ea6e 100644 ifndef(`enable_mls',` fs_search_removable(thunderbird_t) diff --git a/timidity.te b/timidity.te -index 97cd155..49321a5 100644 +index 97cd15589..49321a5bf 100644 --- a/timidity.te +++ b/timidity.te @@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f @@ -111015,7 +111015,7 @@ index 97cd155..49321a5 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tlp.fc b/tlp.fc new file mode 100644 -index 0000000..eef708d +index 000000000..eef708d92 --- /dev/null +++ b/tlp.fc @@ -0,0 +1,7 @@ @@ -111028,7 +111028,7 @@ index 0000000..eef708d +/var/run/tlp(/.*)? gen_context(system_u:object_r:tlp_var_run_t,s0) diff --git a/tlp.if b/tlp.if new file mode 100644 -index 0000000..368e188 +index 000000000..368e18842 --- /dev/null +++ b/tlp.if @@ -0,0 +1,184 @@ @@ -111218,7 +111218,7 @@ index 0000000..368e188 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 0000000..f31ed95 +index 000000000..f31ed95d7 --- /dev/null +++ b/tlp.te @@ -0,0 +1,74 @@ @@ -111297,7 +111297,7 @@ index 0000000..f31ed95 + mount_domtrans(tlp_t) +') diff --git a/tmpreaper.te b/tmpreaper.te -index 585a77f..a7cb326 100644 +index 585a77f95..a7cb3263d 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1) @@ -111448,7 +111448,7 @@ index 585a77f..a7cb326 100644 + diff --git a/tomcat.fc b/tomcat.fc new file mode 100644 -index 0000000..ae28ea3 +index 000000000..ae28ea326 --- /dev/null +++ b/tomcat.fc 
@@ -0,0 +1,12 @@ @@ -111466,7 +111466,7 @@ index 0000000..ae28ea3 +/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0) diff --git a/tomcat.if b/tomcat.if new file mode 100644 -index 0000000..e5cec8f +index 000000000..e5cec8fda --- /dev/null +++ b/tomcat.if @@ -0,0 +1,396 @@ @@ -111868,7 +111868,7 @@ index 0000000..e5cec8f +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 0000000..1d0e69b +index 000000000..1d0e69bf8 --- /dev/null +++ b/tomcat.te @@ -0,0 +1,106 @@ @@ -111979,7 +111979,7 @@ index 0000000..1d0e69b + rpm_read_db(tomcat_domain) +') diff --git a/tor.fc b/tor.fc -index dce42ec..b6b67bf 100644 +index dce42ecc5..b6b67bffe 100644 --- a/tor.fc +++ b/tor.fc @@ -5,6 +5,8 @@ @@ -111992,7 +111992,7 @@ index dce42ec..b6b67bf 100644 /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) diff --git a/tor.if b/tor.if -index 61c2e07..3b86095 100644 +index 61c2e07d6..3b860953c 100644 --- a/tor.if +++ b/tor.if @@ -19,6 +19,30 @@ interface(`tor_domtrans',` @@ -112062,7 +112062,7 @@ index 61c2e07..3b86095 100644 + ') ') diff --git a/tor.te b/tor.te -index 5ceacde..a395940 100644 +index 5ceacde8c..a3959403d 100644 --- a/tor.te +++ b/tor.te @@ -13,6 +13,20 @@ policy_module(tor, 1.9.0) @@ -112162,7 +112162,7 @@ index 5ceacde..a395940 100644 seutil_sigchld_newrole(tor_t) ') diff --git a/transproxy.te b/transproxy.te -index 34973ee..1c9a4c6 100644 +index 34973ee4c..1c9a4c613 100644 --- a/transproxy.te +++ b/transproxy.te @@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t) @@ -112190,7 +112190,7 @@ index 34973ee..1c9a4c6 100644 userdom_dontaudit_use_unpriv_user_fds(transproxy_t) diff --git a/tripwire.te b/tripwire.te -index 03aa6b7..53c0c73 100644 +index 03aa6b7f0..53c0c7366 100644 --- a/tripwire.te +++ b/tripwire.te @@ -47,7 +47,7 @@ role twprint_roles types twprint_t; @@ -112242,7 +112242,7 @@ index 03aa6b7..53c0c73 100644 -userdom_use_user_terminals(siggen_t) +userdom_use_inherited_user_terminals(siggen_t) 
