diff --git a/policy-F16.patch b/policy-F16.patch index 1b5e1ca..e0f0e9c 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -47,76 +47,6 @@ index 16e8b13..87925e6 100644 .EX httpd_sys_content_ra_t .EE -diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index 0ef9b12..bf24160 100644 ---- a/policy/flask/access_vectors -+++ b/policy/flask/access_vectors -@@ -153,6 +153,8 @@ inherits file - search - rmdir - open -+ audit_access -+ execmod - } - - class file -@@ -162,10 +164,16 @@ inherits file - entrypoint - execmod - open -+ audit_access - } - - class lnk_file - inherits file -+{ -+ open -+ audit_access -+ execmod -+} - - class chr_file - inherits file -@@ -174,24 +182,31 @@ inherits file - entrypoint - execmod - open -+ audit_access - } - - class blk_file - inherits file - { - open -+ audit_access -+ execmod - } - - class sock_file - inherits file - { - open -+ audit_access -+ execmod - } - - class fifo_file - inherits file - { - open -+ audit_access -+ execmod - } - - class fd -@@ -363,6 +378,7 @@ class security - setbool - setsecparam - setcheckreqprot -+ read_policy - } - - diff --git a/policy/global_booleans b/policy/global_booleans index 111d004..9df7b5e 100644 --- a/policy/global_booleans @@ -218,7 +148,7 @@ index 4705ab6..262b5ba 100644 +gen_tunable(allow_console_login,false) + diff --git a/policy/mcs b/policy/mcs -index 358ce7c..6a0b4e8 100644 +index df8e0fa..ed7a0c1 100644 --- a/policy/mcs +++ b/policy/mcs @@ -69,16 +69,20 @@ gen_levels(1,mcs_num_cats) 
@@ -246,19 +176,6 @@ index 358ce7c..6a0b4e8 100644 # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. -@@ -86,10 +90,10 @@ mlsconstrain file { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); - - # new file labels must be dominated by the relabeling subject clearance --mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } -+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom } - ( h1 dom h2 ); - --mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } -+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); - - mlsconstrain process { transition dyntransition } @@ -101,6 +105,9 @@ mlsconstrain process { ptrace } mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); @@ -567,15 +484,11 @@ index 2c2cdb6..73b3814 100644 + role $2 types brctl_t; +') diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te -index 9de382b..a806715 100644 +index 6b02433..1e28e62 100644 --- a/policy/modules/admin/certwatch.te +++ b/policy/modules/admin/certwatch.te -@@ -31,11 +31,11 @@ auth_var_filetrans_cache(certwatch_t) - - logging_send_syslog_msg(certwatch_t) - --miscfiles_read_generic_certs(certwatch_t) -+miscfiles_read_all_certs(certwatch_t) +@@ -34,8 +34,8 @@ logging_send_syslog_msg(certwatch_t) + miscfiles_read_all_certs(certwatch_t) miscfiles_read_localization(certwatch_t) -userdom_use_user_terminals(certwatch_t) @@ -1195,69 +1108,14 @@ index 0e19d80..a3a38b1 100644 netutils_domtrans_ping(mrtg_t) -diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc -new file mode 100644 -index 0000000..ae4045e ---- /dev/null -+++ b/policy/modules/admin/ncftool.fc -@@ -0,0 +1,2 @@ -+ -+/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0) 
diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if -new file mode 100644 -index 0000000..8c2e044 ---- /dev/null +index 75ee31d..a28ab46 100644 +--- a/policy/modules/admin/ncftool.if +++ b/policy/modules/admin/ncftool.if -@@ -0,0 +1,78 @@ -+ -+## policy for ncftool -+ -+######################################## -+## -+## Execute a domain transition to run ncftool. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ncftool_domtrans',` -+ gen_require(` -+ type ncftool_t, ncftool_exec_t; -+ ') -+ -+ domtrans_pattern($1, ncftool_exec_t, ncftool_t) -+') -+ -+######################################## -+## -+## Execute ncftool in the ncftool domain, and -+## allow the specified role the ncftool domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the ncftool domain. -+## -+## -+# -+interface(`ncftool_run',` -+ gen_require(` -+ type ncftool_t; -+ ') -+ -+ ncftool_domtrans($1) -+ role $2 types ncftool_t; -+ -+ optional_policy(` -+ brctl_run(ncftool_t, $2) -+ ') -+') +@@ -46,3 +46,31 @@ interface(`ncftool_run',` + brctl_run(ncftool_t, $2) + ') + ') + +######################################## +## @@ -1286,100 +1144,48 @@ index 0000000..8c2e044 + ps_process_pattern($2, ncftool_t) + allow $2 ncftool_t:process signal; +') -+ diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te -new file mode 100644 -index 0000000..73ffa81 ---- /dev/null +index ec29391..41b58fd 100644 +--- a/policy/modules/admin/ncftool.te 
+++ b/policy/modules/admin/ncftool.te -@@ -0,0 +1,87 @@ -+policy_module(ncftool, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type ncftool_t; -+type ncftool_exec_t; -+application_domain(ncftool_t, ncftool_exec_t) -+domain_obj_id_change_exemption(ncftool_t) -+domain_system_change_exemption(ncftool_t) -+role system_r types ncftool_t; -+ -+######################################## -+# -+# ncftool local policy -+# -+ -+allow ncftool_t self:capability { net_admin sys_ptrace }; +@@ -18,9 +18,13 @@ role system_r types ncftool_t; + # + + allow ncftool_t self:capability { net_admin sys_ptrace }; + -+allow ncftool_t self:process signal; + allow ncftool_t self:process signal; + -+allow ncftool_t self:fifo_file manage_fifo_file_perms; -+allow ncftool_t self:unix_stream_socket create_stream_socket_perms; + allow ncftool_t self:fifo_file manage_fifo_file_perms; + allow ncftool_t self:unix_stream_socket create_stream_socket_perms; + +allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; -+allow ncftool_t self:tcp_socket create_stream_socket_perms; -+ -+kernel_read_kernel_sysctls(ncftool_t) -+kernel_read_modprobe_sysctls(ncftool_t) -+kernel_read_network_state(ncftool_t) -+kernel_read_system_state(ncftool_t) -+kernel_request_load_module(ncftool_t) -+kernel_rw_net_sysctls(ncftool_t) -+ -+corecmd_exec_bin(ncftool_t) -+corecmd_exec_shell(ncftool_t) -+ -+domain_read_all_domains_state(ncftool_t) -+ -+dev_read_sysfs(ncftool_t) -+ + allow ncftool_t self:tcp_socket create_stream_socket_perms; + allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; + +@@ -38,10 +42,14 @@ domain_read_all_domains_state(ncftool_t) + + dev_read_sysfs(ncftool_t) + +files_manage_system_conf_files(ncftool_t) +files_relabelto_system_conf_files(ncftool_t) -+files_read_etc_files(ncftool_t) -+files_read_etc_runtime_files(ncftool_t) -+files_read_usr_files(ncftool_t) -+ + files_read_etc_files(ncftool_t) + files_read_etc_runtime_files(ncftool_t) + 
files_read_usr_files(ncftool_t) + +term_use_all_inherited_terms(ncftool_t) + -+miscfiles_read_localization(ncftool_t) -+ -+sysnet_delete_dhcpc_pid(ncftool_t) -+sysnet_domtrans_dhcpc(ncftool_t) -+sysnet_domtrans_ifconfig(ncftool_t) -+sysnet_etc_filetrans_config(ncftool_t) -+sysnet_manage_config(ncftool_t) -+sysnet_read_dhcpc_state(ncftool_t) + miscfiles_read_localization(ncftool_t) + + sysnet_delete_dhcpc_pid(ncftool_t) +@@ -50,6 +58,8 @@ sysnet_domtrans_ifconfig(ncftool_t) + sysnet_etc_filetrans_config(ncftool_t) + sysnet_manage_config(ncftool_t) + sysnet_read_dhcpc_state(ncftool_t) +sysnet_relabelfrom_net_conf(ncftool_t) +sysnet_relabelto_net_conf(ncftool_t) -+sysnet_read_dhcpc_pid(ncftool_t) -+sysnet_signal_dhcpc(ncftool_t) -+ -+userdom_read_user_tmp_files(ncftool_t) -+ -+optional_policy(` -+ consoletype_exec(ncftool_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(ncftool_t) -+') -+ -+optional_policy(` -+ iptables_initrc_domtrans(ncftool_t) -+') -+ -+optional_policy(` -+ netutils_domtrans(ncftool_t) -+') -+ -+optional_policy(` -+ modutils_list_module_config(ncftool_t) -+ modutils_read_module_config(ncftool_t) -+ modutils_domtrans_insmod(ncftool_t) -+') + sysnet_read_dhcpc_pid(ncftool_t) + sysnet_signal_dhcpc(ncftool_t) + diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc index 407078f..a818e14 100644 --- a/policy/modules/admin/netutils.fc 
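Review bot: The `@@ -18,9 +18,13 @@` hunk of ncftool.te adds `allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;` two lines above an unchanged context line that already grants exactly that, so the new side of the patch carries the rule twice; drop the added allow and keep only the blank-line spacing. The later hunks grant `files_manage_system_conf_files(ncftool_t)`, `files_relabelto_system_conf_files(ncftool_t)`, `sysnet_relabelfrom_net_conf(ncftool_t)` and `sysnet_relabelto_net_conf(ncftool_t)` with no comment naming the file netcf rewrites; together they let a domain that already holds `net_admin` and `sys_ptrace` move labels between net_conf_t and system_conf_t, so a one-line justification above the grants such as `# netcf rewrites a system_conf_t file (sysctl.conf?) -- TODO name it` is needed, per refpolicy convention for write access to types outside the module. If it is a single known file, a filetrans scoped to that file would be tighter than manage on the whole system_conf_t type. The ncftool_t local policy block continues beyond this hunk.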
@@ -1541,6 +1347,46 @@ index e0791b9..373882d 100644 + term_dontaudit_use_all_ttys(traceroute_t) + term_dontaudit_use_all_ptys(traceroute_t) +') +diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if +index f68b573..59ee69c 100644 +--- a/policy/modules/admin/passenger.if ++++ b/policy/modules/admin/passenger.if +@@ -37,3 +37,25 @@ interface(`passenger_read_lib_files',` + read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) + files_search_var_lib($1) + ') ++ ++##################################### ++## ++## Manage passenger var_run content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`passenger_manage_pid_content',` ++ gen_require(` ++ type passenger_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++') +diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te +index 3470036..30e0f64 100644 +--- a/policy/modules/admin/passenger.te ++++ b/policy/modules/admin/passenger.te +@@ -1,4 +1,4 @@ +-policy_module(passanger, 1.0.0) ++policy_module(passenger, 1.0.0) + + ######################################## + # diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 --- a/policy/modules/admin/portage.fc @@ -1565,7 +1411,7 @@ index db46387..b665b08 100644 /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if -index 8aaa46d..8714d7f 100644 +index 9a2c2a1..adde889 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -183,7 +183,7 @@ interface(`portage_compile_domain',` 
@@ -1578,7 +1424,7 @@ index 8aaa46d..8714d7f 100644 # SELinux-enabled programs running in the sandbox seutil_libselinux_linked($1) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te -index c633aea..d1e56f6 100644 +index 7f1d18e..a68d519 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -43,7 +43,7 @@ type portage_db_t; @@ -1604,7 +1450,7 @@ index c633aea..d1e56f6 100644 optional_policy(` seutil_use_newrole_fds(gcc_config_t) -@@ -254,7 +256,7 @@ miscfiles_read_localization(portage_fetch_t) +@@ -255,7 +257,7 @@ miscfiles_read_localization(portage_fetch_t) sysnet_read_config(portage_fetch_t) sysnet_dns_name_resolve(portage_fetch_t) @@ -2349,116 +2195,45 @@ index c8ef84b..40ceffb 100644 optional_policy(` mount_exec(sectoolm_t) -diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc -index 029cb7e..48d1363 100644 ---- a/policy/modules/admin/shorewall.fc -+++ b/policy/modules/admin/shorewall.fc -@@ -11,4 +11,6 @@ - /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) - /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) - -+/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0) -+ - /var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if -index 0948921..f198119 100644 +index 781ad7e..7ed03a3 100644 --- a/policy/modules/admin/shorewall.if 
+++ b/policy/modules/admin/shorewall.if -@@ -18,6 +18,24 @@ interface(`shorewall_domtrans',` - domtrans_pattern($1, shorewall_exec_t, shorewall_t) - ') - -+###################################### -+## -+## Execute a domain transition to run shorewall. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`shorewall_domtrans_lib',` -+ gen_require(` -+ type shorewall_t, shorewall_var_lib_t; -+ ') -+ -+ domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) -+') -+ - ####################################### - ## - ## Read shorewall etc configuration files. -@@ -117,6 +135,25 @@ interface(`shorewall_rw_lib_files',` +@@ -98,9 +98,9 @@ interface(`shorewall_rw_pid_files',` + ## Read shorewall /var/lib files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`shorewall_read_lib_files',` +@@ -115,12 +115,12 @@ interface(`shorewall_read_lib_files',` ####################################### ## -+## Read shorewall tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`shorewall_read_tmp_files',` -+ gen_require(` -+ type shorewall_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t) -+') -+ -+####################################### -+## - ## All of the rules required to administrate - ## an shorewall environment +-## Read and write shorewall /var/lib files. ++## Read and write shorewall /var/lib files. ## -@@ -134,9 +171,10 @@ interface(`shorewall_rw_lib_files',` + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. 
++## + ## # - interface(`shorewall_admin',` - gen_require(` -- type shorewall_t, shorewall_var_run_t, shorewall_lock_t; -+ type shorewall_t, shorewall_lock_t; -+ type shorewall_log_t; - type shorewall_initrc_exec_t, shorewall_var_lib_t; -- type shorewall_tmp_t; -+ type shorewall_tmp_t, shorewall_etc_t; - ') - - allow $1 shorewall_t:process { ptrace signal_perms }; -@@ -147,18 +185,18 @@ interface(`shorewall_admin',` - role_transition $2 shorewall_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_etc($1) -+ files_list_etc($1) - admin_pattern($1, shorewall_etc_t) - -- files_search_locks($1) -+ files_list_locks($1) - admin_pattern($1, shorewall_lock_t) - -- files_search_pids($1) -- admin_pattern($1, shorewall_var_run_t) -- -- files_search_var_lib($1) -+ files_list_var_lib($1) - admin_pattern($1, shorewall_var_lib_t) - -- files_search_tmp($1) -+ logging_list_logs($1) -+ admin_pattern($1, shorewall_log_t) -+ -+ files_list_tmp($1) - admin_pattern($1, shorewall_tmp_t) - ') + interface(`shorewall_rw_lib_files',` diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te -index c17b6a6..8ddae98 100644 +index 95bce88..d1edd79 100644 --- a/policy/modules/admin/shorewall.te +++ b/policy/modules/admin/shorewall.te -@@ -58,6 +58,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) +@@ -59,6 +59,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) 
@@ -2466,9 +2241,9 @@ index c17b6a6..8ddae98 100644 + +allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; - kernel_read_kernel_sysctls(shorewall_t) - kernel_read_network_state(shorewall_t) -@@ -80,13 +83,20 @@ fs_getattr_all_fs(shorewall_t) + allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; + +@@ -83,13 +86,20 @@ fs_getattr_all_fs(shorewall_t) init_rw_utmp(shorewall_t) @@ -3347,55 +3122,10 @@ index 48cf11b..9787bd4 100644 -/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) +/usr/lib/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) -diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te -index 1f42250..3d36ae2 100644 ---- a/policy/modules/apps/awstats.te -+++ b/policy/modules/apps/awstats.te -@@ -70,6 +70,10 @@ optional_policy(` - nscd_dontaudit_search_pid(awstats_t) - ') - -+optional_policy(` -+ squid_read_log(awstats_t) -+') -+ - ######################################## - # - # awstats cgi script policy -diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te -index 47d81d1..046a9de 100644 ---- a/policy/modules/apps/calamaris.te -+++ b/policy/modules/apps/calamaris.te -@@ -66,8 +66,6 @@ miscfiles_read_localization(calamaris_t) - - userdom_dontaudit_list_user_home_dirs(calamaris_t) - --squid_read_log(calamaris_t) -- - optional_policy(` - apache_search_sys_content(calamaris_t) - ') -@@ -79,3 +77,7 @@ optional_policy(` - optional_policy(` - mta_send_mail(calamaris_t) - ') -+ -+optional_policy(` -+ squid_read_log(calamaris_t) -+') diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te -index 1403835..128f634 100644 +index 46ea44f..f7183ef 100644 --- a/policy/modules/apps/cdrecord.te 
+++ b/policy/modules/apps/cdrecord.te -@@ -27,7 +27,7 @@ ubac_constrained(cdrecord_t) - # - - allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; --allow cdrecord_t self:process { getcap getsched setsched sigkill }; -+allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill }; - allow cdrecord_t self:unix_dgram_socket create_socket_perms; - allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; - @@ -56,7 +56,7 @@ logging_send_syslog_msg(cdrecord_t) miscfiles_read_localization(cdrecord_t) @@ -3668,7 +3398,7 @@ index 0000000..0fbe8cc + sandbox_use_ptys(chrome_sandbox_t) +') diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te -index e51e7f5..8e0405f 100644 +index 37475dd..7db4a01 100644 --- a/policy/modules/apps/cpufreqselector.te +++ b/policy/modules/apps/cpufreqselector.te @@ -17,6 +17,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t) @@ -5941,7 +5671,7 @@ index 4f9dc90..8dc8a5f 100644 + relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ') diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te -index 66beb80..9c45e44 100644 +index 66beb80..702a727 100644 --- a/policy/modules/apps/irc.te +++ b/policy/modules/apps/irc.te @@ -24,6 +24,30 @@ userdom_user_home_content(irc_tmp_t) @@ -5984,7 +5714,7 @@ index 66beb80..9c45e44 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(irc_t) -@@ -101,3 +125,76 @@ tunable_policy(`use_samba_home_dirs',` +@@ -101,3 +125,73 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` nis_use_ypbind(irc_t) ') @@ -5997,7 +5727,6 @@ index 66beb80..9c45e44 100644 +allow irssi_t self:process { signal sigkill }; +allow irssi_t self:fifo_file rw_fifo_file_perms; +allow irssi_t self:tcp_socket create_stream_socket_perms; -+allow irssi_t self:udp_socket create_socket_perms; + +read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t) + 
@@ -6007,28 +5736,26 @@ index 66beb80..9c45e44 100644 +userdom_user_home_dir_filetrans(irssi_t, irssi_home_t, { dir file lnk_file }) +userdom_search_user_home_dirs(irssi_t) + ++kernel_read_system_state(irssi_t) ++ +corecmd_search_bin(irssi_t) +corecmd_read_bin_symlinks(irssi_t) + +corenet_tcp_connect_ircd_port(irssi_t) ++corenet_tcp_sendrecv_ircd_port(irssi_t) +corenet_sendrecv_ircd_client_packets(irssi_t) + +# Privoxy +corenet_tcp_connect_http_cache_port(irssi_t) ++corenet_tcp_sendrecv_http_cache_port(irssi_t) +corenet_sendrecv_http_cache_client_packets(irssi_t) + -+corenet_all_recvfrom_netlabel(irssi_t) -+corenet_all_recvfrom_unlabeled(irssi_t) -+corenet_tcp_sendrecv_generic_if(irssi_t) -+corenet_tcp_sendrecv_generic_node(irssi_t) -+corenet_tcp_sendrecv_generic_port(irssi_t) +corenet_tcp_bind_generic_node(irssi_t) + +dev_read_urand(irssi_t) +# irssi-otr genkey. +dev_read_rand(irssi_t) + -+files_read_etc_files(irssi_t) +files_read_usr_files(irssi_t) + +fs_search_auto_mountpoints(irssi_t) @@ -6259,36 +5986,10 @@ index 0000000..bb02f40 +') + diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te -index f63c4c2..bf59895 100644 +index 2dde73a..12281bb 100644 --- a/policy/modules/apps/kdumpgui.te 
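Review bot: The rebased irssi_t rules in `@@ -101,3 +125,73 @@` drop `files_read_etc_files(irssi_t)`, `corenet_tcp_sendrecv_generic_if(irssi_t)`, `corenet_tcp_sendrecv_generic_node(irssi_t)` and `corenet_all_recvfrom_unlabeled(irssi_t)` with no visible replacement, and the preceding hunk also removed `allow irssi_t self:udp_socket create_socket_perms;`. That is only safe if the Fedora base policy now grants these to every domain, which nothing in this hunk shows; otherwise irssi_t will be denied reading /etc (resolv.conf, nsswitch.conf) and any UDP it opens for name resolution once it runs enforcing. Either restore `files_read_etc_files(irssi_t)` or record the assumption above the block, e.g. `# /etc reads, generic if/node and unlabeled recv are granted to all domains in domain.te -- confirm`. The added `corenet_tcp_sendrecv_ircd_port(irssi_t)` and `corenet_tcp_sendrecv_http_cache_port(irssi_t)` do match the existing connect/client_packets pairs. The irssi_t policy block continues past the end of the hunk.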
+++ b/policy/modules/apps/kdumpgui.te -@@ -14,6 +14,7 @@ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) - # system-config-kdump local policy - # - -+allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; - allow kdumpgui_t self:fifo_file rw_fifo_file_perms; - allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; - -@@ -33,27 +34,38 @@ files_manage_etc_symlinks(kdumpgui_t) - # for blkid.tab - files_manage_etc_runtime_files(kdumpgui_t) - files_etc_filetrans_etc_runtime(kdumpgui_t, file) -+files_read_usr_files(kdumpgui_t) - - storage_raw_read_fixed_disk(kdumpgui_t) - storage_raw_write_fixed_disk(kdumpgui_t) - - auth_use_nsswitch(kdumpgui_t) - --consoletype_exec(kdumpgui_t) -- --kdump_manage_config(kdumpgui_t) --kdump_initrc_domtrans(kdumpgui_t) -- - logging_send_syslog_msg(kdumpgui_t) - - miscfiles_read_localization(kdumpgui_t) +@@ -47,6 +47,12 @@ miscfiles_read_localization(kdumpgui_t) init_dontaudit_read_all_script_files(kdumpgui_t) @@ -6299,23 +6000,10 @@ index f63c4c2..bf59895 100644 +') + optional_policy(` - dev_rw_lvm_control(kdumpgui_t) - ') - - optional_policy(` -+ gnome_dontaudit_search_config(kdumpgui_t) -+') -+ -+optional_policy(` -+ kdump_manage_config(kdumpgui_t) -+ kdump_initrc_domtrans(kdumpgui_t) -+') -+ -+optional_policy(` - policykit_dbus_chat(kdumpgui_t) + consoletype_exec(kdumpgui_t) ') diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if -index 12b772f..1d203dc 100644 +index b2e27ec..1d203dc 100644 --- a/policy/modules/apps/livecd.if +++ b/policy/modules/apps/livecd.if @@ -41,6 +41,8 @@ interface(`livecd_run',` @@ -6352,17 +6040,8 @@ index 12b772f..1d203dc 100644 ## Read livecd temporary files. ## ## -@@ -82,7 +102,7 @@ interface(`livecd_rw_tmp_files',` - ') - - files_search_tmp($1) -- allow $1 livecd_tmp_t:file rw_file_perms; -+ rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t) - ') - - ######################################## 
diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te
-index 49abe8e..47a193c 100644
+index a0be4ef..ae36a3f 100644
--- a/policy/modules/apps/livecd.te
+++ b/policy/modules/apps/livecd.te
@@ -27,7 +27,7 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
@@ -6408,107 +6087,6 @@ index 0bac996..ca2388d 100644
-userdom_use_user_terminals(lockdev_t)
+userdom_use_inherited_user_terminals(lockdev_t)
-diff --git a/policy/modules/apps/mediawiki.fc b/policy/modules/apps/mediawiki.fc
-new file mode 100644
-index 0000000..d56fd69
---- /dev/null
-+++ b/policy/modules/apps/mediawiki.fc
-@@ -0,0 +1,10 @@
-+
-+/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
-+/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
-+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
-+
-+/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
-+
-+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
-+
-+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
-diff --git a/policy/modules/apps/mediawiki.if b/policy/modules/apps/mediawiki.if
-new file mode 100644
-index 0000000..1c1d012
---- /dev/null
-+++ b/policy/modules/apps/mediawiki.if
-@@ -0,0 +1,40 @@
-+## Mediawiki policy
-+
-+#######################################
-+##
-+## Allow the specified domain to read
-+## mediawiki tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mediawiki_read_tmp_files',`
-+ gen_require(`
-+ type httpd_mediawiki_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
-+ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
-+')
-+
-+#######################################
-+##
-+## Delete mediawiki tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mediawiki_delete_tmp_files',`
-+ gen_require(`
-+ type httpd_mediawiki_tmp_t;
-+ ')
-+
-+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
-+')
-diff --git a/policy/modules/apps/mediawiki.te b/policy/modules/apps/mediawiki.te
-new file mode 100644
-index 0000000..d9e51a3
---- /dev/null
-+++ b/policy/modules/apps/mediawiki.te
-@@ -0,0 +1,33 @@
-+
-+policy_module(mediawiki, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+apache_content_template(mediawiki)
-+
-+type httpd_mediawiki_tmp_t;
-+files_tmp_file(httpd_mediawiki_tmp_t)
-+
-+########################################
-+#
-+# mediawiki local policy
-+#
-+
-+manage_dirs_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
-+manage_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
-+manage_lnk_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
-+files_tmp_filetrans(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, { file dir lnk_file })
-+
-+files_search_var_lib(httpd_mediawiki_script_t)
-+
-+userdom_read_user_tmp_files(httpd_mediawiki_script_t)
-+
-+miscfiles_read_tetex_data(httpd_mediawiki_script_t)
-+
-+optional_policy(`
-+ apache_dontaudit_rw_tmp_files(httpd_mediawiki_script_t)
-+')
-+
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index 7b08e13..515a88a 100644
--- a/policy/modules/apps/mono.if
@@ -6573,7 +6151,7 @@ index 93ac529..35b51ab 100644
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..319aac2 100644
+index fbb5c5a..90c34fa 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -6585,8 +6163,8 @@ index 9a6d67d..319aac2 100644 # Allow the user domain to signal/ps. ps_process_pattern($2, mozilla_t) allow $2 mozilla_t:process signal_perms; -@@ -48,8 +50,16 @@ interface(`mozilla_role',` - +@@ -49,8 +51,16 @@ interface(`mozilla_role',` + mozilla_run_plugin(mozilla_t, $1) mozilla_dbus_chat($2) + userdom_manage_tmp_role($1, mozilla_t) @@ -6602,7 +6180,7 @@ index 9a6d67d..319aac2 100644 ') ') -@@ -108,7 +118,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',` +@@ -109,7 +119,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',` type mozilla_home_t; ') 
@@ -6611,185 +6189,105 @@ index 9a6d67d..319aac2 100644 ') ######################################## -@@ -132,6 +142,24 @@ interface(`mozilla_dontaudit_manage_user_home_files',` +@@ -228,6 +238,29 @@ interface(`mozilla_run_plugin',` - ######################################## - ## -+## Execute mozilla home directory content. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mozilla_execute_user_home_files',` -+ gen_require(` -+ type mozilla_home_t; -+ ') -+ -+ can_exec($1, mozilla_home_t) -+') -+ -+######################################## -+## - ## Execmod mozilla home directory content. - ## - ## -@@ -168,6 +196,82 @@ interface(`mozilla_domtrans',` - - ######################################## - ## -+## Execute a domain transition to run mozilla_plugin. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mozilla_domtrans_plugin',` -+ gen_require(` -+ type mozilla_plugin_t, mozilla_plugin_exec_t; -+ class dbus send_msg; -+ ') -+ -+ domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) -+ allow mozilla_plugin_t $1:process signull; -+ -+ ps_process_pattern($1, mozilla_plugin_t) -+ allow $1 mozilla_plugin_t:process { ptrace signal_perms }; -+ -+ allow $1 mozilla_plugin_t:dbus send_msg; -+ allow mozilla_plugin_t $1:dbus send_msg; -+ -+ allow $1 mozilla_plugin_t:fd use; -+') -+ -+ -+######################################## -+## -+## Execute mozilla_plugin in the mozilla_plugin domain, and -+## allow the specified role the mozilla_plugin domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the mozilla_plugin domain. 
-+## -+## -+# -+interface(`mozilla_run_plugin',` -+ gen_require(` -+ type mozilla_plugin_t; -+ ') -+ -+ mozilla_domtrans_plugin($1) -+ role $2 types mozilla_plugin_t; + mozilla_domtrans_plugin($1) + role $2 types mozilla_plugin_t; + + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; + + allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; +') + -+######################################## ++####################################### +## -+## Execute qemu unconfined programs in the role. ++## Execute qemu unconfined programs in the role. +## +## -+## -+## The role to allow the mozilla_plugin domain. -+## ++## ++## The role to allow the mozilla_plugin domain. ++## +## ++## +# +interface(`mozilla_role_plugin',` -+ gen_require(` -+ type mozilla_plugin_t; -+ ') -+ -+ role $1 types mozilla_plugin_t; -+') ++ gen_require(` ++ type mozilla_plugin_t; ++ ') + -+######################################## -+## - ## Send and receive messages from - ## mozilla over dbus. - ## -@@ -204,3 +308,57 @@ interface(`mozilla_rw_tcp_sockets',` ++ role $1 types mozilla_plugin_t; + ') + ######################################## +@@ -269,9 +302,27 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') -+ -+######################################## -+## -+## Delete mozilla_plugin tmpfs files -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`mozilla_plugin_delete_tmpfs_files',` -+ gen_require(` -+ type mozilla_plugin_tmpfs_t; -+ ') -+ -+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; -+') -+ -+######################################## + ++####################################### +## -+## Read mozilla_plugin tmpfs files ++## Read mozilla_plugin tmpfs files +## +## -+## -+## Domain allowed access -+## ++## ++## Domain allowed access ++## +## +# +interface(`mozilla_plugin_read_tmpfs_files',` -+ gen_require(` -+ type mozilla_plugin_tmpfs_t; -+ ') ++ gen_require(` ++ type mozilla_plugin_tmpfs_t; ++ ') + -+ allow 
$1 mozilla_plugin_tmpfs_t:file read_file_perms; ++ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; +') + -+######################################## -+## + ######################################## + ## +-## Read mozilla_plugin tmpfs files ++## Delete mozilla_plugin tmpfs files + ## + ## + ## +@@ -279,28 +330,28 @@ interface(`mozilla_rw_tcp_sockets',` + ## + ## + # +-interface(`mozilla_plugin_read_tmpfs_files',` ++interface(`mozilla_plugin_delete_tmpfs_files',` + gen_require(` + type mozilla_plugin_tmpfs_t; + ') + +- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; ++ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; + ') + + ######################################## + ## +-## Delete mozilla_plugin tmpfs files +## Dontaudit read/write to a mozilla_plugin leaks -+## -+## -+## + ## + ## + ## +-## Domain allowed access +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`mozilla_plugin_delete_tmpfs_files',` +interface(`mozilla_plugin_dontaudit_leaks',` -+ gen_require(` + gen_require(` +- type mozilla_plugin_tmpfs_t; + type mozilla_plugin_t; -+ ') -+ + ') + +- allow $1 mozilla_plugin_tmpfs_t:file unlink; + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; -+') + ') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..50e279c 100644 +index 2e9318b..456b38e 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te -@@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) - - ## - ##

--## Control mozilla content access -+## allow confined web browsers to read home directory content - ##

- ##
- gen_tunable(mozilla_read_content, false) @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; 
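Review bot: The new `mozilla_role_plugin` interface added to mozilla.if in this hunk carries a copy-pasted summary, `## Execute qemu unconfined programs in the role.`, which describes a different module; it should read `## Allow the specified role the mozilla_plugin domain.` to match what `role $1 types mozilla_plugin_t;` does. In the same hunk `mozilla_run_plugin` gains `allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };` and the reverse `rw_socket_perms` with no comment on which IPC needs them, and they are granted to every caller of the interface rather than only to the browser domain; a line such as `# browser <-> plugin-container IPC socket -- confirm` above the pair, plus a check that callers other than mozilla_t are intended, would make the grant reviewable. The renamed `mozilla_plugin_dontaudit_leaks` now dontaudits `{ read write }` on inherited plugin sockets, which is consistent with its new summary. The mozilla.te hunk at the end of this range is garbled in this rendering and is not reviewed here.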
@@ -6797,47 +6295,29 @@ index 2a91fa8..50e279c 100644 +files_poly_member(mozilla_home_t) userdom_user_home_content(mozilla_home_t) - type mozilla_tmpfs_t; -@@ -33,6 +34,17 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_ - files_tmpfs_file(mozilla_tmpfs_t) - ubac_constrained(mozilla_tmpfs_t) + type mozilla_plugin_t; +@@ -33,10 +34,12 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) + role system_r types mozilla_plugin_t; -+type mozilla_plugin_t; -+type mozilla_plugin_exec_t; -+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) -+role system_r types mozilla_plugin_t; -+ -+type mozilla_plugin_tmp_t; + type mozilla_plugin_tmp_t; +userdom_user_tmp_content(mozilla_plugin_tmp_t) -+ -+type mozilla_plugin_tmpfs_t; + files_tmp_file(mozilla_plugin_tmp_t) + ubac_constrained(mozilla_plugin_tmp_t) + + type mozilla_plugin_tmpfs_t; +userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t) -+ - ######################################## - # - # Local policy -@@ -89,16 +101,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t) - corenet_raw_sendrecv_generic_node(mozilla_t) + files_tmpfs_file(mozilla_plugin_tmpfs_t) + ubac_constrained(mozilla_plugin_tmpfs_t) + +@@ -111,6 +114,7 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) -+corenet_tcp_sendrecv_squid_port(mozilla_t) + corenet_tcp_sendrecv_squid_port(mozilla_t) +corenet_tcp_connect_flash_port(mozilla_t) corenet_tcp_sendrecv_ftp_port(mozilla_t) corenet_tcp_sendrecv_ipp_port(mozilla_t) corenet_tcp_connect_http_port(mozilla_t) - corenet_tcp_connect_http_cache_port(mozilla_t) -+corenet_tcp_connect_squid_port(mozilla_t) - corenet_tcp_connect_ftp_port(mozilla_t) - corenet_tcp_connect_ipp_port(mozilla_t) - corenet_tcp_connect_generic_port(mozilla_t) - corenet_tcp_connect_soundd_port(mozilla_t) - corenet_sendrecv_http_client_packets(mozilla_t) - corenet_sendrecv_http_cache_client_packets(mozilla_t) 
-+corenet_sendrecv_squid_client_packets(mozilla_t) - corenet_sendrecv_ftp_client_packets(mozilla_t) - corenet_sendrecv_ipp_client_packets(mozilla_t) - corenet_sendrecv_generic_client_packets(mozilla_t) -@@ -141,7 +157,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) +@@ -165,7 +169,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) # Browse the web, connect to printer sysnet_dns_name_resolve(mozilla_t) @@ -6846,7 +6326,7 @@ index 2a91fa8..50e279c 100644 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -@@ -238,6 +254,7 @@ optional_policy(` +@@ -262,6 +266,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) @@ -6854,7 +6334,7 @@ index 2a91fa8..50e279c 100644 ') optional_policy(` -@@ -258,6 +275,11 @@ optional_policy(` +@@ -282,6 +287,11 @@ optional_policy(` ') optional_policy(` 
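Review bot: The `userdom_user_tmp_content(mozilla_plugin_tmp_t)` and `userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)` lines inserted in the new `@@ -33,10 +34,12 @@` mozilla.te hunk sit directly above context lines that still call `files_tmp_file`/`files_tmpfs_file` and `ubac_constrained` on the same two types. If the userdom_*_content interfaces in this tree already apply those two declarations (refpolicy's userdomain.if does), the explicit calls become redundant and the insertion should replace them rather than be added alongside; worth confirming against the tree's userdomain.if. The mozilla.te declarations section continues outside this hunk.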
@@ -6866,171 +6346,102 @@ index 2a91fa8..50e279c 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +288,214 @@ optional_policy(` - optional_policy(` - thunderbird_domtrans(mozilla_t) - ') -+ -+######################################## -+# -+# mozilla_plugin local policy -+# -+ -+dontaudit mozilla_plugin_t self:capability { sys_ptrace }; +@@ -297,15 +307,18 @@ optional_policy(` + # + + dontaudit mozilla_plugin_t self:capability { sys_ptrace }; + -+allow mozilla_plugin_t self:process { setsched signal_perms execmem }; + allow mozilla_plugin_t self:process { setsched signal_perms execmem }; +-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; +-allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; -+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; -+allow mozilla_plugin_t self:udp_socket create_socket_perms; -+allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; + allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; + allow mozilla_plugin_t self:udp_socket create_socket_perms; +-allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; + allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; + -+allow mozilla_plugin_t self:sem create_sem_perms; -+allow mozilla_plugin_t self:shm create_shm_perms; + allow mozilla_plugin_t self:sem create_sem_perms; + allow mozilla_plugin_t self:shm create_shm_perms; +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; +allow mozilla_plugin_t self:unix_dgram_socket sendto; +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+ -+can_exec(mozilla_plugin_t, mozilla_home_t) -+read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) -+ -+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, 
mozilla_plugin_tmp_t) -+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) + + can_exec(mozilla_plugin_t, mozilla_home_t) + read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +@@ -313,8 +326,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) + manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) + manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) + manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +-files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) +-userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) +manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) +userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) -+ -+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) -+ -+can_exec(mozilla_plugin_t, mozilla_exec_t) -+ -+kernel_read_kernel_sysctls(mozilla_plugin_t) -+kernel_read_system_state(mozilla_plugin_t) -+kernel_read_network_state(mozilla_plugin_t) -+kernel_request_load_module(mozilla_plugin_t) -+ -+corecmd_exec_bin(mozilla_plugin_t) -+corecmd_exec_shell(mozilla_plugin_t) -+ 
-+corenet_tcp_connect_generic_port(mozilla_plugin_t) + + manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) + manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) +@@ -332,11 +347,9 @@ kernel_request_load_module(mozilla_plugin_t) + corecmd_exec_bin(mozilla_plugin_t) + corecmd_exec_shell(mozilla_plugin_t) + +-corenet_all_recvfrom_netlabel(mozilla_plugin_t) +-corenet_all_recvfrom_unlabeled(mozilla_plugin_t) +-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t) +-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t) + corenet_tcp_connect_generic_port(mozilla_plugin_t) +corenet_tcp_connect_flash_port(mozilla_plugin_t) +corenet_tcp_connect_streaming_port(mozilla_plugin_t) -+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) -+corenet_tcp_connect_http_port(mozilla_plugin_t) -+corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -+corenet_tcp_connect_squid_port(mozilla_plugin_t) -+corenet_tcp_connect_ipp_port(mozilla_plugin_t) -+corenet_tcp_connect_mmcc_port(mozilla_plugin_t) -+corenet_tcp_connect_speech_port(mozilla_plugin_t) + corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) + corenet_tcp_connect_http_port(mozilla_plugin_t) + corenet_tcp_connect_http_cache_port(mozilla_plugin_t) +@@ -344,6 +357,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) + corenet_tcp_connect_ipp_port(mozilla_plugin_t) + corenet_tcp_connect_mmcc_port(mozilla_plugin_t) + corenet_tcp_connect_speech_port(mozilla_plugin_t) +corenet_tcp_connect_streaming_port(mozilla_plugin_t) +corenet_tcp_bind_generic_node(mozilla_plugin_t) +corenet_udp_bind_generic_node(mozilla_plugin_t) -+ -+dev_read_rand(mozilla_plugin_t) -+dev_read_urand(mozilla_plugin_t) -+dev_read_video_dev(mozilla_plugin_t) -+dev_write_video_dev(mozilla_plugin_t) -+dev_read_sysfs(mozilla_plugin_t) -+dev_read_sound(mozilla_plugin_t) -+dev_write_sound(mozilla_plugin_t) -+# for nvidia driver -+dev_rw_xserver_misc(mozilla_plugin_t) 
-+dev_dontaudit_rw_dri(mozilla_plugin_t) -+ -+domain_use_interactive_fds(mozilla_plugin_t) -+domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -+ -+files_read_config_files(mozilla_plugin_t) -+files_read_usr_files(mozilla_plugin_t) -+files_list_mnt(mozilla_plugin_t) -+ -+fs_getattr_all_fs(mozilla_plugin_t) -+fs_list_dos_dirs(mozilla_plugin_t) -+fs_read_dos_files(mozilla_plugin_t) -+ -+application_dontaudit_signull(mozilla_plugin_t) -+ -+auth_use_nsswitch(mozilla_plugin_t) -+ -+logging_send_syslog_msg(mozilla_plugin_t) -+ -+miscfiles_read_localization(mozilla_plugin_t) -+miscfiles_read_fonts(mozilla_plugin_t) -+miscfiles_read_generic_certs(mozilla_plugin_t) -+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) -+miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) -+ -+sysnet_dns_name_resolve(mozilla_plugin_t) -+ -+term_getattr_all_ttys(mozilla_plugin_t) -+term_getattr_all_ptys(mozilla_plugin_t) -+ -+userdom_rw_user_tmpfs_files(mozilla_plugin_t) + + dev_read_rand(mozilla_plugin_t) + dev_read_urand(mozilla_plugin_t) +@@ -385,13 +401,19 @@ term_getattr_all_ttys(mozilla_plugin_t) + term_getattr_all_ptys(mozilla_plugin_t) + + userdom_rw_user_tmpfs_files(mozilla_plugin_t) +userdom_delete_user_tmpfs_files(mozilla_plugin_t) + userdom_dontaudit_use_user_terminals(mozilla_plugin_t) + userdom_manage_user_tmp_sockets(mozilla_plugin_t) + userdom_manage_user_tmp_dirs(mozilla_plugin_t) + userdom_read_user_tmp_files(mozilla_plugin_t) + userdom_read_user_tmp_symlinks(mozilla_plugin_t) +userdom_stream_connect(mozilla_plugin_t) -+userdom_dontaudit_use_user_ptys(mozilla_plugin_t) -+userdom_dontaudit_use_user_terminals(mozilla_plugin_t) -+userdom_manage_user_tmp_sockets(mozilla_plugin_t) +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t) + -+userdom_list_user_tmp(mozilla_plugin_t) -+userdom_manage_user_tmp_dirs(mozilla_plugin_t) -+userdom_read_user_tmp_files(mozilla_plugin_t) -+userdom_read_user_tmp_symlinks(mozilla_plugin_t) 
-+userdom_read_user_home_content_files(mozilla_plugin_t) -+userdom_read_user_home_content_files(mozilla_plugin_t) -+userdom_read_user_home_content_symlinks(mozilla_plugin_t) + userdom_read_user_home_content_files(mozilla_plugin_t) + userdom_read_user_home_content_symlinks(mozilla_plugin_t) +userdom_read_home_certs(mozilla_plugin_t) +userdom_dontaudit_write_home_certs(mozilla_plugin_t) -+ -+tunable_policy(`allow_execmem',` -+ allow mozilla_plugin_t self:process { execmem execstack }; -+') -+ -+tunable_policy(`allow_execstack',` -+ allow mozilla_plugin_t self:process { execstack }; -+') -+ -+optional_policy(` -+ alsa_read_rw_config(mozilla_plugin_t) -+ alsa_read_home_files(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ consolekit_dbus_chat(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ dbus_connect_session_bus(mozilla_plugin_t) -+ dbus_system_bus_client(mozilla_plugin_t) -+ dbus_session_bus_client(mozilla_plugin_t) -+ dbus_read_lib_files(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ git_dontaudit_read_session_content_files(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ gnome_manage_config(mozilla_plugin_t) -+ gnome_setattr_home_config(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ java_exec(mozilla_plugin_t) + + tunable_policy(`allow_execmem',` + allow mozilla_plugin_t self:process { execmem execstack }; +@@ -425,6 +447,11 @@ optional_policy(` + ') + + optional_policy(` ++ git_dontaudit_read_session_content_files(mozilla_plugin_t) +') + -+optional_policy(` -+ mplayer_exec(mozilla_plugin_t) -+ mplayer_read_user_home_files(mozilla_plugin_t) -+') + +optional_policy(` + gnome_manage_config(mozilla_plugin_t) + ') + +@@ -438,7 +465,14 @@ optional_policy(` + ') + + optional_policy(` +- pcscd_stream_connect(mozilla_plugin_t) + nsplugin_domtrans(mozilla_plugin_t) + nsplugin_rw_exec(mozilla_plugin_t) + nsplugin_manage_home_dirs(mozilla_plugin_t) 
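Review bot: `can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)`, added at the end of the `@@ -313,8 +326,10 @@` mozilla.te hunk, grants execute on a type the same domain already gets `manage_files_pattern` over a few lines earlier and that `files_tmp_filetrans` assigns to what it writes under /tmp, so any file the plugin (or anything else able to write mozilla_plugin_tmp_t) drops there can be run inside the confined domain. That reintroduces write-plus-execute on the domain's own scratch files, which the rest of the domain's rules keep apart; it should be dropped or placed under its own tunable_policy block so it is off by default. Separately, `corenet_tcp_connect_streaming_port(mozilla_plugin_t)` is added twice on the new side, once after the flash_port line in `@@ -332,11 +347,9 @@` and again in `@@ -344,6 +357,9 @@`, and one copy should go. The mozilla_plugin local-policy section continues past the end of this hunk.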
@@ -7039,13 +6450,13 @@ index 2a91fa8..50e279c 100644 + nsplugin_user_home_filetrans(mozilla_plugin_t, file) + nsplugin_read_rw_files(mozilla_plugin_t); + nsplugin_signal(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ pulseaudio_exec(mozilla_plugin_t) -+ pulseaudio_stream_connect(mozilla_plugin_t) -+ pulseaudio_setattr_home_dir(mozilla_plugin_t) -+ pulseaudio_manage_home_files(mozilla_plugin_t) + ') + + optional_policy(` +@@ -446,10 +480,27 @@ optional_policy(` + pulseaudio_stream_connect(mozilla_plugin_t) + pulseaudio_setattr_home_dir(mozilla_plugin_t) + pulseaudio_manage_home_files(mozilla_plugin_t) + pulseaudio_manage_home_symlinks(mozilla_plugin_t) +') + @@ -7059,28 +6470,17 @@ index 2a91fa8..50e279c 100644 + +optional_policy(` + udev_read_db(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ xserver_read_xdm_pid(mozilla_plugin_t) -+ xserver_stream_connect(mozilla_plugin_t) -+ xserver_use_user_fonts(mozilla_plugin_t) + ') + + optional_policy(` + xserver_read_xdm_pid(mozilla_plugin_t) + xserver_stream_connect(mozilla_plugin_t) + xserver_use_user_fonts(mozilla_plugin_t) + xserver_read_user_iceauth(mozilla_plugin_t) + xserver_read_user_xauth(mozilla_plugin_t) + xserver_append_xdm_home_files(mozilla_plugin_t); -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(mozilla_plugin_t) -+ fs_manage_nfs_files(mozilla_plugin_t) -+ fs_manage_nfs_symlinks(mozilla_plugin_t) -+') + ') + -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(mozilla_plugin_t) -+ fs_manage_cifs_files(mozilla_plugin_t) -+ fs_manage_cifs_symlinks(mozilla_plugin_t) -+') diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if index d8ea41d..8bdc526 100644 --- a/policy/modules/apps/mplayer.if @@ -7126,7 +6526,7 @@ index d8ea41d..8bdc526 100644 + domtrans_pattern($1, mplayer_exec_t, $2) +') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te -index 931304b..92752c4 100644 +index 072a210..7986b0b 100644 
--- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t) @@ -7154,7 +6554,7 @@ index 931304b..92752c4 100644 manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -@@ -222,10 +224,12 @@ fs_dontaudit_getattr_all_fs(mplayer_t) +@@ -225,10 +227,12 @@ fs_dontaudit_getattr_all_fs(mplayer_t) fs_search_auto_mountpoints(mplayer_t) fs_list_inotifyfs(mplayer_t) @@ -7168,7 +6568,7 @@ index 931304b..92752c4 100644 # Read media files userdom_list_user_tmp(mplayer_t) userdom_read_user_tmp_files(mplayer_t) -@@ -302,6 +306,10 @@ optional_policy(` +@@ -305,6 +309,10 @@ optional_policy(` ') optional_policy(` @@ -7791,7 +7191,7 @@ index 0000000..37449c0 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..683b225 +index 0000000..20be1c0 --- /dev/null +++ b/policy/modules/apps/nsplugin.te @@ -0,0 +1,336 @@ @@ -7991,7 +7391,7 @@ index 0000000..683b225 +') + +optional_policy(` -+ mozilla_execute_user_home_files(nsplugin_t) ++ mozilla_exec_user_home_files(nsplugin_t) + mozilla_read_user_home_files(nsplugin_t) + mozilla_write_user_home_files(nsplugin_t) + mozilla_plugin_delete_tmpfs_files(nsplugin_t) 
@@ -8297,27 +7697,6 @@ index 0000000..a842371 +# Unconfined java local policy +# + -diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te -index a2f6124..9d62060 100644 ---- a/policy/modules/apps/podsleuth.te -+++ b/policy/modules/apps/podsleuth.te -@@ -27,7 +27,7 @@ ubac_constrained(podsleuth_tmpfs_t) - # podsleuth local policy - # - allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; --allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack }; -+allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; - allow podsleuth_t self:fifo_file rw_file_perms; - allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; - allow podsleuth_t self:sem create_sem_perms; -@@ -73,6 +73,7 @@ miscfiles_read_localization(podsleuth_t) - sysnet_dns_name_resolve(podsleuth_t) - - userdom_signal_unpriv_users(podsleuth_t) -+userdom_signull_unpriv_users(podsleuth_t) - userdom_read_user_tmpfs_files(podsleuth_t) - - optional_policy(` diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc index 84f23dc..af5b87d 100644 --- a/policy/modules/apps/pulseaudio.fc @@ -8334,18 +7713,9 @@ index 84f23dc..af5b87d 100644 /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if -index 2ba7787..9a5e99c 100644 +index f40c64d..9a5e99c 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if -@@ -17,7 +17,7 @@ - # - interface(`pulseaudio_role',` - gen_require(` -- type pulseaudio_t, pulseaudio_exec_t, print_spool_t; -+ type pulseaudio_t, pulseaudio_exec_t; - class dbus { acquire_svc send_msg }; - ') - @@ -35,6 +35,10 @@ interface(`pulseaudio_role',` allow pulseaudio_t $2:unix_stream_socket connectto; allow $2 pulseaudio_t:unix_stream_socket connectto; 
@@ -8357,23 +7727,7 @@ index 2ba7787..9a5e99c 100644 allow $2 pulseaudio_t:dbus send_msg; allow pulseaudio_t $2:dbus { acquire_svc send_msg }; ') -@@ -215,6 +219,7 @@ interface(`pulseaudio_read_home_files',` - - userdom_search_user_home_dirs($1) - read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) -+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - ') - - ######################################## -@@ -233,6 +238,7 @@ interface(`pulseaudio_rw_home_files',` - ') - - rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) -+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - userdom_search_user_home_dirs($1) - ') - -@@ -256,3 +262,63 @@ interface(`pulseaudio_manage_home_files',` +@@ -258,3 +262,63 @@ interface(`pulseaudio_manage_home_files',` manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ') @@ -8438,7 +7792,7 @@ index 2ba7787..9a5e99c 100644 + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") +') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te -index c2d20a2..8610868 100644 +index d1eace5..8522ab4 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -8517,7 +7871,7 @@ index c2d20a2..8610868 100644 + virt_manage_tmpfs_files(pulseaudio_t) +') diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if -index c1d5f50..6c7a005 100644 +index 268d691..6c7a005 100644 --- a/policy/modules/apps/qemu.if +++ b/policy/modules/apps/qemu.if @@ -76,7 +76,7 @@ template(`qemu_domain_template',` 
@@ -8604,28 +7958,7 @@ index c1d5f50..6c7a005 100644 ') ######################################## -@@ -169,6 +148,7 @@ interface(`qemu_domtrans',` - ## The role to allow the qemu domain. - ## - ## -+## - # - interface(`qemu_run',` - gen_require(` -@@ -177,10 +157,8 @@ interface(`qemu_run',` - - qemu_domtrans($1) - role $2 types qemu_t; -- -- optional_policy(` -- samba_run_smb(qemu_t, $2, $3) -- ') -+ allow qemu_t $1:process signull; -+ allow $1 qemu_t:process signull; - ') - - ######################################## -@@ -275,6 +253,67 @@ interface(`qemu_domtrans_unconfined',` +@@ -274,6 +253,67 @@ interface(`qemu_domtrans_unconfined',` ######################################## ## @@ -8693,7 +8026,7 @@ index c1d5f50..6c7a005 100644 ## Manage qemu temporary dirs. ## ## -@@ -308,3 +347,22 @@ interface(`qemu_manage_tmp_files',` +@@ -307,3 +347,22 @@ interface(`qemu_manage_tmp_files',` manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') @@ -8717,19 +8050,10 @@ index c1d5f50..6c7a005 100644 + domain_entry_file($1, qemu_exec_t) +') diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te -index 5ef2f7d..13057b7 100644 +index 1813e16..c667ed2 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te -@@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true) - - ## - ##

--## Allow qemu to user serial/parallel communication ports -+## Allow qemu to use serial/parallel communication ports - ##

- ##
- gen_tunable(qemu_use_comm, false) -@@ -55,14 +55,15 @@ storage_raw_read_removable_device(qemu_t) +@@ -55,6 +55,7 @@ storage_raw_read_removable_device(qemu_t) userdom_search_user_home_content(qemu_t) userdom_read_user_tmpfs_files(qemu_t) @@ -8737,23 +8061,7 @@ index 5ef2f7d..13057b7 100644 tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; - -- corenet_udp_sendrecv_all_if(qemu_t) -- corenet_udp_sendrecv_all_nodes(qemu_t) -+ corenet_udp_sendrecv_generic_if(qemu_t) -+ corenet_udp_sendrecv_generic_node(qemu_t) - corenet_udp_sendrecv_all_ports(qemu_t) -- corenet_udp_bind_all_nodes(qemu_t) -+ corenet_udp_bind_generic_node(qemu_t) - corenet_udp_bind_all_ports(qemu_t) - corenet_tcp_bind_all_ports(qemu_t) - corenet_tcp_connect_all_ports(qemu_t) -@@ -90,10 +91,22 @@ tunable_policy(`qemu_use_usb',` - ') - - optional_policy(` -- samba_domtrans_smbd(qemu_t) -+ dbus_read_lib_files(qemu_t) +@@ -99,6 +100,18 @@ optional_policy(` ') optional_policy(` @@ -8772,19 +8080,7 @@ index 5ef2f7d..13057b7 100644 virt_manage_images(qemu_t) virt_append_log(qemu_t) ') -@@ -102,6 +115,11 @@ optional_policy(` - xen_rw_image_files(qemu_t) - ') - -+optional_policy(` -+ xserver_read_xdm_pid(qemu_t) -+ xserver_stream_connect(qemu_t) -+') -+ - ######################################## - # - # Unconfined qemu local policy -@@ -112,6 +130,8 @@ optional_policy(` +@@ -122,6 +135,8 @@ optional_policy(` typealias unconfined_qemu_t alias qemu_unconfined_t; application_type(unconfined_qemu_t) unconfined_domain(unconfined_qemu_t) 
@@ -8801,157 +8097,18 @@ index 4c091ca..a58f123 100644 /usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0) + +/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0) -diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if -index 7cdac1e..8b920c8 100644 ---- a/policy/modules/apps/rssh.if -+++ b/policy/modules/apps/rssh.if -@@ -2,6 +2,25 @@ - - ######################################## - ## -+## Execute the rssh program -+## in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rssh_exec',` -+ gen_require(` -+ type rssh_exec_t; -+ ') -+ -+ can_exec($1, rssh_exec_t) -+') -+ -+######################################## -+## - ## Role access for rssh - ## - ## -@@ -64,3 +83,21 @@ interface(`rssh_read_ro_content',` - read_files_pattern($1, rssh_ro_t, rssh_ro_t) - read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t) - ') -+ -+######################################## -+## -+## Execute a domain transition to run rssh_chroot_helper. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`rssh_domtrans_chroot_helper',` -+ gen_require(` -+ type rssh_chroot_helper_t, rssh_chroot_helper_exec_t; -+ ') -+ -+ domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t) -+') -diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te -index c605046..97b3df2 100644 ---- a/policy/modules/apps/rssh.te -+++ b/policy/modules/apps/rssh.te -@@ -31,6 +31,10 @@ typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t }; - typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t }; - userdom_user_home_content(rssh_rw_t) - -+type rssh_chroot_helper_t; -+type rssh_chroot_helper_exec_t; -+init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t) -+ - ############################## - # - # Local policy -@@ -78,3 +82,25 @@ ssh_rw_stream_sockets(rssh_t) - optional_policy(` - nis_use_ypbind(rssh_t) - ') -+ -+######################################## -+# -+# rssh_chroot_helper local policy -+# -+rssh_domtrans_chroot_helper(rssh_t) -+ -+allow rssh_chroot_helper_t self:capability { sys_chroot setuid }; -+ -+allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms; -+allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms; -+ -+domain_use_interactive_fds(rssh_chroot_helper_t) -+ -+files_read_etc_files(rssh_chroot_helper_t) -+ -+auth_use_nsswitch(rssh_chroot_helper_t) -+ -+logging_send_syslog_msg(rssh_chroot_helper_t) -+ -+miscfiles_read_localization(rssh_chroot_helper_t) -+ diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te -index 9ec1478..e3734df 100644 +index f594e12..340c389 100644 --- a/policy/modules/apps/sambagui.te 
+++ b/policy/modules/apps/sambagui.te -@@ -27,9 +27,10 @@ corecmd_exec_bin(sambagui_t) +@@ -27,6 +27,7 @@ corecmd_exec_bin(sambagui_t) dev_dontaudit_read_urand(sambagui_t) +files_read_usr_files(sambagui_t) files_read_etc_files(sambagui_t) files_search_var_lib(sambagui_t) --files_search_usr(sambagui_t) -+files_read_usr_files(sambagui_t) - - auth_use_nsswitch(sambagui_t) - -@@ -37,21 +38,32 @@ logging_send_syslog_msg(sambagui_t) - - miscfiles_read_localization(sambagui_t) - --nscd_dontaudit_search_pid(sambagui_t) - --# handling with samba conf files --samba_append_log(sambagui_t) --samba_manage_config(sambagui_t) --samba_manage_var_files(sambagui_t) --samba_read_secrets(sambagui_t) --samba_initrc_domtrans(sambagui_t) --samba_domtrans_smbd(sambagui_t) --samba_domtrans_nmbd(sambagui_t) -+userdom_dontaudit_search_admin_dir(sambagui_t) - - optional_policy(` - consoletype_exec(sambagui_t) - ') - - optional_policy(` -+ nscd_dontaudit_search_pid(sambagui_t) -+') -+ -+optional_policy(` -+ gnome_dontaudit_search_config(sambagui_t) -+') -+ -+optional_policy(` - policykit_dbus_chat(sambagui_t) - ') -+ -+optional_policy(` -+ # handling with samba conf files -+ samba_append_log(sambagui_t) -+ samba_manage_config(sambagui_t) -+ samba_manage_var_files(sambagui_t) -+ samba_read_secrets(sambagui_t) -+ samba_initrc_domtrans(sambagui_t) -+ samba_domtrans_smbd(sambagui_t) -+ samba_domtrans_nmbd(sambagui_t) -+') + files_read_usr_files(sambagui_t) diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc new file mode 100644 index 0000000..6caef63 @@ -9827,12 +8984,12 @@ index 0000000..d6d2f78 + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc -index 1f2cde4..7227631 100644 +index c8254dd..4112daa 100644 --- a/policy/modules/apps/screen.fc 
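Review bot: The rebased sambagui.te hunk (`@@ -27,6 +27,7 @@`) on the new side inserts `files_read_usr_files(sambagui_t)` while the same call now appears as a context line three lines below it (right after `files_search_var_lib(sambagui_t)`), so the addition looks like a leftover of the old `files_search_usr` → `files_read_usr_files` replacement that upstream has since applied. The added line is redundant and the whole sambagui.te hunk can be dropped from the patch, as this change already does for the rssh.if/rssh.te hunks. The rendering here has lost some marker columns, so confirm against the raw patch before removing it.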
+++ b/policy/modules/apps/screen.fc -@@ -2,6 +2,9 @@ - # /home +@@ -3,6 +3,9 @@ # + HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) +HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) + @@ -9841,45 +8998,18 @@ index 1f2cde4..7227631 100644 # # /usr diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if -index 320df26..bd8db22 100644 +index a57e81e..bd8db22 100644 --- a/policy/modules/apps/screen.if 
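Review bot: The rebased screen.fc hunk (`@@ -3,6 +3,9 @@`) on the new side still adds `HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)` although an identical entry now appears as a context line just above `HOME_DIR/\.screenrc`, so applying the patch would produce a duplicate file-context specification. Two specs with the same label are not a labeling error, but libselinux's file-context loader warns about "multiple same specifications" and the duplicate hides any future divergence between the two; only the `/root/\.screen(/.*)?` addition still appears to be needed here. As with the other rebased hunks, marker columns are partly lost in this rendering, so verify against the raw patch.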
+++ b/policy/modules/apps/screen.if -@@ -50,7 +50,7 @@ template(`screen_role_template',` - allow $1_screen_t self:udp_socket create_socket_perms; - # Internal screen networking - allow $1_screen_t self:fd use; -- allow $1_screen_t self:unix_stream_socket create_socket_perms; -+ allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto }; - allow $1_screen_t self:unix_dgram_socket create_socket_perms; - - manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) -@@ -61,9 +61,14 @@ template(`screen_role_template',` - # Create fifo - manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) - manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) -+ manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) - files_pid_filetrans($1_screen_t, screen_var_run_t, dir) - - allow $1_screen_t screen_home_t:dir list_dir_perms; -+ manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t) -+ manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t) -+ userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) +@@ -68,6 +68,7 @@ template(`screen_role_template',` + manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t) + manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t) + userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) + userdom_admin_home_dir_filetrans($1_screen_t, screen_home_t, dir) read_files_pattern($1_screen_t, screen_home_t, screen_home_t) read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) -@@ -71,8 +76,10 @@ template(`screen_role_template',` - - domtrans_pattern($3, screen_exec_t, $1_screen_t) - allow $3 $1_screen_t:process { signal sigchld }; -+ dontaudit $3 $1_screen_t:unix_stream_socket { read write }; - allow $1_screen_t $3:process signal; - -+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t) - manage_dirs_pattern($3, screen_home_t, screen_home_t) - manage_files_pattern($3, screen_home_t, screen_home_t) - 
manage_lnk_files_pattern($3, screen_home_t, screen_home_t) -@@ -81,8 +88,6 @@ template(`screen_role_template',` +@@ -87,8 +88,6 @@ template(`screen_role_template',` relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) @@ -9888,7 +9018,7 @@ index 320df26..bd8db22 100644 manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) kernel_read_system_state($1_screen_t) -@@ -112,6 +117,7 @@ template(`screen_role_template',` +@@ -118,6 +117,7 @@ template(`screen_role_template',` # for SSP dev_read_urand($1_screen_t) 
@@ -10038,269 +9168,62 @@ index 7590165..9a7ebe5 100644 +tunable_policy(`use_fusefs_home_dirs',` + fs_mounton_fusefs(seunshare_domain) +') -diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te -index e43c380..410027f 100644 ---- a/policy/modules/apps/slocate.te -+++ b/policy/modules/apps/slocate.te -@@ -38,6 +38,7 @@ dev_getattr_all_blk_files(locate_t) - dev_getattr_all_chr_files(locate_t) - - files_list_all(locate_t) -+files_dontaudit_read_all_symlinks(locate_t) - files_getattr_all_files(locate_t) - files_getattr_all_pipes(locate_t) - files_getattr_all_sockets(locate_t) -diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc -new file mode 100644 -index 0000000..8075b7b ---- /dev/null -+++ b/policy/modules/apps/telepathy.fc -@@ -0,0 +1,18 @@ -+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) -+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) -+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -+HOME_DIR/.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) -+HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -+HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) -+HOME_DIR/\.local/share/TpLogger(/.*)? 
gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) -+ -+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) -+/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) -+/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0) -+/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) -+/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0) -+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0) -+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) -+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) -+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) -+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if -new file mode 100644 -index 0000000..1d0f110 ---- /dev/null +index 3cfb128..de71ea8 100644 +--- a/policy/modules/apps/telepathy.if 
+++ b/policy/modules/apps/telepathy.if -@@ -0,0 +1,269 @@ +@@ -11,7 +11,6 @@ + ## + ## + # +-# + template(`telepathy_domain_template',` + + gen_require(` +@@ -32,7 +31,7 @@ template(`telepathy_domain_template',` + ####################################### + ## + ## Role access for telepathy domains +-### that executes via dbus-session ++## that executes via dbus-session + ## + ## + ## +@@ -46,6 +45,7 @@ template(`telepathy_domain_template',` + ## + # + template(`telepathy_role', ` + -+## Telepathy framework. + gen_require(` + attribute telepathy_domain; + type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; +@@ -179,3 +179,75 @@ interface(`telepathy_salut_stream_connect', ` + stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) + files_search_tmp($1) + ') + +####################################### +## -+## Creates basic types for telepathy -+## domain ++## Send DBus messages to and from ++## all Telepathy domain. +## -+## ++## +## -+## Prefix for the domain. ++## Domain allowed access. +## +## +# -+# -+template(`telepathy_domain_template',` -+ -+ gen_require(` -+ attribute telepathy_domain; -+ attribute telepathy_executable; -+ ') -+ -+ type telepathy_$1_t, telepathy_domain; -+ type telepathy_$1_exec_t, telepathy_executable; -+ application_domain(telepathy_$1_t, telepathy_$1_exec_t) -+ ubac_constrained(telepathy_$1_t) -+ -+ type telepathy_$1_tmp_t; -+ files_tmp_file(telepathy_$1_tmp_t) -+ ubac_constrained(telepathy_$1_tmp_t) -+') -+ -+####################################### -+## -+## Role access for telepathy domains -+### that executes via dbus-session -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+## -+## -+## The type of the user domain. 
-+## -+## -+# -+template(`telepathy_dbus_session_role', ` -+ gen_require(` -+ attribute telepathy_domain; -+ type telepathy_gabble_t; -+ type telepathy_sofiasip_t; -+ type telepathy_idle_t; -+ type telepathy_mission_control_t; -+ type telepathy_salut_t; -+ type telepathy_sunshine_t; -+ type telepathy_stream_engine_t; -+ type telepathy_msn_t; -+ type telepathy_gabble_exec_t; -+ type telepathy_sofiasip_exec_t; -+ type telepathy_idle_exec_t; -+ type telepathy_mission_control_exec_t; -+ type telepathy_salut_exec_t; -+ type telepathy_sunshine_exec_t; -+ type telepathy_stream_engine_exec_t; -+ type telepathy_msn_exec_t; -+ type telepathy_logger_exec_t; -+ type telepathy_logger_t; -+ ') -+ -+ role $1 types telepathy_domain; -+ -+ allow $2 telepathy_domain:process { ptrace signal_perms }; -+ ps_process_pattern($2, telepathy_domain) -+ -+ optional_policy(` -+ telepathy_dbus_chat($2) -+ ') -+ -+ telepathy_gabble_stream_connect($2) -+ telepathy_msn_stream_connect($2) -+ telepathy_salut_stream_connect($2) -+ -+ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t) -+ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) -+ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t) -+ dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t) -+ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t) -+ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t) -+ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) -+ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) -+ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) -+ -+') -+ -+######################################## -+## -+## Send DBus messages to and from -+## all Telepathy domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# +interface(`telepathy_dbus_chat', ` -+ gen_require(` -+ attribute telepathy_domain; -+ class dbus send_msg; -+ ') -+ -+ allow $1 telepathy_domain:dbus send_msg; -+ allow telepathy_domain $1:dbus send_msg; -+') -+ -+######################################## -+## -+## Send DBus messages to and from -+## Telepathy Gabble. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`telepathy_gabble_dbus_chat', ` -+ gen_require(` -+ type telepathy_gabble_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 telepathy_gabble_t:dbus send_msg; -+ allow telepathy_gabble_t $1:dbus send_msg; -+') -+ -+######################################## -+## -+## Stream connect to Telepathy Gabble -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`telepathy_gabble_stream_connect', ` -+ gen_require(` -+ type telepathy_gabble_t, telepathy_gabble_tmp_t; -+ ') -+ -+ stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) -+ files_search_tmp($1) -+') -+ -+####################################### -+## -+## Stream connect to telepathy MSN managers -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`telepathy_msn_stream_connect', ` -+ gen_require(` -+ type telepathy_msn_t, telepathy_msn_tmp_t; -+ ') -+ -+ stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) -+ files_search_tmp($1) -+') -+ -+ -+######################################## -+## -+## Stream connect to Telepathy Salut -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`telepathy_salut_stream_connect', ` -+ gen_require(` -+ type telepathy_salut_t, telepathy_salut_tmp_t; -+ ') -+ -+ stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Read telepathy mission control state. -+## -+## -+## -+## Prefix to be used. -+## -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`telepathy_mission_control_read_state',` -+ gen_require(` -+ type telepathy_mission_control_t; -+ ') ++ gen_require(` ++ attribute telepathy_domain; ++ class dbus send_msg; ++ ') + -+ kernel_search_proc($1) -+ ps_process_pattern($1, telepathy_mission_control_t) ++ allow $1 telepathy_domain:dbus send_msg; ++ allow telepathy_domain $1:dbus send_msg; +') + -+####################################### ++###################################### +## +## Execute telepathy executable +## in the specified domain. @@ -10335,6 +9258,7 @@ index 0000000..1d0f110 +## +# +interface(`telepathy_command_domtrans', ` ++ + gen_require(` + attribute telepathy_executable; + ') @@ -10344,402 +9268,119 @@ index 0000000..1d0f110 + type_transition $1 telepathy_executable:process $2; + + # needs to dbus chat with unconfined_t and unconfined_dbusd_t -+ optional_policy(` ++ optional_policy(` + telepathy_dbus_chat($1) + telepathy_dbus_chat($2) + ') +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -new file mode 100644 -index 0000000..aaaf4e0 ---- /dev/null +index 2533ea0..f41eb44 100644 +--- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,385 @@ -+ -+policy_module(telepathy, 1.0.0) -+ -+######################################## -+# -+# Declarations. -+# -+ -+## -+##

-+## Allow the Telepathy connection managers -+## to connect to any generic TCP port. -+##

-+##
-+gen_tunable(telepathy_tcp_connect_generic_network_ports, false) -+ -+## -+##

-+## Allow the Telepathy connection managers -+## to connect to any network port. -+##

-+##
-+gen_tunable(telepathy_connect_all_ports, true) -+ -+attribute telepathy_domain; -+attribute telepathy_executable; -+ -+telepathy_domain_template(gabble) -+ -+type telepathy_gabble_cache_home_t; -+userdom_user_home_content(telepathy_gabble_cache_home_t) -+ -+telepathy_domain_template(idle) -+telepathy_domain_template(mission_control) -+ -+type telepathy_mission_control_home_t; -+userdom_user_home_content(telepathy_mission_control_home_t) -+ -+type telepathy_mission_control_cache_home_t; -+userdom_user_home_content(telepathy_mission_control_cache_home_t) -+ -+type telepathy_sunshine_home_t; -+userdom_user_home_content(telepathy_sunshine_home_t) -+ -+type telepathy_logger_cache_home_t; -+userdom_user_home_content(telepathy_logger_cache_home_t) -+ -+type telepathy_logger_data_home_t; -+userdom_user_home_content(telepathy_logger_data_home_t) -+ -+telepathy_domain_template(msn) -+telepathy_domain_template(salut) -+telepathy_domain_template(sofiasip) -+telepathy_domain_template(stream_engine) -+telepathy_domain_template(sunshine) -+telepathy_domain_template(logger) -+# New in F16 +@@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t) + telepathy_domain_template(idle) + telepathy_domain_template(logger) + +permissive telepathy_logger_t; + -+####################################### -+# -+# Telepathy Butterfly and Haze local policy. 
-+# -+ -+allow telepathy_msn_t self:process setsched; -+allow telepathy_msn_t self:unix_dgram_socket { write create connect }; -+ -+manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -+manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -+manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) -+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) -+userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) -+can_exec(telepathy_msn_t, telepathy_msn_tmp_t) -+ -+corenet_sendrecv_http_client_packets(telepathy_msn_t) -+corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) -+corenet_sendrecv_msnp_client_packets(telepathy_msn_t) -+corenet_tcp_connect_http_port(telepathy_msn_t) -+corenet_tcp_connect_mmcc_port(telepathy_msn_t) -+corenet_tcp_connect_msnp_port(telepathy_msn_t) -+corenet_tcp_connect_sametime_port(telepathy_msn_t) -+corenet_tcp_connect_ssdp_port(telepathy_msn_t) -+corenet_tcp_connect_sip_port(telepathy_msn_t) -+ -+corecmd_exec_bin(telepathy_msn_t) -+corecmd_exec_shell(telepathy_msn_t) -+corecmd_read_bin_symlinks(telepathy_msn_t) -+ -+files_read_etc_files(telepathy_msn_t) -+files_read_usr_files(telepathy_msn_t) -+ -+init_read_state(telepathy_msn_t) -+ -+libs_exec_ldconfig(telepathy_msn_t) -+ -+logging_send_syslog_msg(telepathy_msn_t) -+ -+miscfiles_read_all_certs(telepathy_msn_t) -+ -+userdom_read_all_users_state(telepathy_msn_t) -+ -+optional_policy(` -+ dbus_system_bus_client(telepathy_msn_t) -+ optional_policy(` -+ networkmanager_dbus_chat(telepathy_msn_t) -+ ') -+') -+ -+optional_policy(` -+ gnome_read_gconf_home_files(telepathy_msn_t) -+') -+ -+####################################### -+# -+# Telepathy Gabble local policy. 
-+# -+ -+allow telepathy_gabble_t self:tcp_socket { listen accept }; -+allow telepathy_gabble_t self:unix_dgram_socket { write read create getattr sendto }; -+ -+manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) -+manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) -+files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) -+ + type telepathy_logger_cache_home_t; + userdom_user_home_content(telepathy_logger_cache_home_t) + +@@ -67,6 +69,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble + manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) + files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) + +# ~/.cache/gabble/caps-cache.db-journal ++# optional_policy(` +optional_policy(` + manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) + manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) + gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, { dir file }) -+') -+ -+corenet_sendrecv_commplex_client_packets(telepathy_gabble_t) -+corenet_sendrecv_http_client_packets(telepathy_gabble_t) -+corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) -+corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) -+ -+corenet_tcp_connect_commplex_port(telepathy_gabble_t) -+corenet_tcp_connect_http_port(telepathy_gabble_t) -+corenet_tcp_connect_jabber_client_port(telepathy_gabble_t) -+corenet_tcp_connect_vnc_port(telepathy_gabble_t) -+ -+dev_read_rand(telepathy_gabble_t) -+ -+files_read_config_files(telepathy_gabble_t) -+files_read_usr_files(telepathy_gabble_t) -+ -+miscfiles_read_all_certs(telepathy_gabble_t) -+ -+optional_policy(` -+ dbus_system_bus_client(telepathy_gabble_t) -+') -+ -+tunable_policy(`use_nfs_home_dirs', ` -+ 
fs_manage_nfs_dirs(telepathy_gabble_t) -+ fs_manage_nfs_files(telepathy_gabble_t) -+') -+ -+tunable_policy(`use_samba_home_dirs', ` -+ fs_manage_cifs_dirs(telepathy_gabble_t) -+ fs_manage_cifs_files(telepathy_gabble_t) -+') ++') + + corenet_all_recvfrom_netlabel(telepathy_gabble_t) + corenet_all_recvfrom_unlabeled(telepathy_gabble_t) + corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) +@@ -168,6 +178,11 @@ tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(telepathy_logger_t) + ') + +optional_policy(` -+ gnome_read_home_config(telepathy_gabble_t) ++# ~/.config/dconf/user ++ gnome_read_home_config(telepathy_logger_t) +') + -+####################################### -+# -+# Telepathy Idle local policy. -+# -+ -+corenet_sendrecv_ircd_client_packets(telepathy_idle_t) -+corenet_tcp_connect_gatekeeper_port(telepathy_idle_t) -+corenet_tcp_connect_ircd_port(telepathy_idle_t) -+ -+dev_read_rand(telepathy_idle_t) -+ -+files_read_etc_files(telepathy_idle_t) -+ -+####################################### -+# -+# Telepathy Mission-Control local policy. -+# -+ -+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -+userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) + ####################################### + # + # Telepathy Mission-Control local policy. 
+@@ -176,6 +191,7 @@ tunable_policy(`use_samba_home_dirs',` + manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) + userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) +userdom_search_user_home_dirs(telepathy_mission_control_t) -+ -+dev_read_rand(telepathy_mission_control_t) -+ -+files_read_etc_files(telepathy_mission_control_t) -+files_read_usr_files(telepathy_mission_control_t) -+ -+tunable_policy(`use_nfs_home_dirs', ` -+ fs_manage_nfs_dirs(telepathy_mission_control_t) -+ fs_manage_nfs_files(telepathy_mission_control_t) -+') -+ -+tunable_policy(`use_samba_home_dirs', ` -+ fs_manage_cifs_dirs(telepathy_mission_control_t) -+ fs_manage_cifs_files(telepathy_mission_control_t) -+') -+ + + dev_read_rand(telepathy_mission_control_t) + +@@ -194,6 +210,12 @@ tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(telepathy_mission_control_t) + ') + +# ~/.cache/.mc_connections. +optional_policy(` + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) + gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) +') + -+optional_policy(` -+ gnome_read_gconf_home_files(telepathy_mission_control_t) -+ gnome_setattr_cache_home_dir(telepathy_mission_control_t) -+ gnome_read_generic_cache_files(telepathy_mission_control_t) -+ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t) -+') -+ -+####################################### -+# -+# Telepathy Salut local policy. 
-+# -+allow telepathy_salut_t self:tcp_socket { accept listen }; -+ -+manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) -+files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) -+ -+corenet_sendrecv_presence_server_packets(telepathy_salut_t) -+corenet_tcp_bind_presence_port(telepathy_salut_t) -+corenet_tcp_connect_presence_port(telepathy_salut_t) -+ -+files_read_etc_files(telepathy_salut_t) -+ -+optional_policy(` -+ dbus_system_bus_client(telepathy_salut_t) -+ -+ optional_policy(` -+ avahi_dbus_chat(telepathy_salut_t) -+ ') -+') -+ -+####################################### -+# -+# Telepathy Sofiasip local policy. -+# -+allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; -+allow telepathy_sofiasip_t self:tcp_socket { listen }; -+ -+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) -+corenet_tcp_connect_sip_port(telepathy_sofiasip_t) -+corenet_udp_bind_all_ports(telepathy_sofiasip_t) -+corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t) -+corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t) -+ -+kernel_request_load_module(telepathy_sofiasip_t) -+ -+####################################### -+# -+# Telepathy Sunshine local policy. 
-+# -+manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) -+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) -+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file }) -+userdom_search_user_home_dirs(telepathy_sunshine_t) -+ -+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) -+exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) -+files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file) -+ -+corecmd_exec_bin(telepathy_sunshine_t) -+ -+files_read_etc_files(telepathy_sunshine_t) -+files_read_usr_files(telepathy_sunshine_t) -+ -+optional_policy(` -+ xserver_read_xdm_pid(telepathy_sunshine_t) -+ xserver_stream_connect(telepathy_sunshine_t) -+') -+ -+####################################### -+# -+# Telepathy Logger local policy. -+# -+ -+allow telepathy_logger_t self:unix_stream_socket create_socket_perms; -+ -+manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) -+gnome_cache_filetrans(telepathy_logger_t, telepathy_logger_cache_home_t, file) -+ -+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) -+manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) -+gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir) -+ -+files_read_etc_files(telepathy_logger_t) -+files_read_usr_files(telepathy_logger_t) -+files_search_pids(telepathy_logger_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(telepathy_logger_t) -+ fs_manage_nfs_files(telepathy_logger_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(telepathy_logger_t) -+ fs_manage_cifs_files(telepathy_logger_t) -+') -+ -+optional_policy(` -+ # ~/.config/dconf/user -+ 
gnome_read_home_config(telepathy_logger_t) -+') -+ -+####################################### -+# -+# telepathy domains common policy -+# -+ -+allow telepathy_domain self:process { getsched signal sigkill }; -+allow telepathy_domain self:fifo_file rw_fifo_file_perms; -+allow telepathy_domain self:tcp_socket create_socket_perms; -+allow telepathy_domain self:udp_socket create_socket_perms; -+ -+corenet_all_recvfrom_netlabel(telepathy_domain) -+corenet_all_recvfrom_unlabeled(telepathy_domain) -+corenet_raw_bind_generic_node(telepathy_domain) -+corenet_raw_sendrecv_generic_if(telepathy_domain) -+corenet_raw_sendrecv_generic_node(telepathy_domain) -+corenet_tcp_bind_generic_node(telepathy_domain) -+corenet_tcp_sendrecv_generic_if(telepathy_domain) -+corenet_tcp_sendrecv_generic_node(telepathy_domain) -+corenet_udp_bind_generic_node(telepathy_domain) -+ -+dev_read_urand(telepathy_domain) -+ -+kernel_read_system_state(telepathy_domain) -+ -+fs_getattr_all_fs(telepathy_domain) -+fs_search_auto_mountpoints(telepathy_domain) -+ -+auth_use_nsswitch(telepathy_domain) -+ -+miscfiles_read_localization(telepathy_domain) -+ -+# This interface does not facilitate files_search_tmp which appears to be a bug. -+userdom_stream_connect(telepathy_domain) -+userdom_use_inherited_user_terminals(telepathy_domain) -+ -+tunable_policy(`telepathy_tcp_connect_generic_network_ports', ` -+ corenet_tcp_connect_generic_port(telepathy_domain) -+ corenet_sendrecv_generic_client_packets(telepathy_domain) -+') -+ -+tunable_policy(`telepathy_connect_all_ports', ` -+ corenet_tcp_connect_all_ports(telepathy_domain) -+ corenet_tcp_sendrecv_all_ports(telepathy_domain) -+ corenet_udp_sendrecv_all_ports(telepathy_domain) -+') -+ -+optional_policy(` -+ automount_dontaudit_getattr_tmp_dirs(telepathy_domain) + ####################################### + # + # Telepathy Butterfly and Haze local policy. 
+@@ -205,8 +227,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; + manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) + manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) + manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) ++exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) + files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) + userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) ++userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) ++can_exec(telepathy_msn_t, telepathy_msn_tmp_t) + + corenet_all_recvfrom_netlabel(telepathy_msn_t) + corenet_all_recvfrom_unlabeled(telepathy_msn_t) +@@ -246,6 +271,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` + ') + + optional_policy(` ++ gnome_read_gconf_home_files(telepathy_msn_t) +') + +optional_policy(` -+ gnome_read_generic_cache_files(telepathy_domain) -+ gnome_write_generic_cache_files(telepathy_domain) + dbus_system_bus_client(telepathy_msn_t) + + optional_policy(` +@@ -376,5 +405,23 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_read_generic_cache_files(telepathy_domain) ++ gnome_write_generic_cache_files(telepathy_domain) +') + +optional_policy(` -+ telepathy_dbus_chat(telepathy_domain) ++ telepathy_dbus_chat(telepathy_domain) +') + +optional_policy(` -+ xserver_rw_xdm_pipes(telepathy_domain) -+') -+ + xserver_rw_xdm_pipes(telepathy_domain) + ') + +# Just for F15 -+optional_policy(` -+ gen_require(` -+ role unconfined_r; -+ ') -+ -+ role unconfined_r types telepathy_domain; -+') ++#optional_policy(` ++# gen_require(` ++# role unconfined_r; ++# ') ++# ++# role unconfined_r types telepathy_domain; ++#') diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te index 11fe4f2..98bfbf3 100644 --- a/policy/modules/apps/tvtime.te 
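Review bot: `permissive telepathy_logger_t;` is added to telepathy.te with no explanation, so every denial for the logger domain is only audited and never enforced for as long as that line ships; if it is scaffolding while the domain's rules are completed, say so and when it goes, e.g. `# TODO(review): permissive while telepathy_logger_t rules are completed; drop before release`. The msn block adds both `exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)` and `can_exec(telepathy_msn_t, telepathy_msn_tmp_t)`, letting the domain execute content it writes under its own tmp type; that wants a one-line why-comment, and the two look like they overlap (can_exec appears to grant a subset of the file permissions exec_files_pattern already allows — confirm against the pattern definitions). The stray `# optional_policy(`` line left above the gabble cache block and the commented-out `# Just for F15` role block at the end of the file are dead text and should be removed rather than carried in the patch. The `telepathy_dbus_chat(telepathy_domain)` call inside `optional_policy` grants every telepathy domain `dbus send_msg` to every other telepathy domain; a short comment stating that this all-pairs access is intended would help the next reader.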
@@ -10947,7 +9588,7 @@ index 03fc701..f58654e 100644 -userdom_use_user_terminals(vlock_t) +userdom_use_inherited_user_terminals(vlock_t) diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc -index 5872ea2..179960c 100644 +index f647c7e..252468a 100644 --- a/policy/modules/apps/vmware.fc +++ b/policy/modules/apps/vmware.fc @@ -39,12 +39,6 @@ ifdef(`distro_redhat',` @@ -10963,15 +9604,8 @@ index 5872ea2..179960c 100644 /usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) -@@ -66,5 +60,6 @@ ifdef(`distro_gentoo',` - /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) - /var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) - -+/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0) - /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) - /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te -index c76ceb2..e174a83 100644 +index 23066a1..6aff330 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te @@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t) 
@@ -10982,31 +9616,33 @@ index c76ceb2..e174a83 100644 domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) -@@ -133,6 +134,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t) +@@ -133,7 +134,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t) files_list_tmp(vmware_host_t) files_read_etc_files(vmware_host_t) files_read_etc_runtime_files(vmware_host_t) +-files_read_usr_files(vmware_host_t) +files_read_usr_files(vmware_host_t) fs_getattr_all_fs(vmware_host_t) fs_search_auto_mountpoints(vmware_host_t) -@@ -151,6 +153,7 @@ logging_send_syslog_msg(vmware_host_t) +@@ -152,7 +153,7 @@ logging_send_syslog_msg(vmware_host_t) miscfiles_read_localization(vmware_host_t) sysnet_dns_name_resolve(vmware_host_t) +-sysnet_domtrans_ifconfig(vmware_host_t) +sysnet_domtrans_ifconfig(vmware_host_t) userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) userdom_dontaudit_search_user_home_dirs(vmware_host_t) -@@ -158,8 +161,23 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t) - netutils_domtrans_ping(vmware_host_t) +@@ -161,10 +162,22 @@ netutils_domtrans_ping(vmware_host_t) optional_policy(` -+ hostname_exec(vmware_host_t) + hostname_exec(vmware_host_t) +-') +') -+ -+optional_policy(` -+ modutils_domtrans_insmod(vmware_host_t) + + optional_policy(` + modutils_domtrans_insmod(vmware_host_t) +') + +optional_policy(` @@ -11014,15 +9650,15 @@ index c76ceb2..e174a83 100644 +') + +optional_policy(` - seutil_sigchld_newrole(vmware_host_t) ++ seutil_sigchld_newrole(vmware_host_t) +') - ++ +optional_policy(` + shutdown_domtrans(vmware_host_t) ') optional_policy(` -@@ -270,7 +288,7 @@ libs_read_lib_files(vmware_t) +@@ -275,7 +288,7 @@ libs_read_lib_files(vmware_t) miscfiles_read_localization(vmware_t) @@ -11032,7 +9668,7 @@ index c76ceb2..e174a83 100644 # cjp: why? userdom_read_user_home_content_files(vmware_t) 
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te -index f79314b..381d5eb 100644 +index b11941a..dc37e57 100644 --- a/policy/modules/apps/webalizer.te +++ b/policy/modules/apps/webalizer.te @@ -81,7 +81,7 @@ miscfiles_read_public_files(webalizer_t) @@ -11044,14 +9680,6 @@ index f79314b..381d5eb 100644 userdom_use_unpriv_users_fds(webalizer_t) userdom_dontaudit_search_user_home_content(webalizer_t) -@@ -103,3 +103,7 @@ optional_policy(` - optional_policy(` - nscd_socket_use(webalizer_t) - ') -+ -+optional_policy(` -+ squid_manage_logs(webalizer_t) -+') diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc index 9d24449..2666317 100644 --- a/policy/modules/apps/wine.fc @@ -11073,7 +9701,7 @@ index 9d24449..2666317 100644 /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if -index 0440b4c..4b055c1 100644 +index f9a73d0..4b055c1 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -29,12 +29,16 @@ @@ -11136,31 +9764,8 @@ index 0440b4c..4b055c1 100644 optional_policy(` xserver_role($1_r, $1_wine_t) ') -@@ -157,3 +168,22 @@ interface(`wine_run',` - wine_domtrans($1) - role $2 types wine_t; - ') -+ -+######################################## -+## -+## Read and write wine Shared -+## memory segments. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`wine_rw_shm',` -+ gen_require(` -+ type wine_t; -+ ') -+ -+ allow $1 wine_t:shm rw_shm_perms; -+') diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te -index 953cb28..bf6c62e 100644 +index be9246b..e3de8fa 100644 --- a/policy/modules/apps/wine.te +++ b/policy/modules/apps/wine.te @@ -40,7 +40,7 @@ domain_mmap_low(wine_t) 
@@ -11172,19 +9777,6 @@ index 953cb28..bf6c62e 100644 tunable_policy(`wine_mmap_zero_ignore',` dontaudit wine_t self:memprotect mmap_zero; -@@ -51,7 +51,11 @@ optional_policy(` - ') - - optional_policy(` -- unconfined_domain_noaudit(wine_t) -+ policykit_dbus_chat(wine_t) -+') -+ -+optional_policy(` -+ unconfined_domain(wine_t) - ') - - optional_policy(` diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te index 8bfe97d..6bba1a8 100644 --- a/policy/modules/apps/wireshark.te @@ -11197,34 +9789,11 @@ index 8bfe97d..6bba1a8 100644 userdom_user_home_content(wireshark_home_t) type wireshark_tmp_t; -diff --git a/policy/modules/apps/wm.fc b/policy/modules/apps/wm.fc -index be30d55..93d128c 100644 ---- a/policy/modules/apps/wm.fc -+++ b/policy/modules/apps/wm.fc -@@ -1,3 +1,4 @@ - /usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) - /usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) - /usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) -+/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0) diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if -index 82842a0..50c1a74 100644 +index b3efef7..50c1a74 100644 --- a/policy/modules/apps/wm.if +++ b/policy/modules/apps/wm.if -@@ -44,7 +44,7 @@ template(`wm_role_template',` - - allow $1_wm_t $3:unix_stream_socket connectto; - allow $3 $1_wm_t:unix_stream_socket connectto; -- allow $3 $1_wm_t:process { signal sigchld }; -+ allow $3 $1_wm_t:process { signal sigchld signull }; - allow $1_wm_t $3:process { signull sigkill }; - - allow $1_wm_t $3:dbus send_msg; -@@ -72,9 +72,16 @@ template(`wm_role_template',` - - auth_use_nsswitch($1_wm_t) - -+ application_signull($1_wm_t) -+ +@@ -77,6 +77,11 @@ template(`wm_role_template',` miscfiles_read_fonts($1_wm_t) miscfiles_read_localization($1_wm_t) @@ -11263,21 +9832,10 @@ index 223ad43..d400ef6 100644 # Reading dotfiles... # cjp: ? 
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..ddb1528 100644 +index 3fae11a..c8607de 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc -@@ -72,7 +72,9 @@ ifdef(`distro_redhat',` - /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) --/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) -+/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0) -+/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) -+etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) - - /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) - -@@ -95,8 +97,6 @@ ifdef(`distro_redhat',` +@@ -97,8 +97,6 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -11286,7 +9844,7 @@ index 34c9d01..ddb1528 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -128,18 +128,15 @@ ifdef(`distro_debian',` +@@ -130,18 +128,15 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -11307,7 +9865,7 @@ index 34c9d01..ddb1528 100644 /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -177,6 +174,8 @@ ifdef(`distro_gentoo',` +@@ -179,6 +174,8 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -11316,7 +9874,7 @@ index 34c9d01..ddb1528 100644 # # /usr # -@@ -196,47 +195,51 @@ ifdef(`distro_gentoo',` +@@ -198,48 +195,51 @@ ifdef(`distro_gentoo',` /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0) @@ -11326,6 +9884,7 @@ index 34c9d01..ddb1528 100644 -/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) @@ -11409,7 +9968,7 @@ index 34c9d01..ddb1528 100644 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -244,9 +247,13 @@ ifdef(`distro_gentoo',` +@@ -247,9 +247,13 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -11424,7 +9983,7 @@ index 34c9d01..ddb1528 100644 /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -283,6 +290,7 @@ ifdef(`distro_gentoo',` +@@ -286,6 +290,7 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) 
@@ -11432,7 +9991,7 @@ index 34c9d01..ddb1528 100644 /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -291,7 +299,7 @@ ifdef(`distro_gentoo',` +@@ -294,7 +299,7 @@ ifdef(`distro_gentoo',` /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -11441,7 +10000,7 @@ index 34c9d01..ddb1528 100644 ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -304,9 +312,8 @@ ifdef(`distro_redhat', ` +@@ -307,9 +312,8 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -11452,7 +10011,7 @@ index 34c9d01..ddb1528 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -316,9 +323,11 @@ ifdef(`distro_redhat', ` +@@ -319,9 +323,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -11464,7 +10023,7 @@ index 34c9d01..ddb1528 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -360,7 +369,7 @@ ifdef(`distro_redhat', ` +@@ -363,7 +369,7 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -11473,7 +10032,7 @@ index 34c9d01..ddb1528 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -372,8 +381,9 @@ ifdef(`distro_suse', ` +@@ -375,8 +381,9 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -11530,90 +10089,11 @@ index 9e9263a..59c2125 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc -index 9e5c83e..953e0e8 100644 ---- a/policy/modules/kernel/corenetwork.fc -+++ b/policy/modules/kernel/corenetwork.fc -@@ -5,3 +5,6 @@ - /dev/tap.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) - - /dev/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) -+ -+/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) -+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 5a07a43..eb5f76e 100644 +index 4f3b542..4581434 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in -@@ -32,6 +32,33 @@ interface(`corenet_port',` - - ######################################## - ## -+## Define type to be a network node type -+## -+## -+##

-+## Define type to be a network node type -+##

-+##

-+## This is for supporting third party modules and its -+## use is not allowed in upstream reference policy. -+##

-+##
-+## -+## -+## Type to be used for network nodes. -+## -+## -+# -+interface(`corenet_node',` -+ gen_require(` -+ attribute node_type; -+ ') -+ -+ typeattribute $1 node_type; -+') -+ -+######################################## -+## - ## Define network type to be a reserved port (lt 1024) - ## - ## -@@ -86,6 +113,33 @@ interface(`corenet_rpc_port',` - - ######################################## - ## -+## Define type to be a network packet type -+## -+## -+##

-+## Define type to be a network packet type -+##

-+##

-+## This is for supporting third party modules and its -+## use is not allowed in upstream reference policy. -+##

-+##
-+## -+## -+## Type to be used for a network packet. -+## -+## -+# -+interface(`corenet_packet',` -+ gen_require(` -+ attribute packet_type; -+ ') -+ -+ typeattribute $1 packet_type; -+') -+ -+######################################## -+## - ## Define type to be a network client packet type - ## - ## -@@ -561,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',` +@@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',` ######################################## ## @@ -11638,7 +10118,7 @@ index 5a07a43..eb5f76e 100644 ## Send and receive TCP network traffic on generic nodes. ## ## -@@ -735,6 +807,24 @@ interface(`corenet_raw_sendrecv_generic_node',` +@@ -789,6 +807,24 @@ interface(`corenet_raw_sendrecv_generic_node',` ######################################## ## @@ -11663,7 +10143,7 @@ index 5a07a43..eb5f76e 100644 ## Bind TCP sockets to generic nodes. ## ## -@@ -874,6 +964,24 @@ interface(`corenet_inout_generic_node',` +@@ -928,6 +964,24 @@ interface(`corenet_inout_generic_node',` ######################################## ## @@ -11688,7 +10168,7 @@ index 5a07a43..eb5f76e 100644 ## Send and receive TCP network traffic on all nodes. ## ## -@@ -1048,6 +1156,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` +@@ -1102,6 +1156,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` ######################################## ## @@ -11713,7 +10193,7 @@ index 5a07a43..eb5f76e 100644 ## Bind TCP sockets to all nodes. ## ## -@@ -1103,6 +1229,24 @@ interface(`corenet_raw_bind_all_nodes',` +@@ -1157,6 +1229,24 @@ interface(`corenet_raw_bind_all_nodes',` ######################################## ## @@ -11738,7 +10218,7 @@ index 5a07a43..eb5f76e 100644 ## Send and receive TCP network traffic on generic ports. ## ## -@@ -1121,6 +1265,26 @@ interface(`corenet_tcp_sendrecv_generic_port',` +@@ -1175,6 +1265,26 @@ interface(`corenet_tcp_sendrecv_generic_port',` ######################################## ## 
@@ -11765,7 +10245,7 @@ index 5a07a43..eb5f76e 100644 ## Do not audit send and receive TCP network traffic on generic ports. ## ## -@@ -1190,6 +1354,26 @@ interface(`corenet_udp_sendrecv_generic_port',` +@@ -1244,6 +1354,26 @@ interface(`corenet_udp_sendrecv_generic_port',` ######################################## ## @@ -11792,7 +10272,7 @@ index 5a07a43..eb5f76e 100644 ## Bind TCP sockets to generic ports. ## ## -@@ -1210,6 +1394,25 @@ interface(`corenet_tcp_bind_generic_port',` +@@ -1264,6 +1394,25 @@ interface(`corenet_tcp_bind_generic_port',` ######################################## ## @@ -11818,7 +10298,7 @@ index 5a07a43..eb5f76e 100644 ## Do not audit bind TCP sockets to generic ports. ## ## -@@ -1248,6 +1451,24 @@ interface(`corenet_udp_bind_generic_port',` +@@ -1302,6 +1451,24 @@ interface(`corenet_udp_bind_generic_port',` ######################################## ## @@ -11843,7 +10323,7 @@ index 5a07a43..eb5f76e 100644 ## Connect TCP sockets to generic ports. ## ## -@@ -1266,6 +1487,24 @@ interface(`corenet_tcp_connect_generic_port',` +@@ -1320,6 +1487,24 @@ interface(`corenet_tcp_connect_generic_port',` ######################################## ## @@ -11868,7 +10348,7 @@ index 5a07a43..eb5f76e 100644 ## Send and receive TCP network traffic on all ports. ## ## -@@ -1385,6 +1624,25 @@ interface(`corenet_udp_sendrecv_all_ports',` +@@ -1439,6 +1624,25 @@ interface(`corenet_udp_sendrecv_all_ports',` ######################################## ## @@ -11894,7 +10374,7 @@ index 5a07a43..eb5f76e 100644 ## Bind TCP sockets to all ports. ## ## -@@ -1404,6 +1662,24 @@ interface(`corenet_tcp_bind_all_ports',` +@@ -1458,6 +1662,24 @@ interface(`corenet_tcp_bind_all_ports',` ######################################## ## 
@@ -11919,7 +10399,7 @@ index 5a07a43..eb5f76e 100644 ## Do not audit attepts to bind TCP sockets to any ports. ## ## -@@ -1459,6 +1735,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` +@@ -1513,6 +1735,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` ######################################## ## @@ -11944,75 +10424,37 @@ index 5a07a43..eb5f76e 100644 ## Connect TCP sockets to all ports. ## ## -@@ -1505,7 +1799,7 @@ interface(`corenet_tcp_connect_all_ports',` +@@ -1559,6 +1799,25 @@ interface(`corenet_tcp_connect_all_ports',` ######################################## ## --## Do not audit attempts to connect TCP sockets +## Do not audit attempts to connect DCCP sockets - ## to all ports. - ## - ## -@@ -1514,35 +1808,72 @@ interface(`corenet_tcp_connect_all_ports',` - ##
- ## - # --interface(`corenet_dontaudit_tcp_connect_all_ports',` -+interface(`corenet_dontaudit_dccp_connect_all_ports',` - gen_require(` - attribute port_type; - ') - -- dontaudit $1 port_type:tcp_socket name_connect; -+ dontaudit $1 port_type:dccp_socket name_connect; - ') - - ######################################## - ## --## Send and receive TCP network traffic on generic reserved ports. -+## Do not audit attempts to connect TCP sockets +## to all ports. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`corenet_tcp_sendrecv_reserved_port',` -+interface(`corenet_dontaudit_tcp_connect_all_ports',` - gen_require(` -- type reserved_port_t; -+ attribute port_type; - ') - -- allow $1 reserved_port_t:tcp_socket { send_msg recv_msg }; -+ dontaudit $1 port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Send UDP network traffic on generic reserved ports. -+## Send and receive DCCP network traffic on generic reserved ports. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`corenet_dccp_sendrecv_reserved_port',` ++interface(`corenet_dontaudit_dccp_connect_all_ports',` + gen_require(` -+ type reserved_port_t; ++ attribute port_type; + ') + -+ allow $1 reserved_port_t:dccp_socket { send_msg recv_msg }; ++ dontaudit $1 port_type:dccp_socket name_connect; +') + +######################################## +## -+## Send and receive TCP network traffic on generic reserved ports. + ## Do not audit attempts to connect TCP sockets + ## to all ports. + ## +@@ -1578,6 +1837,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',` + + ######################################## + ## ++## Send and receive DCCP network traffic on generic reserved ports. +## +## +## 
@@ -12020,21 +10462,20 @@ index 5a07a43..eb5f76e 100644 +## +## +# -+interface(`corenet_tcp_sendrecv_reserved_port',` ++interface(`corenet_dccp_sendrecv_reserved_port',` + gen_require(` + type reserved_port_t; + ') + -+ allow $1 reserved_port_t:tcp_socket { send_msg recv_msg }; ++ allow $1 reserved_port_t:dccp_socket { send_msg recv_msg }; +') + +######################################## +## -+## Send UDP network traffic on generic reserved ports. + ## Send and receive TCP network traffic on generic reserved ports. ## ## - ## -@@ -1593,6 +1924,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` +@@ -1647,6 +1924,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` ######################################## ## 
@@ -12060,11 +10501,55 @@ index 5a07a43..eb5f76e 100644 ## Bind TCP sockets to generic reserved ports. ## ## -@@ -1631,6 +1981,24 @@ interface(`corenet_udp_bind_reserved_port',` +@@ -1685,7 +1981,7 @@ interface(`corenet_udp_bind_reserved_port',` ######################################## ## +-## Connect TCP sockets to generic reserved ports. +## Connect DCCP sockets to generic reserved ports. + ## + ## + ## +@@ -1693,17 +1989,17 @@ interface(`corenet_udp_bind_reserved_port',` + ## + ## + # +-interface(`corenet_tcp_connect_reserved_port',` ++interface(`corenet_dccp_connect_reserved_port',` + gen_require(` + type reserved_port_t; + ') + +- allow $1 reserved_port_t:tcp_socket name_connect; ++ allow $1 reserved_port_t:dccp_socket name_connect; + ') + + ######################################## + ## +-## Send and receive TCP network traffic on all reserved ports. ++## Connect TCP sockets to generic reserved ports. + ## + ## + ## +@@ -1711,17 +2007,53 @@ interface(`corenet_tcp_connect_reserved_port',` + ## + ## + # +-interface(`corenet_tcp_sendrecv_all_reserved_ports',` ++interface(`corenet_tcp_connect_reserved_port',` + gen_require(` +- attribute reserved_port_type; ++ type reserved_port_t; + ') + +- allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; ++ allow $1 reserved_port_t:tcp_socket name_connect; + ') + + ######################################## + ## +-## Send UDP network traffic on all reserved ports. ++## Send and receive DCCP network traffic on all reserved ports. +## +## +## 
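Review bot: The regenerated inner hunk `@@ -1693,17 +1989,17 @@` rewrites `corenet_tcp_connect_reserved_port` in place into `corenet_dccp_connect_reserved_port` (doc header, interface name and the `allow $1 reserved_port_t:... name_connect;` line), and `@@ -1711,17 +2007,53 @@` then turns `corenet_tcp_sendrecv_all_reserved_ports` into `corenet_tcp_connect_reserved_port` before re-creating the sendrecv interfaces further down. As far as the visible lines show the resulting policy is unchanged, but a reviewer of the downstream patch now has to reconcile two in-place renames plus two re-created interfaces to confirm no rule was lost, where the previous version of the patch expressed the same DCCP additions as pure `+` blocks. Regenerating the patch with `git diff --diff-algorithm=histogram` or `--patience` would likely restore the additive form. The rename continues in the following outer hunks `@@ -12072,24 +10557,17 @@` and `@@ -12097,20 +10575,21 @@`.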
@@ -12072,24 +10557,17 @@ index 5a07a43..eb5f76e 100644 +## +## +# -+interface(`corenet_dccp_connect_reserved_port',` ++interface(`corenet_dccp_sendrecv_all_reserved_ports',` + gen_require(` -+ type reserved_port_t; ++ attribute reserved_port_type; + ') + -+ allow $1 reserved_port_t:dccp_socket name_connect; ++ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg }; +') + +######################################## +## - ## Connect TCP sockets to generic reserved ports. - ## - ## -@@ -1649,6 +2017,24 @@ interface(`corenet_tcp_connect_reserved_port',` - - ######################################## - ## -+## Send and receive DCCP network traffic on all reserved ports. ++## Send and receive TCP network traffic on all reserved ports. +## +## +## @@ -12097,20 +10575,21 @@ index 5a07a43..eb5f76e 100644 +## +## +# -+interface(`corenet_dccp_sendrecv_all_reserved_ports',` ++interface(`corenet_tcp_sendrecv_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + -+ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg }; ++ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; +') + +######################################## +## - ## Send and receive TCP network traffic on all reserved ports. ++## Send UDP network traffic on all reserved ports. ## ## -@@ -1718,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` + ## +@@ -1772,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` ######################################## ## @@ -12136,7 +10615,7 @@ index 5a07a43..eb5f76e 100644 ## Bind TCP sockets to all reserved ports. ## ## -@@ -1737,6 +2142,24 @@ interface(`corenet_tcp_bind_all_reserved_ports',` +@@ -1791,6 +2142,24 @@ interface(`corenet_tcp_bind_all_reserved_ports',` ######################################## ## 
@@ -12161,7 +10640,7 @@ index 5a07a43..eb5f76e 100644 ## Do not audit attempts to bind TCP sockets to all reserved ports. ## ## -@@ -1792,6 +2215,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` +@@ -1846,6 +2215,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` ######################################## ## @@ -12186,7 +10665,7 @@ index 5a07a43..eb5f76e 100644 ## Bind TCP sockets to all ports > 1024. ## ## -@@ -1828,6 +2269,24 @@ interface(`corenet_udp_bind_all_unreserved_ports',` +@@ -1882,6 +2269,24 @@ interface(`corenet_udp_bind_all_unreserved_ports',` ######################################## ## @@ -12211,7 +10690,7 @@ index 5a07a43..eb5f76e 100644 ## Connect TCP sockets to reserved ports. ## ## -@@ -1846,6 +2305,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',` +@@ -1900,6 +2305,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',` ######################################## ## @@ -12236,7 +10715,7 @@ index 5a07a43..eb5f76e 100644 ## Connect TCP sockets to all ports > 1024. ## ## -@@ -1864,6 +2341,25 @@ interface(`corenet_tcp_connect_all_unreserved_ports',` +@@ -1918,6 +2341,25 @@ interface(`corenet_tcp_connect_all_unreserved_ports',` ######################################## ## @@ -12262,7 +10741,7 @@ index 5a07a43..eb5f76e 100644 ## Do not audit attempts to connect TCP sockets ## all reserved ports. ## -@@ -1883,6 +2379,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` +@@ -1937,6 +2379,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` ######################################## ## @@ -12287,7 +10766,7 @@ index 5a07a43..eb5f76e 100644 ## Connect TCP sockets to rpc ports. ## ## -@@ -1901,6 +2415,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',` +@@ -1955,6 +2415,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',` ######################################## ## 
@@ -12313,7 +10792,7 @@ index 5a07a43..eb5f76e 100644 ## Do not audit attempts to connect TCP sockets ## all rpc ports. ## -@@ -1939,6 +2472,24 @@ interface(`corenet_rw_tun_tap_dev',` +@@ -1993,6 +2472,24 @@ interface(`corenet_rw_tun_tap_dev',` ######################################## ## @@ -12338,7 +10817,7 @@ index 5a07a43..eb5f76e 100644 ## Do not audit attempts to read or write the TUN/TAP ## virtual network device. ## -@@ -1995,6 +2546,25 @@ interface(`corenet_rw_ppp_dev',` +@@ -2049,6 +2546,25 @@ interface(`corenet_rw_ppp_dev',` ######################################## ## @@ -12364,7 +10843,7 @@ index 5a07a43..eb5f76e 100644 ## Bind TCP sockets to all RPC ports. ## ## -@@ -2014,6 +2584,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` +@@ -2068,6 +2584,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` ######################################## ## @@ -12389,7 +10868,7 @@ index 5a07a43..eb5f76e 100644 ## Do not audit attempts to bind TCP sockets to all RPC ports. ## ## -@@ -2140,6 +2728,25 @@ interface(`corenet_tcp_recv_netlabel',` +@@ -2194,6 +2728,25 @@ interface(`corenet_tcp_recv_netlabel',` ######################################## ## @@ -12415,7 +10894,7 @@ index 5a07a43..eb5f76e 100644 ## Receive TCP packets from a NetLabel connection. ## ## -@@ -2159,6 +2766,31 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2213,6 +2766,31 @@ interface(`corenet_tcp_recvfrom_netlabel',` ######################################## ## @@ -12447,7 +10926,7 @@ index 5a07a43..eb5f76e 100644 ## Receive TCP packets from an unlabled connection. ## ## -@@ -2168,9 +2800,14 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2222,9 +2800,14 @@ interface(`corenet_tcp_recvfrom_netlabel',` ## # interface(`corenet_tcp_recvfrom_unlabeled',` 
@@ -12462,7 +10941,7 @@ index 5a07a43..eb5f76e 100644 # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break # older systems -@@ -2195,6 +2832,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` +@@ -2249,6 +2832,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` ######################################## ## @@ -12489,7 +10968,7 @@ index 5a07a43..eb5f76e 100644 ## Do not audit attempts to receive TCP packets from a NetLabel ## connection. ## -@@ -2215,6 +2872,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` +@@ -2269,6 +2872,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` ######################################## ## @@ -12517,7 +10996,7 @@ index 5a07a43..eb5f76e 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2479,6 +3157,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` +@@ -2533,6 +3157,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## # interface(`corenet_all_recvfrom_unlabeled',` @@ -12525,7 +11004,7 @@ index 5a07a43..eb5f76e 100644 kernel_tcp_recvfrom_unlabeled($1) kernel_udp_recvfrom_unlabeled($1) kernel_raw_recvfrom_unlabeled($1) -@@ -2517,7 +3196,31 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2571,7 +3196,31 @@ interface(`corenet_all_recvfrom_netlabel',` ') allow $1 netlabel_peer_t:peer recv; @@ -12558,7 +11037,7 @@ index 5a07a43..eb5f76e 100644 ') ######################################## -@@ -2531,6 +3234,7 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2585,6 +3234,7 @@ interface(`corenet_all_recvfrom_netlabel',` ## # interface(`corenet_dontaudit_all_recvfrom_unlabeled',` 
@@ -12566,7 +11045,7 @@ index 5a07a43..eb5f76e 100644 kernel_dontaudit_tcp_recvfrom_unlabeled($1) kernel_dontaudit_udp_recvfrom_unlabeled($1) kernel_dontaudit_raw_recvfrom_unlabeled($1) -@@ -2559,7 +3263,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` +@@ -2613,7 +3263,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` ') dontaudit $1 netlabel_peer_t:peer recv; @@ -12603,7 +11082,7 @@ index 5a07a43..eb5f76e 100644 ') ######################################## -@@ -2673,6 +3405,7 @@ interface(`corenet_raw_recvfrom_labeled',` +@@ -2727,6 +3405,7 @@ interface(`corenet_raw_recvfrom_labeled',` ## # interface(`corenet_all_recvfrom_labeled',` @@ -12612,7 +11091,7 @@ index 5a07a43..eb5f76e 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 0757523..1bec39a 100644 +index 99b71cb..11ee490 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; @@ -12650,7 +11129,7 @@ index 0757523..1bec39a 100644 type client_packet_t, packet_type, client_packet_type; # -@@ -65,20 +79,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; +@@ -65,22 +79,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) @@ -12664,8 +11143,8 @@ index 0757523..1bec39a 100644 network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) + network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) -network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) -+network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) +network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) +network_port(apertus_ldp, tcp,539,s0, udp,539,s0) 
@@ -12673,12 +11152,12 @@ index 0757523..1bec39a 100644 network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) -+network_port(boinc, tcp,31416,s0) + network_port(boinc, tcp,31416,s0) +network_port(boinc_client_ctrl, tcp,1043,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict network_port(certmaster, tcp,51235,s0) network_port(chronyd, udp,323,s0) -@@ -86,9 +106,11 @@ network_port(clamd, tcp,3310,s0) +@@ -88,6 +106,7 @@ network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) network_port(cobbler, tcp,25151,s0) @@ -12686,11 +11165,7 @@ index 0757523..1bec39a 100644 network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -+network_port(daap, tcp,3689,s0, udp,3689,s0) - network_port(dbskkd, tcp,1178,s0) - network_port(dcc, udp,6276,s0, udp,6277,s0) - network_port(dccm, tcp,5679,s0, udp,5679,s0) -@@ -96,9 +118,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -99,9 +118,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) 
@@ -12705,16 +11180,7 @@ index 0757523..1bec39a 100644 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -112,7 +139,7 @@ network_port(hddtemp, tcp,7634,s0) - network_port(howl, tcp,5335,s0, udp,5353,s0) - network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) - network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port --network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy -+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy - network_port(i18n_input, tcp,9010,s0) - network_port(imaze, tcp,5323,s0, udp,5323,s0) - network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -126,43 +153,59 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +153,25 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) 
@@ -12740,22 +11206,11 @@ index 0757523..1bec39a 100644 network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) +network_port(movaz_ssc, tcp,5252,s0) -+network_port(mpd, tcp,6600,s0) + network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) --network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0) -+network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) - network_port(munin, tcp,4949,s0, udp,4949,s0) --network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63163,s0) -+network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) - network_port(mysqlmanagerd, tcp,2273,s0) - network_port(nessus, tcp,1241,s0) - network_port(netport, tcp,3129,s0, udp,3129,s0) - network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) - network_port(nmbd, udp,137,s0, udp,138,s0) --network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0) -+network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) - network_port(ntp, udp,123,s0) -+network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) + network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) +@@ -158,10 +187,18 @@ network_port(ntp, udp,123,s0) + network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) +network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0) 
@@ -12773,14 +11228,7 @@ index 0757523..1bec39a 100644 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) - network_port(postgresql, tcp,5432,s0) - network_port(postgrey, tcp,60000,s0) - network_port(prelude, tcp,4690,s0, udp,4690,s0) -+network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) - network_port(printer, tcp,515,s0) - network_port(ptal, tcp,5703,s0) - network_port(pulseaudio, tcp,4713,s0) -@@ -177,24 +220,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -183,25 +220,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -12792,9 +11240,8 @@ index 0757523..1bec39a 100644 network_port(sap, tcp,9875,s0, udp,9875,s0) +network_port(sametime, tcp,1533,s0, udp,1533,s0) network_port(sieve, tcp,4190,s0) --network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) -+network_port(sip, tcp,5060-5061,s0, udp,5060-5061,s0) -+network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) + network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) + network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) -network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) 
@@ -12814,12 +11261,8 @@ index 0757523..1bec39a 100644 network_port(syslogd, udp,514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) -@@ -205,20 +253,22 @@ network_port(transproxy, tcp,8081,s0) - network_port(ups, tcp,3493,s0) - type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon - network_port(uucpd, tcp,540,s0) --network_port(varnishd, tcp,6081,s0, tcp,6082,s0) -+network_port(varnishd, tcp,6081-6082,s0) +@@ -215,7 +256,7 @@ network_port(uucpd, tcp,540,s0) + network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) -network_port(vnc, tcp,5900,s0) @@ -12827,12 +11270,7 @@ index 0757523..1bec39a 100644 network_port(wccp, udp,2048,s0) network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) - network_port(xen, tcp,8002,s0) - network_port(xfs, tcp,7100,s0) --network_port(xserver, tcp,6000-6020,s0) -+network_port(xserver, tcp,6000-6150,s0) -+network_port(zarafa, tcp,236,s0, tcp,237,s0) - network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +270,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -12840,7 +11278,7 @@ index 0757523..1bec39a 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -272,9 +322,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +324,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; 
@@ -12849,7 +11287,7 @@ index 0757523..1bec39a 100644 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. --allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind; +-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; +allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind; +allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind; @@ -12884,7 +11322,7 @@ index 6cf8784..5b25039 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..8695196 100644 +index f820f3b..d53edca 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -12973,7 +11411,7 @@ index e9313fb..8695196 100644 ######################################## ## ## Read and write generic files in /dev. -@@ -444,6 +499,42 @@ interface(`dev_getattr_generic_blk_files',` +@@ -462,6 +517,42 @@ interface(`dev_getattr_generic_blk_files',` ######################################## ## @@ -13016,7 +11454,7 @@ index e9313fb..8695196 100644 ## Dontaudit getattr on generic block devices. ## ## -@@ -552,6 +643,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',` +@@ -570,6 +661,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',` ######################################## ## @@ -13041,7 +11479,7 @@ index e9313fb..8695196 100644 ## Dontaudit setattr for generic character device files. ## ## -@@ -628,7 +737,7 @@ interface(`dev_rw_generic_blk_files',` +@@ -646,7 +755,7 @@ interface(`dev_rw_generic_blk_files',` ## ## ## 
@@ -13050,7 +11488,7 @@ index e9313fb..8695196 100644 ## ## # -@@ -715,7 +824,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` +@@ -733,7 +842,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` ######################################## ## @@ -13059,7 +11497,7 @@ index e9313fb..8695196 100644 ## ## ## -@@ -723,17 +832,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` +@@ -741,17 +850,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` ## ## # @@ -13080,7 +11518,7 @@ index e9313fb..8695196 100644 ## ## ## -@@ -741,17 +850,17 @@ interface(`dev_read_generic_symlinks',` +@@ -759,17 +868,17 @@ interface(`dev_read_generic_symlinks',` ## ## # @@ -13101,7 +11539,7 @@ index e9313fb..8695196 100644 ## ## ## -@@ -759,12 +868,12 @@ interface(`dev_create_generic_symlinks',` +@@ -777,12 +886,12 @@ interface(`dev_create_generic_symlinks',` ## ## # @@ -13116,7 +11554,7 @@ index e9313fb..8695196 100644 ') ######################################## -@@ -920,7 +1029,7 @@ interface(`dev_filetrans',` +@@ -938,7 +1047,7 @@ interface(`dev_filetrans',` type device_t; ') @@ -13125,7 +11563,7 @@ index e9313fb..8695196 100644 dev_associate($2) files_associate_tmp($2) -@@ -1006,6 +1115,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` +@@ -1024,6 +1133,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` interface(`dev_getattr_all_chr_files',` gen_require(` attribute device_node; @@ -13133,7 +11571,7 @@ index e9313fb..8695196 100644 ') getattr_chr_files_pattern($1, device_t, device_node) -@@ -1178,6 +1288,42 @@ interface(`dev_create_all_chr_files',` +@@ -1196,6 +1306,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## @@ -13176,7 +11614,7 @@ index e9313fb..8695196 100644 ## Delete all block device files. ## ## -@@ -2663,7 +2809,7 @@ interface(`dev_write_misc',` +@@ -2681,7 +2827,7 @@ interface(`dev_write_misc',` ##
## ## @@ -13185,7 +11623,7 @@ index e9313fb..8695196 100644 ## ## # -@@ -3192,24 +3338,6 @@ interface(`dev_rw_printer',` +@@ -3210,24 +3356,6 @@ interface(`dev_rw_printer',` ######################################## ## @@ -13210,7 +11648,7 @@ index e9313fb..8695196 100644 ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3793,6 +3921,24 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3811,6 +3939,24 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -13235,7 +11673,7 @@ index e9313fb..8695196 100644 ## Search the sysfs directories. ## ## -@@ -3884,25 +4030,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3902,25 +4048,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -13261,7 +11699,7 @@ index e9313fb..8695196 100644 ## Read hardware state information. ## ## -@@ -3954,6 +4081,42 @@ interface(`dev_rw_sysfs',` +@@ -3972,6 +4099,42 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -13304,7 +11742,7 @@ index e9313fb..8695196 100644 ## Read and write the TPM device. ## ## -@@ -4477,6 +4640,24 @@ interface(`dev_rw_vhost',` +@@ -4495,6 +4658,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -13329,32 +11767,7 @@ index e9313fb..8695196 100644 ## Read and write VMWare devices. ## ## -@@ -4514,6 +4695,24 @@ interface(`dev_rwx_vmware',` - - ######################################## - ## -+## Read to watchdog devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_watchdog',` -+ gen_require(` -+ type device_t, watchdog_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, watchdog_device_t) -+') -+ -+######################################## -+## - ## Write to watchdog devices. - ## - ## -@@ -4748,3 +4947,772 @@ interface(`dev_unconfined',` +@@ -4784,3 +4965,772 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -14128,7 +12541,7 @@ index e9313fb..8695196 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 3ff4f60..c028367 100644 +index 08f01e7..95a6de8 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -108,6 +108,7 @@ dev_node(ksm_device_t) @@ -14155,36 +12568,10 @@ index 3ff4f60..c028367 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index aad8c52..53b0624 100644 +index 6a1e4d1..cf3d50b 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if -@@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',` - - ######################################## - ## -+## Dontaudit sending general signals to all domains. -+## -+## -+## -+## Domain to not audit. -+## -+## -+## -+# -+interface(`domain_dontaudit_signal_all_domains',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ dontaudit $1 domain:process signal; -+') -+ -+######################################## -+## - ## Send a null signal to all domains. - ## - ## -@@ -611,7 +630,7 @@ interface(`domain_read_all_domains_state',` +@@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state',` ######################################## ## @@ -14193,12 +12580,7 @@ index aad8c52..53b0624 100644 ## ## ## -@@ -630,11 +649,11 @@ interface(`domain_getattr_all_domains',` - - ######################################## - ## --## Get the attributes of all domains of all domains. -+## Dontaudit geting the attributes of all domains. +@@ -655,7 +655,7 @@ interface(`domain_getattr_all_domains',` ## ## ## 
@@ -14207,57 +12589,7 @@ index aad8c52..53b0624 100644 ## ## # -@@ -886,6 +905,24 @@ interface(`domain_getsched_all_domains',` - - ######################################## - ## -+## Get the capability information of all domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`domain_getcap_all_domains',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ allow $1 domain:process getcap; -+') -+ -+######################################## -+## - ## Get the attributes of all domains - ## sockets, for all socket types. - ## -@@ -1260,6 +1297,24 @@ interface(`domain_exec_all_entry_files',` - - ######################################## - ## -+## dontaudit gettattr on all entry point files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`domain_dontaudit_getattr_all_entry_files',` -+ gen_require(` -+ attribute entry_type; -+ ') -+ -+ dontaudit $1 entry_type:file exec_file_perms; -+') -+ -+######################################## -+## - ## dontaudit checking for execute on all entry point files - ## - ## -@@ -1472,4 +1527,29 @@ interface(`domain_unconfined',` +@@ -1530,4 +1530,29 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -14288,10 +12620,10 @@ index aad8c52..53b0624 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index bc534c1..0ffb0e4 100644 +index fae1ab1..1f0b08f 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te -@@ -4,6 +4,21 @@ policy_module(domain, 1.9.0) +@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) # # Declarations # @@ -14471,7 +12803,7 @@ index bc534c1..0ffb0e4 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; 
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 16108f6..d993f7e 100644 +index c19518a..ba08cfe 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -14508,16 +12840,7 @@ index 16108f6..d993f7e 100644 ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -89,7 +100,7 @@ ifdef(`distro_suse',` - # HOME_ROOT - # expanded by genhomedircon - # --HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) -+HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) - HOME_ROOT/\.journal <> - HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) - HOME_ROOT/lost\+found/.* <> -@@ -101,10 +112,9 @@ HOME_ROOT/lost\+found/.* <> +@@ -102,10 +113,9 @@ HOME_ROOT/lost\+found/.* <> /initrd -d gen_context(system_u:object_r:root_t,s0) # @@ -14529,7 +12852,7 @@ index 16108f6..d993f7e 100644 # # /lost+found -@@ -145,7 +155,7 @@ HOME_ROOT/lost\+found/.* <> +@@ -146,7 +156,7 @@ HOME_ROOT/lost\+found/.* <> /opt -d gen_context(system_u:object_r:usr_t,s0) /opt/.* gen_context(system_u:object_r:usr_t,s0) @@ -14538,7 +12861,7 @@ index 16108f6..d993f7e 100644 # # /proc -@@ -153,6 +163,17 @@ HOME_ROOT/lost\+found/.* <> +@@ -154,6 +164,12 @@ HOME_ROOT/lost\+found/.* <> /proc -d <> /proc/.* <> 
@@ -14548,28 +12871,10 @@ index 16108f6..d993f7e 100644 +/rhev/[^/]*/.* <> +') + -+/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) -+/run/.* gen_context(system_u:object_r:var_run_t,s0) -+/run/.*\.*pid <> -+/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) -+ - # - # /selinux - # -@@ -166,12 +187,6 @@ HOME_ROOT/lost\+found/.* <> - /srv/.* gen_context(system_u:object_r:var_t,s0) - # --# /sys --# --/sys -d <> --/sys/.* <> -- --# - # /tmp + # /run # - /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -@@ -211,7 +226,6 @@ HOME_ROOT/lost\+found/.* <> +@@ -214,7 +230,6 @@ HOME_ROOT/lost\+found/.* <> ifndef(`distro_redhat',` /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) @@ -14577,7 +12882,7 @@ index 16108f6..d993f7e 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -227,23 +241,27 @@ ifndef(`distro_redhat',` +@@ -230,17 +245,20 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) 
@@ -14594,26 +12899,19 @@ index 16108f6..d993f7e 100644 /var/lost\+found/.* <> /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) +-/var/run -l gen_context(system_u:object_r:var_run_t,s0) +/var/run -l gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> - /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) - /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - --/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -+/var/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) - /var/tmp/.* <> - /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) - /var/tmp/lost\+found/.* <> -@@ -252,3 +270,5 @@ ifndef(`distro_redhat',` +@@ -257,3 +275,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..62352ec 100644 +index ff006ea..5ce2d76 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` 
@@ -14629,53 +12927,10 @@ index 958ca84..62352ec 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1410,6 +1408,24 @@ interface(`files_getattr_all_mountpoints',` - - ######################################## - ## -+## Set the attributes of all mount points. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_all_mountpoints',` -+ gen_require(` -+ attribute mountpoint; -+ ') -+ -+ allow $1 mountpoint:dir setattr; -+') -+ -+######################################## -+## - ## Search all mount points. - ## - ## -@@ -1446,6 +1462,60 @@ interface(`files_dontaudit_search_all_mountpoints',` +@@ -1482,6 +1480,42 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## -+## Do not audit listing of all mount points. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_list_all_mountpoints',` -+ gen_require(` -+ attribute mountpoint; -+ ') -+ -+ dontaudit $1 mountpoint:dir list_dir_perms; -+') -+ -+######################################## -+## +## Write all mount points. +## +## @@ -14715,7 +12970,7 @@ index 958ca84..62352ec 100644 ## List the contents of the root directory. ## ## -@@ -1526,7 +1596,7 @@ interface(`files_root_filetrans',` +@@ -1562,7 +1596,7 @@ interface(`files_root_filetrans',` type root_t; ') 
@@ -14724,32 +12979,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -1731,6 +1801,24 @@ interface(`files_list_boot',` - allow $1 boot_t:dir list_dir_perms; - ') - -+####################################### -+## -+## Dontaudit List the /boot directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_list_boot',` -+ gen_require(` -+ type boot_t; -+ ') -+ -+ dontaudit $1 boot_t:dir list_dir_perms; -+') -+ - ######################################## - ## - ## Create directories in /boot -@@ -1794,7 +1882,7 @@ interface(`files_boot_filetrans',` +@@ -1848,7 +1882,7 @@ interface(`files_boot_filetrans',` type boot_t; ') @@ -14758,33 +12988,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -1854,6 +1942,25 @@ interface(`files_relabelfrom_boot_files',` - relabelfrom_files_pattern($1, boot_t, boot_t) - ') - -+###################################### -+## -+## Read symbolic links -+## in the /boot directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_boot_symlinks',` -+ gen_require(` -+ type boot_t; -+ ') -+ -+ read_lnk_files_pattern($1, boot_t, boot_t) -+') -+ - ######################################## - ## - ## Read and write symbolic links -@@ -2300,6 +2407,24 @@ interface(`files_rw_etc_dirs',` +@@ -2372,6 +2406,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -14809,7 +13013,7 @@ index 958ca84..62352ec 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2379,7 +2504,7 @@ interface(`files_read_etc_files',` +@@ -2451,7 +2503,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -14818,7 +13022,7 @@ index 958ca84..62352ec 100644 ## ## # -@@ -2453,6 +2578,24 @@ interface(`files_delete_etc_files',` +@@ -2525,6 +2577,24 @@ interface(`files_delete_etc_files',` ######################################## ## 
@@ -14843,7 +13047,7 @@ index 958ca84..62352ec 100644 ## Execute generic files in /etc. ## ## -@@ -2552,7 +2695,7 @@ interface(`files_etc_filetrans',` +@@ -2624,7 +2694,7 @@ interface(`files_etc_filetrans',` type etc_t; ') @@ -14852,39 +13056,32 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -2583,6 +2726,31 @@ interface(`files_create_boot_flag',` +@@ -2680,24 +2750,6 @@ interface(`files_delete_boot_flag',` ######################################## ## -+## Delete a boot flag. -+## -+## -+##

-+## Delete a boot flag, such as -+## /.autorelabel and /.autofsck. -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_delete_boot_flag',` -+ gen_require(` -+ type root_t, etc_runtime_t; -+ ') -+ -+ delete_files_pattern($1, root_t, etc_runtime_t) -+') -+ -+######################################## -+## +-## Do not audit attempts to set the attributes of the etc_runtime files +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`files_dontaudit_setattr_etc_runtime_files',` +- gen_require(` +- type etc_runtime_t; +- ') +- +- dontaudit $1 etc_runtime_t:file setattr; +-') +- +-######################################## +-## ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2623,6 +2791,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2738,6 +2790,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -14909,7 +13106,7 @@ index 958ca84..62352ec 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -2660,6 +2846,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -2775,6 +2845,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -14917,23 +13114,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -3104,6 +3291,7 @@ interface(`files_getattr_home_dir',` - ') - - allow $1 home_root_t:dir getattr; -+ allow $1 home_root_t:lnk_file getattr; - ') - - ######################################## -@@ -3124,6 +3312,7 @@ interface(`files_dontaudit_getattr_home_dir',` - ') - - dontaudit $1 home_root_t:dir getattr; -+ dontaudit $1 home_root_t:lnk_file getattr; - ') - - ######################################## -@@ -3247,7 +3436,7 @@ interface(`files_home_filetrans',` +@@ -3364,7 +3435,7 @@ interface(`files_home_filetrans',` type home_root_t; ') 
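Review bot: The rebased inner hunk `@@ -2680,24 +2750,6 @@` now deletes upstream's `files_dontaudit_setattr_etc_runtime_files` interface (the `+-interface(`files_dontaudit_setattr_etc_runtime_files',`` … `+- dontaudit $1 etc_runtime_t:file setattr;` lines), whereas the previous version of the patch only inserted `files_delete_boot_flag`, which upstream now carries and is correctly dropped from the patch. Unless the patch re-declares that interface elsewhere (the block appended at the end of files.if is not in view), any module still calling it will fail to build once the patch is applied, and if a second copy does exist the two bodies should be identical so the effective policy does not depend on which definition m4 sees. I would keep upstream's interface here rather than remove it, or add a patch comment naming the replacement definition so the next rebase does not reintroduce it.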
@@ -14942,37 +13123,11 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -3287,6 +3476,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',` - dontaudit $1 lost_found_t:dir getattr; - ') +@@ -3502,20 +3573,38 @@ interface(`files_list_mnt',` -+####################################### -+## -+## List the contents of /tmp/lost-found -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_lost_found_dirs',` -+ gen_require(` -+ type lost_found_t; -+ ') -+ -+ allow $1 lost_found_t:dir list_dir_perms; -+') -+ - ######################################## + ###################################### ## - ## Create, read, write, and delete objects in -@@ -3365,6 +3572,43 @@ interface(`files_list_mnt',` - allow $1 mnt_t:dir list_dir_perms; - ') - -+###################################### -+## +-## Do not audit attempts to list the contents of /mnt. +## dontaudit List the contents of /mnt. +## +## 
@@ -14993,50 +13148,26 @@ index 958ca84..62352ec 100644 +## +## Do not audit attempts to check the +## write access on mnt files -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_dontaudit_list_mnt',` +interface(`files_dontaudit_access_check_mnt',` -+ gen_require(` -+ type mnt_t; -+ ') -+ + gen_require(` + type mnt_t; + ') +- +- dontaudit $1 mnt_t:dir list_dir_perms; + dontaudit $1 mnt_t:file_class_set audit_access; -+') -+ - ######################################## - ## - ## Mount a filesystem on /mnt. -@@ -3438,6 +3682,24 @@ interface(`files_read_mnt_files',` - read_files_pattern($1, mnt_t, mnt_t) ') -+###################################### -+## -+## Read symbolic links in /mnt. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_mnt_symlinks',` -+ gen_require(` -+ type mnt_t; -+ ') -+ -+ read_lnk_files_pattern($1, mnt_t, mnt_t) -+') -+ ######################################## - ## - ## Create, read, write, and delete symbolic links in /mnt. -@@ -3729,6 +3991,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3900,6 +3989,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -15136,7 +13267,7 @@ index 958ca84..62352ec 100644 ######################################## ## ## Allow the specified type to associate -@@ -3774,7 +4129,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -3945,7 +4127,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -15145,7 +13276,7 @@ index 958ca84..62352ec 100644 ## ## # -@@ -3846,7 +4201,7 @@ interface(`files_list_tmp',` +@@ -4017,7 +4199,7 @@ interface(`files_list_tmp',` ## ## ## @@ -15154,7 +13285,7 @@ index 958ca84..62352ec 100644 ## ## # -@@ -3858,6 +4213,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -4029,6 +4211,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') 
@@ -15179,13 +13310,12 @@ index 958ca84..62352ec 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -3914,25 +4287,33 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4085,6 +4285,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## --## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. - ## ++## +## +##

+## Allow shared library text relocations in tmp files. @@ -15194,70 +13324,26 @@ index 958ca84..62352ec 100644 +## This is added to support java policy. +##

+##
- ## - ## - ## Domain allowed access. - ## - ## - # --interface(`files_manage_generic_tmp_files',` -+interface(`files_execmod_tmp',` - gen_require(` -- type tmp_t; -+ attribute tmpfile; - ') - -- manage_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmpfile:file execmod; - ') - - ######################################## - ## --## Read symbolic links in the tmp directory (/tmp). -+## Manage temporary files and directories in /tmp. - ## - ## - ## -@@ -3940,17 +4321,35 @@ interface(`files_manage_generic_tmp_files',` - ## - ## - # --interface(`files_read_generic_tmp_symlinks',` -+interface(`files_manage_generic_tmp_files',` - gen_require(` - type tmp_t; - ') - -- read_lnk_files_pattern($1, tmp_t, tmp_t) -+ manage_files_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## Read and write generic named sockets in the tmp directory (/tmp). -+## Read symbolic links in the tmp directory (/tmp). -+## +## +## +## Domain allowed access. +## +## +# -+interface(`files_read_generic_tmp_symlinks',` ++interface(`files_execmod_tmp',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file execmod; +') + +######################################## +## -+## Read and write generic named sockets in the tmp directory (/tmp). + ## Manage temporary files and directories in /tmp. ## ## - ## -@@ -3968,6 +4367,84 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4139,6 +4365,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## 
@@ -15297,52 +13383,10 @@ index 958ca84..62352ec 100644 + +######################################## +## -+## Relabel all tmp dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabel_all_tmp_dirs',` -+ gen_require(` -+ attribute tmpfile; -+ type var_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) -+') -+ -+######################################## -+## -+## Relabel all tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabel_all_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ type var_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) -+') -+ -+######################################## -+## ## Set the attributes of all tmp directories. ## ## -@@ -4009,7 +4486,7 @@ interface(`files_list_all_tmp',` +@@ -4202,7 +4464,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -15351,7 +13395,7 @@ index 958ca84..62352ec 100644 ## ## # -@@ -4047,7 +4524,7 @@ interface(`files_getattr_all_tmp_files',` +@@ -4262,7 +4524,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -15360,7 +13404,7 @@ index 958ca84..62352ec 100644 ## ## # -@@ -4103,7 +4580,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4580,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -15369,12 +13413,13 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -4127,6 +4604,15 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4604,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) + delete_chr_files_pattern($1, tmpfile, tmpfile) + delete_blk_files_pattern($1, tmpfile, tmpfile) ++ files_list_isid_type_dirs($1) + files_delete_isid_type_dirs($1) + files_delete_isid_type_files($1) + files_delete_isid_type_symlinks($1) 
@@ -15385,7 +13430,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -4466,7 +4952,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +4953,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -15394,32 +13439,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -4736,6 +5222,24 @@ interface(`files_read_var_files',` - - ######################################## - ## -+## Append files in the /var directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_append_var_files',` -+ gen_require(` -+ type var_t; -+ ') -+ -+ append_files_pattern($1, var_t, var_t) -+') -+ -+######################################## -+## - ## Read and write files in the /var directory. - ## - ## -@@ -4851,7 +5355,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5356,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -15428,7 +13448,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -4986,7 +5490,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5491,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -15437,7 +13457,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -5071,6 +5575,25 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5576,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -15463,7 +13483,7 @@ index 958ca84..62352ec 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5084,6 +5607,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5608,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -15472,7 +13492,7 @@ index 958ca84..62352ec 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5103,11 +5628,50 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5629,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') 
@@ -15482,22 +13502,23 @@ index 958ca84..62352ec 100644 ######################################## ## +-## List generic lock directories. +## create a directory in the /var/lock +## directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ##
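Review bot: The rebased inner hunk `@@ -5349,12 +5644,30 @@` turns upstream's `files_list_locks` into `files_create_lock_dirs` (`-interface(`files_list_locks',`` / `+interface(`files_create_lock_dirs',``) and drops its body `- list_dirs_pattern($1, var_t, var_lock_t)`, whereas the earlier patch added `files_create_lock_dirs` and `files_setattr_lock_dirs` as pure insertions after `files_dontaudit_search_locks`. That looks like a rebase artefact rather than an intended removal: unless `files_list_locks` is re-added elsewhere in the patch, every module that calls it stops building, and the new `files_create_lock_dirs` silently inherits its doc position. I would restore the upstream interface and insert the two new ones after it.
```m4
interface(`files_list_locks',`
	gen_require(`
		type var_t, var_lock_t;
	')

	list_dirs_pattern($1, var_t, var_lock_t)
')

# ... unchanged: files_create_lock_dirs and files_setattr_lock_dirs follow ...
```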
+ ## + ## +@@ -5349,12 +5644,30 @@ interface(`files_dontaudit_search_locks',` + ## + ## + # +-interface(`files_list_locks',` +interface(`files_create_lock_dirs',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ + gen_require(` + type var_t, var_lock_t; + ') + files_search_locks($1) -+ allow $1 var_lock_t:dir create_dir_perms; ++ allow $1 var_lock_t:dir create_dir_perms; +') + +######################################## @@ -15514,16 +13535,13 @@ index 958ca84..62352ec 100644 + gen_require(` + type var_lock_t; + ') -+ + +- list_dirs_pattern($1, var_t, var_lock_t) + allow $1 var_lock_t:dir setattr; -+') -+ -+######################################## -+## - ## Add and remove entries in the /var/lock - ## directories. - ## -@@ -5122,6 +5686,7 @@ interface(`files_rw_lock_dirs',` + ') + + ######################################## +@@ -5373,6 +5686,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -15531,7 +13549,15 @@ index 958ca84..62352ec 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5140,7 +5705,7 @@ interface(`files_getattr_generic_locks',` +@@ -5385,7 +5699,6 @@ interface(`files_rw_lock_dirs',` + ## Domain allowed access. + ##
+ ## +-## + # + interface(`files_relabel_all_lock_dirs',` + gen_require(` +@@ -5412,7 +5725,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -15540,7 +13566,7 @@ index 958ca84..62352ec 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5156,12 +5721,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5741,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -15557,7 +13583,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -5180,7 +5745,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5765,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -15566,35 +13592,7 @@ index 958ca84..62352ec 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5207,6 +5772,27 @@ interface(`files_delete_all_locks',` - - ######################################## - ## -+## Relabel all lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabel_all_lock_dirs',` -+ gen_require(` -+ attribute lockfile; -+ type var_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## - ## Read all lock files. - ## - ## -@@ -5221,7 +5807,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5806,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -15603,7 +13601,7 @@ index 958ca84..62352ec 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5243,7 +5829,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5828,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -15612,7 +13610,7 @@ index 958ca84..62352ec 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5275,8 +5861,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +5860,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -15623,11 +13621,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -5332,9 +5918,47 @@ interface(`files_search_pids',` - type var_t, var_run_t; - ') - -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; +@@ -5608,6 +5921,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -15671,7 +13665,7 @@ index 958ca84..62352ec 100644 ######################################## ## ## Do not audit attempts to search -@@ -5463,7 +6087,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6086,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -15680,7 +13674,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -5542,6 +6166,80 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,6 +6165,80 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -15761,7 +13755,7 @@ index 958ca84..62352ec 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6257,44 @@ interface(`files_read_all_pids',` +@@ -5832,6 +6256,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -15806,7 +13800,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -5769,7 +6505,7 @@ interface(`files_spool_filetrans',` +@@ -6042,7 +6504,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
@@ -15815,7 +13809,7 @@ index 958ca84..62352ec 100644 ') ######################################## -@@ -5844,3 +6580,284 @@ interface(`files_unconfined',` +@@ -6117,3 +6579,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -16101,7 +14095,7 @@ index 958ca84..62352ec 100644 + dontaudit $1 file_type:dir_file_class_set write; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 6e01635..207d34a 100644 +index 22821ff..567322b 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -11,6 +11,7 @@ attribute lockfile; @@ -16143,29 +14137,8 @@ index 6e01635..207d34a 100644 # # var_run_t is the type of /var/run, usually -diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index 59bae6a..2e55e71 100644 ---- a/policy/modules/kernel/filesystem.fc -+++ b/policy/modules/kernel/filesystem.fc -@@ -2,5 +2,16 @@ - /dev/shm/.* <> - - /cgroup -d gen_context(system_u:object_r:cgroup_t,s0) -+/cgroup/.* <> - -+/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) -+/lib/udev/devices/hugepages/.* <> -+ -+/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -+/lib/udev/devices/shm/.* <> -+ -+/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) - /sys/fs/cgroup(/.*)? <> -+ -+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) -+/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index dfe361a..7484288 100644 +index 97fcdac..3babb37 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` 
@@ -16306,32 +14279,7 @@ index dfe361a..7484288 100644 dev_search_sysfs($1) ') -@@ -1052,6 +1119,24 @@ interface(`fs_list_noxattr_fs',` - - ######################################## - ## -+## Do not audit Read all noxattrfs directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_list_noxattr_fs',` -+ gen_require(` -+ attribute noxattrfs; -+ ') -+ -+ dontaudit $1 noxattrfs:dir list_dir_perms; -+') -+ -+######################################## -+## - ## Create, read, write, and delete all noxattrfs directories. - ## - ## -@@ -1088,6 +1173,42 @@ interface(`fs_read_noxattr_fs_files',` +@@ -1107,6 +1174,24 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## @@ -16353,28 +14301,10 @@ index dfe361a..7484288 100644 + +######################################## +## -+## Do not audit read all noxattrfs files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_read_noxattr_fs_files',` -+ gen_require(` -+ attribute noxattrfs; -+ ') -+ -+ dontaudit $1 noxattrfs:file read_file_perms; -+') -+ -+######################################## -+## - ## Dont audit attempts to write to noxattrfs files. + ## Do not audit attempts to read all + ## noxattrfs files. ## - ## -@@ -1227,6 +1348,42 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1265,6 +1350,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -16417,7 +14347,7 @@ index dfe361a..7484288 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1241,7 +1398,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1279,7 +1400,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -16426,7 +14356,7 @@ index dfe361a..7484288 100644 ') ######################################## -@@ -1504,6 +1661,25 @@ interface(`fs_cifs_domtrans',` +@@ -1542,6 +1663,25 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') 
@@ -16452,155 +14382,7 @@ index dfe361a..7484288 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1659,6 +1835,25 @@ interface(`fs_search_dos',` - - ######################################## - ## -+## list dirs -+## on a DOS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_list_dos_dirs',` -+ gen_require(` -+ type dosfs_t; -+ ') -+ -+ list_dirs_pattern($1, dosfs_t, dosfs_t) -+') -+ -+######################################## -+## - ## Create, read, write, and delete dirs - ## on a DOS filesystem. - ## -@@ -1774,6 +1969,24 @@ interface(`fs_unmount_fusefs',` - - ######################################## - ## -+## Mounton a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mounton_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir mounton; -+') -+ -+######################################## -+## - ## Search directories - ## on a FUSEFS filesystem. - ## -@@ -1892,6 +2105,26 @@ interface(`fs_manage_fusefs_files',` - - ######################################## - ## -+## Execute files on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_exec_fusefs_files',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir list_dir_perms; -+ exec_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## - ## Do not audit attempts to create, - ## read, write, and delete files - ## on a FUSEFS filesystem. -@@ -1931,7 +2164,26 @@ interface(`fs_read_fusefs_symlinks',` - - ######################################## - ## --## Read and write hugetlbfs files. -+## Get the attributes of an hugetlbfs -+## filesystem; -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`fs_getattr_hugetlbfs',` -+ gen_require(` -+ type hugetlbfs_t; -+ ') -+ -+ allow $1 hugetlbfs_t:filesystem getattr; -+') -+ -+######################################## -+## -+## R/W hugetlbfs files. - ## - ## - ## -@@ -1946,6 +2198,41 @@ interface(`fs_rw_hugetlbfs_files',` - - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) - ') -+######################################## -+## -+## Manage hugetlbfs dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_manage_hugetlbfs_dirs',` -+ gen_require(` -+ type hugetlbfs_t; -+ ') -+ -+ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -+') -+ -+######################################## -+## -+## List hugetlbfs dirs -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_list_hugetlbfs',` -+ gen_require(` -+ type hugetlbfs_t; -+ ') -+ -+ allow $1 hugetlbfs_t:dir list_dir_perms; -+') - - ######################################## - ## -@@ -1999,6 +2286,7 @@ interface(`fs_list_inotifyfs',` +@@ -2148,6 +2288,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -16608,7 +14390,7 @@ index dfe361a..7484288 100644 ') ######################################## -@@ -2331,6 +2619,7 @@ interface(`fs_read_nfs_files',` +@@ -2480,6 +2621,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -16616,7 +14398,7 @@ index dfe361a..7484288 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2369,6 +2658,7 @@ interface(`fs_write_nfs_files',` +@@ -2518,6 +2660,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -16624,7 +14406,7 @@ index dfe361a..7484288 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2395,6 +2685,25 @@ interface(`fs_exec_nfs_files',` +@@ -2544,6 +2687,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## 
@@ -16650,7 +14432,7 @@ index dfe361a..7484288 100644 ## Append files ## on a NFS filesystem. ## -@@ -2435,6 +2744,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2584,6 +2746,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -16693,7 +14475,7 @@ index dfe361a..7484288 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2449,7 +2794,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2598,7 +2796,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -16702,7 +14484,7 @@ index dfe361a..7484288 100644 ') ######################################## -@@ -2587,7 +2932,7 @@ interface(`fs_search_removable',` +@@ -2736,7 +2934,7 @@ interface(`fs_search_removable',` ## ## ## @@ -16711,7 +14493,7 @@ index dfe361a..7484288 100644 ## ## # -@@ -2623,7 +2968,7 @@ interface(`fs_read_removable_files',` +@@ -2772,7 +2970,7 @@ interface(`fs_read_removable_files',` ## ## ## 
@@ -16720,58 +14502,7 @@ index dfe361a..7484288 100644 ## ## # -@@ -2637,6 +2982,24 @@ interface(`fs_dontaudit_read_removable_files',` - - ######################################## - ## -+## Do not audit attempts to write removable storage files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_write_removable_files',` -+ gen_require(` -+ type removable_t; -+ ') -+ -+ dontaudit $1 removable_t:file write_file_perms; -+') -+ -+######################################## -+## - ## Read removable storage symbolic links. - ## - ## -@@ -2653,6 +3016,25 @@ interface(`fs_read_removable_symlinks',` - read_lnk_files_pattern($1, removable_t, removable_t) - ') - -+###################################### -+## -+## Read block nodes on removable filesystems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_read_removable_blk_files',` -+ gen_require(` -+ type removable_t; -+ ') -+ -+ allow $1 removable_t:dir list_dir_perms; -+ read_blk_files_pattern($1, removable_t, removable_t) -+') -+ - ######################################## - ## - ## Read and write block nodes on removable filesystems. -@@ -2779,6 +3161,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2965,6 +3163,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -16779,7 +14510,7 @@ index dfe361a..7484288 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -2819,6 +3202,7 @@ interface(`fs_manage_nfs_files',` +@@ -3005,6 +3204,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -16787,16 +14518,7 @@ index dfe361a..7484288 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -2845,7 +3229,7 @@ interface(`fs_dontaudit_manage_nfs_files',` - ######################################### - ## - ## Create, read, write, and delete symbolic links --## on a CIFS or SMB network filesystem. -+## on a NFS network filesystem. - ## - ## - ## -@@ -2859,6 +3243,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3045,6 +3245,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') 
@@ -16804,7 +14526,7 @@ index dfe361a..7484288 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3772,6 +4157,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3958,6 +4159,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -16847,7 +14569,7 @@ index dfe361a..7484288 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -3989,6 +4410,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4175,6 +4412,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -16872,7 +14594,7 @@ index dfe361a..7484288 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4271,6 +4710,8 @@ interface(`fs_mount_all_fs',` +@@ -4457,6 +4712,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -16881,7 +14603,7 @@ index dfe361a..7484288 100644 ') ######################################## -@@ -4317,7 +4758,7 @@ interface(`fs_unmount_all_fs',` +@@ -4503,7 +4760,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -16890,7 +14612,7 @@ index dfe361a..7484288 100644 ## Example attributes: ##

##
    -@@ -4681,3 +5122,24 @@ interface(`fs_unconfined',` +@@ -4866,3 +5123,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -16916,7 +14638,7 @@ index dfe361a..7484288 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e49c148..4d6bbf4 100644 +index f125dc2..3c6e827 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -52,6 +52,7 @@ type anon_inodefs_t; @@ -16927,7 +14649,7 @@ index e49c148..4d6bbf4 100644 type bdev_t; fs_type(bdev_t) -@@ -67,10 +68,11 @@ fs_type(capifs_t) +@@ -67,7 +68,7 @@ fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) @@ -16936,11 +14658,7 @@ index e49c148..4d6bbf4 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -+dev_associate_sysfs(cgroup_t) - genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) - - type configfs_t; -@@ -100,12 +102,22 @@ type hugetlbfs_t; +@@ -96,6 +97,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); 
@@ -16948,35 +14666,7 @@ index e49c148..4d6bbf4 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) - allow ibmasmfs_t self:filesystem associate; - genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0) - -+# -+# infinibandeventfs fs -+# -+ -+type infinibandeventfs_t; -+fs_type(infinibandeventfs_t) -+allow infinibandeventfs_t self:filesystem associate; -+genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) -+ - type inotifyfs_t; - fs_type(inotifyfs_t) - genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) -@@ -148,6 +160,12 @@ fs_type(squash_t) - genfscon squash / gen_context(system_u:object_r:squash_t,s0) - files_mountpoint(squash_t) - -+type sysv_t; -+fs_noxattr_type(sysv_t) -+files_mountpoint(sysv_t) -+genfscon sysv / gen_context(system_u:object_r:sysv_t,s0) -+genfscon v7 / gen_context(system_u:object_r:sysv_t,s0) -+ - type vmblock_t; - fs_noxattr_type(vmblock_t) - files_mountpoint(vmblock_t) -@@ -168,6 +186,7 @@ fs_type(tmpfs_t) +@@ -175,6 +177,7 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -16984,7 +14674,7 @@ index e49c148..4d6bbf4 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -247,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -254,6 +257,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -16993,7 +14683,7 @@ index e49c148..4d6bbf4 100644 files_mountpoint(removable_t) # -@@ -266,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -273,6 +278,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) 
@@ -17002,63 +14692,10 @@ index e49c148..4d6bbf4 100644 ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 069d36c..4f7bf15 100644 +index 6346378..edbe041 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if -@@ -735,6 +735,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',` - - ######################################## - ## -+## Manage information from the debugging filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_manage_debugfs',` -+ gen_require(` -+ type debugfs_t; -+ ') -+ -+ manage_files_pattern($1, debugfs_t, debugfs_t) -+ read_lnk_files_pattern($1, debugfs_t, debugfs_t) -+ list_dirs_pattern($1, debugfs_t, debugfs_t) -+') -+ -+######################################## -+## - ## Mount a kernel VM filesystem. - ## - ## -@@ -863,6 +883,25 @@ interface(`kernel_dontaudit_write_proc_dirs',` - - ######################################## - ## -+## Do not audit attempts to setattr -+## directories in /proc. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`kernel_dontaudit_setattr_proc_dirs',` -+ gen_require(` -+ type proc_t; -+ ') -+ -+ dontaudit $1 proc_t:dir setattr; -+') -+ -+######################################## -+## - ## Get the attributes of files in /proc. - ## - ## -@@ -2033,7 +2072,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2072,7 +2072,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -17067,7 +14704,7 @@ index 069d36c..4f7bf15 100644 ') ######################################## -@@ -2254,7 +2293,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2293,7 +2293,7 @@ interface(`kernel_read_unlabeled_state',` ##
## ## @@ -17076,7 +14713,7 @@ index 069d36c..4f7bf15 100644 ## ## # -@@ -2436,6 +2475,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2475,6 +2475,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -17101,7 +14738,7 @@ index 069d36c..4f7bf15 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2580,7 +2637,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2619,7 +2637,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -17110,7 +14747,7 @@ index 069d36c..4f7bf15 100644 ') ######################################## -@@ -2618,6 +2675,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2657,6 +2675,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -17135,7 +14772,7 @@ index 069d36c..4f7bf15 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2645,6 +2720,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2684,6 +2720,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -17161,7 +14798,7 @@ index 069d36c..4f7bf15 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2754,6 +2848,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2793,6 +2848,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -17195,7 +14832,7 @@ index 069d36c..4f7bf15 100644 ######################################## ## -@@ -2909,6 +3030,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2948,6 +3030,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## 
@@ -17220,7 +14857,7 @@ index 069d36c..4f7bf15 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2924,3 +3063,23 @@ interface(`kernel_unconfined',` +@@ -2963,3 +3063,23 @@ interface(`kernel_unconfined',` typeattribute $1 kern_unconfined; ') @@ -17245,7 +14882,7 @@ index 069d36c..4f7bf15 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 5001b89..c90e93e 100644 +index d91c62f..30d03e3 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -17257,15 +14894,15 @@ index 5001b89..c90e93e 100644 allow debugfs_t self:filesystem associate; genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) -@@ -156,6 +158,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) - # +@@ -157,6 +159,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; + fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +fs_associate(unlabeled_t) # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -246,6 +249,9 @@ dev_delete_generic_blk_files(kernel_t) +@@ -247,6 +250,9 @@ dev_delete_generic_blk_files(kernel_t) dev_create_generic_chr_files(kernel_t) dev_delete_generic_chr_files(kernel_t) dev_mounton(kernel_t) @@ -17275,7 +14912,7 @@ index 5001b89..c90e93e 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -254,7 +260,8 @@ fs_unmount_all_fs(kernel_t) +@@ -255,7 +261,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) 
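Review bot: The rebased kernel.te hunk still adds `+fs_associate(unlabeled_t)` immediately below a context line that now already reads `fs_associate(unlabeled_t)`, so once policy-F16.patch applies the call appears twice in a row. The policy compiler merges a duplicated allow rule, so nothing breaks, but the hunk no longer changes anything the upstream file lacks and will keep drifting on later rebases; drop the inner `@@ -157,6 +159,7 @@` hunk from the patch rather than carrying it as a no-op. This rebase already removes other hunks upstream absorbed (the filesystem.fc and storage.fc sections), so keeping this one looks like an oversight.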
@@ -17285,7 +14922,7 @@ index 5001b89..c90e93e 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -268,19 +275,40 @@ files_list_root(kernel_t) +@@ -269,19 +276,40 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -17326,7 +14963,7 @@ index 5001b89..c90e93e 100644 optional_policy(` hotplug_search_config(kernel_t) ') -@@ -296,6 +324,19 @@ optional_policy(` +@@ -297,6 +325,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -17346,7 +14983,7 @@ index 5001b89..c90e93e 100644 ') optional_policy(` -@@ -357,6 +398,15 @@ optional_policy(` +@@ -358,6 +399,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -17427,7 +15064,7 @@ index 0e5b661..3168d72 100644 +attribute mcsuntrustedproc; +attribute mcsnetwrite; diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 786449a..23a065c 100644 +index ca7e808..23a065c 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` 
@@ -17546,35 +15183,15 @@ index 786449a..23a065c 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; typeattribute $1 can_load_policy; -@@ -358,6 +388,27 @@ interface(`selinux_load_policy',` +@@ -371,6 +401,7 @@ interface(`selinux_read_policy',` + type security_t; + ') - ######################################## - ## -+## Allow caller to read the policy from the kernel. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`selinux_read_policy',` -+ gen_require(` -+ type security_t; -+ ') -+ + dev_search_sysfs($1) -+ allow $1 security_t:dir list_dir_perms; -+ allow $1 security_t:file read_file_perms; -+ allow $1 security_t:security read_policy; -+') -+ -+######################################## -+## - ## Allow caller to set the state of Booleans to - ## enable or disable conditional portions of the policy. (Deprecated) - ## -@@ -416,6 +467,7 @@ interface(`selinux_set_generic_booleans',` + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; + allow $1 security_t:security read_policy; +@@ -436,6 +467,7 @@ interface(`selinux_set_generic_booleans',` bool secure_mode_policyload; ') @@ -17582,7 +15199,7 @@ index 786449a..23a065c 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; -@@ -458,7 +510,9 @@ interface(`selinux_set_all_booleans',` +@@ -478,7 +510,9 @@ interface(`selinux_set_all_booleans',` bool secure_mode_policyload; ') @@ -17592,7 +15209,7 @@ index 786449a..23a065c 100644 allow $1 boolean_type:file rw_file_perms; if(!secure_mode_policyload) { -@@ -499,6 +553,7 @@ interface(`selinux_set_parameters',` +@@ -519,6 +553,7 @@ interface(`selinux_set_parameters',` attribute can_setsecparam; ') 
@@ -17600,7 +15217,7 @@ index 786449a..23a065c 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security setsecparam; -@@ -522,6 +577,7 @@ interface(`selinux_validate_context',` +@@ -542,6 +577,7 @@ interface(`selinux_validate_context',` type security_t; ') @@ -17608,7 +15225,7 @@ index 786449a..23a065c 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security check_context; -@@ -564,6 +620,7 @@ interface(`selinux_compute_access_vector',` +@@ -584,6 +620,7 @@ interface(`selinux_compute_access_vector',` type security_t; ') @@ -17616,7 +15233,7 @@ index 786449a..23a065c 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_av; -@@ -585,6 +642,7 @@ interface(`selinux_compute_create_context',` +@@ -605,6 +642,7 @@ interface(`selinux_compute_create_context',` type security_t; ') @@ -17624,7 +15241,7 @@ index 786449a..23a065c 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_create; -@@ -606,6 +664,7 @@ interface(`selinux_compute_member',` +@@ -626,6 +664,7 @@ interface(`selinux_compute_member',` type security_t; ') @@ -17632,7 +15249,7 @@ index 786449a..23a065c 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_member; -@@ -635,6 +694,7 @@ interface(`selinux_compute_relabel_context',` +@@ -655,6 +694,7 @@ interface(`selinux_compute_relabel_context',` type security_t; ') @@ -17640,7 +15257,7 @@ index 786449a..23a065c 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_relabel; -@@ -655,6 +715,7 @@ interface(`selinux_compute_user_contexts',` +@@ -675,6 +715,7 @@ interface(`selinux_compute_user_contexts',` type security_t; ') 
@@ -17648,7 +15265,7 @@ index 786449a..23a065c 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_user; -@@ -677,3 +738,24 @@ interface(`selinux_unconfined',` +@@ -697,3 +738,24 @@ interface(`selinux_unconfined',` typeattribute $1 selinux_unconfined_type; ') @@ -17673,27 +15290,8 @@ index 786449a..23a065c 100644 + mls_trusted_object($1) +') + -diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc -index a9b8982..57c4a6a 100644 ---- a/policy/modules/kernel/storage.fc -+++ b/policy/modules/kernel/storage.fc -@@ -12,6 +12,7 @@ - /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -77,3 +78,6 @@ ifdef(`distro_redhat', ` - /dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - - /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0) -+ -+/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 3723150..346dfb1 100644 +index 1700ef2..02ff02d7 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` 
@@ -17705,18 +15303,15 @@ index 3723150..346dfb1 100644 typeattribute $1 fixed_disk_raw_read; ') -@@ -203,7 +205,10 @@ interface(`storage_create_fixed_disk_dev',` - type fixed_disk_device_t; - ') +@@ -205,6 +207,7 @@ interface(`storage_create_fixed_disk_dev',` -+ allow $1 self:capability mknod; -+ + allow $1 self:capability mknod; allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; + allow $1 fixed_disk_device_t:chr_file create_chr_file_perms; dev_add_entry_generic_dirs($1) ') -@@ -807,3 +812,358 @@ interface(`storage_unconfined',` +@@ -808,3 +811,358 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') @@ -18076,18 +15671,10 @@ index 3723150..346dfb1 100644 + dev_filetrans($1, removable_device_t, chr_file, "rio500") +') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc -index 3994e57..a1923fe 100644 +index 7d45d15..6727eb7 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc -@@ -6,6 +6,7 @@ - /dev/console -c gen_context(system_u:object_r:console_device_t,s0) - /dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0) - /dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) -+/dev/hpilo/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) - /dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0) - /dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0) - /dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) -@@ -18,6 +19,7 @@ +@@ -19,6 +19,7 @@ /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) 
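Review bot: The retained `+ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;` widens storage_create_fixed_disk_dev to character nodes, while the existing `create_blk_file_perms` rule next to it covers block nodes only; the interface's summary is outside this hunk. If that summary still speaks only of block devices, update it, e.g. `## Create block and character device nodes labeled fixed_disk_device_t.`, so callers are not surprised that the interface also lets them mknod character devices with that label. Dropping the patch's own `allow $1 self:capability mknod;` line is correct, since it is now upstream context.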
@@ -18095,14 +15682,14 @@ index 3994e57..a1923fe 100644 /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) -@@ -40,3 +42,5 @@ ifdef(`distro_gentoo',` +@@ -41,3 +42,5 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) ') + +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index f3acfee..590c2c0 100644 +index 01dd2f1..8a67d21 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -208,6 +208,27 @@ interface(`term_use_all_terms',` @@ -18155,15 +15742,6 @@ index f3acfee..590c2c0 100644 ') ######################################## -@@ -341,7 +364,7 @@ interface(`term_relabel_console',` - ') - - dev_list_all_dev_nodes($1) -- allow $1 console_device_t:chr_file { relabelfrom relabelto }; -+ allow $1 console_device_t:chr_file relabel_chr_file_perms; - ') - - ######################################## @@ -462,6 +485,24 @@ interface(`term_list_ptys',` ######################################## 
@@ -18197,33 +15775,7 @@ index f3acfee..590c2c0 100644 dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') -@@ -658,6 +700,25 @@ interface(`term_use_controlling_term',` - allow $1 devtty_t:chr_file { rw_term_perms lock append }; - ') - -+####################################### -+## -+## Allow attempts to get attributes -+## on the pty multiplexor (/dev/ptmx). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`term_getattr_ptmx',` -+ gen_require(` -+ type ptmx_t; -+ ') -+ -+ allow $1 ptmx_t:chr_file getattr; -+') -+ - ######################################## - ## - ## Do not audit attempts to get attributes -@@ -842,6 +903,26 @@ interface(`term_use_all_ptys',` +@@ -860,6 +902,26 @@ interface(`term_use_all_ptys',` ######################################## ## @@ -18250,7 +15802,7 @@ index f3acfee..590c2c0 100644 ## Do not audit attempts to read or write any ptys. ## ## -@@ -855,7 +936,7 @@ interface(`term_dontaudit_use_all_ptys',` +@@ -873,7 +935,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') @@ -18259,7 +15811,7 @@ index f3acfee..590c2c0 100644 ') ######################################## -@@ -903,7 +984,7 @@ interface(`term_getattr_all_user_ptys',` +@@ -921,7 +983,7 @@ interface(`term_getattr_all_user_ptys',` ## ## ## @@ -18268,16 +15820,7 @@ index f3acfee..590c2c0 100644 ## ## # -@@ -1123,7 +1204,7 @@ interface(`term_relabel_unallocated_ttys',` - ') - - dev_list_all_dev_nodes($1) -- allow $1 tty_device_t:chr_file { relabelfrom relabelto }; -+ allow $1 tty_device_t:chr_file relabel_chr_file_perms; - ') - - ######################################## -@@ -1222,7 +1303,8 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1240,7 +1302,8 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') 
@@ -18287,7 +15830,7 @@ index f3acfee..590c2c0 100644 ') ######################################## -@@ -1238,11 +1320,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1256,11 +1319,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -18301,7 +15844,7 @@ index f3acfee..590c2c0 100644 ') ######################################## -@@ -1259,10 +1343,12 @@ interface(`term_getattr_all_ttys',` +@@ -1277,10 +1342,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -18314,16 +15857,7 @@ index f3acfee..590c2c0 100644 ') ######################################## -@@ -1301,7 +1387,7 @@ interface(`term_relabel_all_ttys',` - ') - - dev_list_all_dev_nodes($1) -- allow $1 ttynode:chr_file { relabelfrom relabelto }; -+ allow $1 ttynode:chr_file relabel_chr_file_perms; - ') - - ######################################## -@@ -1340,7 +1426,27 @@ interface(`term_use_all_ttys',` +@@ -1358,7 +1425,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -18352,7 +15886,7 @@ index f3acfee..590c2c0 100644 ') ######################################## -@@ -1359,7 +1465,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1377,7 +1464,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -18361,7 +15895,7 @@ index f3acfee..590c2c0 100644 ') ######################################## -@@ -1467,7 +1573,7 @@ interface(`term_use_all_user_ttys',` +@@ -1485,7 +1572,7 @@ interface(`term_use_all_user_ttys',` ## ## ## @@ -18370,7 +15904,7 @@ index f3acfee..590c2c0 100644 ## ## # -@@ -1475,3 +1581,393 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1493,3 +1580,393 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') 
@@ -18700,7 +16234,7 @@ index f3acfee..590c2c0 100644 + dev_filetrans($1, tty_device_t, chr_file, "isdn7") + dev_filetrans($1, tty_device_t, chr_file, "isdn8") + dev_filetrans($1, tty_device_t, chr_file, "isdn9") -+ #filetrans_pattern($1, devpts_t, chr_file, "ptmx") ++ filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx") + dev_filetrans($1, ptmx_t, chr_file, "ptmx") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm0") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm1") @@ -18765,7 +16299,7 @@ index f3acfee..590c2c0 100644 + dev_filetrans($1, tty_device_t, chr_file, "xvc9") +') diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te -index 361692e..0f09fb5 100644 +index 2241b7d..b0ab494 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -29,6 +29,7 @@ files_mountpoint(devpts_t) @@ -19141,7 +16675,7 @@ index 2be17d2..1a6d9d1 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 4a8d146..15fbd76 100644 +index e14b961..bd304b2 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,55 @@ ifndef(`enable_mls',` @@ -19276,14 +16810,14 @@ index 4a8d146..15fbd76 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) -+') -+ -+optional_policy(` -+ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) ++ kudzu_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -19351,7 +16885,7 @@ index 4a8d146..15fbd76 100644 ') optional_policy(` -- raid_domtrans_mdadm(sysadm_t) +- raid_run_mdadm(sysadm_r, sysadm_t) + quota_run(sysadm_t, sysadm_r) ') 
@@ -19497,14 +17031,14 @@ index 4a8d146..15fbd76 100644 optional_policy(` - irc_role(sysadm_r, sysadm_t) + java_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ lockdev_role(sysadm_r, sysadm_t) ') optional_policy(` - java_role(sysadm_r, sysadm_t) -+ lockdev_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` + mozilla_role(sysadm_r, sysadm_t) + ') + @@ -19518,8 +17052,9 @@ index 4a8d146..15fbd76 100644 + + optional_policy(` + razor_role(sysadm_r, sysadm_t) -+ ') -+ + ') +-') + + optional_policy(` + rssh_role(sysadm_r, sysadm_t) + ') @@ -19550,9 +17085,8 @@ index 4a8d146..15fbd76 100644 + + optional_policy(` + wireshark_role(sysadm_r, sysadm_t) - ') --') - ++ ') ++ + optional_policy(` + xserver_role(sysadm_r, sysadm_t) + ') 
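Review bot: The new `filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx")` (replacing the commented-out four-argument form, which had the wrong arity) does more than add a type_transition: if I recall the refpolicy macro correctly, `filetrans_pattern` also grants `$1` rw_dir_perms on the directory type, so every caller of this interface gains write/add_name/remove_name on devpts_t, i.e. on /dev/pts, which the `dev_filetrans` call on the next line does not imply. That is acceptable for a udev/init-style device-populating domain but not for an arbitrary caller, so the widening deserves a comment on that line, e.g. `# also grants rw_dir_perms on devpts_t; restrict callers to device-populating domains`. The enclosing interface starts outside this hunk (in the 393 added lines not shown), so I could not check its summary or who calls it. The sysadm.te portion of the hunk only reorders the kudzu/lockdev/ldconfig optional_policy blocks and raises no point.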
@@ -21753,221 +19287,22 @@ index a496fde..847609a 100644 ######################################## # # AFS bossserver local policy -diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc -new file mode 100644 -index 0000000..069518f ---- /dev/null -+++ b/policy/modules/services/aiccu.fc -@@ -0,0 +1,6 @@ -+/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0) -+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) -+ -+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) -+ -+/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) -diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if -new file mode 100644 -index 0000000..6bf0ad6 ---- /dev/null -+++ b/policy/modules/services/aiccu.if -@@ -0,0 +1,116 @@ -+## Automatic IPv6 Connectivity Client Utility. -+ -+######################################## -+## -+## Execute a domain transition to run aiccu. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`aiccu_domtrans',` -+ gen_require(` -+ type aiccu_t, aiccu_exec_t; -+ ') -+ -+ domtrans_pattern($1, aiccu_exec_t, aiccu_t) -+ corecmd_search_bin($1) -+') -+ -+######################################## -+## -+## Execute aiccu server in the aiccu domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`aiccu_initrc_domtrans',` -+ gen_require(` -+ type aiccu_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, aiccu_initrc_exec_t) -+') -+ -+######################################## -+## -+## Read aiccu PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`aiccu_read_pid_files',` -+ gen_require(` -+ type aiccu_var_run_t; -+ ') -+ -+ allow $1 aiccu_var_run_t:file read_file_perms; -+ files_search_pids($1) -+') -+ -+######################################## -+## -+## Manage aiccu PID files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`aiccu_manage_var_run',` -+ gen_require(` -+ type aiccu_var_run_t; -+ ') -+ -+ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t) -+ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) -+ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) -+ files_search_pids($1) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an aiccu environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`aiccu_admin',` -+ gen_require(` -+ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t; -+ type aiccu_var_run_t; -+ ') -+ -+ allow $1 aiccu_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, aiccu_t) -+ -+ aiccu_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 aiccu_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ admin_pattern($1, aiccu_etc_t) -+ files_list_etc($1) -+ -+ admin_pattern($1, aiccu_var_run_t) -+ files_list_pids($1) -+') diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te -new file mode 100644 -index 0000000..dda9c93 ---- /dev/null +index 6d685ba..4114d9b 100644 +--- a/policy/modules/services/aiccu.te 
+++ b/policy/modules/services/aiccu.te -@@ -0,0 +1,75 @@ -+policy_module(aiccu, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type aiccu_t; -+type aiccu_exec_t; -+init_daemon_domain(aiccu_t, aiccu_exec_t) -+ -+type aiccu_initrc_exec_t; -+init_script_file(aiccu_initrc_exec_t) -+ -+type aiccu_etc_t; -+files_config_file(aiccu_etc_t) -+ -+type aiccu_var_run_t; -+files_pid_file(aiccu_var_run_t) -+ -+######################################## -+# -+# aiccu local policy -+# -+ -+allow aiccu_t self:capability { kill net_admin net_raw }; -+dontaudit aiccu_t self:capability sys_tty_config; -+allow aiccu_t self:process signal; -+allow aiccu_t self:fifo_file rw_fifo_file_perms; -+allow aiccu_t self:netlink_route_socket create_netlink_socket_perms; -+allow aiccu_t self:tcp_socket create_stream_socket_perms; -+allow aiccu_t self:tun_socket create_socket_perms; -+allow aiccu_t self:udp_socket create_stream_socket_perms; -+allow aiccu_t self:unix_stream_socket create_stream_socket_perms; -+ -+allow aiccu_t aiccu_etc_t:file read_file_perms; -+ -+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) -+ -+kernel_read_system_state(aiccu_t) -+ -+corecmd_exec_shell(aiccu_t) -+ -+corenet_all_recvfrom_netlabel(aiccu_t) -+corenet_all_recvfrom_unlabeled(aiccu_t) +@@ -45,9 +45,11 @@ corecmd_exec_shell(aiccu_t) + + corenet_all_recvfrom_netlabel(aiccu_t) + corenet_all_recvfrom_unlabeled(aiccu_t) +corenet_tcp_bind_generic_node(aiccu_t) -+corenet_tcp_sendrecv_generic_if(aiccu_t) -+corenet_tcp_sendrecv_generic_node(aiccu_t) -+corenet_tcp_sendrecv_generic_port(aiccu_t) + corenet_tcp_sendrecv_generic_if(aiccu_t) + corenet_tcp_sendrecv_generic_node(aiccu_t) + corenet_tcp_sendrecv_generic_port(aiccu_t) +corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) -+corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) 
-+corenet_tcp_connect_sixxsconfig_port(aiccu_t) -+corenet_rw_tun_tap_dev(aiccu_t) -+ -+domain_use_interactive_fds(aiccu_t) -+ -+dev_read_rand(aiccu_t) -+dev_read_urand(aiccu_t) -+ -+files_read_etc_files(aiccu_t) -+ -+logging_send_syslog_msg(aiccu_t) -+ -+miscfiles_read_localization(aiccu_t) -+ -+optional_policy(` -+ modutils_domtrans_insmod(aiccu_t) -+') -+ -+optional_policy(` -+ sysnet_domtrans_ifconfig(aiccu_t) -+ sysnet_dns_name_resolve(aiccu_t) -+') + corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) + corenet_tcp_bind_generic_node(aiccu_t) + corenet_tcp_connect_sixxsconfig_port(aiccu_t) diff --git a/policy/modules/services/aide.fc b/policy/modules/services/aide.fc index 7798464..ff76db7 100644 --- a/policy/modules/services/aide.fc @@ -22034,27 +19369,10 @@ index 0370dba..af5d229 100644 # interface(`aisexec_domtrans',` diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te -index 97c9cae..568e37d 100644 +index 64953f7..99a750b 100644 --- a/policy/modules/services/aisexec.te +++ b/policy/modules/services/aisexec.te -@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t) - # aisexec local policy - # - --allow aisexec_t self:capability { sys_nice sys_resource ipc_lock }; -+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner }; - allow aisexec_t self:process { setrlimit setsched signal }; - allow aisexec_t self:fifo_file rw_fifo_file_perms; - allow aisexec_t self:sem create_sem_perms; -@@ -81,11 +81,18 @@ logging_send_syslog_msg(aisexec_t) - - miscfiles_read_localization(aisexec_t) - -+userdom_rw_semaphores(aisexec_t) -+userdom_rw_unpriv_user_shared_mem(aisexec_t) -+ - optional_policy(` - ccs_stream_connect(aisexec_t) +@@ -89,6 +89,10 @@ optional_policy(` ') optional_policy(` 
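Review bot: The added `corenet_tcp_bind_generic_node(aiccu_t)` duplicates the `corenet_tcp_bind_generic_node(aiccu_t)` that is already present as a context line three lines below it in the same hunk, so the patch now carries the rule twice; drop the added line and keep only `corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)`, which correctly pairs with the existing `corenet_tcp_connect_sixxsconfig_port(aiccu_t)`. If a local bind really is required for the tunnel setup, a matching port-bind interface would normally accompany the node bind, but nothing in the hunk shows that need, so I would not add one speculatively.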
@@ -22252,59 +19570,11 @@ index d96fdfa..e07158f 100644 ifdef(`distro_debian',` /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) -diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if -index ceb2142..e31d92a 100644 ---- a/policy/modules/services/amavis.if -+++ b/policy/modules/services/amavis.if -@@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',` - type amavis_var_run_t; - ') - -- allow $1 amavis_var_run_t:file setattr; -+ allow $1 amavis_var_run_t:file setattr_file_perms; - files_search_pids($1) - ') - diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index c3a1903..19fb14a 100644 +index deca9d3..841fa8f 100644 --- a/policy/modules/services/amavis.te 
+++ b/policy/modules/services/amavis.te -@@ -47,7 +47,7 @@ files_type(amavis_spool_t) - - allow amavis_t self:capability { kill chown dac_override setgid setuid }; - dontaudit amavis_t self:capability sys_tty_config; --allow amavis_t self:process { signal sigchld signull }; -+allow amavis_t self:process { signal sigchld sigkill signull }; - allow amavis_t self:fifo_file rw_fifo_file_perms; - allow amavis_t self:unix_stream_socket create_stream_socket_perms; - allow amavis_t self:unix_dgram_socket create_socket_perms; -@@ -76,7 +76,7 @@ files_search_spool(amavis_t) - - # tmp files - manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) --allow amavis_t amavis_tmp_t:dir setattr; -+allow amavis_t amavis_tmp_t:dir setattr_dir_perms; - files_tmp_filetrans(amavis_t, amavis_tmp_t, file) - - # var/lib files for amavis -@@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) - files_search_var_lib(amavis_t) - - # log files --allow amavis_t amavis_var_log_t:dir setattr; -+allow amavis_t amavis_var_log_t:dir setattr_dir_perms; - manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) - manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) - logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir }) -@@ -105,6 +105,7 @@ kernel_dontaudit_read_system_state(amavis_t) - - # find perl - corecmd_exec_bin(amavis_t) -+corecmd_exec_shell(amavis_t) - - corenet_all_recvfrom_unlabeled(amavis_t) - corenet_all_recvfrom_netlabel(amavis_t) -@@ -152,24 +153,32 @@ sysnet_use_ldap(amavis_t) +@@ -153,24 +153,28 @@ sysnet_use_ldap(amavis_t) userdom_dontaudit_search_user_home_dirs(amavis_t) @@ -22337,11 +19607,7 @@ index c3a1903..19fb14a 100644 +') + +optional_policy(` -+ nslcd_stream_connect(amavis_t) -+') -+ -+optional_policy(` - postfix_read_config(amavis_t) + nslcd_stream_connect(amavis_t) ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc 
@@ -25189,164 +22455,63 @@ index 0000000..1442451 + java_exec(boinc_project_t) +') diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc -new file mode 100644 -index 0000000..18f37e2 ---- /dev/null +index 8c84063..c8bfb68 100644 +--- a/policy/modules/services/bugzilla.fc +++ b/policy/modules/services/bugzilla.fc -@@ -0,0 +1,4 @@ +@@ -1,3 +1,4 @@ + -+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) -+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) -+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) + /usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) + /usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) + diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if -new file mode 100644 -index 0000000..d1fd21d ---- /dev/null +index de89d0f..0deec20 100644 +--- a/policy/modules/services/bugzilla.if 
+++ b/policy/modules/services/bugzilla.if -@@ -0,0 +1,80 @@ -+## Bugzilla server -+ -+######################################## -+## -+## Allow the specified domain to search -+## bugzilla directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`bugzilla_search_dirs',` -+ gen_require(` -+ type httpd_bugzilla_content_t; -+ ') -+ -+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read and write -+## bugzilla script unix domain stream sockets. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`bugzilla_dontaudit_rw_script_stream_sockets',` -+ gen_require(` -+ type httpd_bugzilla_script_t; -+ ') -+ -+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an bugzilla environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the bugzilla domain. 
-+## -+## -+## -+# -+interface(`bugzilla_admin',` -+ gen_require(` -+ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; -+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t; -+ type httpd_bugzilla_htaccess_t; -+ ') -+ -+ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, httpd_bugzilla_script_t) -+ +@@ -58,13 +58,16 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` + interface(`bugzilla_admin',` + gen_require(` + type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; +- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; +- type httpd_bugzilla_htaccess_t; +- ') ++ type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; ++ type httpd_bugzilla_htaccess_t; ++ ') + + allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; + ps_process_pattern($1, httpd_bugzilla_script_t) + + files_list_tmp($1) + admin_pattern($1, httpd_bugzilla_tmp_t) + -+ files_list_var_lib(httpd_bugzilla_script_t) -+ -+ apache_list_sys_content($1) -+ admin_pattern($1, httpd_bugzilla_script_exec_t) -+ admin_pattern($1, httpd_bugzilla_script_t) -+ admin_pattern($1, httpd_bugzilla_content_t) -+ admin_pattern($1, httpd_bugzilla_htaccess_t) -+ admin_pattern($1, httpd_bugzilla_rw_content_t) -+ admin_pattern($1, httpd_bugzilla_ra_content_t) -+') + files_list_var_lib(httpd_bugzilla_script_t) + + apache_list_sys_content($1) diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te -new file mode 100644 -index 0000000..5fa8122 ---- /dev/null +index 048abbf..7368f57 100644 +--- a/policy/modules/services/bugzilla.te 
+++ b/policy/modules/services/bugzilla.te -@@ -0,0 +1,57 @@ -+policy_module(bugzilla, 1.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+apache_content_template(bugzilla) -+ +@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.0) + + apache_content_template(bugzilla) + +type httpd_bugzilla_tmp_t; +files_tmp_file(httpd_bugzilla_tmp_t) + -+######################################## -+# -+# bugzilla local policy -+# -+ -+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; -+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; -+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; -+ -+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) -+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) -+corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) -+corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t) -+corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) -+corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t) -+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) -+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) -+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) -+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t) -+corenet_tcp_connect_http_port(httpd_bugzilla_script_t) -+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) -+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) -+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) -+ + ######################################## + # + # bugzilla local policy +@@ -31,6 +34,10 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) + corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) + corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) + +manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) +manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) 
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) + -+files_search_var_lib(httpd_bugzilla_script_t) -+ -+sysnet_read_config(httpd_bugzilla_script_t) -+sysnet_use_ldap(httpd_bugzilla_script_t) -+ -+optional_policy(` -+ mta_send_mail(httpd_bugzilla_script_t) -+') -+ -+optional_policy(` -+ mysql_search_db(httpd_bugzilla_script_t) -+ mysql_stream_connect(httpd_bugzilla_script_t) -+') -+ -+optional_policy(` -+ postgresql_stream_connect(httpd_bugzilla_script_t) -+') + files_search_var_lib(httpd_bugzilla_script_t) + + sysnet_read_config(httpd_bugzilla_script_t) diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc new file mode 100644 index 0000000..24d9837 @@ -26312,18 +23477,8 @@ index c3e3f79..3e78d4e 100644 pcscd_stream_connect(certmonger_t) ') + -diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc -index 420c9d3..b6bb46c 100644 ---- a/policy/modules/services/cgroup.fc -+++ b/policy/modules/services/cgroup.fc -@@ -11,4 +11,5 @@ - /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) - /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) - -+/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0) - /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if -index d020c93..e5cbcef 100644 +index 33facaf..e5cbcef 100644 --- a/policy/modules/services/cgroup.if +++ b/policy/modules/services/cgroup.if @@ -6,9 +6,9 @@ @@ -26362,33 +23517,11 @@ index d020c93..e5cbcef 100644 ## # interface(`cgroup_domtrans_cgred',` -@@ -182,10 +182,10 @@ interface(`cgroup_admin',` - - admin_pattern($1, cgconfig_etc_t) - admin_pattern($1, cgrules_etc_t) -- files_search_etc($1) -+ files_list_etc($1) - - admin_pattern($1, cgred_var_run_t) -- files_search_pids($1) -+ files_list_pids($1) - - cgroup_initrc_domtrans_cgconfig($1) - domain_system_change_exemption($1) 
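Review bot: `admin_pattern($1, httpd_bugzilla_tmp_t)` is added to `bugzilla_admin`, but the `gen_require` block rewritten in the same hunk still lists only `httpd_bugzilla_script_t`, `httpd_bugzilla_content_t`, `httpd_bugzilla_ra_content_t`, `httpd_bugzilla_rw_content_t`, `httpd_bugzilla_script_exec_t` and `httpd_bugzilla_htaccess_t`; the `--`/`++` lines look identical in this collapsed view, so the change there is presumably whitespace only, and the new type is never required, which breaks a modular build of any policy calling this interface. Change the last require line to `type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;`. Adjacent but not new: the context line `files_list_var_lib(httpd_bugzilla_script_t)` inside an admin interface looks like it was meant to take `$1`, which is worth confirming while this interface is being touched.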
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te -index 8ca2333..93c7789 100644 +index dad226c..7617c53 100644 --- a/policy/modules/services/cgroup.te +++ b/policy/modules/services/cgroup.te -@@ -16,14 +16,17 @@ init_daemon_domain(cgred_t, cgred_exec_t) - type cgred_initrc_exec_t; - init_script_file(cgred_initrc_exec_t) - -+type cgred_log_t; -+logging_log_file(cgred_log_t) -+ - type cgred_var_run_t; - files_pid_file(cgred_var_run_t) - +@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) type cgrules_etc_t; files_config_file(cgrules_etc_t) 
@@ -26399,40 +23532,15 @@ index 8ca2333..93c7789 100644 init_daemon_domain(cgconfig_t, cgconfig_exec_t) type cgconfig_initrc_exec_t; -@@ -36,8 +39,7 @@ files_config_file(cgconfig_etc_t) +@@ -39,7 +39,6 @@ files_config_file(cgconfig_etc_t) # # cgclear personal policy. # - --allow cgclear_t self:capability sys_admin; -+allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; + allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; kernel_read_system_state(cgclear_t) - -@@ -52,7 +54,7 @@ fs_unmount_cgroup(cgclear_t) - # cgconfig personal policy. - # - --allow cgconfig_t self:capability { chown sys_admin }; -+allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config }; - - allow cgconfig_t cgconfig_etc_t:file read_file_perms; - -@@ -67,18 +69,22 @@ fs_manage_cgroup_dirs(cgconfig_t) - fs_manage_cgroup_files(cgconfig_t) - fs_mount_cgroup(cgconfig_t) - fs_mounton_cgroup(cgconfig_t) -+fs_unmount_cgroup(cgconfig_t) - - ######################################## - # - # cgred personal policy. - # - --allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override }; -+allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; - allow cgred_t self:netlink_socket { write bind create read }; - allow cgred_t self:unix_dgram_socket { write create connect }; +@@ -86,6 +85,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file) allow cgred_t cgrules_etc_t:file read_file_perms; @@ -26442,7 +23550,7 @@ index 8ca2333..93c7789 100644 # rc script creates pid file manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -@@ -97,6 +103,8 @@ files_read_etc_files(cgred_t) +@@ -104,6 +106,8 @@ files_read_etc_files(cgred_t) fs_write_cgroup_files(cgred_t) @@ -26942,200 +24050,31 @@ index 6077339..d10acd2 100644 dev_read_lvm_control(clogd_t) dev_manage_generic_blk_files(clogd_t) 
diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc -new file mode 100644 -index 0000000..e500fa5 ---- /dev/null +index 049e2b6..e500fa5 100644 +--- a/policy/modules/services/cmirrord.fc +++ b/policy/modules/services/cmirrord.fc -@@ -0,0 +1,6 @@ -+ -+/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0) -+ -+/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) +@@ -1,3 +1,4 @@ + -+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) + /etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0) + + /usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if -new file mode 100644 -index 0000000..756ac91 ---- /dev/null +index f8463c0..bed51fb 100644 +--- a/policy/modules/services/cmirrord.if 
+++ b/policy/modules/services/cmirrord.if -@@ -0,0 +1,113 @@ -+## policy for cmirrord -+ -+######################################## -+## -+## Execute a domain transition to run cmirrord. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`cmirrord_domtrans',` -+ gen_require(` -+ type cmirrord_t, cmirrord_exec_t; -+ ') -+ -+ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t) -+') -+ -+######################################## -+## -+## Execute cmirrord server in the cmirrord domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cmirrord_initrc_domtrans',` -+ gen_require(` -+ type cmirrord_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t) -+') -+ -+######################################## -+## -+## Read cmirrord PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cmirrord_read_pid_files',` -+ gen_require(` -+ type cmirrord_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 cmirrord_var_run_t:file read_file_perms; -+') -+ -+####################################### -+## -+## Read and write to cmirrord shared memory. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`cmirrord_rw_shm',` -+ gen_require(` -+ type cmirrord_t, cmirrord_tmpfs_t; -+ ') -+ +@@ -70,10 +70,11 @@ interface(`cmirrord_rw_shm',` + type cmirrord_t, cmirrord_tmpfs_t; + ') + +- allow $1 cmirrord_t:shm rw_shm_perms; + allow $1 cmirrord_t:shm { rw_shm_perms destroy }; -+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + + allow $1 cmirrord_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -+ fs_search_tmpfs($1) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an cmirrord environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`cmirrord_admin',` -+ gen_require(` -+ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; -+ ') -+ -+ allow $1 cmirrord_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, cmirrord_t) -+ -+ cmirrord_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 cmirrord_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_pids($1) -+ admin_pattern($1, cmirrord_var_run_t) -+') -diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te -new file mode 100644 -index 0000000..28fdd8a ---- /dev/null -+++ b/policy/modules/services/cmirrord.te -@@ -0,0 +1,58 @@ -+policy_module(cmirrord, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type cmirrord_t; -+type cmirrord_exec_t; -+init_daemon_domain(cmirrord_t, cmirrord_exec_t) -+ -+type cmirrord_initrc_exec_t; -+init_script_file(cmirrord_initrc_exec_t) -+ -+type cmirrord_tmpfs_t; -+files_tmpfs_file(cmirrord_tmpfs_t) -+ -+type cmirrord_var_run_t; -+files_pid_file(cmirrord_var_run_t) -+ 
-+######################################## -+# -+# cmirrord local policy -+# -+ -+allow cmirrord_t self:capability { net_admin kill }; -+dontaudit cmirrord_t self:capability sys_tty_config; -+allow cmirrord_t self:process { setfscreate signal}; -+allow cmirrord_t self:fifo_file rw_fifo_file_perms; -+allow cmirrord_t self:sem create_sem_perms; -+allow cmirrord_t self:shm create_shm_perms; -+allow cmirrord_t self:netlink_socket create_socket_perms; -+allow cmirrord_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -+manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -+fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file }) -+ -+manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) -+manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) -+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) -+ -+domain_use_interactive_fds(cmirrord_t) -+domain_obj_id_change_exemption(cmirrord_t) -+ -+files_read_etc_files(cmirrord_t) -+ -+storage_create_fixed_disk_dev(cmirrord_t) -+ -+seutil_read_file_contexts(cmirrord_t) -+ -+logging_send_syslog_msg(cmirrord_t) -+ -+miscfiles_read_localization(cmirrord_t) -+ -+optional_policy(` -+ corosync_stream_connect(cmirrord_t) -+') + read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + fs_search_tmpfs($1) + ') diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc index 1cf6c4e..e4bac67 100644 --- a/policy/modules/services/cobbler.fc @@ -27180,7 +24119,7 @@ index 1cf6c4e..e4bac67 100644 -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if -index 293e08d..82306eb 100644 +index 116d60f..82306eb 100644 --- a/policy/modules/services/cobbler.if +++ b/policy/modules/services/cobbler.if 
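Review bot: `cmirrord_rw_shm` now grants `destroy` on the cmirrord_t shm segment and `delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)`, which goes beyond the read/write contract the interface name advertises: a caller can tear down the daemon's shared memory and remove its tmpfs backing files, not just use them. Either rename/split this into a manage-style interface or at least update the interface summary (which starts outside this hunk and presumably still reads "Read and write to cmirrord shared memory") to something like `## Read, write and destroy cmirrord shared memory and remove its tmpfs files`, so that the extra power is visible to whoever grants it. The cmirrord.fc part of the hunk only adds a leading blank line and raises no point.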
@@ -1,12 +1,12 @@ @@ -27241,7 +24180,7 @@ index 293e08d..82306eb 100644 type cobbler_etc_t; ') -- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t); +- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t) + list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t) files_search_etc($1) ') 
@@ -27596,204 +24535,68 @@ index 0258b48..8535cc6 100644 +list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t) manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc -new file mode 100644 -index 0000000..0a83e88 ---- /dev/null -+++ b/policy/modules/services/colord.fc -@@ -0,0 +1,5 @@ -+ -+/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) -+ -+/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) -+/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) -diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if -new file mode 100644 -index 0000000..939d76e ---- /dev/null -+++ b/policy/modules/services/colord.if -@@ -0,0 +1,60 @@ -+ -+## policy for colord -+ -+######################################## -+## -+## Execute a domain transition to run colord. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`colord_domtrans',` -+ gen_require(` -+ type colord_t, colord_exec_t; -+ ') -+ -+ domtrans_pattern($1, colord_exec_t, colord_t) -+') -+ -+######################################## -+## -+## Send and receive messages from -+## colord over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`colord_dbus_chat',` -+ gen_require(` -+ type colord_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 colord_t:dbus send_msg; -+ allow colord_t $1:dbus send_msg; -+') -+ -+###################################### -+## -+## Read colord lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`colord_read_lib_files',` -+ gen_require(` -+ type colord_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) -+') 
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te -new file mode 100644 -index 0000000..08d2de0 ---- /dev/null +index 74505cc..101c266 100644 +--- a/policy/modules/services/colord.te 
+++ b/policy/modules/services/colord.te -@@ -0,0 +1,115 @@ -+policy_module(colord,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type colord_t; -+type colord_exec_t; -+dbus_system_domain(colord_t, colord_exec_t) -+ -+type colord_var_lib_t; -+files_type(colord_var_lib_t) -+ -+type colord_tmp_t; -+files_tmp_file(colord_tmp_t) -+ -+type colord_tmpfs_t; -+files_tmpfs_file(colord_tmpfs_t) -+ -+######################################## -+# -+# colord local policy -+# -+allow colord_t self:capability { dac_read_search dac_override }; -+allow colord_t self:process signal; -+allow colord_t self:fifo_file rw_fifo_file_perms; -+allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow colord_t self:udp_socket create_socket_perms; -+allow colord_t self:unix_dgram_socket create_socket_perms; -+ -+manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) -+manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) -+files_tmp_filetrans(colord_t, colord_tmp_t, { file dir }) -+ -+manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) -+manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) -+fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file }) -+ -+manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) -+manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) -+files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) -+ -+kernel_getattr_proc_files(colord_t) -+kernel_read_device_sysctls(colord_t) +@@ -43,6 +43,7 @@ files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) + + kernel_getattr_proc_files(colord_t) + kernel_read_device_sysctls(colord_t) +kernel_request_load_module(colord_t) -+ -+corenet_udp_bind_generic_node(colord_t) -+corenet_udp_bind_ipp_port(colord_t) -+corenet_tcp_connect_ipp_port(colord_t) -+ + + corenet_all_recvfrom_unlabeled(colord_t) + corenet_all_recvfrom_netlabel(colord_t) +@@ -50,6 +51,8 @@ corenet_udp_bind_generic_node(colord_t) + 
corenet_udp_bind_ipp_port(colord_t) + corenet_tcp_connect_ipp_port(colord_t) + +dev_read_raw_memory(colord_t) +dev_write_raw_memory(colord_t) -+dev_read_video_dev(colord_t) -+dev_write_video_dev(colord_t) -+dev_rw_printer(colord_t) -+dev_read_rand(colord_t) -+dev_read_sysfs(colord_t) -+dev_read_urand(colord_t) -+dev_list_sysfs(colord_t) -+dev_rw_generic_usb_dev(colord_t) -+ -+domain_use_interactive_fds(colord_t) -+ -+files_list_mnt(colord_t) -+files_read_etc_files(colord_t) -+files_read_usr_files(colord_t) -+ + dev_read_video_dev(colord_t) + dev_write_video_dev(colord_t) + dev_rw_printer(colord_t) +@@ -65,8 +68,16 @@ files_list_mnt(colord_t) + files_read_etc_files(colord_t) + files_read_usr_files(colord_t) + +fs_search_all(colord_t) +fs_getattr_noxattr_fs(colord_t) +fs_list_noxattr_fs(colord_t) -+fs_read_noxattr_fs_files(colord_t) -+ + fs_read_noxattr_fs_files(colord_t) + +storage_getattr_fixed_disk_dev(colord_t) +storage_getattr_removable_dev(colord_t) +storage_read_scsi_generic(colord_t) +storage_write_scsi_generic(colord_t) + -+logging_send_syslog_msg(colord_t) -+ -+miscfiles_read_localization(colord_t) -+ -+sysnet_dns_name_resolve(colord_t) -+ -+tunable_policy(`use_nfs_home_dirs',` + logging_send_syslog_msg(colord_t) + + miscfiles_read_localization(colord_t) +@@ -74,10 +85,12 @@ miscfiles_read_localization(colord_t) + sysnet_dns_name_resolve(colord_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(colord_t) -+ fs_read_nfs_files(colord_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` + fs_read_nfs_files(colord_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_getattr_cifs(colord_t) -+ fs_read_cifs_files(colord_t) -+') -+ -+optional_policy(` -+ cups_read_config(colord_t) -+ cups_read_rw_config(colord_t) -+ cups_stream_connect(colord_t) -+ cups_dbus_chat(colord_t) -+') -+ -+optional_policy(` + fs_read_cifs_files(colord_t) + ') + +@@ -89,6 +102,10 @@ optional_policy(` + ') + + optional_policy(` + gnome_read_home_icc_data_content(colord_t) +') + 
+optional_policy(` -+ policykit_dbus_chat(colord_t) -+ policykit_domtrans_auth(colord_t) -+ policykit_read_lib(colord_t) -+ policykit_read_reload(colord_t) -+') -+ -+optional_policy(` -+ udev_read_db(colord_t) -+') + policykit_dbus_chat(colord_t) + policykit_domtrans_auth(colord_t) + policykit_read_lib(colord_t) diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if index fd15dfe..0716ee4 100644 --- a/policy/modules/services/consolekit.if @@ -28006,7 +24809,7 @@ index 5220c9d..a2e6830 100644 ## ## Allow the specified domain to read corosync's log files. diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te -index 7d2cf85..92b621a 100644 +index 04969e5..4e1d434 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t) @@ -28092,14 +24895,14 @@ index 7d2cf85..92b621a 100644 optional_policy(` diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc -index f1bf79a..7be46b4 100644 +index 01d31f1..a390070 100644 --- a/policy/modules/services/courier.fc +++ b/policy/modules/services/courier.fc @@ -6,15 +6,15 @@ /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) --/usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) +-/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) 
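Review bot: The `+dev_read_raw_memory(colord_t)` and `+dev_write_raw_memory(colord_t)` lines the new side adds to the colord.te hunk give a colour-management daemon read and write access to raw memory devices, which is far broader than any other rule in the module and is not explained anywhere in the hunk. The same hunk also adds `+storage_write_scsi_generic(colord_t)` and `+fs_search_all(colord_t)`, which widen what this domain can reach well beyond the printer, USB and video devices it already had. If these were added to clear specific denials, record the reason next to the rules, e.g. `# needed for <reason placeholder> -- see <bug id placeholder>; revisit if a narrower interface exists`, and check whether a `dontaudit` or a more specific interface would serve instead. The inner colord.te hunks here start at `@@ -43,6 +43,7 @@`, so the declarations block of the file is not visible in this hunk.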
@@ -28118,8 +24921,8 @@ index f1bf79a..7be46b4 100644 +/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) +/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) - /var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) - + ifdef(`distro_gentoo',` + /usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if index 9971337..f081899 100644 --- a/policy/modules/services/courier.if @@ -28157,10 +24960,10 @@ index 9971337..f081899 100644 ') diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te -index 2802dbb..5d323df 100644 +index 838dec7..452741c 100644 --- a/policy/modules/services/courier.te +++ b/policy/modules/services/courier.te -@@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; +@@ -95,7 +95,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; # inherits file handle - should it? @@ -29359,18 +26162,21 @@ index 9d44538..7e9057e 100644 # interface(`cyphesis_domtrans',` diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc -index 445d93d..a5bce33 100644 +index 25546bc..4def4f7 100644 --- a/policy/modules/services/cyrus.fc 
+++ b/policy/modules/services/cyrus.fc -@@ -1,5 +1,5 @@ +@@ -1,7 +1,7 @@ /etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) +-/usr/lib(64)?/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0) -/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) +/usr/lib/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) ++/usr/lib/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0) + /var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) /var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te -index e182bf4..aab657c 100644 +index a01be9d..f82c32f 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) @@ -29427,7 +26233,7 @@ index 81eba14..d0ab56c 100644 /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 0d5711c..5a0ca9f 100644 +index 1a1becd..5a0ca9f 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -29532,7 +26338,7 @@ index 0d5711c..5a0ca9f 100644 xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) ') -@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',` +@@ -181,11 +191,12 @@ interface(`dbus_system_bus_client',` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; 
@@ -29541,11 +26347,12 @@ index 0d5711c..5a0ca9f 100644 # SE-DBus specific permissions allow $1 { system_dbusd_t self }:dbus send_msg; +- allow system_dbusd_t $1:dbus send_msg; + allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -197,6 +209,34 @@ interface(`dbus_system_bus_client',` +@@ -198,6 +209,34 @@ interface(`dbus_system_bus_client',` ####################################### ## @@ -29580,7 +26387,7 @@ index 0d5711c..5a0ca9f 100644 ## Template for creating connections to ## a user DBUS. ## -@@ -217,6 +257,8 @@ interface(`dbus_session_bus_client',` +@@ -218,6 +257,8 @@ interface(`dbus_session_bus_client',` # For connecting to the bus allow $1 session_bus_type:unix_stream_socket connectto; @@ -29589,7 +26396,7 @@ index 0d5711c..5a0ca9f 100644 ') ######################################## -@@ -335,13 +377,13 @@ interface(`dbus_connect_session_bus',` +@@ -336,13 +377,13 @@ interface(`dbus_connect_session_bus',` # interface(`dbus_session_domain',` gen_require(` @@ -29607,7 +26414,7 @@ index 0d5711c..5a0ca9f 100644 ') ######################################## -@@ -431,14 +473,33 @@ interface(`dbus_system_domain',` +@@ -432,14 +473,33 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -29642,7 +26449,7 @@ index 0d5711c..5a0ca9f 100644 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') -@@ -463,26 +524,25 @@ interface(`dbus_use_system_bus_fds',` +@@ -464,26 +524,25 @@ interface(`dbus_use_system_bus_fds',` ######################################## ## @@ -29675,7 +26482,7 @@ index 0d5711c..5a0ca9f 100644 ## ## ## -@@ -490,10 +550,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +@@ -491,10 +550,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # @@ -29692,7 +26499,7 @@ index 0d5711c..5a0ca9f 100644 ') + 
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 86d09b4..e54a616 100644 +index 1bff6ee..ace3e22 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t) @@ -29746,7 +26553,7 @@ index 86d09b4..e54a616 100644 logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -141,10 +147,19 @@ optional_policy(` +@@ -141,6 +147,19 @@ optional_policy(` ') optional_policy(` @@ -29755,10 +26562,10 @@ index 86d09b4..e54a616 100644 +') + +optional_policy(` - cpufreqselector_dbus_chat(system_dbusd_t) - ') - - optional_policy(` ++ cpufreqselector_dbus_chat(system_dbusd_t) ++') ++ ++optional_policy(` + networkmanager_initrc_domtrans(system_dbusd_t) +') + @@ -29766,7 +26573,7 @@ index 86d09b4..e54a616 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -162,5 +177,12 @@ optional_policy(` +@@ -158,5 +177,12 @@ optional_policy(` # # Unconfined access to this module # @@ -31425,7 +28232,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index cbe14e4..1d725ff 100644 +index acf6d4f..f4f2402 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; 
@@ -31483,16 +28290,15 @@ index cbe14e4..1d725ff 100644 kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -110,6 +116,8 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) +@@ -110,6 +116,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) corenet_tcp_bind_mail_port(dovecot_t) corenet_tcp_bind_pop_port(dovecot_t) +corenet_tcp_bind_lmtp_port(dovecot_t) -+corenet_tcp_bind_sieve_port(dovecot_t) + corenet_tcp_bind_sieve_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) - corenet_sendrecv_pop_server_packets(dovecot_t) -@@ -159,6 +167,15 @@ optional_policy(` +@@ -160,6 +167,15 @@ optional_policy(` ') optional_policy(` @@ -31508,7 +28314,7 @@ index cbe14e4..1d725ff 100644 postgresql_stream_connect(dovecot_t) ') -@@ -179,7 +196,7 @@ optional_policy(` +@@ -180,7 +196,7 @@ optional_policy(` # dovecot auth local policy # @@ -31517,7 +28323,7 @@ index cbe14e4..1d725ff 100644 allow dovecot_auth_t self:process { signal_perms getcap setcap }; allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; -@@ -189,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -190,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) @@ -31527,7 +28333,7 @@ index cbe14e4..1d725ff 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -203,6 +223,7 @@ kernel_read_system_state(dovecot_auth_t) +@@ -204,6 +223,7 @@ kernel_read_system_state(dovecot_auth_t) logging_send_audit_msgs(dovecot_auth_t) logging_send_syslog_msg(dovecot_auth_t) 
@@ -31535,7 +28341,7 @@ index cbe14e4..1d725ff 100644 dev_read_urand(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -217,6 +238,8 @@ files_read_var_lib_files(dovecot_auth_t) +@@ -218,6 +238,8 @@ files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) @@ -31544,7 +28350,7 @@ index cbe14e4..1d725ff 100644 init_rw_utmp(dovecot_auth_t) miscfiles_read_localization(dovecot_auth_t) -@@ -235,6 +258,8 @@ optional_policy(` +@@ -236,6 +258,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -31553,7 +28359,7 @@ index cbe14e4..1d725ff 100644 ') optional_policy(` -@@ -242,6 +267,8 @@ optional_policy(` +@@ -243,6 +267,8 @@ optional_policy(` ') optional_policy(` @@ -31562,7 +28368,7 @@ index cbe14e4..1d725ff 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -249,23 +276,42 @@ optional_policy(` +@@ -250,23 +276,42 @@ optional_policy(` # # dovecot deliver local policy # @@ -31607,7 +28413,7 @@ index cbe14e4..1d725ff 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -301,5 +347,19 @@ tunable_policy(`use_samba_home_dirs',` +@@ -302,5 +347,19 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -32866,7 +29672,7 @@ index 69dcd2a..a9a9116 100644 /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if -index bc27421..a65582e 100644 +index 9d3201b..21a7a73 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if @@ -1,5 +1,43 @@ @@ -34137,7 +30943,7 @@ index 2d0b4e1..e268ede 100644 ') ') diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te -index 9821a88..1367b08 100644 +index 7d3a469..5b1ec32 100644 --- a/policy/modules/services/hadoop.te +++ b/policy/modules/services/hadoop.te 
@@ -165,7 +165,7 @@ miscfiles_read_localization(hadoop_t) @@ -36064,7 +32870,7 @@ index 771e04b..81d98b3 100644 manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) files_pid_filetrans($1_t, $1_var_run_t, file) diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te -index 3acbf1d..ed036d1 100644 +index 5037e06..18dc6e5 100644 --- a/policy/modules/services/likewise.te +++ b/policy/modules/services/likewise.te @@ -17,7 +17,7 @@ type likewise_var_lib_t; @@ -36076,15 +32882,6 @@ index 3acbf1d..ed036d1 100644 type likewise_krb5_ad_t; files_type(likewise_krb5_ad_t) -@@ -137,7 +137,7 @@ selinux_validate_context(lsassd_t) - seutil_read_config(lsassd_t) - seutil_read_default_contexts(lsassd_t) - seutil_read_file_contexts(lsassd_t) --seutil_run_semanage(lsassd_t, lsassd_t) -+seutil_run_semanage(lsassd_t, system_r) - - sysnet_use_ldap(lsassd_t) - sysnet_read_config(lsassd_t) @@ -205,7 +205,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_ # Likewise DC location service local policy # 
@@ -37192,6 +33989,51 @@ index 0000000..dca01cd +miscfiles_read_localization(matahari_domain) + +sysnet_dns_name_resolve(matahari_domain) +diff --git a/policy/modules/services/mediawiki.if b/policy/modules/services/mediawiki.if +index 98d28b4..1c1d012 100644 +--- a/policy/modules/services/mediawiki.if ++++ b/policy/modules/services/mediawiki.if +@@ -1 +1,40 @@ + ## Mediawiki policy ++ ++####################################### ++## ++## Allow the specified domain to read ++## mediawiki tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mediawiki_read_tmp_files',` ++ gen_require(` ++ type httpd_mediawiki_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) ++ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) ++') ++ ++####################################### ++## ++## Delete mediawiki tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mediawiki_delete_tmp_files',` ++ gen_require(` ++ type httpd_mediawiki_tmp_t; ++ ') ++ ++ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) ++') diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if index db4fd6f..5008a6c 100644 --- a/policy/modules/services/memcached.if 
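Review bot: `mediawiki_delete_tmp_files` in the new mediawiki.if hunk calls only `delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)`; unlike `mediawiki_read_tmp_files` directly above it, it does not call `files_search_tmp($1)`, so a caller that cannot already search the tmp directory will be unable to reach the files it is being allowed to delete. Add `files_search_tmp($1)` before the delete pattern, matching the read interface. The summary says "Delete mediawiki tmp files" while the pattern covers regular files only; if symlinks are meant to be included, `delete_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)` would be needed alongside, mirroring the `read_lnk_files_pattern` call in the read interface.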
@@ -37972,399 +34814,24 @@ index 83f002c..ed69996 100644 corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) -diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc -new file mode 100644 -index 0000000..564b22d ---- /dev/null -+++ b/policy/modules/services/mpd.fc -@@ -0,0 +1,10 @@ -+ -+/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) -+ -+/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) -+ -+/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0) -+ -+/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) -+/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) -+/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) -diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if -new file mode 100644 -index 0000000..311aaed ---- /dev/null -+++ b/policy/modules/services/mpd.if -@@ -0,0 +1,267 @@ -+## policy for daemon for playing music -+ -+######################################## -+## -+## Execute a domain transition to run mpd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`mpd_domtrans',` -+ gen_require(` -+ type mpd_t, mpd_exec_t; -+ ') -+ -+ domtrans_pattern($1, mpd_exec_t, mpd_t) -+') -+ -+######################################## -+## -+## Execute mpd server in the mpd domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mpd_initrc_domtrans',` -+ gen_require(` -+ type mpd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, mpd_initrc_exec_t) -+') -+ -+####################################### -+## -+## Read mpd data files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`mpd_read_data_files',` -+ gen_require(` -+ type mpd_data_t; -+ ') -+ -+ mpd_search_lib($1) -+ read_files_pattern($1, mpd_data_t, mpd_data_t) -+') -+ -+####################################### -+## -+## Read mpd tmpfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mpd_read_tmpfs_files',` -+ gen_require(` -+ type mpd_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) -+') -+ -+################################### -+## -+## Manage mpd tmpfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mpd_manage_tmpfs_files',` -+ gen_require(` -+ type mpd_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) -+ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) -+') -+ -+###################################### -+## -+## Manage mpd data files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mpd_manage_data_files',` -+ gen_require(` -+ type mpd_data_t; -+ ') -+ -+ mpd_search_lib($1) -+ manage_files_pattern($1, mpd_data_t, mpd_data_t) -+') -+ -+######################################## -+## -+## Search mpd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mpd_search_lib',` -+ gen_require(` -+ type mpd_var_lib_t; -+ ') -+ -+ allow $1 mpd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read mpd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mpd_read_lib_files',` -+ gen_require(` -+ type mpd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## mpd lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`mpd_manage_lib_files',` -+ gen_require(` -+ type mpd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -+') -+ -+####################################### -+## -+## Create an object in the root directory, with a private -+## type using a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+# -+interface(`mpd_var_lib_filetrans',` -+ gen_require(` -+ type mpd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ filetrans_pattern($1, mpd_var_lib_t, $2, $3) -+') -+ -+######################################## -+## -+## Manage mpd lib dirs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mpd_manage_lib_dirs',` -+ gen_require(` -+ type mpd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an mpd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`mpd_admin',` -+ gen_require(` -+ type mpd_t, mpd_initrc_exec_t, mpd_etc_t; -+ type mpd_data_t, mpd_log_t, mpd_var_lib_t; -+ type mpd_tmpfs_t; -+ ') -+ -+ allow $1 mpd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, mpd_t) -+ -+ mpd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 mpd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ admin_pattern($1, mpd_etc_t) -+ files_list_etc($1) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, mpd_var_lib_t) -+ -+ admin_pattern($1, mpd_data_t) -+ -+ admin_pattern($1, mpd_log_t) -+ -+ fs_list_tmpfs($1) -+ admin_pattern($1, mpd_tmpfs_t) -+') 
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te -new file mode 100644 -index 0000000..0b9257a ---- /dev/null +index 7f68872..e4ac35e 100644 +--- a/policy/modules/services/mpd.te 
+++ b/policy/modules/services/mpd.te -@@ -0,0 +1,141 @@ -+policy_module(mpd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type mpd_t; -+type mpd_exec_t; -+init_daemon_domain(mpd_t, mpd_exec_t) -+ -+type mpd_initrc_exec_t; -+init_script_file(mpd_initrc_exec_t) -+ -+type mpd_etc_t; -+files_config_file(mpd_etc_t) -+ -+# type for music content -+type mpd_data_t; -+files_type(mpd_data_t) -+ -+type mpd_log_t; -+logging_log_file(mpd_log_t) -+ -+type mpd_tmp_t; -+files_tmp_file(mpd_tmp_t) -+ -+type mpd_tmpfs_t; -+files_tmpfs_file(mpd_tmpfs_t) -+ -+type mpd_var_lib_t; -+files_type(mpd_var_lib_t) -+ -+######################################## -+# -+# mpd local policy -+# -+ -+#cjp: dac_override bug in mpd relating to mpd.log file -+allow mpd_t self:capability { dac_override kill setgid setuid }; -+allow mpd_t self:process { getsched setsched setrlimit signal signull }; -+allow mpd_t self:fifo_file rw_fifo_file_perms; -+allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+allow mpd_t self:tcp_socket create_stream_socket_perms; -+allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; + allow mpd_t self:tcp_socket create_stream_socket_perms; + allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; + +read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) -+ -+manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) -+manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) -+manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t) -+ -+manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -+manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -+manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -+files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file }) -+ 
-+manage_files_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) -+manage_dirs_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) -+fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file ) -+ -+manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -+manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -+manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -+files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file }) -+ -+# needed by pulseaudio -+kernel_getattr_proc(mpd_t) -+kernel_read_system_state(mpd_t) -+kernel_read_kernel_sysctls(mpd_t) -+ -+corecmd_exec_bin(mpd_t) -+ -+corenet_sendrecv_pulseaudio_client_packets(mpd_t) -+corenet_tcp_connect_http_port(mpd_t) -+corenet_tcp_connect_http_cache_port(mpd_t) -+corenet_tcp_connect_pulseaudio_port(mpd_t) -+corenet_tcp_connect_soundd_port(mpd_t) -+corenet_tcp_bind_mpd_port(mpd_t) -+corenet_tcp_bind_soundd_port(mpd_t) -+ -+dev_read_sound(mpd_t) -+dev_write_sound(mpd_t) -+dev_read_sysfs(mpd_t) -+ -+files_read_usr_files(mpd_t) -+ -+fs_getattr_tmpfs(mpd_t) -+fs_list_inotifyfs(mpd_t) -+fs_rw_anon_inodefs_files(mpd_t) -+ -+auth_use_nsswitch(mpd_t) -+ -+logging_send_syslog_msg(mpd_t) -+ -+miscfiles_read_localization(mpd_t) -+ + + manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) + manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) +@@ -103,6 +106,19 @@ logging_send_syslog_msg(mpd_t) + + miscfiles_read_localization(mpd_t) + +userdom_read_home_audio_files(mpd_t) +userdom_read_user_tmpfs_files(mpd_t) + 
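Review bot: In the rewritten mpd.te hunk `@@ -44,6 +44,9 @@`, the new side adds `+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };` immediately after a context line carrying the identical rule, so the patch now duplicates a rule the upstream file already contains. Drop that added line and adjust the inner hunk header to `@@ -44,6 +44,8 @@`. The neighbouring `+read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)` should be checked against the upstream mpd.te, which is not visible here, since the same rebase may have made it redundant too. A duplicate allow rule does not change the compiled policy, but it indicates the hunk was not regenerated after the module moved upstream.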
@@ -38378,31 +34845,19 @@ index 0000000..0b9257a + fs_read_nfs_symlinks(mpd_t) +') + -+optional_policy(` -+ alsa_read_rw_config(mpd_t) -+') -+ -+optional_policy(` -+ consolekit_dbus_chat(mpd_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(mpd_t) -+') -+ -+optional_policy(` -+ pulseaudio_exec(mpd_t) -+ pulseaudio_stream_connect(mpd_t) -+ pulseaudio_signull(mpd_t) -+') -+ -+optional_policy(` + optional_policy(` + alsa_read_rw_config(mpd_t) + ') +@@ -122,5 +138,14 @@ optional_policy(` + ') + + optional_policy(` + rtkit_daemon_dontaudit_dbus_chat(mpd_t) +') + +optional_policy(` -+ udev_read_db(mpd_t) -+') + udev_read_db(mpd_t) + ') + +optional_policy(` + xserver_dontaudit_stream_connect(mpd_t) @@ -38819,7 +35274,7 @@ index 343cee3..5e792cc 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..5f0c71d 100644 +index 64268e4..dbddbef 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,8 +20,8 @@ files_type(etc_aliases_t) @@ -38895,8 +35350,8 @@ index 64268e4..5f0c71d 100644 ') optional_policy(` -+ bugzilla_search_dirs(system_mail_t) -+ bugzilla_dontaudit_rw_script_stream_sockets(system_mail_t) ++ bugzilla_search_content(system_mail_t) ++ bugzilla_dontaudit_rw_stream_sockets(system_mail_t) +') + +optional_policy(` 
@@ -41296,181 +37751,6 @@ index b246bdd..07baada 100644 files_read_etc_files(pads_t) files_search_spool(pads_t) -diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc -new file mode 100644 -index 0000000..498c07f ---- /dev/null -+++ b/policy/modules/services/passenger.fc -@@ -0,0 +1,16 @@ -+ -+/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) -+ -+/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) -+ -+/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) -+ -+/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) -+ -+ -+/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0) -+/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0) -+ -+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) -+ -+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) -diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if -new file mode 100644 -index 0000000..9ef0492 ---- /dev/null -+++ b/policy/modules/services/passenger.if -@@ -0,0 +1,67 @@ -+## Passenger policy -+ -+###################################### -+## -+## Execute passenger in the passenger domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`passenger_domtrans',` -+ gen_require(` -+ type passenger_t, passenger_exec_t; -+ ') -+ -+ allow $1 self:capability { fowner fsetid }; -+ -+ allow $1 passenger_t:process signal; -+ -+ domtrans_pattern($1, passenger_exec_t, passenger_t) -+ allow $1 passenger_t:unix_stream_socket { read write connectto shutdown }; -+ allow passenger_t $1:unix_stream_socket { read write }; -+') -+ -+###################################### -+## -+## Manage passenger var_run content. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`passenger_manage_pid_content',` -+ gen_require(` -+ type passenger_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t) -+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t) -+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t) -+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t) -+') -+ -+######################################## -+## -+## Read passenger lib files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`passenger_read_lib_files',` -+ gen_require(` -+ type passenger_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) -+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) -+') -diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te -new file mode 100644 -index 0000000..d2cc57b ---- /dev/null -+++ b/policy/modules/services/passenger.te -@@ -0,0 +1,74 @@ -+policy_module(passenger, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type passenger_t; -+type passenger_exec_t; -+domain_type(passenger_t) -+domain_entry_file(passenger_t, passenger_exec_t) -+role system_r types passenger_t; -+ -+type passenger_tmp_t; -+files_tmp_file(passenger_tmp_t) -+ -+type passenger_log_t; -+logging_log_file(passenger_log_t) -+ -+type passenger_var_lib_t; -+files_type(passenger_var_lib_t) -+ -+type passenger_var_run_t; -+files_pid_file(passenger_var_run_t) -+ -+######################################## -+# -+# passenger local policy -+# -+ -+allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice }; -+allow passenger_t self:process { setpgid setsched sigkill signal }; -+ -+allow passenger_t self:fifo_file rw_fifo_file_perms; -+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+ -+manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t) -+manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t) -+logging_log_filetrans(passenger_t, passenger_log_t, file) -+ -+files_search_var_lib(passenger_t) -+manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) -+manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) -+ -+manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -+manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) 
-+manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -+manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -+files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) -+ -+can_exec(passenger_t, passenger_exec_t) -+ -+kernel_read_system_state(passenger_t) -+kernel_read_kernel_sysctls(passenger_t) -+ -+corenet_tcp_connect_http_port(passenger_t) -+ -+corecmd_exec_bin(passenger_t) -+corecmd_exec_shell(passenger_t) -+ -+dev_read_urand(passenger_t) -+ -+files_read_etc_files(passenger_t) -+ -+auth_use_nsswitch(passenger_t) -+ -+miscfiles_read_localization(passenger_t) -+ -+userdom_dontaudit_use_user_terminals(passenger_t) -+ -+optional_policy(` -+ apache_append_log(passenger_t) -+ apache_read_sys_content(passenger_t) -+') diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if index 1c2a091..ea5ae69 100644 --- a/policy/modules/services/pcscd.if @@ -42927,7 +39207,7 @@ index 69c331e..0555635 100644 auth_rw_login_records(portslave_t) diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc -index 55e62d2..f2674e8 100644 +index a3e85c9..cb05623 100644 --- a/policy/modules/services/postfix.fc +++ b/policy/modules/services/postfix.fc @@ -1,5 +1,6 @@ 
@@ -42938,20 +39218,45 @@ index 55e62d2..f2674e8 100644 ifdef(`distro_redhat', ` /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -@@ -29,12 +30,10 @@ ifdef(`distro_redhat', ` - /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) - /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) - /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) --/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) +@@ -16,22 +17,24 @@ ifdef(`distro_redhat', ` + /usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) + /usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) + ', ` +-/usr/lib(64)?/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +-/usr/lib(64)?/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) +-/usr/lib(64)?/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) +-/usr/lib(64)?/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +-/usr/lib(64)?/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) +-/usr/lib(64)?/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) +-/usr/lib(64)?/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +-/usr/lib(64)?/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +-/usr/lib(64)?/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +-/usr/lib(64)?/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) +-/usr/lib(64)?/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) +-/usr/lib(64)?/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) +-/usr/lib(64)?/postfix/virtual -- 
gen_context(system_u:object_r:postfix_virtual_exec_t,s0) ++/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) ++/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) ++/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) ++/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) ++/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) ++/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) ++/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) ++/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) ++/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) ++/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) ++/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) ++/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) ++/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) ') /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) - /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) --/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) ++/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) ++') + /usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -@@ -44,9 +43,10 @@ ifdef(`distro_redhat', ` +@@ -42,9 +45,10 @@ ifdef(`distro_redhat', ` /usr/sbin/postqueue -- 
gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) @@ -43306,10 +39611,10 @@ index 46bee12..c22af86 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..ea5feb2 100644 +index a32c4b3..06be6b1 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te -@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) +@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) # Declarations # @@ -43502,7 +39807,7 @@ index 06e37d4..ea5feb2 100644 +') + +optional_policy(` -+ zarafa_deliver_domtrans(postfix_local_t) ++ zarafa_domtrans_deliver(postfix_local_t) + zarafa_stream_connect_server(postfix_local_t) +') + @@ -43862,7 +40167,7 @@ index 09aeffa..dd70b14 100644 postgresql_tcp_connect($1) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 8ed5067..a5603cd 100644 +index 4a5387a..acf8ed1 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,16 +19,16 @@ gen_require(` 
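Review bot: The rewritten non-Red Hat branch of postfix.fc (the `++/usr/lib/postfix/...` lines) drops both the `(64)?` alternation and the `virtual` entry, so on a non-Red Hat multilib host `/usr/lib64/postfix/*` keeps the generic library label and `/usr/lib/postfix/virtual` falls back to `postfix_exec_t` through the `.*` entry, which undoes the per-helper domain transitions this module exists for. If the Fedora build only ever takes the `distro_redhat` branch the regression is theoretical, but the else branch should then stay equivalent to it: `/usr/lib(64)?/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)` and `/usr/lib(64)?/` on the other entries. Separately, the `')` added right after the new `/usr/sbin/postalias` entry has no opening `ifdef(`…', `` anywhere in this hunk; unless the earlier `@@ -1,5 +1,6 @@` hunk opens one, m4 will fail on the unbalanced close quote when file_contexts is built, so please confirm before merging.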
@@ -45297,220 +41602,210 @@ index 355b2a2..54329f9 100644 # allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; -diff --git a/policy/modules/services/qpidd.fc b/policy/modules/services/qpidd.fc -new file mode 100644 -index 0000000..f3b89e4 ---- /dev/null -+++ b/policy/modules/services/qpidd.fc -@@ -0,0 +1,9 @@ -+ +diff --git a/policy/modules/services/qpid.fc b/policy/modules/services/qpid.fc +index 4f94229..f3b89e4 100644 +--- a/policy/modules/services/qpid.fc ++++ b/policy/modules/services/qpid.fc +@@ -1,6 +1,7 @@ +-/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0) + +-/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) +/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) + +/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0) -+ -+/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) -+ -+/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0) -+/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0) -diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if -new file mode 100644 -index 0000000..c403abc ---- /dev/null -+++ b/policy/modules/services/qpidd.if -@@ -0,0 +1,228 @@ + + /var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) + +diff --git a/policy/modules/services/qpid.if b/policy/modules/services/qpid.if +index 5a9630c..c403abc 100644 +--- a/policy/modules/services/qpid.if ++++ b/policy/modules/services/qpid.if +@@ -1,4 +1,4 @@ +-## Apache QPID AMQP messaging server. +## policy for qpidd -+ -+######################################## -+## -+## Execute a domain transition to run qpidd. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`qpidd_domtrans',` -+ gen_require(` -+ type qpidd_t, qpidd_exec_t; -+ ') -+ -+ domtrans_pattern($1, qpidd_exec_t, qpidd_t) -+') -+ + + ######################################## + ## +@@ -18,9 +18,9 @@ interface(`qpidd_domtrans',` + domtrans_pattern($1, qpidd_exec_t, qpidd_t) + ') + +-##################################### +######################################## -+## + ## +-## Allow read and write access to qpidd semaphores. +## Execute qpidd server in the qpidd domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -28,17 +28,17 @@ interface(`qpidd_domtrans',` + ## + ## + # +-interface(`qpidd_rw_semaphores',` +interface(`qpidd_initrc_domtrans',` -+ gen_require(` + gen_require(` +- type qpidd_t; + type qpidd_initrc_exec_t; -+ ') -+ + ') + +- allow $1 qpidd_t:sem rw_sem_perms; + init_labeled_script_domtrans($1, qpidd_initrc_exec_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write to qpidd shared memory. +## Read qpidd PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -46,17 +46,18 @@ interface(`qpidd_rw_semaphores',` + ## + ## + # +-interface(`qpidd_rw_shm',` +interface(`qpidd_read_pid_files',` -+ gen_require(` + gen_require(` +- type qpidd_t; + type qpidd_var_run_t; -+ ') -+ + ') + +- allow $1 qpidd_t:shm rw_shm_perms; + files_search_pids($1) + allow $1 qpidd_var_run_t:file read_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute qpidd server in the qpidd domain. +## Manage qpidd var_run files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -64,17 +65,20 @@ interface(`qpidd_rw_shm',` + ## + ## + # +-interface(`qpidd_initrc_domtrans',` +interface(`qpidd_manage_var_run',` -+ gen_require(` + gen_require(` +- type qpidd_initrc_exec_t; + type qpidd_var_run_t; -+ ') -+ + ') + +- init_labeled_script_domtrans($1, qpidd_initrc_exec_t) + files_search_pids($1) + manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read qpidd PID files. +## Search qpidd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -82,18 +86,18 @@ interface(`qpidd_initrc_domtrans',` + ## + ## + # +-interface(`qpidd_read_pid_files',` +interface(`qpidd_search_lib',` -+ gen_require(` + gen_require(` +- type qpidd_var_run_t; + type qpidd_var_lib_t; -+ ') -+ + ') + +- files_search_pids($1) +- allow $1 qpidd_var_run_t:file read_file_perms; + allow $1 qpidd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search qpidd lib directories. +## Read qpidd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -101,18 +105,19 @@ interface(`qpidd_read_pid_files',` + ## + ## + # +-interface(`qpidd_search_lib',` +interface(`qpidd_read_lib_files',` -+ gen_require(` -+ type qpidd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) + gen_require(` + type qpidd_var_lib_t; + ') + +- allow $1 qpidd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) + read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read qpidd lib files. 
+## Create, read, write, and delete +## qpidd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -120,19 +125,18 @@ interface(`qpidd_search_lib',` + ## + ## + # +-interface(`qpidd_read_lib_files',` +interface(`qpidd_manage_lib_files',` -+ gen_require(` -+ type qpidd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) +- read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## qpidd lib files. +## Manage qpidd var_lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -140,13 +144,15 @@ interface(`qpidd_read_lib_files',` + ## + ## + # +-interface(`qpidd_manage_lib_files',` +interface(`qpidd_manage_var_lib',` -+ gen_require(` -+ type qpidd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an qpidd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. 
-+## -+## -+## -+# -+interface(`qpidd_admin',` -+ gen_require(` -+ type qpidd_t, qpidd_initrc_exec_t; -+ ') -+ -+ allow $1 qpidd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, qpidd_t) -+ -+ # Allow qpidd_t to restart the apache service -+ qpidd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 qpidd_initrc_exec_t system_r; -+ allow $2 system_r; -+ + ') + + ######################################## +@@ -180,7 +186,43 @@ interface(`qpidd_admin',` + role_transition $2 qpidd_initrc_exec_t system_r; + allow $2 system_r; + +- admin_pattern($1, qpidd_var_lib_t) + qpidd_manage_var_run($1) + + qpidd_manage_var_lib($1) +') -+ + +- admin_pattern($1, qpidd_var_run_t) +##################################### +## +## Allow read and write access to qpidd semaphores. 
@@ -45545,77 +41840,61 @@ index 0000000..c403abc + ') + + allow $1 qpidd_t:shm rw_shm_perms; -+') -diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te -new file mode 100644 -index 0000000..4c6848c ---- /dev/null -+++ b/policy/modules/services/qpidd.te -@@ -0,0 +1,69 @@ -+policy_module(qpidd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type qpidd_t; -+type qpidd_exec_t; -+init_daemon_domain(qpidd_t, qpidd_exec_t) -+ -+type qpidd_initrc_exec_t; -+init_script_file(qpidd_initrc_exec_t) -+ -+type qpidd_var_run_t; -+files_pid_file(qpidd_var_run_t) -+ + ') +diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te +index cb7ecb5..ebf59f1 100644 +--- a/policy/modules/services/qpid.te ++++ b/policy/modules/services/qpid.te +@@ -12,12 +12,12 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) + type qpidd_initrc_exec_t; + init_script_file(qpidd_initrc_exec_t) + +-type qpidd_var_lib_t; +-files_type(qpidd_var_lib_t) +- + type qpidd_var_run_t; + files_pid_file(qpidd_var_run_t) + +type qpidd_var_lib_t; +files_type(qpidd_var_lib_t) + -+######################################## -+# -+# qpidd local policy -+# -+ -+allow qpidd_t self:process { setsched signull }; -+allow qpidd_t self:fifo_file rw_fifo_file_perms; -+allow qpidd_t self:sem create_sem_perms; -+allow qpidd_t self:shm create_shm_perms; -+allow qpidd_t self:tcp_socket create_stream_socket_perms; -+allow qpidd_t self:unix_stream_socket create_stream_socket_perms; -+ + ######################################## + # + # qpidd local policy +@@ -30,23 +30,24 @@ allow qpidd_t self:shm create_shm_perms; + allow qpidd_t self:tcp_socket create_stream_socket_perms; + allow qpidd_t self:unix_stream_socket create_stream_socket_perms; + +-manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +-manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) 
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) -+ + files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) + +-manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) +-manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) +manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) +manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -+files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) -+ -+kernel_read_system_state(qpidd_t) -+ -+corenet_all_recvfrom_unlabeled(qpidd_t) -+corenet_all_recvfrom_netlabel(qpidd_t) + files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) + + kernel_read_system_state(qpidd_t) + + corenet_all_recvfrom_unlabeled(qpidd_t) + corenet_all_recvfrom_netlabel(qpidd_t) +corenet_tcp_bind_generic_node(qpidd_t) -+corenet_tcp_sendrecv_generic_if(qpidd_t) -+corenet_tcp_sendrecv_generic_node(qpidd_t) -+corenet_tcp_sendrecv_all_ports(qpidd_t) -+corenet_tcp_bind_amqp_port(qpidd_t) + corenet_tcp_sendrecv_generic_if(qpidd_t) + corenet_tcp_sendrecv_generic_node(qpidd_t) + corenet_tcp_sendrecv_all_ports(qpidd_t) +-corenet_tcp_bind_generic_node(qpidd_t) + corenet_tcp_bind_amqp_port(qpidd_t) +corenet_tcp_bind_matahari_port(qpidd_t) -+ -+dev_read_urand(qpidd_t) -+ -+files_read_etc_files(qpidd_t) -+ -+logging_send_syslog_msg(qpidd_t) -+ -+miscfiles_read_localization(qpidd_t) -+ -+sysnet_dns_name_resolve(qpidd_t) -+ -+optional_policy(` -+ corosync_stream_connect(qpidd_t) -+') + + dev_read_urand(qpidd_t) + +@@ -61,3 +62,8 @@ sysnet_dns_name_resolve(qpidd_t) + optional_policy(` + corosync_stream_connect(qpidd_t) + ') + +optional_policy(` + matahari_manage_lib_files(qpidd_t) @@ -47561,7 +43840,7 @@ index cda37bb..484e552 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index 8e1ab72..eaa8036 100644 +index b1468ed..446729b 100644 
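Review bot: The new `qpidd_admin` body (inner hunk `@@ -180,7 +186,43 @@`) replaces `admin_pattern($1, qpidd_var_lib_t)` and `admin_pattern($1, qpidd_var_run_t)` with `qpidd_manage_var_lib($1)` and `qpidd_manage_var_run($1)`, which as written only grant manage on dirs, files and lnk_files; `admin_pattern` normally also covers relabelfrom/relabelto and the sock_file/fifo_file classes, so an administrator given this interface presumably can no longer `restorecon` qpidd's state under /var/lib/qpidd or /var/run/qpidd. If narrowing was intended it should be stated in the interface's `<summary>`; otherwise keep `admin_pattern($1, qpidd_var_lib_t)` and `admin_pattern($1, qpidd_var_run_t)` alongside the new calls. In qpid.te the added `corenet_tcp_bind_matahari_port(qpidd_t)` is unconditional while the matahari file access sits in an `optional_policy` block; a one-line comment such as `# matahari brokers reuse qpidd on the matahari port` (if that is the reason) would save the next auditor from guessing.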
--- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -48835,7 +45114,7 @@ index f1aea88..a5a75a8 100644 admin_pattern($1, saslauthd_var_run_t) ') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te -index 22184ad..3d85b76 100644 +index cfc60dd..53a9d2d 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t) @@ -51603,57 +47882,8 @@ index 8294f6f..4847b43 100644 /usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) +/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) -diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if -index b113b41..c2ed23a 100644 ---- a/policy/modules/services/tgtd.if -+++ b/policy/modules/services/tgtd.if -@@ -11,18 +11,36 @@ - - ##################################### - ## --## Allow read and write access to tgtd semaphores. -+## Allow read and write access to tgtd semaphores. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # - interface(`tgtd_rw_semaphores',` -- gen_require(` -- type tgtd_t; -- ') -+ gen_require(` -+ type tgtd_t; -+ ') - -- allow $1 tgtd_t:sem rw_sem_perms; -+ allow $1 tgtd_t:sem rw_sem_perms; -+') -+ -+###################################### -+## -+## Manage tgtd sempaphores. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tgtd_manage_semaphores',` -+ gen_require(` -+ type tgtd_t; -+ ') -+ -+ allow $1 tgtd_t:sem create_sem_perms; - ') diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te -index aa0cc45..a8c69f5 100644 +index 665bf7c..d100080 100644 --- a/policy/modules/services/tgtd.te +++ b/policy/modules/services/tgtd.te @@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t) 
@@ -53295,253 +49525,52 @@ index 3eca020..4dec4ad 100644 + userdom_search_admin_dir(virsh_ssh_t) +') diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc -new file mode 100644 -index 0000000..4d81b99 ---- /dev/null +index 11533cc..4d81b99 100644 +--- a/policy/modules/services/vnstatd.fc +++ b/policy/modules/services/vnstatd.fc -@@ -0,0 +1,8 @@ -+ -+/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0) -+ -+/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) -+ -+/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) +@@ -1,3 +1,4 @@ + -+/var/run/vnstat\.pid gen_context(system_u:object_r:vnstatd_var_run_t,s0) + /usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0) + + /usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if -new file mode 100644 -index 0000000..b9104b7 ---- /dev/null +index 727fe95..21af852 100644 +--- a/policy/modules/services/vnstatd.if 
+++ b/policy/modules/services/vnstatd.if -@@ -0,0 +1,144 @@ -+## policy for vnstatd -+ -+######################################## -+## -+## Execute a domain transition to run vnstatd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`vnstatd_domtrans',` -+ gen_require(` -+ type vnstatd_t, vnstatd_exec_t; -+ ') -+ -+ domtrans_pattern($1, vnstatd_exec_t, vnstatd_t) -+') -+ -+######################################## -+## -+## Execute a domain transition to run vnstat. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`vnstatd_domtrans_vnstat',` -+ gen_require(` -+ type vnstat_t, vnstat_exec_t; -+ ') -+ -+ domtrans_pattern($1, vnstat_exec_t, vnstat_t) -+') -+ -+######################################## -+## -+## Search vnstatd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`vnstatd_search_lib',` -+ gen_require(` -+ type vnstatd_var_lib_t; -+ ') -+ -+ allow $1 vnstatd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read vnstatd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`vnstatd_read_lib_files',` -+ gen_require(` -+ type vnstatd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## vnstatd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`vnstatd_manage_lib_files',` -+ gen_require(` -+ type vnstatd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -+') -+ -+######################################## -+## -+## Manage vnstatd lib dirs files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`vnstatd_manage_lib_dirs',` -+ gen_require(` -+ type vnstatd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an vnstatd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`vnstatd_admin',` -+ gen_require(` -+ type vnstatd_t, vnstatd_var_lib_t; -+ ') -+ -+ allow $1 vnstatd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, vnstatd_t) +@@ -113,6 +113,7 @@ interface(`vnstatd_manage_lib_files',` + manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) + ') + + -+ files_list_var_lib($1) -+ admin_pattern($1, vnstatd_var_lib_t) -+') + ######################################## + ## + ## All of the rules required to administrate diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te -new file mode 100644 -index 0000000..90b8072 ---- /dev/null +index 8121937..5a462fb 100644 +--- a/policy/modules/services/vnstatd.te 
+++ b/policy/modules/services/vnstatd.te -@@ -0,0 +1,78 @@ -+policy_module(vnstatd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type vnstatd_t; -+type vnstatd_exec_t; -+init_daemon_domain(vnstatd_t, vnstatd_exec_t) -+ -+type vnstatd_var_lib_t; -+files_type(vnstatd_var_lib_t) -+ -+type vnstatd_var_run_t; -+files_pid_file(vnstatd_var_run_t) -+ -+type vnstat_t; -+type vnstat_exec_t; -+application_domain(vnstat_t, vnstat_exec_t) -+ -+######################################## -+# -+# vnstatd local policy -+# -+allow vnstatd_t self:process { fork signal }; -+allow vnstatd_t self:fifo_file rw_fifo_file_perms; -+allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; -+ +@@ -28,9 +28,12 @@ allow vnstatd_t self:process signal; + allow vnstatd_t self:fifo_file rw_fifo_file_perms; + allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) +manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) +files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file }) + -+manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) -+ -+kernel_read_network_state(vnstatd_t) -+kernel_read_system_state(vnstatd_t) -+ -+domain_use_interactive_fds(vnstatd_t) -+ -+files_read_etc_files(vnstatd_t) -+ -+fs_getattr_xattr_fs(vnstatd_t) -+ -+logging_send_syslog_msg(vnstatd_t) -+ -+miscfiles_read_localization(vnstatd_t) -+ -+optional_policy(` -+ cron_system_entry(vnstat_t, vnstat_exec_t) -+') -+ -+######################################## -+# -+# vnstat local policy -+# -+allow vnstat_t self:process signal; -+allow vnstat_t self:fifo_file rw_fifo_file_perms; -+allow vnstat_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) 
-+manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) -+ -+kernel_read_network_state(vnstat_t) -+kernel_read_system_state(vnstat_t) -+ -+domain_use_interactive_fds(vnstat_t) -+ -+files_read_etc_files(vnstat_t) -+ -+fs_getattr_xattr_fs(vnstat_t) -+ -+logging_send_syslog_msg(vnstat_t) -+ -+miscfiles_read_localization(vnstat_t) + manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) + manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) + + manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) + manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) +@@ -64,7 +67,6 @@ allow vnstat_t self:unix_stream_socket create_stream_socket_perms; + + manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) + manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) + + kernel_read_network_state(vnstat_t) + kernel_read_system_state(vnstat_t) diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te index 1174ad8..f4c4c1b 100644 --- a/policy/modules/services/w3c.te @@ -53751,10 +49780,10 @@ index aa6e5a8..42a0efb 100644 ######################################## ## diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 6f1e3c7..ade9046 100644 +index 4966c94..ade9046 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc -@@ -2,12 +2,34 @@ +@@ -2,13 +2,34 @@ # HOME_DIR # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) 
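Review bot: In the vnstatd.te inner hunk `@@ -28,9 +28,12 @@` the added `manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)` and `manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)` duplicate the two identical rules that already appear as context a few lines further down; only `files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })` is new, so the two duplicates should be dropped. The same hunk removes `files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })` and `@@ -64,7 +67,6 @@` removes the vnstat_t counterpart; without the type transition anything either domain creates directly under /var/lib (for instance if /var/lib/vnstat is absent on first start) is labeled var_lib_t, which the visible rules do not let either domain manage. If the directory is guaranteed to be shipped and labeled by the package this is fine, but that assumption deserves a comment at the removal site, e.g. `# /var/lib/vnstat is created by the package; no filetrans needed`.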
@@ -53765,7 +49794,7 @@ index 6f1e3c7..ade9046 100644 HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) -+HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) + HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) @@ -53789,7 +49818,7 @@ index 6f1e3c7..ade9046 100644 # # /dev -@@ -20,6 +42,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -21,6 +42,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) @@ -53798,7 +49827,7 @@ index 6f1e3c7..ade9046 100644 /etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) -@@ -32,11 +56,6 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -33,11 +56,6 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -53810,7 +49839,7 @@ index 6f1e3c7..ade9046 100644 # # /opt # -@@ -47,28 +66,30 @@ ifdef(`distro_redhat',` +@@ -48,28 +66,30 @@ ifdef(`distro_redhat',` # /tmp # 
@@ -53847,7 +49876,7 @@ index 6f1e3c7..ade9046 100644 /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -@@ -89,17 +110,44 @@ ifdef(`distro_debian', ` +@@ -90,17 +110,44 @@ ifdef(`distro_debian', ` /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -55010,7 +51039,7 @@ index 130ced9..ea8077d 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 6c01261..b5cca5e 100644 +index 143c893..5774644 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -55216,7 +51245,7 @@ index 6c01261..b5cca5e 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -247,50 +301,110 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,52 +301,112 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(iceauth_t) ') @@ -55269,6 +51298,8 @@ index 6c01261..b5cca5e 100644 + +kernel_read_system_state(xauth_t) + kernel_request_load_module(xauth_t) + domain_use_interactive_fds(xauth_t) +domain_dontaudit_leaks(xauth_t) @@ -55333,7 +51364,7 @@ index 6c01261..b5cca5e 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -302,20 +416,36 @@ optional_policy(` +@@ -304,20 +418,36 @@ optional_policy(` # XDM Local policy # @@ -55374,7 +51405,7 @@ index 6c01261..b5cca5e 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -323,43 +453,62 @@ can_exec(xdm_t, xdm_exec_t) +@@ -325,43 +455,62 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) 
@@ -55443,7 +51474,7 @@ index 6c01261..b5cca5e 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -368,18 +517,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -370,18 +519,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -55471,7 +51502,7 @@ index 6c01261..b5cca5e 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -391,38 +548,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -393,38 +550,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -55525,7 +51556,7 @@ index 6c01261..b5cca5e 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -433,9 +601,23 @@ files_list_mnt(xdm_t) +@@ -435,9 +603,23 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -55549,7 +51580,7 @@ index 6c01261..b5cca5e 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -444,28 +626,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +628,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -55588,7 +51619,7 @@ index 6c01261..b5cca5e 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -474,9 +664,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,9 +666,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -55619,7 +51650,7 @@ index 6c01261..b5cca5e 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -492,6 +703,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -494,6 +705,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -55634,7 +51665,7 @@ index 6c01261..b5cca5e 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -505,11 +724,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +726,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -55656,11 +51687,10 @@ index 6c01261..b5cca5e 100644 ') optional_policy(` -@@ -517,7 +746,43 @@ optional_policy(` +@@ -519,12 +748,62 @@ optional_policy(` ') optional_policy(` -- cpufreqselector_dbus_chat(xdm_t) + # Use dbus to start other processes as xdm_t + dbus_role_template(xdm, system_r, xdm_t) + @@ -55698,10 +51728,12 @@ index 6c01261..b5cca5e 100644 + optional_policy(` + networkmanager_dbus_chat(xdm_t) + ') - ') - - optional_policy(` -@@ -527,6 +792,16 @@ optional_policy(` ++') ++ ++optional_policy(` + # Talk to the console mouse server. + gpm_stream_connect(xdm_t) + gpm_setattr_gpmctl(xdm_t) ') optional_policy(` @@ -55718,7 +51750,7 @@ index 6c01261..b5cca5e 100644 hostname_exec(xdm_t) ') -@@ -544,28 +819,70 @@ optional_policy(` +@@ -542,28 +821,70 @@ optional_policy(` ') optional_policy(` @@ -55798,7 +51830,7 @@ index 6c01261..b5cca5e 100644 ') optional_policy(` -@@ -577,6 +894,14 @@ optional_policy(` +@@ -575,6 +896,14 @@ optional_policy(` ') optional_policy(` @@ -55813,7 +51845,7 @@ index 6c01261..b5cca5e 100644 xfs_stream_connect(xdm_t) ') -@@ -601,7 +926,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -599,7 +928,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -55822,7 +51854,7 @@ index 6c01261..b5cca5e 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -615,8 +940,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +942,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -55838,7 +51870,7 @@ index 6c01261..b5cca5e 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -635,12 +967,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +969,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -55860,7 +51892,7 @@ index 6c01261..b5cca5e 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -648,6 +987,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +989,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -55868,7 +51900,7 @@ index 6c01261..b5cca5e 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -674,7 +1014,6 @@ dev_rw_apm_bios(xserver_t) +@@ -672,7 +1016,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -55876,7 +51908,7 @@ index 6c01261..b5cca5e 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -684,11 +1023,17 @@ dev_wx_raw_memory(xserver_t) +@@ -682,11 +1025,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -55894,7 +51926,7 @@ index 6c01261..b5cca5e 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -699,8 +1044,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1046,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -55908,7 +51940,7 @@ index 6c01261..b5cca5e 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -713,8 +1063,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1065,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -55917,7 +51949,7 @@ index 6c01261..b5cca5e 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -722,11 +1070,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1072,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -55932,7 +51964,7 @@ index 6c01261..b5cca5e 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -780,16 +1129,36 @@ optional_policy(` +@@ -778,16 +1131,36 @@ optional_policy(` ') optional_policy(` @@ -55970,7 +52002,7 @@ index 6c01261..b5cca5e 100644 unconfined_domtrans(xserver_t) ') -@@ -798,6 +1167,10 @@ optional_policy(` +@@ -796,6 +1169,10 @@ optional_policy(` ') optional_policy(` 
@@ -55981,7 +52013,7 @@ index 6c01261..b5cca5e 100644 xfs_stream_connect(xserver_t) ') -@@ -813,10 +1186,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1188,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -55995,7 +52027,7 @@ index 6c01261..b5cca5e 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -824,7 +1197,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1199,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -56004,7 +52036,7 @@ index 6c01261..b5cca5e 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -837,6 +1210,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1212,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -56014,7 +52046,7 @@ index 6c01261..b5cca5e 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -844,6 +1220,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1222,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -56026,7 +52058,7 @@ index 6c01261..b5cca5e 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -852,11 +1233,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1235,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -56043,7 +52075,7 @@ index 6c01261..b5cca5e 100644 ') optional_policy(` -@@ -864,6 +1248,10 @@ optional_policy(` +@@ -862,6 +1250,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -56054,7 +52086,7 @@ index 6c01261..b5cca5e 100644 ######################################## # # Rules common to all X window domains -@@ -907,7 +1295,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1297,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -56063,7 +52095,7 @@ index 6c01261..b5cca5e 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -961,11 +1349,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1351,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -56095,7 +52127,7 @@ index 6c01261..b5cca5e 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -987,18 +1395,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1397,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -56144,24 +52176,25 @@ index 6c01261..b5cca5e 100644 + unconfined_getpgid(xserver_t) +') diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc -index 3102286..4ef4400 100644 +index 664cd7a..e3eaec5 100644 --- a/policy/modules/services/zabbix.fc 
+++ b/policy/modules/services/zabbix.fc -@@ -1,6 +1,10 @@ --/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) +@@ -1,8 +1,10 @@ + /etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) +/etc/rc\.d/init\.d/zabbix-server -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) --/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) +-/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) +-/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_t,s0) +/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) - /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) + /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if -index d77e631..4776863 100644 +index c9981d1..05ae02f 100644 --- a/policy/modules/services/zabbix.if +++ b/policy/modules/services/zabbix.if @@ -5,9 +5,9 @@ @@ -56176,7 +52209,7 @@ index d77e631..4776863 100644 ## # interface(`zabbix_domtrans',` -@@ -44,9 +44,9 @@ interface(`zabbix_read_log',` +@@ -65,9 +65,9 @@ interface(`zabbix_read_log',` ## zabbix log files. ## ## @@ -56189,20 +52222,24 @@ index d77e631..4776863 100644 # interface(`zabbix_append_log',` diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te -index c26ecf5..ad41551 100644 +index 7f88f5f..bd6493d 100644 --- a/policy/modules/services/zabbix.te 
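Review bot: The four new server entries narrow upstream's `/usr/(s)?bin/zabbix_server` pattern to `/usr/sbin/`, so a zabbix_server installed under /usr/bin (which the upstream pattern being removed covers) is left with no context and will not transition to zabbix_t when started. Keeping the optional `s` and folding the variants into one entry preserves both layouts: `/usr/(s)?bin/zabbix_server(_mysql|_pgsql|_sqlite3)? -- gen_context(system_u:object_r:zabbix_exec_t,s0)`. The same hunk also removes upstream's `zabbix_agentd` binary and `zabbix-agentd` init-script entries without a replacement; if that is because upstream labels the binary with the domain type `zabbix_agent_t` rather than an exec type, the cleaner fix is to correct the label, since dropping it lets the agent run in the init script's domain with no zabbix policy applied. Whether agent types exist in this policy tree is not visible from the hunk, so the commit message should say which it is.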
+++ b/policy/modules/services/zabbix.te -@@ -25,12 +25,14 @@ files_pid_file(zabbix_var_run_t) +@@ -36,16 +36,17 @@ files_pid_file(zabbix_var_run_t) # zabbix local policy # -allow zabbix_t self:capability { setuid setgid }; -allow zabbix_t self:fifo_file rw_file_perms; +-allow zabbix_t self:process { setsched getsched signal }; +allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; +allow zabbix_t self:process setsched; +allow zabbix_t self:sem create_sem_perms; +allow zabbix_t self:fifo_file rw_fifo_file_perms; allow zabbix_t self:unix_stream_socket create_stream_socket_perms; + allow zabbix_t self:sem create_sem_perms; + allow zabbix_t self:shm create_shm_perms; + allow zabbix_t self:tcp_socket create_stream_socket_perms; # log files -allow zabbix_t zabbix_log_t:dir setattr; @@ -56210,187 +52247,46 @@ index c26ecf5..ad41551 100644 manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) logging_log_filetrans(zabbix_t, zabbix_log_t, file) -@@ -39,8 +41,12 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -58,11 +59,15 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) +kernel_read_kernel_sysctls(zabbix_t) + + corenet_tcp_bind_generic_node(zabbix_t) + corenet_tcp_bind_zabbix_port(zabbix_t) + files_read_etc_files(zabbix_t) +auth_use_nsswitch(zabbix_t) + miscfiles_read_localization(zabbix_t) - optional_policy(` + sysnet_dns_name_resolve(zabbix_t) diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc -new file mode 100644 -index 0000000..8d9a111 ---- /dev/null +index 3defaa1..7fc57b2 100644 +--- a/policy/modules/services/zarafa.fc 
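Review bot: The rewritten capability rule adds `dac_override` to zabbix_t, which lets the daemon bypass every DAC permission check rather than only read/search checks; unless zabbix_server must write to files it does not own, `dac_read_search` alone is enough, and the commit should name the file that needs it. The same hunk replaces upstream's `allow zabbix_t self:process { setsched getsched signal };` with `allow zabbix_t self:process setsched;`, silently dropping `getsched` and `signal` that upstream grants. `allow zabbix_t self:sem create_sem_perms;` is added although the identical line now appears as context just below it, and `auth_use_nsswitch(zabbix_t)` in refpolicy normally already pulls in the `sysnet_dns_name_resolve(zabbix_t)` call that remains. Suggested lines: `allow zabbix_t self:capability { dac_read_search setuid setgid };` and `allow zabbix_t self:process { setsched getsched signal };`.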
+++ b/policy/modules/services/zarafa.fc -@@ -0,0 +1,34 @@ -+ -+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) -+ -+/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) -+ -+/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) -+ -+/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) -+ -+/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) -+ -+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) -+ -+/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) -+ -+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) -+ -+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) -+/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) -+ -+/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) -+/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) -+/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) -+/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) -+/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) -+/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) -+ -+/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -+/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) -+/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -+/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) -+/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) -+/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) -+/var/run/zarafa-monitor\.pid -- 
gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) +@@ -8,7 +8,8 @@ + /usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) + /usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) + +-/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) ++/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) ++/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) + + /var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) + /var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if -new file mode 100644 -index 0000000..7ee5092 ---- /dev/null +index 21ae664..fcc91a1 100644 +--- a/policy/modules/services/zarafa.if 
+++ b/policy/modules/services/zarafa.if -@@ -0,0 +1,141 @@ -+## policy for zarafa services -+ -+###################################### -+## -+## Creates types and rules for a basic -+## zararfa init daemon domain. -+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`zarafa_domain_template',` -+ gen_require(` -+ attribute zarafa_domain; -+ ') -+ -+ ############################## -+ # -+ # $1_t declarations -+ # -+ -+ type zarafa_$1_t, zarafa_domain; -+ type zarafa_$1_exec_t; -+ init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) -+ -+ type zarafa_$1_log_t; -+ logging_log_file(zarafa_$1_log_t) -+ -+ type zarafa_$1_var_run_t; -+ files_pid_file(zarafa_$1_var_run_t) -+ -+ ############################## -+ # -+ # $1_t local policy -+ # -+ -+ manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) -+ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) -+ files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) -+ -+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) -+ logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file }) -+') -+ -+######################################## -+## -+## Execute a domain transition to run zarafa_server. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`zarafa_server_domtrans',` -+ gen_require(` -+ type zarafa_server_t, zarafa_server_exec_t; -+ ') -+ -+ domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) -+') -+ -+######################################## -+## -+## Execute a domain transition to run zarafa_deliver. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`zarafa_deliver_domtrans',` -+ gen_require(` -+ type zarafa_deliver_t, zarafa_deliver_exec_t; -+ ') -+ -+ domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) -+') -+ -+####################################### -+## -+## Connect to zarafa-server unix domain stream socket. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`zarafa_stream_connect_server',` -+ gen_require(` -+ type zarafa_server_t, zarafa_server_var_run_t; -+ ') -+ -+ files_search_var_lib($1) -+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) -+') -+ -+###################################### -+## -+## Allow the specified domain to search -+## zarafa configuration dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zarafa_search_config',` -+ gen_require(` -+ type zarafa_etc_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 zarafa_etc_t:dir search_dir_perms; -+') +@@ -118,3 +118,24 @@ interface(`zarafa_stream_connect_server',` + files_search_var_lib($1) + stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) + ') + -+##################################### ++#################################### +## +## Allow the specified domain to manage +## zarafa /var/lib files. @@ -56405,55 +52301,40 @@ index 0000000..7ee5092 + gen_require(` + type zarafa_var_lib_t; + ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) -+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ++ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te -new file mode 100644 -index 0000000..0b1d997 ---- /dev/null +index 9fb4747..54abc7a 100644 +--- a/policy/modules/services/zarafa.te 
+++ b/policy/modules/services/zarafa.te -@@ -0,0 +1,153 @@ -+policy_module(zarafa, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+attribute zarafa_domain; -+ -+zarafa_domain_template(monitor) -+zarafa_domain_template(indexer) -+zarafa_domain_template(ical) -+zarafa_domain_template(server) -+zarafa_domain_template(spooler) -+zarafa_domain_template(gateway) -+zarafa_domain_template(deliver) -+ -+type zarafa_deliver_tmp_t; -+files_tmp_file(zarafa_deliver_tmp_t) +@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t) + zarafa_domain_template(gateway) + zarafa_domain_template(ical) + zarafa_domain_template(indexer) + +type zarafa_indexer_tmp_t; +files_tmp_file(zarafa_indexer_tmp_t) + -+type zarafa_server_tmp_t; -+files_tmp_file(zarafa_server_tmp_t) -+ -+type zarafa_var_lib_t; -+files_tmp_file(zarafa_var_lib_t) -+ -+type zarafa_etc_t; -+files_config_file(zarafa_etc_t) -+ -+type zarafa_share_t; -+files_type(zarafa_share_t) -+ + zarafa_domain_template(monitor) + zarafa_domain_template(server) + +@@ -32,6 +36,8 @@ zarafa_domain_template(spooler) + type zarafa_var_lib_t; + files_tmp_file(zarafa_var_lib_t) + +permissive zarafa_indexer_t; + -+####################################### + ######################################## + # + # zarafa-deliver local policy +@@ -57,6 +63,19 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) + corenet_tcp_bind_generic_node(zarafa_gateway_t) + corenet_tcp_bind_pop_port(zarafa_gateway_t) + ++###################################### +# +# zarafa-indexer local policy +# 
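Review bot: `permissive zarafa_indexer_t;` ships the indexer in permissive mode in the distribution policy, so every denial for that domain is logged but not enforced and the manage rules added for it in this patch are never actually exercised; the line should be tracked for removal, e.g. `# TODO: zarafa_indexer_t is permissive until its policy is complete; remove before release`. Note also that the context this hunk now rebases onto declares `zarafa_var_lib_t` with `files_tmp_file()`, which in refpolicy gives a /var/lib type the tmp-file attribute reachable by domains allowed to manage or clean all tmp files; the new `zarafa_manage_var_lib_files()` interface hands out manage access to that same type, so if `files_type()` was intended upstream that correction belongs alongside this change. The zarafa.fc edit replaces `/var/lib/zarafa-.*` with `/var/lib/zarafa(/.*)?` and `/var/lib/zarafa-webaccess(/.*)?`, which drops coverage of any other `/var/lib/zarafa-*` directory the upstream wildcard matched; if none exist, say so in the commit.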
@@ -56465,63 +52346,14 @@ index 0000000..0b1d997 +manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) +manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) + -+######################################## -+# -+# zarafa-deliver local policy -+# -+ -+manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) -+manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) -+files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) -+ -+ -+######################################## -+# -+# zarafa_server local policy -+# -+ -+allow zarafa_server_t self:capability { chown kill net_bind_service }; -+allow zarafa_server_t self:process setrlimit; -+ -+manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) -+manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) -+files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) -+ -+manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) -+manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) -+ -+stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) -+ -+corenet_tcp_bind_zarafa_port(zarafa_server_t) -+ -+files_read_usr_files(zarafa_server_t) -+ -+logging_send_syslog_msg(zarafa_server_t) -+logging_send_audit_msgs(zarafa_server_t) -+ -+sysnet_dns_name_resolve(zarafa_server_t) -+ -+optional_policy(` -+ mysql_stream_connect(zarafa_server_t) -+') -+ -+optional_policy(` -+ kerberos_use(zarafa_server_t) -+') -+ -+######################################## -+# -+# zarafa_spooler local policy -+# -+ -+allow zarafa_spooler_t self:capability { chown kill }; + -+can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) -+ -+corenet_tcp_connect_smtp_port(zarafa_spooler_t) -+ -+######################################## -+# + ####################################### + # + # zarafa-ical local policy +@@ 
-138,6 +157,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t) + + ######################################## + # +# zarafa_gateway local policy +# + @@ -56548,27 +52380,9 @@ index 0000000..0b1d997 + +######################################## +# -+# zarafa domains local policy -+# -+ -+# bad permission on /etc/zarafa -+allow zarafa_domain self:capability { dac_override setgid setuid }; -+allow zarafa_domain self:process signal; -+allow zarafa_domain self:fifo_file rw_fifo_file_perms; -+allow zarafa_domain self:tcp_socket create_stream_socket_perms; -+allow zarafa_domain self:unix_stream_socket create_stream_socket_perms; -+ -+stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) -+ -+read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) -+ -+kernel_read_system_state(zarafa_domain) -+ -+files_read_etc_files(zarafa_domain) -+ -+auth_use_nsswitch(zarafa_domain) -+ -+miscfiles_read_localization(zarafa_domain) + # zarafa domains local policy + # + diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if index 6b87605..347f754 100644 --- a/policy/modules/services/zebra.if @@ -56668,105 +52482,33 @@ index f9a06d2..3d407c6 100644 files_read_etc_files(zos_remote_t) diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index ac50333..b784a12 100644 +index 1b6619e..c480ddd 100644 --- a/policy/modules/system/application.if 
+++ b/policy/modules/system/application.if -@@ -130,3 +130,93 @@ interface(`application_signull',` +@@ -205,3 +205,21 @@ interface(`application_dontaudit_sigkill',` - allow $1 application_domain_type:process signull; + dontaudit $1 application_domain_type:process sigkill; ') + -+######################################## -+## -+## Dontaudit signull sent to all application domains. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`application_dontaudit_signull',` -+ gen_require(` -+ attribute application_domain_type; -+ ') -+ -+ dontaudit $1 application_domain_type:process signull; -+') -+ -+######################################## -+## -+## Dontaudit signal sent to all application domains. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`application_dontaudit_signal',` -+ gen_require(` -+ attribute application_domain_type; -+ ') -+ -+ dontaudit $1 application_domain_type:process signal; -+') -+ -+######################################## -+## -+## Dontaudit kill signal sent to all application domains. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`application_dontaudit_sigkill',` -+ gen_require(` -+ attribute application_domain_type; -+ ') -+ -+ dontaudit $1 application_domain_type:process sigkill; -+') -+ -+######################################## -+## -+## Send signal to all application domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`application_signal',` -+ gen_require(` -+ attribute application_domain_type; -+ ') -+ -+ allow $1 application_domain_type:process signal; -+') -+ -+######################################## ++####################################### +## -+## Getattr all application sockets. ++## Getattr all application sockets. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# +interface(`application_getattr_socket',` -+ gen_require(` -+ attribute application_domain_type; -+ ') ++ gen_require(` ++ attribute application_domain_type; ++ ') + -+ allow $1 application_domain_type:socket_class_set getattr; ++ allow $1 application_domain_type:socket_class_set getattr; +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te -index 88df85d..78e0fc2 100644 +index c6fdab7..41198a4 100644 --- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te @@ -6,6 +6,24 @@ attribute application_domain_type; 
@@ -56792,38 +52534,10 @@ index 88df85d..78e0fc2 100644 +') + optional_policy(` - ssh_sigchld(application_domain_type) - ssh_rw_stream_sockets(application_domain_type) -diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 2952cef..d845132 100644 ---- a/policy/modules/system/authlogin.fc -+++ b/policy/modules/system/authlogin.fc -@@ -10,6 +10,7 @@ - /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) - /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) - /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -+/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) - /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ifdef(`distro_suse', ` -@@ -27,6 +28,7 @@ ifdef(`distro_gentoo', ` - - /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) - -+/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - -@@ -39,6 +41,7 @@ ifdef(`distro_gentoo', ` - /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) - - /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) -+/var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0) - /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) - /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + cron_sigchld(application_domain_type) + ') diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 42b4f0f..0e6f84a 100644 +index 73554ec..e053e7d 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` 
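Review bot: Dropping the inner authlogin.fc hunk removes the `/var/run/faillock(/.*)?` → `faillog_t`, `/var/run/user(/.*)?` → `var_auth_t` and `/usr/sbin/validate` → `chkpwd_exec_t` entries from the patch with no replacement visible here; unless the upstream tree this rebases onto now carries them, the faillock tally directory (used by pam_faillock) and per-user runtime directories fall back to the generic /var/run label and `validate` stops transitioning into chkpwd_t. If upstream has them, a line in the commit message saying so would save the next rebase from re-checking; if not, the three entries should be re-added to authlogin.fc.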
@@ -56835,18 +52549,7 @@ index 42b4f0f..0e6f84a 100644 logging_send_audit_msgs($1) logging_send_syslog_msg($1) -@@ -66,6 +68,10 @@ interface(`auth_use_pam',` - optional_policy(` - consolekit_dbus_chat($1) - ') -+ -+ optional_policy(` -+ fprintd_dbus_chat($1) -+ ') - ') - - optional_policy(` -@@ -91,9 +97,12 @@ interface(`auth_use_pam',` +@@ -95,9 +97,12 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; @@ -56859,7 +52562,7 @@ index 42b4f0f..0e6f84a 100644 domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) -@@ -107,8 +116,10 @@ interface(`auth_login_pgm_domain',` +@@ -111,8 +116,10 @@ interface(`auth_login_pgm_domain',` allow $1 self:capability ipc_lock; allow $1 self:process setkeycreate; allow $1 self:key manage_key_perms; @@ -56870,7 +52573,7 @@ index 42b4f0f..0e6f84a 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -119,13 +130,19 @@ interface(`auth_login_pgm_domain',` +@@ -123,13 +130,19 @@ interface(`auth_login_pgm_domain',` # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_rw_afs_state($1) @@ -56891,7 +52594,7 @@ index 42b4f0f..0e6f84a 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -141,6 +158,8 @@ interface(`auth_login_pgm_domain',` +@@ -145,6 +158,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -56900,7 +52603,7 @@ index 42b4f0f..0e6f84a 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -151,13 +170,68 @@ interface(`auth_login_pgm_domain',` +@@ -155,13 +170,68 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) 
@@ -56971,11 +52674,7 @@ index 42b4f0f..0e6f84a 100644 ## Use the login program as an entry point program. ## ## -@@ -361,17 +435,18 @@ interface(`auth_domtrans_chk_passwd',` - - optional_policy(` - kerberos_read_keytab($1) -- kerberos_connect_524($1) +@@ -368,13 +438,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -56992,7 +52691,7 @@ index 42b4f0f..0e6f84a 100644 ') ######################################## -@@ -418,6 +493,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +493,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -57018,16 +52717,7 @@ index 42b4f0f..0e6f84a 100644 ') ######################################## -@@ -694,7 +788,7 @@ interface(`auth_relabel_shadow',` - ') - - files_search_etc($1) -- allow $1 shadow_t:file { relabelfrom relabelto }; -+ allow $1 shadow_t:file relabel_file_perms; - typeattribute $1 can_relabelto_shadow_passwords; - ') - -@@ -733,7 +827,47 @@ interface(`auth_rw_faillog',` +@@ -736,7 +827,47 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) 
@@ -57076,54 +52766,7 @@ index 42b4f0f..0e6f84a 100644 ') ####################################### -@@ -874,6 +1008,46 @@ interface(`auth_exec_pam',` - - ######################################## - ## -+## Read var auth files. Used by various other applications -+## and pam applets etc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_read_var_auth',` -+ gen_require(` -+ type var_auth_t; -+ ') -+ -+ files_search_var($1) -+ read_files_pattern($1, var_auth_t, var_auth_t) -+') -+ -+####################################### -+## -+## Read and write var auth files. Used by various other applications -+## and pam applets etc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_rw_var_auth',` -+ gen_require(` -+ type var_auth_t; -+ ') -+ -+ files_search_var($1) -+ rw_files_pattern($1, var_auth_t, var_auth_t) -+') -+ -+######################################## -+## - ## Manage var auth files. Used by various other applications - ## and pam applets etc. - ## -@@ -889,9 +1063,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1063,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -57157,32 +52800,7 @@ index 42b4f0f..0e6f84a 100644 ') ######################################## -@@ -1093,6 +1288,24 @@ interface(`auth_delete_pam_console_data',` - - ######################################## - ## -+## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_relabel_pam_console_data_dirs',` -+ gen_require(` -+ type pam_var_console_t; -+ ') -+ -+ relabel_dirs_pattern($1, pam_var_console_t, pam_var_console_t) -+') -+ -+######################################## -+## - ## Read all directories on the filesystem, except - ## the shadow passwords and listed exceptions. - ## -@@ -1326,6 +1539,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1539,25 @@ interface(`auth_setattr_login_records',` ######################################## ## 
@@ -57208,7 +52826,32 @@ index 42b4f0f..0e6f84a 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1500,28 +1732,36 @@ interface(`auth_manage_login_records',` +@@ -1541,24 +1712,6 @@ interface(`auth_manage_login_records',` + + ######################################## + ## +-## Relabel login record files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`auth_relabel_login_records',` +- gen_require(` +- type wtmp_t; +- ') +- +- allow $1 wtmp_t:file relabel_file_perms; +-') +- +-######################################## +-## + ## Use nsswitch to look up user, password, group, or + ## host information. + ## +@@ -1579,28 +1732,36 @@ interface(`auth_relabel_login_records',` # interface(`auth_use_nsswitch',` @@ -57252,25 +52895,17 @@ index 42b4f0f..0e6f84a 100644 optional_policy(` kerberos_use($1) ') -@@ -1531,7 +1771,15 @@ interface(`auth_use_nsswitch',` +@@ -1610,7 +1771,7 @@ interface(`auth_use_nsswitch',` ') optional_policy(` - nscd_socket_use($1) + nscd_use($1) -+ ') -+ -+ optional_policy(` -+ nslcd_stream_connect($1) -+ ') -+ -+ optional_policy(` -+ sssd_stream_connect($1) ') optional_policy(` diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 66d13c4..335900f 100644 +index b7a5f00..335900f 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.1) @@ -57298,15 +52933,6 @@ index 66d13c4..335900f 100644 type auth_cache_t; logging_log_file(auth_cache_t) -@@ -44,7 +59,7 @@ type pam_tmp_t; - files_tmp_file(pam_tmp_t) - - type pam_var_console_t; --files_type(pam_var_console_t) -+files_pid_file(pam_var_console_t) - - type pam_var_run_t; - files_pid_file(pam_var_run_t) @@ -100,6 +115,8 @@ dev_read_urand(chkpwd_t) files_read_etc_files(chkpwd_t) # for nscd @@ -57403,102 +53029,18 @@ index b9ed25b..de3738c 100644 domain_use_interactive_fds(hwclock_t) 
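Review bot: The new hunk `@@ -1541,24 +1712,6 @@` deletes the upstream `auth_relabel_login_records` interface from authlogin.if, and the context label on the following hunk `@@ -1579,28 +1732,36 @@` confirms the base defines it; any base module that calls it will then fail to build with an undefined macro unless this patch defines the same interface somewhere else. The preceding hunk `@@ -1387,6 +1539,25 @@` (mostly outside this hunk) inserts 19 lines right after `auth_setattr_login_records`, which looks like a local copy of that interface — if so, the cleaner rebase is to drop the patch's copy and keep upstream's definition, since deleting upstream interfaces is what breaks the next rebase. Whichever copy is kept, state the reason in the commit message, e.g. `authlogin: drop duplicate auth_relabel_login_records now provided upstream`.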
diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if -index 89cc088..81e5ed4 100644 +index ce3e676..0158314 100644 --- a/policy/modules/system/daemontools.if +++ b/policy/modules/system/daemontools.if -@@ -71,6 +71,32 @@ interface(`daemontools_domtrans_start',` - domtrans_pattern($1, svc_start_exec_t, svc_start_t) - ') - -+###################################### -+## -+## Execute svc_start in the svc_start domain, and -+## allow the specified role the svc_start domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the svc_start domain. -+## -+## -+## -+# -+interface(`daemonstools_run_start',` -+ gen_require(` -+ type svc_start_t; -+ ') -+ -+ daemontools_domtrans_start($1) -+ role $2 types svc_start_t; -+') -+ - ######################################## - ## - ## Execute in the svc_run_t domain. -@@ -127,6 +153,24 @@ interface(`daemontools_read_svc',` - allow $1 svc_svc_t:file read_file_perms; - ') - -+###################################### -+## -+## Search svc_svc_t directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`daemontools_search_svc_dir',` -+ gen_require(` -+ type svc_svc_t; -+ ') -+ -+ allow $1 svc_svc_t:dir search_dir_perms; -+') -+ - ######################################## - ## - ## Allow a domain to create svc_svc_t files. -@@ -148,3 +192,21 @@ interface(`daemontools_manage_svc',` +@@ -210,3 +210,4 @@ interface(`daemontools_manage_svc',` allow $1 svc_svc_t:file manage_file_perms; allow $1 svc_svc_t:lnk_file { read create }; ') + -+###################################### -+## -+## Send a SIGCHLD signal to svc_run domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`daemontools_sigchld_run',` -+ gen_require(` -+ type svc_run_t; -+ ') -+ -+ allow $1 svc_run_t:process sigchld; -+') 
diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te -index 183fcf1..d923d03 100644 +index dcc5f1c..5610417 100644 --- a/policy/modules/system/daemontools.te +++ b/policy/modules/system/daemontools.te -@@ -6,7 +6,7 @@ policy_module(daemontools, 1.2.0) - # - - type svc_conf_t; --files_type(svc_conf_t) -+files_config_file(svc_conf_t) - - type svc_log_t; - files_type(svc_log_t) @@ -38,7 +38,10 @@ files_type(svc_svc_t) # multilog creates /service/*/log/status manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) @@ -57510,21 +53052,7 @@ index 183fcf1..d923d03 100644 # writes to /var/log/*/* logging_manage_generic_logs(svc_multilog_t) -@@ -52,7 +55,7 @@ daemontools_ipc_domain(svc_multilog_t) - # ie. softlimit, setuidgid, envuidgid, envdir, fghack .. - # - --allow svc_run_t self:capability { setgid setuid chown fsetid }; -+allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource }; - allow svc_run_t self:process setrlimit; - allow svc_run_t self:fifo_file rw_fifo_file_perms; - allow svc_run_t self:unix_stream_socket create_stream_socket_perms; -@@ -64,9 +67,13 @@ can_exec(svc_run_t, svc_run_exec_t) - - kernel_read_system_state(svc_run_t) - -+dev_read_urand(svc_run_t) -+ +@@ -69,6 +72,8 @@ dev_read_urand(svc_run_t) corecmd_exec_bin(svc_run_t) corecmd_exec_shell(svc_run_t) 
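Review bot: After this rebase the only change the patch still makes to daemontools.if is the hunk `@@ -210,3 +210,4 @@`, which appends a single blank line after `daemontools_manage_svc`; a whitespace-only hunk adds no policy and will only conflict on the next rebase. Drop the whole daemontools.if section of the patch (its `diff --git`, `index` and `---`/`+++` header lines included). The interfaces this section used to add (`daemonstools_run_start`, `daemontools_search_svc_dir`, `daemontools_sigchld_run`) are removed here as upstreamed; if the base inherited the misspelled `daemonstools_run_start`, the rename belongs upstream rather than in this patch.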
@@ -57533,25 +53061,15 @@ index 183fcf1..d923d03 100644 files_read_etc_files(svc_run_t) files_read_etc_runtime_files(svc_run_t) files_search_pids(svc_run_t) -@@ -88,21 +95,36 @@ optional_policy(` - # ie svc, svscan, supervise ... - # - --allow svc_start_t svc_run_t:process signal; -+allow svc_start_t svc_run_t:process { signal setrlimit }; - - allow svc_start_t self:fifo_file rw_fifo_file_perms; - allow svc_start_t self:capability kill; -+allow svc_start_t self:tcp_socket create_stream_socket_perms; - allow svc_start_t self:unix_stream_socket create_socket_perms; +@@ -99,17 +104,28 @@ allow svc_start_t self:unix_stream_socket create_socket_perms; can_exec(svc_start_t, svc_start_exec_t) +mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) + -+kernel_read_kernel_sysctls(svc_start_t) -+kernel_read_system_state(svc_start_t) -+ + kernel_read_kernel_sysctls(svc_start_t) + kernel_read_system_state(svc_start_t) + corecmd_exec_bin(svc_start_t) corecmd_exec_shell(svc_start_t) @@ -57571,6 +53089,7 @@ index 183fcf1..d923d03 100644 + daemontools_domtrans_run(svc_start_t) daemontools_manage_svc(svc_start_t) + diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc index a97a096..ab1e16a 100644 --- a/policy/modules/system/fstools.fc @@ -57598,35 +53117,10 @@ index a97a096..ab1e16a 100644 /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index a442acc..028a90f 100644 +index c28da1c..73883c4 100644 --- a/policy/modules/system/fstools.te 
+++ b/policy/modules/system/fstools.te -@@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon }; - - kernel_read_system_state(fsadm_t) - kernel_read_kernel_sysctls(fsadm_t) -+kernel_request_load_module(fsadm_t) - # Allow console log change (updfstab) - kernel_change_ring_buffer_level(fsadm_t) - # mkreiserfs needs this -@@ -78,6 +79,7 @@ dev_dontaudit_getattr_generic_files(fsadm_t) - # mkreiserfs and other programs need this for UUID - dev_read_rand(fsadm_t) - dev_read_urand(fsadm_t) -+dev_write_kmsg(fsadm_t) - # Recreate /dev/cdrom. - dev_manage_generic_symlinks(fsadm_t) - # fdisk needs this for early boot -@@ -85,7 +87,7 @@ dev_manage_generic_blk_files(fsadm_t) - # Access to /initrd devices - dev_search_usbfs(fsadm_t) - # for swapon --dev_read_sysfs(fsadm_t) -+dev_rw_sysfs(fsadm_t) - # Access to /initrd devices - dev_getattr_usbfs_dirs(fsadm_t) - # Access to /dev/mapper/control -@@ -99,6 +101,8 @@ files_read_usr_files(fsadm_t) +@@ -101,6 +101,8 @@ files_read_usr_files(fsadm_t) files_read_etc_files(fsadm_t) files_manage_lost_found(fsadm_t) files_manage_isid_type_dirs(fsadm_t) @@ -57635,11 +53129,7 @@ index a442acc..028a90f 100644 # Write to /etc/mtab. files_manage_etc_runtime_files(fsadm_t) files_etc_filetrans_etc_runtime(fsadm_t, file) -@@ -114,9 +118,13 @@ fs_rw_tmpfs_files(fsadm_t) - # remount file system to apply changes - fs_remount_xattr_fs(fsadm_t) - # for /dev/shm -+fs_list_auto_mountpoints(fsadm_t) +@@ -120,6 +122,9 @@ fs_list_auto_mountpoints(fsadm_t) fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -57649,7 +53139,7 @@ index a442acc..028a90f 100644 # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -130,10 +138,12 @@ storage_raw_write_fixed_disk(fsadm_t) +@@ -133,10 +138,12 @@ storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) 
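Review bot: `mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)` in daemontools.te grants more than a read: in refpolicy `mmap_file_perms` includes `execute`, and the same rule run keeps `daemontools_manage_svc(svc_start_t)`, so svc_start_t can both write svc_svc_t files and map them executable, leaving no write-xor-execute boundary inside the domain. If the denial being fixed was only `read`/`open` on a file under the service directory, `read_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)` is sufficient; if a tool genuinely maps svc_svc_t content with PROT_EXEC, keep the rule but add a comment above it naming the program and the AVC it fixes, e.g. `# <program> mmaps svc_svc_t files — needs mmap_file_perms (see AVC)`. The svc_start_t rule block continues outside this hunk.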
@@ -57662,13 +53152,8 @@ index a442acc..028a90f 100644 init_use_fds(fsadm_t) init_use_script_ptys(fsadm_t) init_dontaudit_getattr_initctl(fsadm_t) -@@ -142,18 +152,15 @@ logging_send_syslog_msg(fsadm_t) - - miscfiles_read_localization(fsadm_t) +@@ -147,13 +154,13 @@ miscfiles_read_localization(fsadm_t) --modutils_read_module_config(fsadm_t) --modutils_read_module_deps(fsadm_t) -- seutil_read_config(fsadm_t) -userdom_use_user_terminals(fsadm_t) @@ -57687,7 +53172,7 @@ index a442acc..028a90f 100644 optional_policy(` amanda_rw_dumpdates_files(fsadm_t) -@@ -166,6 +173,24 @@ optional_policy(` +@@ -166,6 +173,11 @@ optional_policy(` ') optional_policy(` @@ -57696,30 +53181,13 @@ index a442acc..028a90f 100644 +') + +optional_policy(` -+ hal_dontaudit_write_log(fsadm_t) -+') -+ -+optional_policy(` -+ livecd_rw_tmp_files(fsadm_t) -+') -+ -+optional_policy(` -+ modutils_read_module_config(fsadm_t) -+ modutils_read_module_deps(fsadm_t) -+') -+ -+optional_policy(` - nis_use_ypbind(fsadm_t) + hal_dontaudit_write_log(fsadm_t) ') -@@ -175,6 +200,14 @@ optional_policy(` +@@ -192,6 +204,10 @@ optional_policy(` ') optional_policy(` -+ udev_read_db(fsadm_t) -+') -+ -+optional_policy(` + virt_read_blk_images(fsadm_t) +') + 
@@ -57774,32 +53242,6 @@ index c310775..ec32c5e 100644 logging_send_syslog_msg(hostname_t) -diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te -index 882c6a2..d0ff4ec 100644 ---- a/policy/modules/system/hotplug.te -+++ b/policy/modules/system/hotplug.te -@@ -105,9 +105,6 @@ libs_read_lib_files(hotplug_t) - miscfiles_read_hwdata(hotplug_t) - miscfiles_read_localization(hotplug_t) - --modutils_domtrans_insmod(hotplug_t) --modutils_read_module_deps(hotplug_t) -- - seutil_dontaudit_search_config(hotplug_t) - - sysnet_read_config(hotplug_t) -@@ -154,6 +151,11 @@ optional_policy(` - ') - - optional_policy(` -+ modutils_domtrans_insmod(hotplug_t) -+ modutils_read_module_deps(hotplug_t) -+') -+ -+optional_policy(` - mount_domtrans(hotplug_t) - ') - diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index 354ce93..b8b14b9 100644 --- a/policy/modules/system/init.fc @@ -57845,7 +53287,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..6569096 100644 +index 94fd8dd..2ae760f 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,41 @@ interface(`init_script_domain',` @@ -58633,7 +54075,7 @@ index cc83689..6569096 100644 + read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..34ac96c 100644 +index 29a9565..ad617a2 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
@@ -59383,16 +54825,7 @@ index ea29513..34ac96c 100644 ') optional_policy(` -@@ -781,14 +1108,21 @@ optional_policy(` - ') - - optional_policy(` -+ # shorewall-init script run /var/lib/shorewall/firewall -+ shorewall_domtrans_lib(initrc_t) -+') -+ -+optional_policy(` - squid_read_config(initrc_t) +@@ -790,10 +1117,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -59405,7 +54838,7 @@ index ea29513..34ac96c 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1134,6 @@ optional_policy(` +@@ -805,7 +1134,6 @@ optional_policy(` ') optional_policy(` @@ -59413,7 +54846,7 @@ index ea29513..34ac96c 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1143,24 @@ optional_policy(` +@@ -815,11 +1143,24 @@ optional_policy(` ') optional_policy(` @@ -59439,7 +54872,7 @@ index ea29513..34ac96c 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1170,25 @@ optional_policy(` +@@ -829,6 +1170,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -59465,7 +54898,7 @@ index ea29513..34ac96c 100644 ') optional_policy(` -@@ -839,6 +1204,10 @@ optional_policy(` +@@ -844,6 +1204,10 @@ optional_policy(` ') optional_policy(` @@ -59476,7 +54909,7 @@ index ea29513..34ac96c 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -849,3 +1218,45 @@ optional_policy(` +@@ -854,3 +1218,45 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -59523,7 +54956,7 @@ index ea29513..34ac96c 100644 + +init_stream_connect(initrc_t) diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 07eba2b..a75297a 100644 +index fb09b9e..e25c6b6 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -12,12 +12,12 @@ 
@@ -59545,11 +54978,9 @@ index 07eba2b..a75297a 100644 /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -@@ -25,16 +25,19 @@ - /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) - /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) +@@ -27,10 +27,10 @@ /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) -+/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) @@ -59562,43 +54993,35 @@ index 07eba2b..a75297a 100644 /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) - /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) - -+/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) -+ - /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) - - /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 8232f91..8897e32 100644 +index 0d4c8d3..9d66bf7 100644 --- a/policy/modules/system/ipsec.if 
+++ b/policy/modules/system/ipsec.if -@@ -20,6 +20,24 @@ interface(`ipsec_domtrans',` - - ######################################## - ## -+## Execute ipsec in the ipsec mgmt domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ipsec_domtrans_mgmt',` -+ gen_require(` -+ type ipsec_mgmt_t, ipsec_mgmt_exec_t; -+ ') -+ -+ domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) -+') -+ -+######################################## -+## - ## Connect to IPSEC using a unix domain stream socket. - ## - ## -@@ -129,6 +147,7 @@ interface(`ipsec_match_default_spd',` +@@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',` + ## + ## + # +-# + interface(`ipsec_signal_mgmt',` + gen_require(` + type ipsec_mgmt_t; +@@ -139,7 +138,6 @@ interface(`ipsec_signal_mgmt',` + ## + ## + # +-# + interface(`ipsec_signull_mgmt',` + gen_require(` + type ipsec_mgmt_t; +@@ -158,7 +156,6 @@ interface(`ipsec_signull_mgmt',` + ## + ## + # +-# + interface(`ipsec_kill_mgmt',` + gen_require(` + type ipsec_mgmt_t; +@@ -225,6 +222,7 @@ interface(`ipsec_match_default_spd',` allow $1 ipsec_spd_t:association polmatch; allow $1 self:association sendto; 
@@ -59606,125 +55029,11 @@ index 8232f91..8897e32 100644 ') ######################################## -@@ -273,3 +292,81 @@ interface(`ipsec_run_setkey',` - ipsec_domtrans_setkey($1) - role $2 types setkey_t; - ') -+ -+######################################## -+## -+## Send ipsec mgmt a signal -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`ipsec_signal_mgmt',` -+ gen_require(` -+ type ipsec_mgmt_t; -+ ') -+ -+ allow $1 ipsec_mgmt_t:process signal; -+') -+ -+######################################## -+## -+## Send ipsec mgmt a signull -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`ipsec_signull_mgmt',` -+ gen_require(` -+ type ipsec_mgmt_t; -+ ') -+ -+ allow $1 ipsec_mgmt_t:process signull; -+') -+ -+######################################## -+## -+## Send ipsec mgmt a kill signal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`ipsec_kill_mgmt',` -+ gen_require(` -+ type ipsec_mgmt_t; -+ ') -+ -+ allow $1 ipsec_mgmt_t:process sigkill; -+') -+ -+###################################### -+## -+## Send and receive messages from -+## ipsec-mgmt over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ipsec_mgmt_dbus_chat',` -+ gen_require(` -+ type ipsec_mgmt_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 ipsec_mgmt_t:dbus send_msg; -+ allow ipsec_mgmt_t $1:dbus send_msg; -+') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 98d6081..e46bdda 100644 +index 55a6cd8..bec6385 100644 --- a/policy/modules/system/ipsec.te 
+++ b/policy/modules/system/ipsec.te -@@ -73,7 +73,7 @@ role system_r types setkey_t; - # - - allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; --dontaudit ipsec_t self:capability sys_tty_config; -+dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; - allow ipsec_t self:process { getcap setcap getsched signal setsched }; - allow ipsec_t self:tcp_socket create_stream_socket_perms; - allow ipsec_t self:udp_socket create_socket_perms; -@@ -95,9 +95,10 @@ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) - manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) - files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) - -+manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) - manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) - manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) --files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file }) -+files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) - - can_exec(ipsec_t, ipsec_mgmt_exec_t) - -@@ -108,8 +109,8 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t) - corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) - allow ipsec_mgmt_t ipsec_t:fd use; - allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; --dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; --allow ipsec_mgmt_t ipsec_t:process sigchld; -+allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; -+allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; - - kernel_read_kernel_sysctls(ipsec_t) - kernel_list_proc(ipsec_t) -@@ -127,13 +128,13 @@ corecmd_exec_bin(ipsec_t) +@@ -128,13 +128,13 @@ corecmd_exec_bin(ipsec_t) # Pluto needs network access corenet_all_recvfrom_unlabeled(ipsec_t) 
@@ -59744,15 +55053,7 @@ index 98d6081..e46bdda 100644 corenet_tcp_bind_reserved_port(ipsec_t) corenet_tcp_bind_isakmp_port(ipsec_t) corenet_udp_bind_isakmp_port(ipsec_t) -@@ -150,6 +151,7 @@ domain_use_interactive_fds(ipsec_t) - files_list_tmp(ipsec_t) - files_read_etc_files(ipsec_t) - files_read_usr_files(ipsec_t) -+files_dontaudit_search_home(ipsec_t) - - fs_getattr_all_fs(ipsec_t) - fs_search_auto_mountpoints(ipsec_t) -@@ -167,6 +169,8 @@ logging_send_syslog_msg(ipsec_t) +@@ -169,6 +169,8 @@ logging_send_syslog_msg(ipsec_t) miscfiles_read_localization(ipsec_t) sysnet_domtrans_ifconfig(ipsec_t) @@ -59761,26 +55062,7 @@ index 98d6081..e46bdda 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -185,8 +189,8 @@ optional_policy(` - # - - allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; --dontaudit ipsec_mgmt_t self:capability sys_tty_config; --allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal }; -+dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; -+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; - allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; - allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; - allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -225,7 +229,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; - - manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) - manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) --files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file) - - # whack needs to connect to pluto - stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) -@@ -244,6 +247,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -245,6 +247,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) 
@@ -59798,73 +55080,25 @@ index 98d6081..e46bdda 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -258,7 +272,7 @@ dev_read_urand(ipsec_mgmt_t) - - domain_use_interactive_fds(ipsec_mgmt_t) - # denials when ps tries to search /proc. Do not audit these denials. --domain_dontaudit_list_all_domains_state(ipsec_mgmt_t) -+domain_dontaudit_read_all_domains_state(ipsec_mgmt_t) - # suppress audit messages about unnecessary socket access - # cjp: this seems excessive - domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) -@@ -276,8 +290,11 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -277,7 +290,7 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) -term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) +term_use_all_inherited_terms(ipsec_mgmt_t) -+auth_dontaudit_read_login_records(ipsec_mgmt_t) -+ -+init_read_utmp(ipsec_mgmt_t) - init_use_script_ptys(ipsec_mgmt_t) - init_exec_script_files(ipsec_mgmt_t) - init_use_fds(ipsec_mgmt_t) -@@ -287,19 +304,40 @@ logging_send_syslog_msg(ipsec_mgmt_t) - - miscfiles_read_localization(ipsec_mgmt_t) - --modutils_domtrans_insmod(ipsec_mgmt_t) -- - seutil_dontaudit_search_config(ipsec_mgmt_t) + auth_dontaudit_read_login_records(ipsec_mgmt_t) -+sysnet_manage_config(ipsec_mgmt_t) +@@ -297,7 +310,7 @@ sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) -+sysnet_etc_filetrans_config(ipsec_mgmt_t) + sysnet_etc_filetrans_config(ipsec_mgmt_t) -userdom_use_user_terminals(ipsec_mgmt_t) +userdom_use_inherited_user_terminals(ipsec_mgmt_t) optional_policy(` consoletype_exec(ipsec_mgmt_t) - ') - - optional_policy(` -+ hostname_exec(ipsec_mgmt_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(ipsec_mgmt_t) -+ dbus_connect_system_bus(ipsec_mgmt_t) -+ -+ optional_policy(` -+ networkmanager_dbus_chat(ipsec_mgmt_t) -+ ') -+') -+ -+optional_policy(` -+ iptables_domtrans(ipsec_mgmt_t) -+') -+ -+optional_policy(` -+ 
modutils_domtrans_insmod(ipsec_mgmt_t) -+') -+ -+optional_policy(` - nscd_socket_use(ipsec_mgmt_t) - ') - -@@ -352,12 +390,12 @@ corecmd_exec_shell(racoon_t) +@@ -377,12 +390,12 @@ corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t) @@ -59883,7 +55117,7 @@ index 98d6081..e46bdda 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -386,6 +424,8 @@ miscfiles_read_localization(racoon_t) +@@ -411,6 +424,8 @@ miscfiles_read_localization(racoon_t) sysnet_exec_ifconfig(racoon_t) @@ -59892,15 +55126,7 @@ index 98d6081..e46bdda 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -412,6 +452,7 @@ domain_ipsec_setcontext_all_domains(setkey_t) - files_read_etc_files(setkey_t) - - init_dontaudit_use_fds(setkey_t) -+init_read_script_tmp_files(setkey_t) - - # allow setkey to set the context for ipsec SAs and policy. - corenet_setcontext_all_spds(setkey_t) -@@ -422,5 +463,6 @@ miscfiles_read_localization(setkey_t) +@@ -448,5 +463,6 @@ miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) @@ -59909,48 +55135,29 @@ index 98d6081..e46bdda 100644 +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 13f62a6..fd99a6e 100644 +index 05fb364..2538de7 100644 --- a/policy/modules/system/iptables.fc 
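Review bot: Replacing `term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)` with `term_use_all_inherited_terms(ipsec_mgmt_t)` turns a suppressed getattr denial into a read/write grant on every terminal type reachable through an inherited descriptor, which is a widening, unlike the paired `userdom_use_user_terminals` → `userdom_use_inherited_user_terminals` swap that narrows access. If the underlying AVC was still only `getattr` on an unallocated tty, the dontaudit should stay; if the ipsec helper scripts now need to write to the tty they were started from, say so in a comment above the rule, e.g. `# ipsec helper scripts write to the tty they inherit — confirm against AVC`, so the next rebase does not silently undo or re-widen it. The ipsec_mgmt_t rule block continues outside this hunk.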
+++ b/policy/modules/system/iptables.fc -@@ -1,12 +1,19 @@ +@@ -1,7 +1,5 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) +/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) - /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) - -+/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+ -+/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) -+ -+ - /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if -index 5c94dfe..59bfb17 100644 ---- a/policy/modules/system/iptables.if -+++ b/policy/modules/system/iptables.if -@@ -17,6 +17,10 @@ interface(`iptables_domtrans',` - - corecmd_search_bin($1) - domtrans_pattern($1, iptables_exec_t, iptables_t) -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit iptables_t $1:socket_class_set { read write }; -+ ') - ') - - ######################################## + /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) + 
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +@@ -12,8 +10,3 @@ + /sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) +- +-/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index a3fdcb3..66f2959 100644 +index f3e1b57..a7b2adc 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -13,9 +13,6 @@ role system_r types iptables_t; @@ -59963,12 +55170,8 @@ index a3fdcb3..66f2959 100644 type iptables_tmp_t; files_tmp_file(iptables_tmp_t) -@@ -31,10 +28,12 @@ allow iptables_t self:capability { dac_read_search dac_override net_admin net_ra - dontaudit iptables_t self:capability sys_tty_config; - allow iptables_t self:fifo_file rw_fifo_file_perms; - allow iptables_t self:process { sigchld sigkill sigstop signull signal }; -+# needed by ipvsadm -+allow iptables_t self:netlink_socket create_socket_perms; +@@ -34,8 +31,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal }; + allow iptables_t self:netlink_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms; -manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) 
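Review bot: The new hunk `@@ -12,8 +10,3 @@` drops the `iptables_exec_t` labels for `/usr/sbin/ipchains.*`, `/usr/sbin/iptables`, `/usr/sbin/iptables-multi` and `/usr/sbin/iptables-restore`, while the `/sbin/...` entries shown above are kept. Any of those /usr/sbin paths present on a system would then fall back to the generic /usr/sbin label (presumably bin_t) and execute in the caller's domain instead of transitioning to iptables_t, so none of the iptables.te confinement applies to it. If the tools live only under /sbin on this release, say so in the commit message; otherwise keep the four entries, or cover them with one line such as `/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)`.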
@@ -59978,15 +55181,7 @@ index a3fdcb3..66f2959 100644 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -52,10 +51,17 @@ kernel_read_kernel_sysctls(iptables_t) - kernel_read_modprobe_sysctls(iptables_t) - kernel_use_fds(iptables_t) - -+# needed by ipvsadm -+corecmd_exec_bin(iptables_t) -+corecmd_exec_shell(iptables_t) -+ - corenet_relabelto_all_packets(iptables_t) +@@ -61,6 +58,9 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -59996,7 +55191,7 @@ index a3fdcb3..66f2959 100644 fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -64,11 +70,13 @@ fs_list_inotifyfs(iptables_t) +@@ -69,11 +69,13 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -60011,7 +55206,7 @@ index a3fdcb3..66f2959 100644 auth_use_nsswitch(iptables_t) -@@ -77,6 +85,7 @@ init_use_script_ptys(iptables_t) +@@ -82,6 +84,7 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -60019,7 +55214,7 @@ index a3fdcb3..66f2959 100644 logging_send_syslog_msg(iptables_t) -@@ -85,11 +94,13 @@ miscfiles_read_localization(iptables_t) +@@ -90,7 +93,7 @@ miscfiles_read_localization(iptables_t) sysnet_domtrans_ifconfig(iptables_t) sysnet_dns_name_resolve(iptables_t) @@ -60027,6 +55222,9 @@ index a3fdcb3..66f2959 100644 +userdom_use_inherited_user_terminals(iptables_t) userdom_use_all_users_fds(iptables_t) + ifdef(`hide_broken_symptoms',` +@@ -99,6 +102,8 @@ ifdef(`hide_broken_symptoms',` + optional_policy(` fail2ban_append_log(iptables_t) + fail2ban_dontaudit_leaks(iptables_t) @@ -60034,7 +55232,7 @@ index a3fdcb3..66f2959 100644 ') optional_policy(` -@@ -112,6 +123,7 @@ optional_policy(` +@@ -121,6 +126,7 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) 
@@ -60042,65 +55240,19 @@ index a3fdcb3..66f2959 100644 ') optional_policy(` -@@ -124,6 +136,8 @@ optional_policy(` - +@@ -134,6 +140,7 @@ optional_policy(` optional_policy(` + shorewall_read_tmp_files(iptables_t) shorewall_rw_lib_files(iptables_t) + shorewall_read_tmp_files(iptables_t) -+ shorewall_read_config(iptables_t) + shorewall_read_config(iptables_t) ') - optional_policy(` -diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if -index 663a47b..ad0b864 100644 ---- a/policy/modules/system/iscsi.if -+++ b/policy/modules/system/iscsi.if -@@ -56,3 +56,21 @@ interface(`iscsi_read_lib_files',` - allow $1 iscsi_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) - ') -+ -+######################################## -+## -+## Manage iscsid sempaphores. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`iscsi_manage_semaphores',` -+ gen_require(` -+ type iscsid_t; -+ ') -+ -+ allow $1 iscsid_t:sem create_sem_perms; -+') diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te -index 1d1c399..b8f623a 100644 +index ddbd8be..ac8e814 100644 --- a/policy/modules/system/iscsi.te 
+++ b/policy/modules/system/iscsi.te -@@ -31,6 +31,7 @@ files_pid_file(iscsi_var_run_t) - # - - allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; -+dontaudit iscsid_t self:capability { sys_ptrace }; - allow iscsid_t self:process { setrlimit setsched signal }; - allow iscsid_t self:fifo_file rw_fifo_file_perms; - allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -44,8 +45,9 @@ allow iscsid_t self:tcp_socket create_stream_socket_perms; - - can_exec(iscsid_t, iscsid_exec_t) - -+manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) - manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) --files_lock_filetrans(iscsid_t, iscsi_lock_t, file) -+files_lock_filetrans(iscsid_t, iscsi_lock_t, { dir file }) - - manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) - logging_log_filetrans(iscsid_t, iscsi_log_t, file) -@@ -64,6 +66,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) +@@ -66,6 +66,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) kernel_read_network_state(iscsid_t) kernel_read_system_state(iscsid_t) @@ -60108,7 +55260,7 @@ index 1d1c399..b8f623a 100644 corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) -@@ -76,6 +79,8 @@ corenet_tcp_connect_isns_port(iscsid_t) +@@ -78,6 +79,8 @@ corenet_tcp_connect_isns_port(iscsid_t) dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) @@ -60117,15 +55269,8 @@ index 1d1c399..b8f623a 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) -@@ -91,5 +96,5 @@ logging_send_syslog_msg(iscsid_t) - miscfiles_read_localization(iscsid_t) - - optional_policy(` -- tgtd_rw_semaphores(iscsid_t) -+ tgtd_manage_semaphores(iscsid_t) - ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 9df8c4d..98b8d89 100644 +index 560dc48..98b8d89 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc 
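Review bot: The rebased shorewall hunk in iptables.te (`@@ -134,6 +140,7 @@`) still adds `shorewall_read_tmp_files(iptables_t)` although the same call now sits two lines above it as upstream context, so the patched file carries the call twice. As far as the collapsed markers can be read, that duplicate is the only remaining added line of the inner hunk; the compiled policy is unaffected because identical allow rules merge, but it is a rebase leftover. Drop the added line, after which the inner hunk changes nothing and can be removed from the patch altogether.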
@@ -37,17 +37,12 @@ ifdef(`distro_redhat',` @@ -60154,15 +55299,7 @@ index 9df8c4d..98b8d89 100644 /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -90,6 +84,7 @@ ifdef(`distro_gentoo',` - ') - - ifdef(`distro_redhat',` -+/opt/Adobe.*/libcurl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) -@@ -118,64 +113,62 @@ ifdef(`distro_redhat',` +@@ -119,64 +113,62 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) @@ -60261,7 +55398,7 @@ index 9df8c4d..98b8d89 100644 ') ifdef(`distro_gentoo',` -@@ -194,94 +187,92 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -195,7 +187,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -60269,9 +55406,7 @@ index 9df8c4d..98b8d89 100644 /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -203,86 +194,85 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -60279,6 +55414,7 @@ index 9df8c4d..98b8d89 100644 - -/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -60339,6 +55475,7 @@ index 9df8c4d..98b8d89 100644 -/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib(64)?/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -60412,22 +55549,17 @@ index 9df8c4d..98b8d89 100644 /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -302,13 +293,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -303,8 +293,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) -/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) --/usr/lib(64)?/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) --/usr/lib(64)?/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -- --/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) --/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) ') dnl end distro_redhat # -@@ -316,17 +301,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -312,17 +301,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -60587,37 +55719,10 @@ index 9df8c4d..98b8d89 100644 +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index d97d16d..ed84884 100644 +index 808ba93..ed84884 100644 
--- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if -@@ -46,6 +46,26 @@ interface(`libs_run_ldconfig',` - - ######################################## - ## -+## Execute ldconfig in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`libs_exec_ldconfig',` -+ gen_require(` -+ type ldconfig_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, ldconfig_exec_t) -+') -+ -+######################################## -+## - ## Use the dynamic link/loader for automatic loading - ## of shared libraries. - ## -@@ -187,6 +207,23 @@ interface(`libs_search_lib',` +@@ -207,6 +207,23 @@ interface(`libs_search_lib',` allow $1 lib_t:dir search_dir_perms; ') @@ -60641,7 +55746,32 @@ index d97d16d..ed84884 100644 ######################################## ## -@@ -383,7 +420,7 @@ interface(`libs_manage_shared_libs',` +@@ -253,24 +270,6 @@ interface(`libs_manage_lib_dirs',` + + ######################################## + ## +-## dontaudit attempts to setattr on library files +-## +-## +-## +-## Domain to not audit. +-## +-## +-# +-interface(`libs_dontaudit_setattr_lib_files',` +- gen_require(` +- type lib_t; +- ') +- +- dontaudit $1 lib_t:file setattr; +-') +- +-######################################## +-## + ## Read files in the library directories, such + ## as static libraries. + ## +@@ -421,7 +420,7 @@ interface(`libs_manage_shared_libs',` type lib_t, textrel_shlib_t; ') @@ -60650,7 +55780,7 @@ index d97d16d..ed84884 100644 ') ######################################## -@@ -402,9 +439,9 @@ interface(`libs_use_shared_libs',` +@@ -440,9 +439,9 @@ interface(`libs_use_shared_libs',` ') files_search_usr($1) @@ -60663,7 +55793,7 @@ index d97d16d..ed84884 100644 allow $1 textrel_shlib_t:file execmod; ') -@@ -445,7 +482,7 @@ interface(`libs_relabel_shared_libs',` +@@ -483,7 +482,7 @@ interface(`libs_relabel_shared_libs',` type lib_t, textrel_shlib_t; ') 
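Review bot: The new inner hunk `@@ -253,24 +270,6 @@` deletes the `libs_dontaudit_setattr_lib_files` interface from libraries.if, and any module in the tree (or elsewhere in this patch) that still calls it will fail to build on an undefined interface; no caller is visible in this chunk, so that needs a grep before the interface goes. Refpolicy's usual way to retire an interface is to keep its body as a `refpolicywarn` deprecation stub for a release rather than remove it outright, which also keeps third-party modules building.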
@@ -60673,7 +55803,7 @@ index d97d16d..ed84884 100644 ######################################## diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index bf416a4..91f5506 100644 +index e5836d3..1db2eab 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot }; @@ -60737,16 +55867,8 @@ index bf416a4..91f5506 100644 +# unconfined_domain(ldconfig_t) +#') + -diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc -index 7570583..be6a81b 100644 ---- a/policy/modules/system/locallogin.fc -+++ b/policy/modules/system/locallogin.fc -@@ -1,2 +1,3 @@ - - /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) -+/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 2b7e5f3..76b4ce1 100644 +index a0b379d..77f0e09 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -32,9 +32,8 @@ role system_r types sulogin_t; 
@@ -60791,28 +55913,7 @@ index 2b7e5f3..76b4ce1 100644 optional_policy(` alsa_domtrans(local_login_t) ') -@@ -185,7 +193,7 @@ optional_policy(` - ') - - optional_policy(` -- unconfined_domain(local_login_t) -+ unconfined_shell_domtrans(local_login_t) - ') - - optional_policy(` -@@ -202,9 +210,10 @@ optional_policy(` - # Sulogin local policy - # - -+allow sulogin_t self:capability dac_override; - allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow sulogin_t self:fd use; --allow sulogin_t self:fifo_file rw_file_perms; -+allow sulogin_t self:fifo_file rw_fifo_file_perms; - allow sulogin_t self:unix_dgram_socket create_socket_perms; - allow sulogin_t self:unix_stream_socket create_stream_socket_perms; - allow sulogin_t self:unix_dgram_socket sendto; -@@ -224,6 +233,7 @@ files_read_etc_files(sulogin_t) +@@ -225,6 +233,7 @@ files_read_etc_files(sulogin_t) files_dontaudit_search_isid_type_dirs(sulogin_t) auth_read_shadow(sulogin_t) @@ -60820,7 +55921,7 @@ index 2b7e5f3..76b4ce1 100644 init_getpgid_script(sulogin_t) -@@ -237,14 +247,23 @@ userdom_use_unpriv_users_fds(sulogin_t) +@@ -238,14 +247,23 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -60846,7 +55947,7 @@ index 2b7e5f3..76b4ce1 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -255,11 +274,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +274,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -60859,7 +55960,7 @@ index 2b7e5f3..76b4ce1 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 571599b..ddaf246 100644 +index 02f4c97..cd16709 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,6 +17,13 @@ 
@@ -60876,64 +55977,26 @@ index 571599b..ddaf246 100644 /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -@@ -25,6 +32,7 @@ - /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - - /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -+/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) - /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) - - ifdef(`distro_suse', ` -@@ -37,13 +45,14 @@ ifdef(`distro_suse', ` +@@ -38,7 +45,7 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) +-/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) +/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) --/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) -+/var/log/syslog-ng(/.*)? 
gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) - - ifndef(`distro_gentoo',` - /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -@@ -54,18 +63,25 @@ ifdef(`distro_redhat',` - /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) - ') - --/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) --/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) --/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) --/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) -+/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -+/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) -+/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -+/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) - /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) - /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) - /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) --/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) -+/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) -+/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) -+/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) - - /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) - /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) --/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) -+/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) +@@ -73,4 +80,8 @@ ifdef(`distro_redhat',` + /var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? 
gen_context(system_u:object_r:var_log_t,s0) -+/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) -+ -+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index c7cfb62..ee89659 100644 +index 831b909..57064ad 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',` @@ -60981,7 +56044,7 @@ index c7cfb62..ee89659 100644 ## Read the auditd configuration files. ## ## -@@ -715,7 +753,44 @@ interface(`logging_append_all_logs',` +@@ -734,7 +772,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -61005,29 +56068,10 @@ index c7cfb62..ee89659 100644 + ') + + allow $1 logfile:file { getattr append ioctl lock }; -+') -+ -+######################################## -+## -+## Set attributes on all log dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`logging_setattr_all_log_dirs',` -+ gen_require(` -+ attribute logfile; -+ ') -+ -+ allow $1 logfile:dir setattr; ') ######################################## -@@ -798,7 +873,7 @@ interface(`logging_manage_all_logs',` +@@ -817,7 +873,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -61036,7 +56080,7 @@ index c7cfb62..ee89659 100644 ') ######################################## -@@ -824,6 +899,44 @@ interface(`logging_read_generic_logs',` +@@ -843,6 +899,44 @@ interface(`logging_read_generic_logs',` ######################################## ## 
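Review bot: `/var/webmin(/.*)?` and `/var/stockmaniac/templates_cache(/.*)?` are labelled `var_log_t`, which reaches wider than a log label should: everything under those trees becomes accessible to every domain holding generic-log or `logfile` access (`syslogd_t` via `manage_files_pattern(syslogd_t, var_log_t, var_log_t)` in the logging.te hunks below, any caller of `logging_manage_all_logs`). If these directories hold application state as well as logs, a dedicated type or a glob narrowed to the log subtree keeps the log attribute off that state; the directory layout cannot be told from the patch, so please confirm before keeping the whole-tree match.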
@@ -61081,7 +56125,7 @@ index c7cfb62..ee89659 100644 ## Write generic log files. ## ## -@@ -971,6 +1084,7 @@ interface(`logging_admin_syslog',` +@@ -990,6 +1084,7 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -61089,7 +56133,7 @@ index c7cfb62..ee89659 100644 allow $1 syslogd_t:process { ptrace signal_perms }; allow $1 klogd_t:process { ptrace signal_perms }; ps_process_pattern($1, syslogd_t) -@@ -996,6 +1110,8 @@ interface(`logging_admin_syslog',` +@@ -1015,6 +1110,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -61099,28 +56143,18 @@ index c7cfb62..ee89659 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..41ee997 100644 +index b6ec597..7354066 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -19,6 +19,11 @@ type auditd_log_t; - files_security_file(auditd_log_t) +@@ -20,6 +20,7 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) -+type audit_spool_t; + type audit_spool_t; +files_type(audit_spool_t) -+files_security_file(audit_spool_t) -+files_security_mountpoint(audit_spool_t) -+ - type auditd_t; - type auditd_exec_t; - init_daemon_domain(auditd_t, auditd_exec_t) -@@ -55,11 +60,12 @@ type klogd_var_run_t; - files_pid_file(klogd_var_run_t) - - type syslog_conf_t; --files_type(syslog_conf_t) -+files_config_file(syslog_conf_t) + files_security_file(audit_spool_t) + files_security_mountpoint(audit_spool_t) +@@ -64,6 +65,7 @@ files_config_file(syslog_conf_t) type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) 
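Review bot: The rebased declaration hunk `@@ -20,6 +20,7 @@` now adds only `files_type(audit_spool_t)` directly above upstream's `files_security_file(audit_spool_t)`; in refpolicy's files.if `files_security_file` itself applies `files_type` to its argument, so the added line looks redundant and the inner hunk could be dropped entirely (verify against this tree's kernel/files.if first). The remaining lines of the outer hunk are context realignment only.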
@@ -61128,7 +56162,7 @@ index 9b5a9ed..41ee997 100644 type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -107,7 +113,7 @@ domain_use_interactive_fds(auditctl_t) +@@ -111,7 +113,7 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) @@ -61137,7 +56171,7 @@ index 9b5a9ed..41ee997 100644 init_dontaudit_use_fds(auditctl_t) -@@ -179,16 +185,19 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +185,19 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -61158,14 +56192,7 @@ index 9b5a9ed..41ee997 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -226,15 +235,24 @@ allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; - manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) - files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) - -+kernel_read_system_state(audisp_t) -+ - corecmd_exec_bin(audisp_t) - corecmd_exec_shell(audisp_t) +@@ -237,10 +242,17 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) @@ -61183,7 +56210,7 @@ index 9b5a9ed..41ee997 100644 logging_send_syslog_msg(audisp_t) -@@ -244,14 +262,26 @@ sysnet_dns_name_resolve(audisp_t) +@@ -250,6 +262,10 @@ sysnet_dns_name_resolve(audisp_t) optional_policy(` dbus_system_bus_client(audisp_t) 
@@ -61194,35 +56221,18 @@ index 9b5a9ed..41ee997 100644 ') ######################################## - # - # Audit remote logger local policy - # -- -+allow audisp_remote_t self:capability { setuid setpcap }; -+allow audisp_remote_t self:process { getcap setcap }; - allow audisp_remote_t self:tcp_socket create_socket_perms; -+allow audisp_remote_t var_log_t:dir search_dir_perms; -+ -+manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) -+manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) -+files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) -+ -+corecmd_exec_bin(audisp_remote_t) - - corenet_all_recvfrom_unlabeled(audisp_remote_t) - corenet_all_recvfrom_netlabel(audisp_remote_t) -@@ -265,10 +295,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,11 +296,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) +mls_socket_write_all_levels(audisp_remote_t) + logging_send_syslog_msg(audisp_remote_t) -+logging_send_audit_msgs(audisp_remote_t) -+ + logging_send_audit_msgs(audisp_remote_t) + +auth_use_nsswitch(audisp_remote_t) +auth_append_login_records(audisp_remote_t) - ++ miscfiles_read_localization(audisp_remote_t) +init_telinit(audisp_remote_t) @@ -61232,7 +56242,7 @@ index 9b5a9ed..41ee997 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -338,11 +378,12 @@ optional_policy(` +@@ -354,11 +379,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! 
@@ -61243,11 +56253,11 @@ index 9b5a9ed..41ee997 100644 # setpgid for metalog # setrlimit for syslog-ng -allow syslogd_t self:process { signal_perms setpgid setrlimit }; -+allow syslogd_t self:process { signal_perms setpgid setsched setrlimit setcap getcap }; ++allow syslogd_t self:process { signal_perms getcap setcap setpgid setsched setrlimit }; # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -360,6 +401,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -376,6 +402,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -61255,7 +56265,7 @@ index 9b5a9ed..41ee997 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -369,9 +411,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -385,9 +412,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -61271,7 +56281,7 @@ index 9b5a9ed..41ee997 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,8 +460,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) +@@ -428,8 +461,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -61285,7 +56295,7 @@ index 9b5a9ed..41ee997 100644 files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -432,6 +485,7 @@ term_write_console(syslogd_t) +@@ -448,6 +486,7 @@ term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) 
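Review bot: The comment block above `allow syslogd_t self:process { ... }` explains each permission by the daemon that needs it (`# setpgid for metalog`, `# setrlimit for syslog-ng`), but the `getcap setcap setsched` the patch adds carry no such line, so the next reviewer cannot tell which daemon they serve. Add e.g. `# getcap/setcap and setsched for <daemon, per the triggering AVC>` above the rule. The same omission applies to the new `allow ifconfig_t self:appletalk_socket create_socket_perms;` in the sysnetwork.te hunk further down, whose neighbours each carry a why-comment (`# for /sbin/ip`).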
@@ -61293,7 +56303,7 @@ index 9b5a9ed..41ee997 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -480,6 +534,10 @@ optional_policy(` +@@ -496,6 +535,10 @@ optional_policy(` ') optional_policy(` @@ -61304,7 +56314,7 @@ index 9b5a9ed..41ee997 100644 postgresql_stream_connect(syslogd_t) ') -@@ -488,6 +546,10 @@ optional_policy(` +@@ -504,6 +547,10 @@ optional_policy(` ') optional_policy(` @@ -62627,10 +57637,10 @@ index ed9c70d..b961d53 100644 /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if -index c817fda..8bcb1fd 100644 +index b1a85b5..db0d815 100644 --- a/policy/modules/system/raid.if +++ b/policy/modules/system/raid.if -@@ -21,6 +21,24 @@ interface(`raid_domtrans_mdadm',` +@@ -47,6 +47,24 @@ interface(`raid_run_mdadm',` ######################################## ## @@ -62656,7 +57666,7 @@ index c817fda..8bcb1fd 100644 ## ## diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te -index 73cc8cf..020e663 100644 +index a19ecea..4e2ef36 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -10,11 +10,9 @@ type mdadm_exec_t; @@ -63984,10 +58994,10 @@ index ff80d0a..95e705c 100644 + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index df32316..7307991 100644 +index 34d0ec5..0cdb0be 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te -@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1) +@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) # Declarations # 
@@ -64148,7 +59158,15 @@ index df32316..7307991 100644 ') optional_policy(` -@@ -276,8 +320,11 @@ dev_read_urand(ifconfig_t) +@@ -255,6 +299,7 @@ allow ifconfig_t self:msgq create_msgq_perms; + allow ifconfig_t self:msg { send receive }; + # Create UDP sockets, necessary when called from dhcpc + allow ifconfig_t self:udp_socket create_socket_perms; ++allow ifconfig_t self:appletalk_socket create_socket_perms; + # for /sbin/ip + allow ifconfig_t self:packet_socket create_socket_perms; + allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; +@@ -276,8 +321,11 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -64160,7 +59178,7 @@ index df32316..7307991 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -301,11 +348,12 @@ logging_send_syslog_msg(ifconfig_t) +@@ -301,11 +349,12 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -64175,7 +59193,7 @@ index df32316..7307991 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +362,14 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +363,14 @@ ifdef(`distro_ubuntu',` ') ') @@ -64190,7 +59208,7 @@ index df32316..7307991 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,12 +380,31 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +381,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -64205,11 +59223,10 @@ index df32316..7307991 100644 ') optional_policy(` - ipsec_write_pid(ifconfig_t) -+ ipsec_setcontext_default_spd(ifconfig_t) -+') -+ -+optional_policy(` +@@ -335,6 +397,18 @@ optional_policy(` + ') + + optional_policy(` + kdump_dontaudit_read_config(ifconfig_t) +') + 
@@ -64219,10 +59236,13 @@ index df32316..7307991 100644 + +optional_policy(` + netutils_domtrans(dhcpc_t) ++') ++ ++optional_policy(` + nis_use_ypbind(ifconfig_t) ') - optional_policy(` -@@ -355,3 +429,9 @@ optional_policy(` +@@ -356,3 +430,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -64508,7 +59528,7 @@ index 0000000..c59c37c +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..747aa58 +index 0000000..9e2eaf0 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,191 @@ @@ -64627,7 +59647,7 @@ index 0000000..747aa58 +files_relabelfrom_tmp_files(systemd_tmpfiles_t) +files_relabel_all_tmp_dirs(systemd_tmpfiles_t) +files_relabel_all_tmp_files(systemd_tmpfiles_t) -+files_list_lost_found_dirs(systemd_tmpfiles_t) ++files_list_lost_found(systemd_tmpfiles_t) + +init_dgram_send(systemd_tmpfiles_t) + @@ -65894,7 +60914,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..240fa6c 100644 +index 4b2878a..b0955cf 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -66039,15 +61059,15 @@ index 28b88de..240fa6c 100644 + storage_rw_fuse($1_usertype) + + auth_use_nsswitch($1_usertype) -+ + +- libs_exec_ld_so($1_t) + init_stream_connect($1_usertype) + # The library functions always try to open read-write first, + # then fall back to read-only if it fails. + init_dontaudit_rw_utmp($1_usertype) + + libs_exec_ld_so($1_usertype) - -- libs_exec_ld_so($1_t) ++ + logging_send_audit_msgs($1_t) miscfiles_read_localization($1_t) 
@@ -66373,6 +61393,17 @@ index 28b88de..240fa6c 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) +@@ -462,8 +548,8 @@ template(`userdom_change_password_template',` + ') + + optional_policy(` +- usermanage_run_chfn($1_t, $1_r) +- usermanage_run_passwd($1_t, $1_r) ++ usermanage_run_chfn($1_t,$1_r) ++ usermanage_run_passwd($1_t,$1_r) + ') + ') + @@ -490,7 +576,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -66404,27 +61435,27 @@ index 28b88de..240fa6c 100644 + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) +- +- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corecmd_exec_bin($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -66448,10 +61479,10 @@ index 28b88de..240fa6c 100644 + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) -+ -+ application_getattr_socket($1_usertype) - fs_rw_cgroup_files($1_t) ++ application_getattr_socket($1_usertype) ++ + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) 
@@ -66477,18 +61508,21 @@ index 28b88de..240fa6c 100644 - auth_use_nsswitch($1_t) - auth_read_login_records($1_t) - auth_search_pam_console_data($1_t) +- auth_run_pam($1_t, $1_r) +- auth_run_utempter($1_t, $1_r) + auth_read_login_records($1_usertype) - auth_run_pam($1_t,$1_r) - auth_run_utempter($1_t,$1_r) ++ auth_run_pam($1_t,$1_r) ++ auth_run_utempter($1_t,$1_r) - init_read_utmp($1_t) + init_read_utmp($1_usertype) - seutil_read_file_contexts($1_t) - seutil_read_default_contexts($1_t) +- seutil_run_newrole($1_t, $1_r) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) - seutil_run_newrole($1_t,$1_r) ++ seutil_run_newrole($1_t,$1_r) seutil_exec_checkpolicy($1_t) - seutil_exec_setfiles($1_t) + seutil_exec_setfiles($1_usertype) 
@@ -66545,85 +61579,85 @@ index 28b88de..240fa6c 100644 + optional_policy(` + policykit_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ bluetooth_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ ') -+ -+ optional_policy(` -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ gnome_dbus_chat_gconfdefault($1_usertype) -+ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) ++ bluetooth_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ kde_dbus_chat_backlighthelper($1_usertype) ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ vpn_dbus_chat($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') ++ ++ optional_policy(` ++ hal_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ kde_dbus_chat_backlighthelper($1_usertype) ++ ') ++ ++ optional_policy(` ++ modemmanager_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_lib_files($1_usertype) ++ ') ++ ++ optional_policy(` ++ vpn_dbus_chat($1_usertype) ++ ') ++ ') ++ ++ optional_policy(` ++ git_session_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` ++ inetd_use_fds($1_usertype) ++ 
inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) -+ git_session_role($1_r, $1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ lircd_stream_connect($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) -+ ') -+ -+ optional_policy(` -+ lircd_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` + locate_read_lib_files($1_usertype) ') @@ -66672,35 +61706,35 @@ index 28b88de..240fa6c 100644 optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpc_dontaudit_getattr_exports($1_usertype) -+ rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ rpcbind_stream_connect($1_usertype) ++ rpc_dontaudit_getattr_exports($1_usertype) ++ rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` -- usernetctl_run($1_t,$1_r) -+ seunshare_role_template($1, $1_r, $1_t) +- usernetctl_run($1_t, $1_r) ++ sandbox_transition($1_usertype, $1_r) ') + + optional_policy(` ++ seunshare_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` + slrnpull_search_spool($1_usertype) + ') + 
@@ -66713,17 +61747,17 @@ index 28b88de..240fa6c 100644 - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) ++ ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable(allow_$1_exec_content, true) - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable(allow_$1_exec_content, true) -+ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -66739,7 +61773,7 @@ index 28b88de..240fa6c 100644 userdom_change_password_template($1) -@@ -736,72 +908,71 @@ template(`userdom_login_user_template', ` +@@ -736,72 +908,76 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -66783,11 +61817,12 @@ index 28b88de..240fa6c 100644 auth_dontaudit_write_login_records($1_t) + auth_rw_cache($1_t) -- application_exec_all($1_t) + application_exec_all($1_t) - -- # The library functions always try to open read-write first, -- # then fall back to read-only if it fails. -- init_dontaudit_rw_utmp($1_t) + # The library functions always try to open read-write first, + # then fall back to read-only if it fails. + init_dontaudit_rw_utmp($1_t) ++ # Stop warnings about access to /dev/console - init_dontaudit_use_fds($1_t) - init_dontaudit_use_script_fds($1_t) 
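Review bot: In the userdom_login_user_template hunk this revision keeps `application_exec_all($1_t)` and `init_dontaudit_rw_utmp($1_t)` as untouched upstream lines where the previous revision of the patch deleted both, and nothing in the hunk explains the reversal. `application_exec_all` lets every login user domain execute every application_exec_type, so bringing it back is a real widening; if deliberate, a comment such as `# login shells may execute any labelled application` would keep the next rebase from dropping it again, and if it is a merge artifact the deletion should be restored. `init_dontaudit_rw_utmp` is also added on `$1_usertype` in the base-template hunk earlier in this patch, so the `$1_t` copy is presumably redundant if `$1_t` carries that attribute. The new `# Stop warnings about access to /dev/console` comment sits directly above two lines the patch removes, so whatever it describes is outside this view; the template body continues past the hunk.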
@@ -66809,46 +61844,46 @@ index 28b88de..240fa6c 100644 - seutil_read_config($1_t) + seutil_read_config($1_usertype) -+ -+ optional_policy(` -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) -+ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ kerberos_use($1_usertype) -+ kerberos_filetrans_home_content($1_usertype) ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ kerberos_use($1_usertype) ++ kerberos_filetrans_home_content($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ quota_dontaudit_getattr_db($1_usertype) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ++ ') ++ ++ optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) ') ') -@@ -833,6 +1004,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1009,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -66858,7 +61893,7 @@ index 28b88de..240fa6c 100644 ############################## # # Local policy -@@ -874,45 +1048,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1053,118 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) 
@@ -66918,7 +61953,7 @@ index 28b88de..240fa6c 100644 + gnome_read_usr_config($1_usertype) + gnome_role_gkeyringd($1, $1_r, $1_t) + # cjp: telepathy F15 bugs -+ telepathy_dbus_session_role($1_r, $1_t, $1) ++ telepathy_role($1_r, $1_t, $1) ') optional_policy(` @@ -66988,7 +62023,7 @@ index 28b88de..240fa6c 100644 ') ') -@@ -947,7 +1194,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1199,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -66997,7 +62032,7 @@ index 28b88de..240fa6c 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1203,83 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1208,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -67006,25 +62041,18 @@ index 28b88de..240fa6c 100644 # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) + corenet_tcp_bind_generic_node($1_usertype) ++ ++ storage_rw_fuse($1_t) -- files_exec_usr_files($1_t) + files_exec_usr_files($1_t) - # cjp: why? -- files_read_kernel_symbol_table($1_t) -- -- ifndef(`enable_mls',` -- fs_exec_noxattr($1_t) -- -- tunable_policy(`user_rw_noexattrfile',` -- fs_manage_noxattr_fs_files($1_t) -- fs_manage_noxattr_fs_dirs($1_t) -- # Write floppies -- storage_raw_read_removable_device($1_t) -- storage_raw_write_removable_device($1_t) -- ',` -- storage_raw_read_removable_device($1_t) -- ') -- ') -+ storage_rw_fuse($1_t) ++ # cjp: why? + files_read_kernel_symbol_table($1_t) + + ifndef(`enable_mls',` +@@ -978,32 +1233,76 @@ template(`userdom_unpriv_user_template', ` + ') + ') - tunable_policy(`user_dmesg',` - kernel_read_ring_buffer($1_t) 
@@ -67052,12 +62080,14 @@ index 28b88de..240fa6c 100644 ') optional_policy(` -- netutils_run_ping_cond($1_t,$1_r) -- netutils_run_traceroute_cond($1_t,$1_r) +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + cdrecord_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + +- # Run pppd in pppd_t by default for user + optional_policy(` +- ppp_run_cond($1_t, $1_r) + cron_role($1_r, $1_t) + ') + @@ -67083,21 +62113,19 @@ index 28b88de..240fa6c 100644 + + optional_policy(` + java_role_template($1, $1_r, $1_t) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t,$1_r) ++ ') ++ ++ optional_policy(` + mono_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ mount_run_fusermount($1_t, $1_r) ++ mount_read_pid_files($1_t) ') optional_policy(` - setroubleshoot_stream_connect($1_t) -+ mount_run_fusermount($1_t, $1_r) -+ mount_read_pid_files($1_t) -+ ') -+ -+ optional_policy(` + wine_role_template($1, $1_r, $1_t) + ') + @@ -67111,7 +62139,7 @@ index 28b88de..240fa6c 100644 ') ') -@@ -1039,7 +1315,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1338,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -67120,7 +62148,7 @@ index 28b88de..240fa6c 100644 ') ############################## -@@ -1066,6 +1342,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1365,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -67128,7 +62156,7 @@ index 28b88de..240fa6c 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1351,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1374,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -67138,7 +62166,7 @@ index 28b88de..240fa6c 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1368,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1391,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -67146,7 +62174,7 @@ index 28b88de..240fa6c 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1386,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1409,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -67160,7 +62188,7 @@ index 28b88de..240fa6c 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,17 +1403,22 @@ template(`userdom_admin_user_template',` +@@ -1119,17 +1426,22 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -67184,7 +62212,7 @@ index 28b88de..240fa6c 100644 auth_getattr_shadow($1_t) # Manage almost all files -@@ -1141,7 +1430,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1453,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -67196,7 +62224,7 @@ index 28b88de..240fa6c 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1502,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1525,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -67205,7 +62233,7 @@ index 28b88de..240fa6c 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1516,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1539,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -67213,17 +62241,20 @@ index 28b88de..240fa6c 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1234,11 +1529,22 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1552,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) +- seutil_run_checkpolicy($1, $2) +- seutil_run_loadpolicy($1, $2) +- seutil_run_semanage($1, $2) + seutil_manage_default_contexts($1) + seutil_manage_file_contexts($1) + seutil_manage_module_store($1) + seutil_manage_config($1) - seutil_run_checkpolicy($1,$2) - seutil_run_loadpolicy($1,$2) - seutil_run_semanage($1,$2) ++ seutil_run_checkpolicy($1,$2) ++ seutil_run_loadpolicy($1,$2) ++ seutil_run_semanage($1,$2) + seutil_run_setsebool($1,$2) seutil_run_setfiles($1, $2) @@ -67234,9 +62265,28 @@ index 28b88de..240fa6c 100644 + seutil_manage_config($1) + optional_policy(` - aide_run($1,$2) +- aide_run($1, $2) ++ aide_run($1,$2) ') -@@ -1279,54 +1585,66 @@ template(`userdom_security_admin_template',` + + optional_policy(` +@@ -1251,12 +1580,12 @@ template(`userdom_security_admin_template',` + dmesg_exec($1) + ') + +- optional_policy(` +- ipsec_run_setkey($1, $2) ++ optional_policy(` ++ ipsec_run_setkey($1,$2) + ') + + optional_policy(` +- netlabel_run_mgmt($1, $2) ++ netlabel_run_mgmt($1,$2) + ') + + optional_policy(` +@@ -1279,54 +1608,66 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
@@ -67318,7 +62368,7 @@ index 28b88de..240fa6c 100644 ## ## ## -@@ -1334,9 +1652,46 @@ interface(`userdom_setattr_user_ptys',` +@@ -1334,12 +1675,49 @@ interface(`userdom_setattr_user_ptys',` ## ## # @@ -67327,8 +62377,9 @@ index 28b88de..240fa6c 100644 gen_require(` - type user_devpts_t; + attribute admindomain; -+ ') -+ + ') + +- term_create_pty($1, user_devpts_t) + allow $1 admindomain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') @@ -67364,10 +62415,13 @@ index 28b88de..240fa6c 100644 +interface(`userdom_create_user_pty',` + gen_require(` + type user_devpts_t; - ') ++ ') ++ ++ term_create_pty($1, user_devpts_t) + ') - term_create_pty($1, user_devpts_t) -@@ -1395,6 +1750,7 @@ interface(`userdom_search_user_home_dirs',` + ######################################## +@@ -1395,6 +1773,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -67375,7 +62429,7 @@ index 28b88de..240fa6c 100644 files_search_home($1) ') -@@ -1441,6 +1797,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1820,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -67390,7 +62444,7 @@ index 28b88de..240fa6c 100644 ') ######################################## -@@ -1456,9 +1820,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1843,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -67402,7 +62456,7 @@ index 28b88de..240fa6c 100644 ') ######################################## -@@ -1515,6 +1881,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1904,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') 
@@ -67445,7 +62499,7 @@ index 28b88de..240fa6c 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +1991,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2014,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -67454,7 +62508,7 @@ index 28b88de..240fa6c 100644 ') ######################################## -@@ -1603,10 +2007,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2030,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -67469,7 +62523,7 @@ index 28b88de..240fa6c 100644 ') ######################################## -@@ -1649,6 +2055,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2078,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -67513,7 +62567,7 @@ index 28b88de..240fa6c 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2111,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2134,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -67539,7 +62593,7 @@ index 28b88de..240fa6c 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2162,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2185,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -67572,7 +62626,7 @@ index 28b88de..240fa6c 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2198,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2221,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -67590,7 +62644,7 @@ index 28b88de..240fa6c 100644 ') ######################################## -@@ -1779,6 +2264,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2287,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -67651,7 +62705,7 @@ index 28b88de..240fa6c 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2349,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2372,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -67661,7 +62715,7 @@ index 28b88de..240fa6c 100644 ') ######################################## -@@ -1827,20 +2365,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2388,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -67686,7 +62740,7 @@ index 28b88de..240fa6c 100644 ######################################## ## -@@ -1941,6 +2473,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2496,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -67711,7 +62765,7 @@ index 28b88de..240fa6c 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2558,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2581,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -67720,7 +62774,7 @@ index 28b88de..240fa6c 100644 files_search_home($1) ') -@@ -2182,7 +2732,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2755,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -67729,7 +62783,7 @@ index 28b88de..240fa6c 100644 ') ######################################## -@@ -2435,13 +2985,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3008,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -67745,7 +62799,7 @@ index 28b88de..240fa6c 100644 ## ## ## -@@ -2462,26 +3013,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +3036,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -67772,7 +62826,7 @@ index 28b88de..240fa6c 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,7 +3103,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3126,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -67781,7 +62835,7 @@ index 28b88de..240fa6c 100644 ## ## ## -@@ -2580,70 +3111,138 @@ interface(`userdom_use_user_ttys',` +@@ -2580,70 +3134,138 @@ interface(`userdom_use_user_ttys',` ## ## # @@ -67853,9 +62907,8 @@ index 28b88de..240fa6c 100644 gen_require(` - type user_tty_device_t, user_devpts_t; + type user_devpts_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file rw_term_perms; ++ ') ++ + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') + @@ -67922,9 +62975,9 @@ index 28b88de..240fa6c 100644 +interface(`userdom_dontaudit_use_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; -+ ') -+ -+ dontaudit $1 user_tty_device_t:chr_file rw_term_perms; + ') + + dontaudit $1 user_tty_device_t:chr_file rw_term_perms; dontaudit $1 user_devpts_t:chr_file rw_term_perms; ') 
@@ -67950,7 +63003,58 @@ index 28b88de..240fa6c 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2815,7 +3414,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2736,24 +3358,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` + allow unpriv_userdomain $1:process sigchld; + ') + +-####################################### +-## +-## Read and write unpriviledged user SysV sempaphores. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`userdom_rw_unpriv_user_semaphores',` +- gen_require(` +- attribute unpriv_userdomain; +- ') +- +- allow $1 unpriv_userdomain:sem rw_sem_perms; +-') +- + ######################################## + ## + ## Manage unpriviledged user SysV sempaphores. +@@ -2772,25 +3376,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` + allow $1 unpriv_userdomain:sem create_sem_perms; + ') + +-####################################### +-## +-## Read and write unpriviledged user SysV shared +-## memory segments. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`userdom_rw_unpriv_user_shared_mem',` +- gen_require(` +- attribute unpriv_userdomain; +- ') +- +- allow $1 unpriv_userdomain:shm rw_shm_perms; +-') +- + ######################################## + ## + ## Manage unpriviledged user SysV shared +@@ -2852,7 +3437,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -67959,7 +63063,7 @@ index 28b88de..240fa6c 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3430,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3453,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
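Review bot: This revision now removes upstream's `userdom_rw_unpriv_user_semaphores` and `userdom_rw_unpriv_user_shared_mem` interfaces (the `+-interface(...)` runs under the new `@@ -2736` and `@@ -2772` inner hunks), but only the semaphores one is visibly re-added at the end of the file, and the appended interface block grows from 1058 to 1075 lines, i.e. exactly one interface. Unless the Fedora-added block already defines `userdom_rw_unpriv_user_shared_mem` (presumably the reason upstream's copy is being dropped as a duplicate after the 4.5.0 to 4.5.2 bump), every caller of it will fail at policy build time. Please confirm the duplicate exists and say so in the commit message, because a reader of this hunk alone sees an interface disappear. The userdomain.if section continues past this hunk.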
@@ -67970,12 +63074,30 @@ index 28b88de..240fa6c 100644 files_list_home($1) - allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; +-') +- +-######################################## +-## +-## Send signull to unprivileged user domains. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`userdom_signull_unpriv_users',` +- gen_require(` +- attribute unpriv_userdomain; +- ') +- +- allow $1 unpriv_userdomain:process signull; + allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; + allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; ') ######################################## -@@ -2917,7 +3518,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3541,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -67984,7 +63106,7 @@ index 28b88de..240fa6c 100644 ') ######################################## -@@ -2972,7 +3573,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3596,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -68031,7 +63153,7 @@ index 28b88de..240fa6c 100644 ') ######################################## -@@ -3009,6 +3648,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3671,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -68039,7 +63161,7 @@ index 28b88de..240fa6c 100644 kernel_search_proc($1) ') -@@ -3087,6 +3727,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3750,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -68064,7 +63186,7 @@ index 28b88de..240fa6c 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3797,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3820,1075 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') 
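Review bot: `userdom_signull_unpriv_users` is deleted from upstream's userdomain.if in this hunk (`+-interface(`userdom_signull_unpriv_users',`` through `+- allow $1 unpriv_userdomain:process signull;`) and no replacement definition is visible anywhere in this patch. If the Fedora-appended interface block already defines the same name, this is just de-duplication after the 4.5.2 rebase and should be stated as such; if not, callers lose `signull` on unpriv_userdomain and the module build breaks. A grep for the name in the appended block before merging, and a line in the commit message either way, would settle it.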
@@ -69123,11 +64245,28 @@ index 28b88de..240fa6c 100644 + dontaudit $1 user_tmp_type:file read_file_perms; +') + ++####################################### ++## ++## Read and write unpriviledged user SysV sempaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_unpriv_user_semaphores',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') ++ ++ allow $1 unpriv_userdomain:sem rw_sem_perms; ++') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index df29ca1..54e3feb 100644 +index 9b4a930..6bdf7f7 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te -@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.0) +@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2) ## ##