diff --git a/.gitignore b/.gitignore
index 12a6b95..19585e1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -233,3 +233,4 @@ serefpolicy*
/serefpolicy-3.9.10.tgz
/serefpolicy-3.9.11.tgz
/serefpolicy-3.9.12.tgz
+/serefpolicy-3.9.13.tgz
diff --git a/policy-F15.patch b/policy-F15.patch
index b9debd1..83ac274 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1,18 +1,18 @@
diff --git a/Makefile b/Makefile
-index 376acee..c5bb5f8 100644
+index b8486a0..bec48d7 100644
--- a/Makefile
+++ b/Makefile
@@ -248,7 +248,7 @@ seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
--appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
+-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 6760c95..1a4fe06 100644
+index ae29de3..d09e734 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -153,6 +153,8 @@ inherits file
@@ -104,7 +104,7 @@ index 111d004..9df7b5e 100644
## have to reboot to set it back
##
diff --git a/policy/global_tunables b/policy/global_tunables
-index 3316f6e..6e82b1e 100644
+index 4705ab6..262b5ba 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)
@@ -132,7 +132,7 @@ index 3316f6e..6e82b1e 100644
##
##
gen_tunable(allow_execstack,false)
-@@ -61,15 +61,6 @@ gen_tunable(global_ssp,false)
+@@ -68,15 +68,6 @@ gen_tunable(global_ssp,false)
##
##
@@ -174,7 +174,7 @@ index 3316f6e..6e82b1e 100644
+gen_tunable(allow_console_login,false)
+
diff --git a/policy/mcs b/policy/mcs
-index af90ef2..7534872 100644
+index 358ce7c..60afbfe 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto }
@@ -200,7 +200,7 @@ index af90ef2..7534872 100644
#
# MCS policy for SELinux-enabled databases
#
-@@ -132,4 +135,7 @@ mlsconstrain db_procedure { drop getattr setattr execute install }
+@@ -144,4 +147,7 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
@@ -8214,7 +8214,7 @@ index 9e5c83e..953e0e8 100644
+/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index b06df19..c0763c2 100644
+index 5a07a43..e97e47f 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -86,6 +86,33 @@ interface(`corenet_rpc_port',`
@@ -8251,7 +8251,7 @@ index b06df19..c0763c2 100644
## Define type to be a network client packet type
##
##
-@@ -2149,9 +2176,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2168,9 +2195,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
##
#
interface(`corenet_tcp_recvfrom_unlabeled',`
@@ -8266,7 +8266,7 @@ index b06df19..c0763c2 100644
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
-@@ -2503,6 +2535,30 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2522,6 +2554,30 @@ interface(`corenet_all_recvfrom_netlabel',`
########################################
##
@@ -8298,10 +8298,10 @@ index b06df19..c0763c2 100644
##
##
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index edefaf3..900fc3d 100644
+index f12e087..bb37cd3 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -15,6 +15,7 @@ attribute rpc_port_type;
+@@ -16,6 +16,7 @@ attribute rpc_port_type;
attribute server_packet_type;
attribute corenet_unconfined_type;
@@ -8309,7 +8309,7 @@ index edefaf3..900fc3d 100644
type ppp_device_t;
dev_node(ppp_device_t)
-@@ -24,6 +25,7 @@ dev_node(ppp_device_t)
+@@ -25,6 +26,7 @@ dev_node(ppp_device_t)
#
type tun_tap_device_t;
dev_node(tun_tap_device_t)
@@ -8317,7 +8317,7 @@ index edefaf3..900fc3d 100644
########################################
#
-@@ -33,6 +35,18 @@ dev_node(tun_tap_device_t)
+@@ -34,6 +36,18 @@ dev_node(tun_tap_device_t)
#
# client_packet_t is the default type of IPv4 and IPv6 client packets.
#
@@ -8336,7 +8336,7 @@ index edefaf3..900fc3d 100644
type client_packet_t, packet_type, client_packet_type;
#
-@@ -64,20 +78,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -65,20 +79,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
@@ -8350,8 +8350,9 @@ index edefaf3..900fc3d 100644
network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
+-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
- network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
++network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
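Review bot: The refreshed hunk for policy/modules/kernel/corenetwork.te.in now deletes `network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)` and adds it back right after the new `amqp` line, with text that looks identical in this view. If the two lines differ only in whitespace, keep the `aol` line as context so the patch carries just the `amqp` addition. A needless remove/re-add makes the hunk fail to apply whenever upstream touches that line. If the difference is intentional, the commit message should say what changed, since this list of port declarations is what the port labelling is generated from.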
@@ -8362,7 +8363,7 @@ index edefaf3..900fc3d 100644
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(certmaster, tcp,51235,s0)
network_port(chronyd, udp,323,s0)
-@@ -85,6 +104,7 @@ network_port(clamd, tcp,3310,s0)
+@@ -86,6 +105,7 @@ network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
network_port(cobbler, tcp,25151,s0)
@@ -8370,7 +8371,7 @@ index edefaf3..900fc3d 100644
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -97,7 +117,9 @@ network_port(dict, tcp,2628,s0)
+@@ -98,7 +118,9 @@ network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(epmap, tcp,135,s0, udp,135,s0)
@@ -8380,7 +8381,7 @@ index edefaf3..900fc3d 100644
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -111,7 +133,7 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -112,7 +134,7 @@ network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -8389,7 +8390,7 @@ index edefaf3..900fc3d 100644
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -125,43 +147,57 @@ network_port(iscsi, tcp,3260,s0)
+@@ -126,43 +148,57 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -8451,7 +8452,7 @@ index edefaf3..900fc3d 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -176,43 +212,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -177,43 +213,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -8508,7 +8509,7 @@ index edefaf3..900fc3d 100644
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
-@@ -274,5 +316,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
+@@ -275,5 +317,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@@ -11128,7 +11129,7 @@ index e49c148..4d6bbf4 100644
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index b4ad6d7..67e89f0 100644
+index d7468b3..5d2f9a1 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -716,6 +716,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',`
@@ -11201,7 +11202,7 @@ index b4ad6d7..67e89f0 100644
')
########################################
-@@ -2882,6 +2920,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2890,6 +2928,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -11226,7 +11227,7 @@ index b4ad6d7..67e89f0 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2897,3 +2953,23 @@ interface(`kernel_unconfined',`
+@@ -2905,3 +2961,23 @@ interface(`kernel_unconfined',`
typeattribute $1 kern_unconfined;
')
@@ -11251,7 +11252,7 @@ index b4ad6d7..67e89f0 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 9e2e6d7..d5c4f76 100644
+index 5001b89..d513268 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -11502,10 +11503,10 @@ index 3994e57..43aa641 100644
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 492bf76..00b786e 100644
+index f3acfee..4cbc36c 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
-@@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',`
+@@ -274,7 +274,6 @@ interface(`term_dontaudit_read_console',`
## Domain allowed access.
##
##
@@ -11513,7 +11514,7 @@ index 492bf76..00b786e 100644
#
interface(`term_use_console',`
gen_require(`
-@@ -292,9 +291,11 @@ interface(`term_use_console',`
+@@ -299,9 +298,11 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
@@ -11526,7 +11527,7 @@ index 492bf76..00b786e 100644
')
########################################
-@@ -334,7 +335,7 @@ interface(`term_relabel_console',`
+@@ -341,7 +342,7 @@ interface(`term_relabel_console',`
')
dev_list_all_dev_nodes($1)
@@ -11535,7 +11536,7 @@ index 492bf76..00b786e 100644
')
########################################
-@@ -651,6 +652,25 @@ interface(`term_use_controlling_term',`
+@@ -658,6 +659,25 @@ interface(`term_use_controlling_term',`
allow $1 devtty_t:chr_file { rw_term_perms lock append };
')
@@ -11561,7 +11562,7 @@ index 492bf76..00b786e 100644
########################################
##
## Do not audit attempts to get attributes
-@@ -848,7 +868,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -855,7 +875,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@@ -11570,7 +11571,7 @@ index 492bf76..00b786e 100644
')
########################################
-@@ -1116,7 +1136,7 @@ interface(`term_relabel_unallocated_ttys',`
+@@ -1123,7 +1143,7 @@ interface(`term_relabel_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -11579,7 +11580,7 @@ index 492bf76..00b786e 100644
')
########################################
-@@ -1215,7 +1235,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1222,7 +1242,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -11588,7 +11589,7 @@ index 492bf76..00b786e 100644
')
########################################
-@@ -1231,11 +1251,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1238,11 +1258,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -11602,7 +11603,7 @@ index 492bf76..00b786e 100644
')
########################################
-@@ -1252,10 +1274,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1259,10 +1281,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -11615,7 +11616,7 @@ index 492bf76..00b786e 100644
')
########################################
-@@ -1294,7 +1318,7 @@ interface(`term_relabel_all_ttys',`
+@@ -1301,7 +1325,7 @@ interface(`term_relabel_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -11624,7 +11625,7 @@ index 492bf76..00b786e 100644
')
########################################
-@@ -1352,7 +1376,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1359,7 +1383,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -11633,7 +11634,7 @@ index 492bf76..00b786e 100644
')
########################################
-@@ -1468,3 +1492,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1475,3 +1499,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -11657,7 +11658,7 @@ index 492bf76..00b786e 100644
+ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
+')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
-index e004757..b5be387 100644
+index 361692e..0f09fb5 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
@@ -13478,7 +13479,7 @@ index 0000000..ec21f9a
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 1e0753e..4ae4116 100644
+index e5bfdd4..f8785a0 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,15 +12,51 @@ role user_r;
@@ -13533,7 +13534,7 @@ index 1e0753e..4ae4116 100644
vlock_run(user_t, user_r)
')
-@@ -114,7 +150,7 @@ ifndef(`distro_redhat',`
+@@ -118,7 +154,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -13542,7 +13543,7 @@ index 1e0753e..4ae4116 100644
')
optional_policy(`
-@@ -153,3 +189,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +193,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -31196,7 +31197,7 @@ index 7257526..7d73656 100644
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index 539a7c9..4782bdb 100644
+index 09aeffa..12d4432 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -10,7 +10,7 @@
@@ -31208,37 +31209,40 @@ index 539a7c9..4782bdb 100644
## The type of the user domain.
##
##
-@@ -45,14 +45,6 @@ interface(`postgresql_role',`
+@@ -51,15 +51,6 @@ interface(`postgresql_role',`
# Client local policy
#
- tunable_policy(`sepgsql_enable_users_ddl',`
+- allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
- allow $2 user_sepgsql_table_t:db_table { create drop setattr };
- allow $2 user_sepgsql_table_t:db_column { create drop setattr };
--
- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+- allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
+- allow $2 user_sepgsql_view_t:db_view { create drop setattr };
- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
- ')
--
- allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
- allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
- allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
-@@ -69,6 +61,14 @@ interface(`postgresql_role',`
+
+ allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
+ type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
+@@ -88,6 +79,16 @@ interface(`postgresql_role',`
allow $2 sepgsql_trusted_proc_t:process transition;
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+
+ tunable_policy(`sepgsql_enable_users_ddl',`
++ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_column { create drop setattr };
-+
+ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
++ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
++ allow $2 user_sepgsql_view_t:db_view { create drop setattr };
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+ ')
')
########################################
-@@ -195,7 +195,7 @@ interface(`postgresql_search_db',`
+@@ -286,7 +287,7 @@ interface(`postgresql_search_db',`
type postgresql_db_t;
')
@@ -31247,7 +31251,7 @@ index 539a7c9..4782bdb 100644
')
########################################
-@@ -207,6 +207,7 @@ interface(`postgresql_search_db',`
+@@ -298,6 +299,7 @@ interface(`postgresql_search_db',`
## Domain allowed access.
##
##
@@ -31255,7 +31259,7 @@ index 539a7c9..4782bdb 100644
interface(`postgresql_manage_db',`
gen_require(`
type postgresql_db_t;
-@@ -214,7 +215,7 @@ interface(`postgresql_manage_db',`
+@@ -305,7 +307,7 @@ interface(`postgresql_manage_db',`
allow $1 postgresql_db_t:dir rw_dir_perms;
allow $1 postgresql_db_t:file rw_file_perms;
@@ -31264,7 +31268,7 @@ index 539a7c9..4782bdb 100644
')
########################################
-@@ -304,7 +305,6 @@ interface(`postgresql_tcp_connect',`
+@@ -395,7 +397,6 @@ interface(`postgresql_tcp_connect',`
## Domain allowed access.
##
##
@@ -31272,7 +31276,7 @@ index 539a7c9..4782bdb 100644
#
interface(`postgresql_stream_connect',`
gen_require(`
-@@ -312,10 +312,8 @@ interface(`postgresql_stream_connect',`
+@@ -403,10 +404,8 @@ interface(`postgresql_stream_connect',`
')
files_search_pids($1)
@@ -31285,21 +31289,24 @@ index 539a7c9..4782bdb 100644
')
########################################
-@@ -361,13 +359,6 @@ interface(`postgresql_unpriv_client',`
+@@ -459,6 +458,8 @@ interface(`postgresql_unpriv_client',`
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
allow $1 sepgsql_trusted_proc_t:process transition;
-- tunable_policy(`sepgsql_enable_users_ddl',`
-- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
-- allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
-- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
-- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-- ')
--
++<<<<<<< .merge_file_hr5C3y
++=======
+ tunable_policy(`sepgsql_enable_users_ddl',`
+ allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
+ allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+@@ -471,6 +472,7 @@ interface(`postgresql_unpriv_client',`
+ allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
+ type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
+
++>>>>>>> .merge_file_bHSs2v
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
-@@ -381,6 +372,13 @@ interface(`postgresql_unpriv_client',`
+@@ -492,6 +494,13 @@ interface(`postgresql_unpriv_client',`
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
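Review bot: The regenerated hunks for `postgresql_unpriv_client` in policy/modules/services/postgresql.if add literal merge-conflict markers to the policy source: `+<<<<<<< .merge_file_hr5C3y` and `+=======` here, and `+>>>>>>> .merge_file_bHSs2v` in the following `@@ -471,6 +472,7 @@` hunk. These are leftovers of an unresolved merge and should be dropped so the `sepgsql_enable_users_ddl` block stays plain context. With them applied the interface body is no longer valid policy text, so the policy build would be expected to fail. The earlier revision removed this tunable block at this spot, and the later `@@ -492,6 +494,13 @@` hunk (body not visible here) still adds seven lines, so check that the DDL `allow` rules for unprivileged clients are not now declared twice. The interface starts and ends outside the hunk.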
@@ -31313,7 +31320,7 @@ index 539a7c9..4782bdb 100644
')
########################################
-@@ -420,13 +418,10 @@ interface(`postgresql_unconfined',`
+@@ -531,13 +540,10 @@ interface(`postgresql_unconfined',`
#
interface(`postgresql_admin',`
gen_require(`
@@ -31331,7 +31338,7 @@ index 539a7c9..4782bdb 100644
')
typeattribute $1 sepgsql_admin_type;
-@@ -439,14 +434,19 @@ interface(`postgresql_admin',`
+@@ -550,14 +556,19 @@ interface(`postgresql_admin',`
role_transition $2 postgresql_initrc_exec_t system_r;
allow $2 system_r;
@@ -31352,10 +31359,10 @@ index 539a7c9..4782bdb 100644
postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4b18978..1ab2e1d 100644
+index 8ed5067..f31634f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
-@@ -15,16 +15,16 @@ gen_require(`
+@@ -19,16 +19,16 @@ gen_require(`
#
##
@@ -31378,7 +31385,7 @@ index 4b18978..1ab2e1d 100644
##
gen_tunable(sepgsql_unconfined_dbadm, true)
-@@ -185,7 +185,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
+@@ -241,7 +241,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
@@ -31387,7 +31394,7 @@ index 4b18978..1ab2e1d 100644
can_exec(postgresql_t, postgresql_exec_t )
allow postgresql_t postgresql_lock_t:file manage_file_perms;
-@@ -251,8 +251,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+@@ -307,8 +307,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
files_dontaudit_search_home(postgresql_t)
@@ -43044,14 +43051,13 @@ index a442acc..133f7f8 100644
xen_rw_image_files(fsadm_t)
')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 408f4e6..55c2d03 100644
+index ede3231..6cdbda3 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
-@@ -83,7 +83,7 @@ term_use_unallocated_ttys(getty_t)
+@@ -83,6 +83,7 @@ term_use_unallocated_ttys(getty_t)
term_setattr_all_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
--term_dontaudit_use_console(getty_t)
+term_use_console(getty_t)
auth_rw_login_records(getty_t)
@@ -44494,10 +44500,10 @@ index 8232f91..cba1b30 100644
+ allow ipsec_mgmt_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index d82ff45..6de1ab4 100644
+index 98d6081..fbc8601 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
-@@ -72,7 +72,7 @@ role system_r types setkey_t;
+@@ -73,7 +73,7 @@ role system_r types setkey_t;
#
allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
@@ -44506,9 +44512,9 @@ index d82ff45..6de1ab4 100644
allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
-@@ -94,9 +94,10 @@ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+@@ -95,9 +95,10 @@ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
- files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
+ files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
+manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -44518,7 +44524,7 @@ index d82ff45..6de1ab4 100644
can_exec(ipsec_t, ipsec_mgmt_exec_t)
-@@ -107,7 +108,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
+@@ -108,7 +109,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
@@ -44527,7 +44533,7 @@ index d82ff45..6de1ab4 100644
allow ipsec_mgmt_t ipsec_t:process sigchld;
kernel_read_kernel_sysctls(ipsec_t)
-@@ -149,6 +150,7 @@ domain_use_interactive_fds(ipsec_t)
+@@ -150,6 +151,7 @@ domain_use_interactive_fds(ipsec_t)
files_list_tmp(ipsec_t)
files_read_etc_files(ipsec_t)
files_read_usr_files(ipsec_t)
@@ -44535,7 +44541,7 @@ index d82ff45..6de1ab4 100644
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
-@@ -166,6 +168,8 @@ logging_send_syslog_msg(ipsec_t)
+@@ -167,6 +169,8 @@ logging_send_syslog_msg(ipsec_t)
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
@@ -44544,7 +44550,7 @@ index d82ff45..6de1ab4 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -184,8 +188,8 @@ optional_policy(`
+@@ -185,8 +189,8 @@ optional_policy(`
#
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
@@ -44555,7 +44561,7 @@ index d82ff45..6de1ab4 100644
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -224,7 +228,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
+@@ -225,7 +229,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -44563,7 +44569,7 @@ index d82ff45..6de1ab4 100644
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -243,6 +246,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -244,6 +247,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -44581,7 +44587,7 @@ index d82ff45..6de1ab4 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -257,7 +271,7 @@ dev_read_urand(ipsec_mgmt_t)
+@@ -258,7 +272,7 @@ dev_read_urand(ipsec_mgmt_t)
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
@@ -44590,7 +44596,7 @@ index d82ff45..6de1ab4 100644
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -275,8 +289,11 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -276,8 +290,11 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -44603,7 +44609,7 @@ index d82ff45..6de1ab4 100644
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
-@@ -290,7 +307,9 @@ modutils_domtrans_insmod(ipsec_mgmt_t)
+@@ -291,7 +308,9 @@ modutils_domtrans_insmod(ipsec_mgmt_t)
seutil_dontaudit_search_config(ipsec_mgmt_t)
@@ -44613,7 +44619,7 @@ index d82ff45..6de1ab4 100644
userdom_use_user_terminals(ipsec_mgmt_t)
-@@ -299,6 +318,23 @@ optional_policy(`
+@@ -300,6 +319,23 @@ optional_policy(`
')
optional_policy(`
@@ -44637,7 +44643,7 @@ index d82ff45..6de1ab4 100644
nscd_socket_use(ipsec_mgmt_t)
')
-@@ -385,6 +421,8 @@ miscfiles_read_localization(racoon_t)
+@@ -386,6 +422,8 @@ miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
@@ -44646,19 +44652,20 @@ index d82ff45..6de1ab4 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -411,6 +449,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
+@@ -412,6 +450,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
# allow setkey to set the context for ipsec SAs and policy.
- ipsec_setcontext_default_spd(setkey_t)
-@@ -422,3 +461,4 @@ miscfiles_read_localization(setkey_t)
+ corenet_setcontext_all_spds(setkey_t)
+@@ -423,4 +462,5 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
+
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 13f62a6..fd99a6e 100644
--- a/policy/modules/system/iptables.fc
@@ -45252,7 +45259,7 @@ index 7570583..be6a81b 100644
/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 3fb1915..26e9f79 100644
+index 2b7e5f3..76b4ce1 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,9 +32,8 @@ role system_r types sulogin_t;
@@ -45284,7 +45291,7 @@ index 3fb1915..26e9f79 100644
miscfiles_read_localization(local_login_t)
-@@ -151,6 +153,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -156,6 +158,12 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(local_login_t)
')
@@ -45297,7 +45304,7 @@ index 3fb1915..26e9f79 100644
optional_policy(`
alsa_domtrans(local_login_t)
')
-@@ -180,7 +188,7 @@ optional_policy(`
+@@ -185,7 +193,7 @@ optional_policy(`
')
optional_policy(`
@@ -45306,7 +45313,7 @@ index 3fb1915..26e9f79 100644
')
optional_policy(`
-@@ -197,9 +205,10 @@ optional_policy(`
+@@ -202,9 +210,10 @@ optional_policy(`
# Sulogin local policy
#
@@ -45318,7 +45325,7 @@ index 3fb1915..26e9f79 100644
allow sulogin_t self:unix_dgram_socket create_socket_perms;
allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
allow sulogin_t self:unix_dgram_socket sendto;
-@@ -219,6 +228,7 @@ files_read_etc_files(sulogin_t)
+@@ -224,6 +233,7 @@ files_read_etc_files(sulogin_t)
files_dontaudit_search_isid_type_dirs(sulogin_t)
auth_read_shadow(sulogin_t)
@@ -45326,7 +45333,7 @@ index 3fb1915..26e9f79 100644
init_getpgid_script(sulogin_t)
-@@ -232,14 +242,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -237,14 +247,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -45352,7 +45359,7 @@ index 3fb1915..26e9f79 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -250,11 +269,3 @@ ifdef(`sulogin_no_pam', `
+@@ -255,11 +274,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -46366,7 +46373,7 @@ index 8b5c196..83107f9 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 1899313..c6b6821 100644
+index 15832c7..6ee04e2 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@@ -46416,7 +46423,7 @@ index 1899313..c6b6821 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -46,59 +68,96 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,9 +68,23 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -46440,7 +46447,8 @@ index 1899313..c6b6821 100644
+kernel_request_load_module(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
-
+ # To load binfmt_misc kernel module
+@@ -57,50 +93,73 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -46522,7 +46530,7 @@ index 1899313..c6b6821 100644
selinux_get_enforce_mode(mount_t)
-@@ -106,6 +165,7 @@ storage_raw_read_fixed_disk(mount_t)
+@@ -108,6 +167,7 @@ storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -46530,7 +46538,7 @@ index 1899313..c6b6821 100644
term_use_all_terms(mount_t)
-@@ -114,6 +174,8 @@ auth_use_nsswitch(mount_t)
+@@ -116,6 +176,8 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -46539,7 +46547,7 @@ index 1899313..c6b6821 100644
logging_send_syslog_msg(mount_t)
-@@ -124,6 +186,12 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +188,12 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -46552,7 +46560,7 @@ index 1899313..c6b6821 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -139,10 +207,17 @@ ifdef(`distro_ubuntu',`
+@@ -141,10 +209,17 @@ ifdef(`distro_ubuntu',`
')
')
@@ -46570,7 +46578,7 @@ index 1899313..c6b6821 100644
')
optional_policy(`
-@@ -172,6 +247,8 @@ optional_policy(`
+@@ -174,6 +249,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -46579,7 +46587,7 @@ index 1899313..c6b6821 100644
')
optional_policy(`
-@@ -179,6 +256,28 @@ optional_policy(`
+@@ -181,6 +258,28 @@ optional_policy(`
')
optional_policy(`
@@ -46608,7 +46616,7 @@ index 1899313..c6b6821 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -186,13 +285,44 @@ optional_policy(`
+@@ -188,13 +287,44 @@ optional_policy(`
')
')
@@ -46653,7 +46661,7 @@ index 1899313..c6b6821 100644
')
########################################
-@@ -201,6 +331,42 @@ optional_policy(`
+@@ -203,6 +333,42 @@ optional_policy(`
#
optional_policy(`
@@ -47202,7 +47210,7 @@ index 170e2c7..bbaa8cf 100644
+')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ff5d72d..8526f19 100644
+index 7ed9819..ad1d4ca 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -47393,16 +47401,16 @@ index ff5d72d..8526f19 100644
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
--
--kernel_read_system_state(semanage_t)
--kernel_read_kernel_sysctls(semanage_t)
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--corecmd_exec_bin(semanage_t)
+-kernel_read_system_state(semanage_t)
+-kernel_read_kernel_sysctls(semanage_t)
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+-corecmd_exec_bin(semanage_t)
+-
-dev_read_urand(semanage_t)
-
-domain_use_interactive_fds(semanage_t)
@@ -47428,13 +47436,13 @@ index ff5d72d..8526f19 100644
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
--
--miscfiles_read_localization(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
+-logging_send_syslog_msg(semanage_t)
+-
+-miscfiles_read_localization(semanage_t)
+-
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
@@ -47449,7 +47457,7 @@ index ff5d72d..8526f19 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -483,12 +468,23 @@ ifdef(`distro_debian',`
+@@ -487,118 +472,64 @@ ifdef(`distro_debian',`
files_read_var_lib_symlinks(semanage_t)
')
@@ -47465,21 +47473,7 @@ index ff5d72d..8526f19 100644
')
')
-+optional_policy(`
-+ #signal mcstrans on reload
-+ init_spec_domtrans_script(semanage_t)
-+')
-+
- # cjp: need a more general way to handle this:
- ifdef(`enable_mls',`
- # read secadm tmp files
-@@ -498,112 +494,54 @@ ifdef(`enable_mls',`
- userdom_read_user_tmp_files(semanage_t)
- ')
-
-########################################
-+userdom_search_admin_dir(semanage_t)
-+
+####################################n####
#
-# Setfiles local policy
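Review bot: The rebased patch stops adding `init_spec_domtrans_script(semanage_t)` (commented `#signal mcstrans on reload`) and `userdom_search_admin_dir(semanage_t)`, and nothing visible in this chunk says where those two semanage_t grants went. If serefpolicy-3.9.13 does not carry them itself, semanage would presumably start hitting denials when it restarts mcstrans or runs from the admin home directory, so this is worth checking against the new tarball before the build. The spec changelog only says `Update to upstream`; I would add a line such as `- Drop semanage_t mcstrans and admin-dir rules, now provided upstream`, or keep both additions in the merged `@@ -487,118 +472,64 @@` hunk. The banner `####################################n####` in the same hunk appears to carry a stray `n`; it is only a comment, but it should read as forty `#` characters like the other section banners. The semanage_t section this hunk edits begins and ends outside the hunk.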
@@ -47523,12 +47517,18 @@ index ff5d72d..8526f19 100644
-fs_list_all(setfiles_t)
-fs_search_auto_mountpoints(setfiles_t)
-fs_relabelfrom_noxattr_fs(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+
-mls_file_read_all_levels(setfiles_t)
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
--
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_config(setsebool_t)
+
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
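Review bot: The `# Bug in semanage` comment that moves into this hunk with the setsebool_t rules does not name the bug or say when the workaround can be removed. The four rules under it let setsebool_t transition to setfiles and manage file contexts, default contexts and the SELinux configuration, which looks broader than a boolean-setting domain should need, so the justification ought to be traceable. I would expand the comment to something like `# Workaround for semanage bug <BUG-ID placeholder>: drop these four rules once it is fixed`. The setsebool_t section itself starts outside this hunk, so I cannot tell what else it is already allowed.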
@@ -47548,15 +47548,9 @@ index ff5d72d..8526f19 100644
-init_exec_script_files(setfiles_t)
-
-logging_send_syslog_msg(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
-
+-
-miscfiles_read_localization(setfiles_t)
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
-
+-
-seutil_libselinux_linked(setfiles_t)
+########################################
+#
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8459e8e..f44d62e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,8 +20,8 @@
%define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.9.12
-Release: 8%{?dist}
+Version: 3.9.13
+Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,9 @@ exit 0
%endif
%changelog
+* Mon Jan 17 2011 Miroslav Grepl 3.9.13-1
+- Update to upstream
+
* Mon Jan 17 2011 Miroslav Grepl 3.9.12-8
- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on
- Add puppetmaster_use_db boolean
diff --git a/sources b/sources
index f1a3e17..c1b1cb9 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
409b40c8102b1617681ba17c31032e66 config.tgz
-eeb4ff0fe3beb456f6eb5d11fcc1d247 serefpolicy-3.9.12.tgz
+7133b9fde2dd7620e2985afaf4e3b00e serefpolicy-3.9.13.tgz