diff --git a/tuned.if b/tuned.if -index e29db63..061fb98 100644 +index e29db63a2..061fb983c 100644 --- a/tuned.if +++ b/tuned.if @@ -119,9 +119,13 @@ interface(`tuned_admin',` @@ -112261,7 +112261,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a330..76390e2 100644 +index 393a33073..76390e2f6 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -112405,7 +112405,7 @@ index 393a330..76390e2 100644 + unconfined_domain(tuned_t) +') diff --git a/tvtime.if b/tvtime.if -index 1bb0f7c..372be2f 100644 +index 1bb0f7c78..372be2f21 100644 --- a/tvtime.if +++ b/tvtime.if @@ -1,5 +1,23 @@ @@ -112433,7 +112433,7 @@ index 1bb0f7c..372be2f 100644 ## ## Role access for tvtime diff --git a/tvtime.te b/tvtime.te -index afd2d6c..3ce900e 100644 +index afd2d6c3f..3ce900e99 100644 --- a/tvtime.te +++ b/tvtime.te @@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms; @@ -112479,7 +112479,7 @@ index afd2d6c..3ce900e 100644 optional_policy(` xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) diff --git a/tzdata.te b/tzdata.te -index 221c43b..2b9c49a 100644 +index 221c43b84..2b9c49ac1 100644 --- a/tzdata.te +++ b/tzdata.te @@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t) @@ -112496,7 +112496,7 @@ index 221c43b..2b9c49a 100644 optional_policy(` postfix_search_spool(tzdata_t) diff --git a/ucspitcp.te b/ucspitcp.te -index 7745b72..329c3d8 100644 +index 7745b72e6..329c3d899 100644 --- a/ucspitcp.te +++ b/ucspitcp.te @@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t) @@ -112517,7 +112517,7 @@ index 7745b72..329c3d8 100644 sysnet_read_config(ucspitcp_t) diff --git a/udisks2.fc b/udisks2.fc new file mode 100644 -index 0000000..c8aa54d +index 000000000..c8aa54dab --- /dev/null +++ b/udisks2.fc @@ -0,0 +1,8 @@ 
@@ -112531,7 +112531,7 @@ index 0000000..c8aa54d +/var/run/udisks2(/.*)? gen_context(system_u:object_r:udisks2_var_run_t,s0) diff --git a/udisks2.if b/udisks2.if new file mode 100644 -index 0000000..45304ea +index 000000000..45304ea1a --- /dev/null +++ b/udisks2.if @@ -0,0 +1,206 @@ @@ -112743,7 +112743,7 @@ index 0000000..45304ea +') diff --git a/udisks2.te b/udisks2.te new file mode 100644 -index 0000000..617ee56 +index 000000000..617ee56f4 --- /dev/null +++ b/udisks2.te @@ -0,0 +1,58 @@ @@ -112806,7 +112806,7 @@ index 0000000..617ee56 + policykit_dbus_chat(udisks2_t) +') diff --git a/ulogd.if b/ulogd.if -index 9b95c3e..a892845 100644 +index 9b95c3ef7..a892845bb 100644 --- a/ulogd.if +++ b/ulogd.if @@ -123,8 +123,11 @@ interface(`ulogd_admin',` @@ -112823,7 +112823,7 @@ index 9b95c3e..a892845 100644 init_labeled_script_domtrans($1, ulogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/ulogd.te b/ulogd.te -index de35e5f..91cac11 100644 +index de35e5f4c..91cac1110 100644 --- a/ulogd.te +++ b/ulogd.te @@ -29,8 +29,11 @@ logging_log_file(ulogd_var_log_t) @@ -112852,7 +112852,7 @@ index de35e5f..91cac11 100644 sysnet_dns_name_resolve(ulogd_t) diff --git a/uml.if b/uml.if -index ab5c1d0..d13105e 100644 +index ab5c1d0da..d13105ea7 100644 --- a/uml.if +++ b/uml.if @@ -32,7 +32,7 @@ interface(`uml_role',` @@ -112865,7 +112865,7 @@ index ab5c1d0..d13105e 100644 allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms }; diff --git a/uml.te b/uml.te -index b68bd49..da0c691 100644 +index b68bd49ff..da0c6912f 100644 --- a/uml.te +++ b/uml.te @@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t) @@ -112912,7 +112912,7 @@ index b68bd49..da0c691 100644 userdom_dontaudit_search_user_home_dirs(uml_switch_t) diff --git a/updfstab.te b/updfstab.te -index 5ceb912..232e9ac 100644 +index 5ceb91249..232e9ac93 100644 
--- a/updfstab.te +++ b/updfstab.te @@ -14,7 +14,7 @@ init_system_domain(updfstab_t, updfstab_exec_t) @@ -112946,7 +112946,7 @@ index 5ceb912..232e9ac 100644 optional_policy(` dbus_system_bus_client(updfstab_t) diff --git a/uptime.if b/uptime.if -index 01a3234..19f4724 100644 +index 01a3234b6..19f472475 100644 --- a/uptime.if +++ b/uptime.if @@ -19,7 +19,7 @@ @@ -112959,7 +112959,7 @@ index 01a3234..19f4724 100644 ') diff --git a/uptime.te b/uptime.te -index 58397dc..e6b6a34 100644 +index 58397dc31..e6b6a3472 100644 --- a/uptime.te +++ b/uptime.te @@ -16,7 +16,7 @@ type uptimed_initrc_exec_t; @@ -112981,7 +112981,7 @@ index 58397dc..e6b6a34 100644 userdom_dontaudit_search_user_home_dirs(uptimed_t) diff --git a/usbmodules.te b/usbmodules.te -index 279e511..4f79ad6 100644 +index 279e511df..4f79ad697 100644 --- a/usbmodules.te +++ b/usbmodules.te @@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t) @@ -113010,7 +113010,7 @@ index 279e511..4f79ad6 100644 + modutils_read_module_deps(usbmodules_t) +') diff --git a/usbmuxd.fc b/usbmuxd.fc -index 220f6ad..ccbb5da 100644 +index 220f6add1..ccbb5dabc 100644 --- a/usbmuxd.fc +++ b/usbmuxd.fc @@ -1,3 +1,6 @@ @@ -113022,7 +113022,7 @@ index 220f6ad..ccbb5da 100644 + +/var/lib/lockdown(/.*)? gen_context(system_u:object_r:usbmuxd_var_lib_t,s0) diff --git a/usbmuxd.if b/usbmuxd.if -index 1ec5e99..5b6c80b 100644 +index 1ec5e996b..5b6c80bba 100644 --- a/usbmuxd.if +++ b/usbmuxd.if @@ -38,3 +38,67 @@ interface(`usbmuxd_stream_connect',` @@ -113094,7 +113094,7 @@ index 1ec5e99..5b6c80b 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 34a8917..933baa4 100644 +index 34a891755..933baa42d 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -10,34 +10,58 @@ roleattribute system_r usbmuxd_roles; @@ -113161,7 +113161,7 @@ index 34a8917..933baa4 100644 + virt_dontaudit_read_chr_dev(usbmuxd_t) +') 
diff --git a/userhelper.fc b/userhelper.fc -index c416a83..cd83b89 100644 +index c416a833e..cd83b89ee 100644 --- a/userhelper.fc +++ b/userhelper.fc @@ -1,5 +1,10 @@ @@ -113181,7 +113181,7 @@ index c416a83..cd83b89 100644 +/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --git a/userhelper.if b/userhelper.if -index 98b51fd..c7e44ca 100644 +index 98b51fd0b..c7e44cada 100644 --- a/userhelper.if +++ b/userhelper.if @@ -1,4 +1,4 @@ @@ -113507,7 +113507,7 @@ index 98b51fd..c7e44ca 100644 ## ## Execute the consolehelper program diff --git a/userhelper.te b/userhelper.te -index 42cfce0..b7e3e25 100644 +index 42cfce06e..b7e3e2532 100644 --- a/userhelper.te +++ b/userhelper.te @@ -5,11 +5,8 @@ policy_module(userhelper, 1.8.1) @@ -113714,7 +113714,7 @@ index 42cfce0..b7e3e25 100644 + fs_search_cifs(consolehelper_domain) ') diff --git a/usernetctl.if b/usernetctl.if -index 7deec55..c542887 100644 +index 7deec55cf..c542887da 100644 --- a/usernetctl.if +++ b/usernetctl.if @@ -39,6 +39,7 @@ interface(`usernetctl_domtrans',` @@ -113726,7 +113726,7 @@ index 7deec55..c542887 100644 ') diff --git a/usernetctl.te b/usernetctl.te -index f973af8..8606439 100644 +index f973af82b..860643991 100644 --- a/usernetctl.te +++ b/usernetctl.te @@ -6,19 +6,19 @@ policy_module(usernetctl, 1.7.0) @@ -113792,7 +113792,7 @@ index f973af8..8606439 100644 ppp_run(usernetctl_t, usernetctl_roles) ') diff --git a/uucp.if b/uucp.if -index af9acc0..cdaf82e 100644 +index af9acc0d3..cdaf82e21 100644 --- a/uucp.if +++ b/uucp.if @@ -90,11 +90,6 @@ interface(`uucp_domtrans_uux',` @@ -113828,7 +113828,7 @@ index af9acc0..cdaf82e 100644 admin_pattern($1, uucpd_log_t) diff --git a/uucp.te b/uucp.te -index 849f607..e01ec6d 100644 +index 849f607b1..e01ec6d2e 100644 --- a/uucp.te +++ b/uucp.te @@ -31,7 +31,7 @@ type uucpd_ro_t; 
@@ -113901,7 +113901,7 @@ index 849f607..e01ec6d 100644 + postfix_rw_inherited_master_pipes(uux_t) +') diff --git a/uuidd.if b/uuidd.if -index 6e48653..6abf74a 100644 +index 6e4865333..6abf74a90 100644 --- a/uuidd.if +++ b/uuidd.if @@ -148,11 +148,12 @@ interface(`uuidd_read_pid_files',` @@ -113929,7 +113929,7 @@ index 6e48653..6abf74a 100644 uuidd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/uuidd.te b/uuidd.te -index f8e52fc..b283c25 100644 +index f8e52fc97..b283c25f7 100644 --- a/uuidd.te +++ b/uuidd.te @@ -42,6 +42,4 @@ dev_read_urand(uuidd_t) @@ -113940,7 +113940,7 @@ index f8e52fc..b283c25 100644 -miscfiles_read_localization(uuidd_t) diff --git a/uwimap.te b/uwimap.te -index acdc78a..9e5ee47 100644 +index acdc78ae7..9e5ee472d 100644 --- a/uwimap.te +++ b/uwimap.te @@ -20,7 +20,7 @@ files_pid_file(imapd_var_run_t) @@ -113979,7 +113979,7 @@ index acdc78a..9e5ee47 100644 userdom_dontaudit_use_unpriv_user_fds(imapd_t) diff --git a/varnishd.if b/varnishd.if -index 1c35171..2cba4df 100644 +index 1c35171d8..2cba4dfea 100644 --- a/varnishd.if +++ b/varnishd.if @@ -153,12 +153,16 @@ interface(`varnishd_manage_log',` @@ -114016,7 +114016,7 @@ index 1c35171..2cba4df 100644 domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index 9d4d8cb..e73bd98 100644 +index 9d4d8cbb0..e73bd982c 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; @@ -114066,7 +114066,7 @@ index 9d4d8cb..e73bd98 100644 tunable_policy(`varnishd_connect_any',` corenet_sendrecv_all_client_packets(varnishd_t) diff --git a/vbetool.te b/vbetool.te -index 2a61f75..fa84e40 100644 +index 2a61f7526..fa84e40b9 100644 --- a/vbetool.te +++ b/vbetool.te @@ -26,7 +26,8 @@ role vbetool_roles types vbetool_t; @@ -114088,7 +114088,7 @@ index 2a61f75..fa84e40 100644 tunable_policy(`vbetool_mmap_zero_ignore',` dontaudit vbetool_t self:memprotect mmap_zero; 
diff --git a/vdagent.if b/vdagent.if -index 31c752e..ef52235 100644 +index 31c752ea6..ef522355b 100644 --- a/vdagent.if +++ b/vdagent.if @@ -24,15 +24,15 @@ interface(`vdagent_domtrans',` @@ -114185,7 +114185,7 @@ index 31c752e..ef52235 100644 init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/vdagent.te b/vdagent.te -index 87da8a2..b80a6f4 100644 +index 87da8a24d..b80a6f422 100644 --- a/vdagent.te +++ b/vdagent.te @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) @@ -114231,7 +114231,7 @@ index 87da8a2..b80a6f4 100644 dbus_system_bus_client(vdagent_t) diff --git a/vhostmd.if b/vhostmd.if -index 22edd58..c3a5364 100644 +index 22edd58f8..c3a536427 100644 --- a/vhostmd.if +++ b/vhostmd.if @@ -216,9 +216,13 @@ interface(`vhostmd_admin',` @@ -114250,7 +114250,7 @@ index 22edd58..c3a5364 100644 domain_system_change_exemption($1) role_transition $2 vhostmd_initrc_exec_t system_r; diff --git a/vhostmd.te b/vhostmd.te -index 3d11c6a..c5d8428 100644 +index 3d11c6a3d..c5d84287e 100644 --- a/vhostmd.te +++ b/vhostmd.te @@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t) @@ -114286,7 +114286,7 @@ index 3d11c6a..c5d8428 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bc..9777de2 100644 +index a4f20bcfc..9777de289 100644 --- a/virt.fc +++ b/virt.fc @@ -1,51 +1,109 @@ @@ -114438,7 +114438,7 @@ index a4f20bc..9777de2 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..2a619ba 100644 +index facdee8b3..2a619ba9e 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,111 @@ @@ -116663,7 +116663,7 @@ index facdee8..2a619ba 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf5..5ce41db 100644 +index f03dcf567..5ce41db0d 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,422 @@ 
@@ -119027,7 +119027,7 @@ index f03dcf5..5ce41db 100644 +allow svirt_sandbox_domain container_ro_file_t:file execmod; +can_exec(svirt_sandbox_domain, container_ro_file_t) diff --git a/vlock.te b/vlock.te -index 6b72968..de409cc 100644 +index 6b72968ea..de409cc61 100644 --- a/vlock.te +++ b/vlock.te @@ -38,7 +38,7 @@ auth_use_pam(vlock_t) @@ -119042,7 +119042,7 @@ index 6b72968..de409cc 100644 +userdom_use_inherited_user_terminals(vlock_t) diff --git a/vmtools.fc b/vmtools.fc new file mode 100644 -index 0000000..c5deffb +index 000000000..c5deffb77 --- /dev/null +++ b/vmtools.fc @@ -0,0 +1,5 @@ @@ -119053,7 +119053,7 @@ index 0000000..c5deffb +/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0) diff --git a/vmtools.if b/vmtools.if new file mode 100644 -index 0000000..afd0c97 +index 000000000..afd0c9791 --- /dev/null +++ b/vmtools.if @@ -0,0 +1,123 @@ @@ -119182,7 +119182,7 @@ index 0000000..afd0c97 +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..f98f288 +index 000000000..f98f2885b --- /dev/null +++ b/vmtools.te @@ -0,0 +1,100 @@ @@ -119287,7 +119287,7 @@ index 0000000..f98f288 +') + diff --git a/vmware.if b/vmware.if -index 20a1fb2..470ea95 100644 +index 20a1fb296..470ea9528 100644 --- a/vmware.if +++ b/vmware.if @@ -26,7 +26,11 @@ interface(`vmware_role',` @@ -119304,7 +119304,7 @@ index 20a1fb2..470ea95 100644 allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms }; diff --git a/vmware.te b/vmware.te -index 4ad1894..b589158 100644 +index 4ad18944a..b5891580a 100644 --- a/vmware.te +++ b/vmware.te @@ -65,7 +65,8 @@ ifdef(`enable_mcs',` @@ -119410,7 +119410,7 @@ index 4ad1894..b589158 100644 sysnet_dns_name_resolve(vmware_t) diff --git a/vnstatd.if b/vnstatd.if -index 137ac44..b644854 100644 +index 137ac4458..b644854c9 100644 --- a/vnstatd.if 
+++ b/vnstatd.if @@ -157,7 +157,6 @@ interface(`vnstatd_manage_lib_files',` @@ -119437,7 +119437,7 @@ index 137ac44..b644854 100644 domain_system_change_exemption($1) role_transition $2 vnstatd_initrc_exec_t system_r; diff --git a/vnstatd.te b/vnstatd.te -index e2220ae..85f393b 100644 +index e2220ae7f..85f393b41 100644 --- a/vnstatd.te +++ b/vnstatd.te @@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen }; @@ -119494,7 +119494,7 @@ index e2220ae..85f393b 100644 cron_system_entry(vnstat_t, vnstat_exec_t) ') diff --git a/vpn.fc b/vpn.fc -index 524ac2f..076dcc3 100644 +index 524ac2f76..076dcc3e6 100644 --- a/vpn.fc +++ b/vpn.fc @@ -1,7 +1,13 @@ @@ -119515,7 +119515,7 @@ index 524ac2f..076dcc3 100644 -/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) +/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) diff --git a/vpn.if b/vpn.if -index 7a7f342..afedcba 100644 +index 7a7f34297..afedcba80 100644 --- a/vpn.if +++ b/vpn.if @@ -1,8 +1,8 @@ @@ -119592,7 +119592,7 @@ index 7a7f342..afedcba 100644 ## ## diff --git a/vpn.te b/vpn.te -index 95b26d1..3d74e70 100644 +index 95b26d126..3d74e70cc 100644 --- a/vpn.te +++ b/vpn.te @@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0) @@ -119707,7 +119707,7 @@ index 95b26d1..3d74e70 100644 + networkmanager_manage_pid_files(vpnc_t) ') diff --git a/w3c.fc b/w3c.fc -index 463c799..227feaf 100644 +index 463c799f4..227feaf34 100644 --- a/w3c.fc +++ b/w3c.fc @@ -1,4 +1,4 @@ @@ -119719,7 +119719,7 @@ index 463c799..227feaf 100644 +/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:w3c_validator_content_t,s0) +/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:w3c_validator_script_exec_t,s0) diff --git a/w3c.te b/w3c.te -index b14d6a9..d7c7938 100644 +index b14d6a948..d7c79382d 100644 --- a/w3c.te +++ b/w3c.te @@ -6,29 +6,37 @@ policy_module(w3c, 1.1.0) 
@@ -119776,7 +119776,7 @@ index b14d6a9..d7c7938 100644 -sysnet_dns_name_resolve(httpd_w3c_validator_script_t) +sysnet_dns_name_resolve(w3c_validator_script_t) diff --git a/watchdog.fc b/watchdog.fc -index eecd0e0..8df2e8c 100644 +index eecd0e03b..8df2e8ce7 100644 --- a/watchdog.fc +++ b/watchdog.fc @@ -1,7 +1,12 @@ @@ -119793,7 +119793,7 @@ index eecd0e0..8df2e8c 100644 /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) diff --git a/watchdog.if b/watchdog.if -index 6461a77..8fda2dd 100644 +index 6461a7746..8fda2dd71 100644 --- a/watchdog.if +++ b/watchdog.if @@ -37,3 +37,21 @@ interface(`watchdog_admin',` @@ -119819,7 +119819,7 @@ index 6461a77..8fda2dd 100644 + read_lnk_files_pattern($1,watchdog_unconfined_exec_t, watchdog_unconfined_exec_t) +') diff --git a/watchdog.te b/watchdog.te -index 3548317..fc3da17 100644 +index 3548317cf..fc3da17d6 100644 --- a/watchdog.te +++ b/watchdog.te @@ -12,34 +12,47 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) @@ -119948,7 +119948,7 @@ index 3548317..fc3da17 100644 + ') +') diff --git a/wdmd.fc b/wdmd.fc -index 66f11f7..e051997 100644 +index 66f11f724..e051997a6 100644 --- a/wdmd.fc +++ b/wdmd.fc @@ -1,5 +1,7 @@ @@ -119962,7 +119962,7 @@ index 66f11f7..e051997 100644 -/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) diff --git a/wdmd.if b/wdmd.if -index 1e3aec0..d17ff39 100644 +index 1e3aec07f..d17ff392f 100644 --- a/wdmd.if +++ b/wdmd.if @@ -1,29 +1,47 @@ @@ -120106,7 +120106,7 @@ index 1e3aec0..d17ff39 100644 + ') diff --git a/wdmd.te b/wdmd.te -index 4815a93..24dcf51 100644 +index 4815a93f4..24dcf5174 100644 --- a/wdmd.te +++ b/wdmd.te @@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t) @@ -120131,7 +120131,7 @@ index 4815a93..24dcf51 100644 + rhcs_rw_cluster_tmpfs(wdmd_t) ') diff --git a/webadm.te b/webadm.te -index 2a6cae7..6d0a2a1 100644 +index 2a6cae773..6d0a2a1c5 100644 --- a/webadm.te +++ b/webadm.te @@ -25,6 +25,9 @@ role webadm_r; 
@@ -120169,7 +120169,7 @@ index 2a6cae7..6d0a2a1 100644 tunable_policy(`webadm_manage_user_files',` userdom_manage_user_home_content_files(webadm_t) diff --git a/webalizer.fc b/webalizer.fc -index 64baf67..76c753b 100644 +index 64baf679e..76c753b1a 100644 --- a/webalizer.fc +++ b/webalizer.fc @@ -6,4 +6,4 @@ @@ -120179,7 +120179,7 @@ index 64baf67..76c753b 100644 -/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0) +/var/www/usage(/.*)? gen_context(system_u:object_r:webalizer_rw_content_t,s0) diff --git a/webalizer.te b/webalizer.te -index ae919b9..cdd9359 100644 +index ae919b9a5..cdd9359d1 100644 --- a/webalizer.te +++ b/webalizer.te @@ -33,7 +33,7 @@ files_type(webalizer_write_t) @@ -120235,7 +120235,7 @@ index ae919b9..cdd9359 100644 optional_policy(` diff --git a/wine.if b/wine.if -index fd2b6cc..9c4f14b 100644 +index fd2b6cc1e..9c4f14b88 100644 --- a/wine.if +++ b/wine.if @@ -1,46 +1,58 @@ @@ -120410,7 +120410,7 @@ index fd2b6cc..9c4f14b 100644 +') + diff --git a/wine.te b/wine.te -index 491b87b..2a79df4 100644 +index 491b87b44..2a79df407 100644 --- a/wine.te +++ b/wine.te @@ -14,10 +14,11 @@ policy_module(wine, 1.11.0) @@ -120512,7 +120512,7 @@ index 491b87b..2a79df4 100644 ') + diff --git a/wireshark.te b/wireshark.te -index ff6ef38..436d3bf 100644 +index ff6ef3859..436d3bf5a 100644 --- a/wireshark.te +++ b/wireshark.te @@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t) @@ -120567,7 +120567,7 @@ index ff6ef38..436d3bf 100644 optional_policy(` userhelper_use_fd(wireshark_t) diff --git a/wm.fc b/wm.fc -index 304ae09..c1d10a1 100644 +index 304ae09d3..c1d10a11b 100644 --- a/wm.fc +++ b/wm.fc @@ -1,4 +1,4 @@ @@ -120577,7 +120577,7 @@ index 304ae09..c1d10a1 100644 -/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) diff --git a/wm.if b/wm.if -index 95f888d..48fe249 100644 +index 95f888d16..48fe249e1 100644 --- a/wm.if +++ b/wm.if @@ -1,4 +1,4 @@ 
@@ -120712,7 +120712,7 @@ index 95f888d..48fe249 100644 - allow $1_wm_t $2:dbus send_msg; -') diff --git a/wm.te b/wm.te -index 638d10f..5fb9960 100644 +index 638d10fc6..5fb996008 100644 --- a/wm.te +++ b/wm.te @@ -1,12 +1,12 @@ @@ -120826,7 +120826,7 @@ index 638d10f..5fb9960 100644 + xserver_manage_core_devices(wm_domain) +') diff --git a/xen.fc b/xen.fc -index 42d83b0..651d1cb 100644 +index 42d83b02f..651d1cb61 100644 --- a/xen.fc +++ b/xen.fc @@ -1,38 +1,42 @@ @@ -120889,7 +120889,7 @@ index 42d83b0..651d1cb 100644 -/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) +/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) diff --git a/xen.if b/xen.if -index f93558c..16e29c1 100644 +index f93558c5a..16e29c141 100644 --- a/xen.if +++ b/xen.if @@ -1,13 +1,13 @@ @@ -121156,7 +121156,7 @@ index f93558c..16e29c1 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index 6f736a9..c1ba3ba 100644 +index 6f736a993..c1ba3ba4b 100644 --- a/xen.te +++ b/xen.te @@ -4,39 +4,31 @@ policy_module(xen, 1.13.0) @@ -121856,7 +121856,7 @@ index 6f736a9..c1ba3ba 100644 - fs_manage_xenfs_files(xm_ssh_t) -') diff --git a/xfs.te b/xfs.te -index 0928c5d..b9bcf88 100644 +index 0928c5d6a..b9bcf8824 100644 --- a/xfs.te +++ b/xfs.te @@ -23,7 +23,7 @@ files_pid_file(xfs_var_run_t) @@ -121893,7 +121893,7 @@ index 0928c5d..b9bcf88 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index a64aad3..12dc86b 100644 +index a64aad347..12dc86b2f 100644 --- a/xguest.te +++ b/xguest.te @@ -6,46 +6,49 @@ policy_module(xguest, 1.2.0) @@ -122153,7 +122153,7 @@ index a64aad3..12dc86b 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/xprint.te b/xprint.te -index 3c44d84..ce5e69d 100644 +index 3c44d8493..ce5e69d69 100644 --- a/xprint.te +++ b/xprint.te @@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t) @@ -122183,7 +122183,7 @@ index 3c44d84..ce5e69d 100644 sysnet_read_config(xprint_t) 
diff --git a/xscreensaver.te b/xscreensaver.te -index 04096a0..98a8205 100644 +index 04096a050..98a8205a7 100644 --- a/xscreensaver.te +++ b/xscreensaver.te @@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms; @@ -122207,7 +122207,7 @@ index 04096a0..98a8205 100644 xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) diff --git a/yam.te b/yam.te -index 2695db2..c1ec893 100644 +index 2695db25c..c1ec89384 100644 --- a/yam.te +++ b/yam.te @@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t) @@ -122235,7 +122235,7 @@ index 2695db2..c1ec893 100644 userdom_search_user_home_dirs(yam_t) diff --git a/zabbix.fc b/zabbix.fc -index c3b5a81..c384947 100644 +index c3b5a819e..c384947f3 100644 --- a/zabbix.fc +++ b/zabbix.fc @@ -4,12 +4,22 @@ @@ -122264,7 +122264,7 @@ index c3b5a81..c384947 100644 /var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/zabbix.if b/zabbix.if -index dd63de0..38ce620 100644 +index dd63de028..38ce6208e 100644 --- a/zabbix.if +++ b/zabbix.if @@ -1,4 +1,4 @@ @@ -122426,7 +122426,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c6..bf2ae51 100644 +index 7f496c617..bf2ae51d0 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -122732,7 +122732,7 @@ index 7f496c6..bf2ae51 100644 + unconfined_domain(zabbix_script_t) +') diff --git a/zarafa.fc b/zarafa.fc -index faf99ed..44e94fa 100644 +index faf99ed51..44e94fad9 100644 --- a/zarafa.fc +++ b/zarafa.fc @@ -1,33 +1,34 @@ @@ -122787,7 +122787,7 @@ index faf99ed..44e94fa 100644 +/var/run/zarafa-search\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) /var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) diff --git a/zarafa.if b/zarafa.if -index 36e32df..3d08962 100644 +index 36e32df6d..3d089626e 100644 --- a/zarafa.if +++ b/zarafa.if @@ -1,55 +1,59 @@ 
@@ -122974,7 +122974,7 @@ index 36e32df..3d08962 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ') diff --git a/zarafa.te b/zarafa.te -index 3fded1c..8bea5e8 100644 +index 3fded1c4d..8bea5e820 100644 --- a/zarafa.te +++ b/zarafa.te @@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0) @@ -123212,7 +123212,7 @@ index 3fded1c..8bea5e8 100644 -miscfiles_read_localization(zarafa_domain) +dev_read_sysfs(zarafa_domain) diff --git a/zebra.fc b/zebra.fc -index 28ee4ca..bc37f76 100644 +index 28ee4cac9..bc37f7691 100644 --- a/zebra.fc +++ b/zebra.fc @@ -1,21 +1,34 @@ @@ -123264,7 +123264,7 @@ index 28ee4ca..bc37f76 100644 -/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) +/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) diff --git a/zebra.if b/zebra.if -index 3416401..e364caf 100644 +index 34164017b..e364caf4b 100644 --- a/zebra.if +++ b/zebra.if @@ -1,8 +1,8 @@ @@ -123372,7 +123372,7 @@ index 3416401..e364caf 100644 + allow $1 zebra_unit_file_t:service all_service_perms; ') diff --git a/zebra.te b/zebra.te -index 2e80d04..5bf04b2 100644 +index 2e80d04fc..5bf04b2d0 100644 --- a/zebra.te +++ b/zebra.te @@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0) @@ -123526,7 +123526,7 @@ index 2e80d04..5bf04b2 100644 +') diff --git a/zoneminder.fc b/zoneminder.fc new file mode 100644 -index 0000000..ceaa219 +index 000000000..ceaa219dc --- /dev/null +++ b/zoneminder.fc @@ -0,0 +1,13 @@ @@ -123545,7 +123545,7 @@ index 0000000..ceaa219 +/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0) diff --git a/zoneminder.if b/zoneminder.if new file mode 100644 -index 0000000..fb0519e +index 000000000..fb0519ebf --- /dev/null +++ b/zoneminder.if @@ -0,0 +1,374 @@ @@ -123925,7 +123925,7 @@ index 0000000..fb0519e + diff --git a/zoneminder.te b/zoneminder.te new file mode 100644 -index 0000000..c9ad1b3 +index 000000000..c9ad1b330 --- /dev/null +++ b/zoneminder.te @@ -0,0 +1,187 @@ 
@@ -124117,7 +124117,7 @@ index 0000000..c9ad1b3 + ') +') diff --git a/zosremote.if b/zosremote.if -index b14698c..16e1581 100644 +index b14698c4f..16e1581a0 100644 --- a/zosremote.if +++ b/zosremote.if @@ -35,6 +35,7 @@ interface(`zosremote_domtrans',` @@ -124129,7 +124129,7 @@ index b14698c..16e1581 100644 interface(`zosremote_run',` gen_require(` diff --git a/zosremote.te b/zosremote.te -index bc6a5db..0abdceb 100644 +index bc6a5db70..0abdcebcb 100644 --- a/zosremote.te +++ b/zosremote.te @@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen }; diff --git a/selinux-policy.spec b/selinux-policy.spec index 272febf..1b4e09c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 269%{?dist} +Release: 270%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -683,6 +683,9 @@ exit 0 %endif %changelog +* Thu Aug 10 2017 Lukas Vrabec - 3.13.1-270 +- refpolicy: Infiniband pkeys and endport + * Thu Aug 10 2017 Lukas Vrabec - 3.13.1-269 - Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524) - After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy