diff --git a/policy-f19-base.patch b/policy-f19-base.patch index af4d7ad..2613303 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -3244,7 +3244,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..6e7dd83 100644 +index 644d4d7..ad789c2 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3556,7 +3556,7 @@ index 644d4d7..6e7dd83 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +458,15 @@ ifdef(`distro_suse', ` +@@ -383,11 +458,16 @@ ifdef(`distro_suse', ` # # /var # @@ -3566,6 +3566,7 @@ index 644d4d7..6e7dd83 100644 /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3573,7 +3574,7 @@ index 644d4d7..6e7dd83 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +476,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +477,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -32416,7 +32417,7 @@ index 9933677..ca14c17 100644 + +/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) 
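Review bot: The added `/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0)` entry in corecommands.fc is limited by `--` to one regular file with that literal name, while the neighbouring script locations (`/var/ftp/bin(/.*)?`, `/var/lib/asterisk/agi-bin(/.*)?`) use a `(/.*)?` suffix with no file-type restriction. If `scripts-INSTANCE` is actually a directory of per-instance scripts (the upper-case `INSTANCE` reads like a template placeholder), nothing beneath it will be labelled `bin_t`. Please confirm the on-disk layout and, if it is a directory, use `/var/lib/dirsrv/scripts-INSTANCE(/.*)?` instead. Because the path sits under `/var/lib`, it is also worth confirming that the directory-server domain cannot write there, since `bin_t` content is executable by many domains.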
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 7449974..23bbbf2 100644 +index 7449974..4f4ac3a 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ @@ -32498,32 +32499,7 @@ index 7449974..23bbbf2 100644 ## Execute insmod in the insmod domain, and ## allow the specified role the insmod domain, ## and use the caller's terminal. Has a sigchld -@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',` - can_exec($1, insmod_exec_t) - ') - -+####################################### -+## -+## Don't audit execute insmod in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`modutils_dontaudit_exec_insmod',` -+ gen_require(` -+ type insmod_exec_t; -+ ') -+ -+ dontaudit $1 insmod_exec_t:file exec_file_perms; -+') -+ - ######################################## - ## - ## Execute depmod in the depmod domain. -@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',` +@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',` # interface(`modutils_run_update_mods',` gen_require(` @@ -32544,7 +32520,7 @@ index 7449974..23bbbf2 100644 ') ######################################## -@@ -333,3 +414,25 @@ interface(`modutils_exec_update_mods',` +@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',` corecmd_search_bin($1) can_exec($1, update_modules_exec_t) ') @@ -35253,7 +35229,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..a76e22c 100644 +index 6944526..0bd8d93 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` 
@@ -35528,7 +35504,7 @@ index 6944526..a76e22c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +918,114 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -35581,24 +35557,6 @@ index 6944526..a76e22c 100644 + +######################################## +## -+## Transition to sysnet ifconfig named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sysnet_filetrans_named_content_ifconfig',` -+ gen_require(` -+ type ifconfig_var_run_t; -+ ') -+ -+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") -+') -+ -+######################################## -+## +## Transition to sysnet named content +## +## @@ -35623,26 +35581,6 @@ index 6944526..a76e22c 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') -+ -+######################################## -+## -+## Transition to sysnet ifconfig named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sysnet_manage_ifconfig_run',` -+ gen_require(` -+ type ifconfig_var_run_t; -+ ') -+ -+ manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) -+ manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) -+ manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) -+') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index b7686d5..087fe08 100644 --- a/policy/modules/system/sysnetwork.te @@ -39441,7 +39379,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..a44c781 100644 +index 3c5dba7..0aa6db0 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -40078,7 +40016,7 @@ index 3c5dba7..a44c781 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +687,120 @@ template(`userdom_common_user_template',` +@@ -546,93 +687,124 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -40191,6 +40129,10 @@ index 3c5dba7..a44c781 100644 + kde_dbus_chat_backlighthelper($1_usertype) + ') + ++ optional_policy(` ++ memcached_stream_connect($1_usertype) ++ ') ++ + optional_policy(` + modemmanager_dbus_chat($1_usertype) + ') @@ -40237,7 +40179,7 @@ index 3c5dba7..a44c781 100644 ') optional_policy(` -@@ -642,23 +810,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +814,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -40266,7 +40208,7 @@ index 3c5dba7..a44c781 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +837,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +841,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -40275,7 +40217,7 @@ index 3c5dba7..a44c781 100644 ') optional_policy(` -@@ -680,9 +846,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +850,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -40288,7 +40230,7 @@ index 3c5dba7..a44c781 100644 ') ') -@@ -693,32 +859,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +863,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -40335,7 +40277,7 @@ index 3c5dba7..a44c781 100644 ') ') -@@ -743,17 +912,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +916,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; 
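Review bot: The new `optional_policy` block calling `memcached_stream_connect($1_usertype)` in `userdom_common_user_template` gives every user domain built from the common template access to memcached's stream socket, with no comment saying which application needs it. memcached does not authenticate clients by default, so socket access is effectively read/write access to whatever other services cache there. I would add a why-comment above the call, e.g. `# needed by <application>: talks to memcached from the user session`. If only some roles need it, move the call to that role's template or put it behind a tunable rather than the common template. The template body starts and ends outside this hunk.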
@@ -40373,7 +40315,7 @@ index 3c5dba7..a44c781 100644 userdom_change_password_template($1) -@@ -761,82 +946,101 @@ template(`userdom_login_user_template', ` +@@ -761,82 +950,101 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -40511,7 +40453,7 @@ index 3c5dba7..a44c781 100644 ') ') -@@ -868,6 +1072,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1076,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -40524,7 +40466,7 @@ index 3c5dba7..a44c781 100644 ############################## # # Local policy -@@ -907,42 +1117,99 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1121,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -40613,31 +40555,31 @@ index 3c5dba7..a44c781 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) -+ ') optional_policy(` - consolekit_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) -+ fprintd_dbus_chat($1_t) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ') optional_policy(` - gnome_role_template($1, $1_r, $1_t) ++ fprintd_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + realmd_dbus_chat($1_t) ') optional_policy(` -@@ -951,12 +1218,29 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1222,29 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` 
@@ -40668,7 +40610,7 @@ index 3c5dba7..a44c781 100644 ') ####################################### -@@ -990,27 +1274,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1278,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -40706,7 +40648,7 @@ index 3c5dba7..a44c781 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1311,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,55 +1315,94 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -40732,20 +40674,46 @@ index 3c5dba7..a44c781 100644 + + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + cdrecord_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + +- # Run pppd in pppd_t by default for user + optional_policy(` +- ppp_run_cond($1_t, $1_r) + cron_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) + games_rw_data($1_usertype) -+ ') -+ + ') +-') + +-####################################### +-## +-## The template for creating an administrative user. +-## +-## +-##

+-## This template creates a user domain, types, and +-## rules for the user's tty, pty, home directories, +-## tmp, and tmpfs files. +-##

+-##

+-## The privileges given to administrative users are: +-##

+ optional_policy(` + gpg_role($1_r, $1_usertype) + ') @@ -40767,28 +40735,49 @@ index 3c5dba7..a44c781 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) - ') - - # Run pppd in pppd_t by default for user -@@ -1046,7 +1373,9 @@ template(`userdom_unpriv_user_template', ` - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ ') ++ ++ # Run pppd in pppd_t by default for user ++ optional_policy(` ++ ppp_run_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + vdagent_getattr_log($1_t) + vdagent_getattr_exec_files($1_t) + vdagent_stream_connect($1_t) - ') - ') - -@@ -1082,7 +1411,7 @@ template(`userdom_unpriv_user_template', ` ++ ') ++') ++ ++####################################### ++## ++## The template for creating an administrative user. ++## ++## ++##

++## This template creates a user domain, types, and ++## rules for the user's tty, pty, home directories, ++## tmp, and tmpfs files. ++##

++##

++## The privileges given to administrative users are: ++##

    ++##
  • Raw disk access
  • ++##
  • Set all sysctls
  • ++##
  • All kernel ring buffer controls
  • ++##
  • Create, read, write, and delete all files but shadow
  • ++##
  • Manage source and binary format SELinux policy
  • ++##
  • Run insmod
  • ++##
+ ##

+ ##
+ ## +@@ -1082,7 +1415,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -40797,7 +40786,7 @@ index 3c5dba7..a44c781 100644 ') ############################## -@@ -1109,6 +1438,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1442,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -40805,7 +40794,7 @@ index 3c5dba7..a44c781 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1447,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1451,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -40815,7 +40804,7 @@ index 3c5dba7..a44c781 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1464,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1468,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -40823,7 +40812,7 @@ index 3c5dba7..a44c781 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1482,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1486,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -40838,7 +40827,7 @@ index 3c5dba7..a44c781 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1500,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1504,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -40881,7 +40870,7 @@ index 3c5dba7..a44c781 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1541,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1545,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -40890,7 +40879,7 @@ index 3c5dba7..a44c781 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1550,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1554,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -40909,7 +40898,7 @@ index 3c5dba7..a44c781 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1606,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1610,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -40918,7 +40907,7 @@ index 3c5dba7..a44c781 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1620,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1624,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40930,7 +40919,7 @@ index 3c5dba7..a44c781 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1634,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1638,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) 
@@ -40973,7 +40962,7 @@ index 3c5dba7..a44c781 100644 ') optional_policy(` -@@ -1360,14 +1719,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1723,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -40992,7 +40981,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -1408,6 +1770,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1774,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -41044,7 +41033,7 @@ index 3c5dba7..a44c781 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1919,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1923,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -41076,7 +41065,7 @@ index 3c5dba7..a44c781 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1985,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1989,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -41091,7 +41080,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -1573,9 +2008,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2012,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -41103,7 +41092,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -1632,6 +2069,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2073,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') 
@@ -41146,7 +41135,7 @@ index 3c5dba7..a44c781 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2184,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2188,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -41155,7 +41144,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -1744,10 +2219,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2223,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -41170,7 +41159,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -1772,7 +2249,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2253,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -41197,7 +41186,7 @@ index 3c5dba7..a44c781 100644 ## ## ## -@@ -1782,49 +2277,67 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,49 +2281,67 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -41277,7 +41266,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -1848,6 +2361,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2365,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -41303,7 +41292,7 @@ index 3c5dba7..a44c781 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2410,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2414,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
@@ -41341,7 +41330,7 @@ index 3c5dba7..a44c781 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2450,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2454,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -41359,89 +41348,148 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -1941,7 +2498,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2502,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## -## Delete all user home content files. +## Delete files in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1949,19 +2510,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` + ## + ## + # +-interface(`userdom_delete_all_user_home_content_files',` +interface(`userdom_delete_user_home_content_files',` -+ gen_require(` + gen_require(` +- attribute user_home_content_type; +- type user_home_dir_t; + type user_home_t; -+ ') -+ + ') + +- userdom_search_user_home_content($1) +- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) + allow $1 user_home_t:file delete_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete files in a user home subdirectory. +## Delete all files in a user home subdirectory. 
## ## ## -@@ -1951,17 +2526,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1969,35 +2528,35 @@ interface(`userdom_delete_all_user_home_content_files',` + ## + ## # - interface(`userdom_delete_all_user_home_content_files',` +-interface(`userdom_delete_user_home_content_files',` ++interface(`userdom_delete_all_user_home_content_files',` gen_require(` -- attribute user_home_content_type; -- type user_home_dir_t; +- type user_home_t; + attribute user_home_type; ') -- userdom_search_user_home_content($1) -- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) +- allow $1 user_home_t:file delete_file_perms; + allow $1 user_home_type:file delete_file_perms; ') ######################################## ## --## Delete files in a user home subdirectory. +-## Do not audit attempts to write user home files. +## Delete sock files in a user home subdirectory. ## ## ## -@@ -1969,12 +2542,48 @@ interface(`userdom_delete_all_user_home_content_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`userdom_delete_user_home_content_files',` +-interface(`userdom_dontaudit_relabel_user_home_content_files',` +interface(`userdom_delete_user_home_content_sock_files',` gen_require(` type user_home_t; ') -- allow $1 user_home_t:file delete_file_perms; +- dontaudit $1 user_home_t:file relabel_file_perms; + allow $1 user_home_t:sock_file delete_file_perms; + ') + + ######################################## + ## +-## Read user home subdirectory symbolic links. ++## Delete all sock files in a user home subdirectory. 
+ ## + ## + ## +@@ -2005,45 +2564,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` + ## + ## + # +-interface(`userdom_read_user_home_content_symlinks',` ++interface(`userdom_delete_all_user_home_content_sock_files',` + gen_require(` +- type user_home_dir_t, user_home_t; ++ attribute user_home_type; + ') + +- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- files_search_home($1) ++ allow $1 user_home_type:sock_file delete_file_perms; + ') + + ######################################## + ## +-## Execute user home files. ++## Delete all files in a user home subdirectory. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`userdom_exec_user_home_content_files',` ++interface(`userdom_delete_all_user_home_content',` + gen_require(` +- type user_home_dir_t, user_home_t; ++ attribute user_home_type; + ') + +- files_search_home($1) +- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ allow $1 user_home_type:dir_file_class_set delete_file_perms; +') -+ + +- tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files($1) +######################################## +## -+## Delete all sock files in a user home subdirectory. ++## Do not audit attempts to write user home files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_delete_all_user_home_content_sock_files',` ++interface(`userdom_dontaudit_relabel_user_home_content_files',` + gen_require(` -+ attribute user_home_type; -+ ') -+ -+ allow $1 user_home_type:sock_file delete_file_perms; ++ type user_home_t; + ') + +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) ++ dontaudit $1 user_home_t:file relabel_file_perms; +') + +######################################## +## -+## Delete all files in a user home subdirectory. ++## Read user home subdirectory symbolic links. +## +## +## 
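Review bot: `userdom_delete_all_user_home_content` grants `allow $1 user_home_type:dir_file_class_set delete_file_perms;`, which applies a file-oriented permission set to a class set that also contains `dir`, `chr_file` and `blk_file`. In reference policy `delete_file_perms` is `{ getattr unlink }`, whereas removing a directory needs `delete_dir_perms` (`rmdir`). So directories are probably not deletable through this interface, while callers do gain unlink on device nodes of any `user_home_type`. Splitting the rule per class would make the intent explicit, e.g. `allow $1 user_home_type:dir delete_dir_perms;` and `allow $1 user_home_type:file delete_file_perms;`, with the matching `delete_lnk_file_perms`, `delete_sock_file_perms` and `delete_fifo_file_perms` rules for the other classes that are really wanted. The summary line "Delete all files in a user home subdirectory." is also identical to the one on `userdom_delete_all_user_home_content_files` and should say what differs.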
@@ -41449,51 +41497,42 @@ index 3c5dba7..a44c781 100644 +## +## +# -+interface(`userdom_delete_all_user_home_content',` ++interface(`userdom_read_user_home_content_symlinks',` + gen_require(` -+ attribute user_home_type; -+ ') -+ -+ allow $1 user_home_type:dir_file_class_set delete_file_perms; - ') - - ######################################## -@@ -2010,8 +2619,7 @@ interface(`userdom_read_user_home_content_symlinks',` - type user_home_dir_t, user_home_t; ++ type user_home_dir_t, user_home_t; ') - -- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- files_search_home($1) ++ + allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; ') ######################################## -@@ -2027,20 +2635,14 @@ interface(`userdom_read_user_home_content_symlinks',` - # - interface(`userdom_exec_user_home_content_files',` - gen_require(` -- type user_home_dir_t, user_home_t; + ## ++## Execute user home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_exec_user_home_content_files',` ++ gen_require(` + type user_home_dir_t; + attribute user_home_type; - ') - - files_search_home($1) -- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- -- tunable_policy(`use_nfs_home_dirs',` -- fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) ++ ') ++ ++ files_search_home($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; - ') --') - - ######################################## - ## -@@ -2123,7 +2725,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ++ ') ++ ++######################################## ++## + ## Do not audit attempts to execute user home files. + ## + ## +@@ -2123,7 +2729,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## 
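Review bot: `userdom_exec_user_home_content_files` now calls `exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)`, so callers may execute every type carrying the `user_home_type` attribute rather than only `user_home_t`. That attribute's membership is defined outside this page, but it likely includes application-specific home types (configuration, caches, key material) that were never meant to be executable, so the real reach should be checked against least privilege. The `use_nfs_home_dirs` and `use_samba_home_dirs` tunable blocks that called `fs_exec_nfs_files($1)` and `fs_exec_cifs_files($1)` are also gone from this interface; if that is now handled elsewhere, a one-line comment saying where would help. If the broad form is intended, the summary should say so, since it still reads just "Execute user home files.".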
@@ -41502,7 +41541,7 @@ index 3c5dba7..a44c781 100644 ## ## ## -@@ -2131,19 +2733,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2737,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -41526,7 +41565,7 @@ index 3c5dba7..a44c781 100644 ## ## ## -@@ -2151,12 +2751,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2755,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -41542,7 +41581,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -2393,11 +2993,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2997,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -41557,7 +41596,7 @@ index 3c5dba7..a44c781 100644 files_search_tmp($1) ') -@@ -2417,7 +3017,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3021,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -41566,7 +41605,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -2664,6 +3264,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3268,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -41592,7 +41631,7 @@ index 3c5dba7..a44c781 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3299,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3303,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -41608,7 +41647,7 @@ index 3c5dba7..a44c781 100644 ## ## ## -@@ -2707,7 +3327,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3331,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## 
@@ -41617,7 +41656,7 @@ index 3c5dba7..a44c781 100644 ## ## ## -@@ -2715,14 +3335,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3339,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -41652,7 +41691,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -2817,6 +3453,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3457,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -41677,7 +41716,7 @@ index 3c5dba7..a44c781 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3489,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3493,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -41720,7 +41759,7 @@ index 3c5dba7..a44c781 100644 ## ## ## -@@ -2859,14 +3525,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3529,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -41758,7 +41797,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -2885,8 +3570,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3574,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -41788,7 +41827,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -2958,69 +3662,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3666,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41889,7 +41928,7 @@ index 3c5dba7..a44c781 100644 ## ## ## -@@ -3028,12 +3731,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3735,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # 
@@ -41904,7 +41943,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -3097,7 +3800,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3804,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -41913,7 +41952,7 @@ index 3c5dba7..a44c781 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3816,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3820,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -41947,7 +41986,7 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -3217,7 +3904,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3908,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -41974,18 +42013,67 @@ index 3c5dba7..a44c781 100644 ') ######################################## -@@ -3272,7 +3977,83 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,12 +3981,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to use user ttys. +## Do not audit attempts to write users +## temporary files. + ## + ## + ## +@@ -3285,36 +3995,112 @@ interface(`userdom_write_user_tmp_files',` + ## + ## + # +-interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` +- type user_tty_device_t; ++ type user_tmp_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tmp_t:file write; + ') + + ######################################## + ## +-## Read the process state of all user domains. ++## Do not audit attempts to delete users ++## temporary files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_delete_user_tmp_files',` + gen_require(` +- attribute userdomain; ++ type user_tmp_t; + ') + +- read_files_pattern($1, userdomain, userdomain) +- kernel_search_proc($1) ++ dontaudit $1 user_tmp_t:file delete_file_perms; + ') + + ######################################## + ## +-## Get the attributes of all user domains. ++## Do not audit attempts to read/write users ++## temporary fifo files. +## +## +## 
@@ -41993,37 +42081,36 @@ index 3c5dba7..a44c781 100644 +## +## +# -+interface(`userdom_dontaudit_write_user_tmp_files',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` + type user_tmp_t; + ') + -+ dontaudit $1 user_tmp_t:file write; ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Do not audit attempts to delete users -+## temporary files. ++## Allow domain to read/write inherited users ++## fifo files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`userdom_dontaudit_delete_user_tmp_files',` ++interface(`userdom_rw_inherited_user_pipes',` + gen_require(` -+ type user_tmp_t; ++ attribute userdomain; + ') + -+ dontaudit $1 user_tmp_t:file delete_file_perms; ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Do not audit attempts to read/write users -+## temporary fifo files. ++## Do not audit attempts to use user ttys. +## +## +## @@ -42031,18 +42118,17 @@ index 3c5dba7..a44c781 100644 +## +## +# -+interface(`userdom_dontaudit_rw_user_tmp_pipes',` ++interface(`userdom_dontaudit_use_user_ttys',` + gen_require(` -+ type user_tmp_t; ++ type user_tty_device_t; + ') + -+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; +') + +######################################## +## -+## Allow domain to read/write inherited users -+## fifo files. ++## Read the process state of all user domains. +## +## +## 
@@ -42050,108 +42136,47 @@ index 3c5dba7..a44c781 100644 +## +## +# -+interface(`userdom_rw_inherited_user_pipes',` ++interface(`userdom_read_all_users_state',` + gen_require(` + attribute userdomain; + ') + -+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## -@@ -3290,7 +4071,7 @@ interface(`userdom_dontaudit_use_user_ttys',` - type user_tty_device_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; - ') - - ######################################## -@@ -3309,6 +4090,7 @@ interface(`userdom_read_all_users_state',` - ') - - read_files_pattern($1, userdomain, userdomain) ++ read_files_pattern($1, userdomain, userdomain) + read_lnk_files_pattern($1,userdomain,userdomain) - kernel_search_proc($1) - ') - -@@ -3385,27 +4167,27 @@ interface(`userdom_signal_all_users',` ++ kernel_search_proc($1) ++') ++ ++######################################## ++## ++## Get the attributes of all user domains. + ## + ## + ## +@@ -3385,6 +4171,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') --######################################## +####################################### - ## --## Send a SIGCHLD signal to all user domains. ++## +## Send signull to all user domains. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`userdom_sigchld_all_users',` -- gen_require(` -- attribute userdomain; -- ') ++## ++# +interface(`userdom_signull_all_users',` + gen_require(` + attribute userdomain; + ') - -- allow $1 userdomain:process sigchld; -+ allow $1 userdomain:process signull; - ') - - ######################################## - ## --## Create keys for all user domains. -+## Send kill signals to all user domains. 
- ## - ## - ## -@@ -3413,17 +4195,17 @@ interface(`userdom_sigchld_all_users',` - ## - ## - # --interface(`userdom_create_all_users_keys',` -+interface(`userdom_kill_all_users',` - gen_require(` - attribute userdomain; - ') - -- allow $1 userdomain:key create; -+ allow $1 userdomain:process sigkill; - ') - - ######################################## - ## --## Send a dbus message to all user domains. -+## Send a SIGCHLD signal to all user domains. - ## - ## - ## -@@ -3431,11 +4213,1552 @@ interface(`userdom_create_all_users_keys',` - ## - ## - # --interface(`userdom_dbus_send_all_users',` -+interface(`userdom_sigchld_all_users',` -+ gen_require(` -+ attribute userdomain; -+ ') + -+ allow $1 userdomain:process sigchld; ++ allow $1 userdomain:process signull; +') + +######################################## +## -+## Read keys for all user domains. ++## Send kill signals to all user domains. +## +## +## @@ -42159,17 +42184,22 @@ index 3c5dba7..a44c781 100644 +## +## +# -+interface(`userdom_read_all_users_keys',` ++interface(`userdom_kill_all_users',` + gen_require(` + attribute userdomain; + ') + -+ allow $1 userdomain:key read; ++ allow $1 userdomain:process sigkill; +') + -+######################################## -+## -+## Create keys for all user domains. + ######################################## + ## + ## Send a SIGCHLD signal to all user domains. +@@ -3405,6 +4227,24 @@ interface(`userdom_sigchld_all_users',` + + ######################################## + ## ++## Read keys for all user domains. +## +## +## 
@@ -42177,28 +42207,20 @@ index 3c5dba7..a44c781 100644 +## +## +# -+interface(`userdom_create_all_users_keys',` ++interface(`userdom_read_all_users_keys',` + gen_require(` + attribute userdomain; + ') + -+ allow $1 userdomain:key create; ++ allow $1 userdomain:key read; +') + +######################################## +## -+## Send a dbus message to all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_dbus_send_all_users',` - gen_require(` - attribute userdomain; - class dbus send_msg; + ## Create keys for all user domains. + ## + ## +@@ -3438,4 +4278,1491 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index d1644f4..79ba43c 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -8235,10 +8235,10 @@ index 536ec3c..271b976 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..1742ebf 100644 +index 2b9a3a1..838a9a1 100644 --- a/bind.fc +++ b/bind.fc -@@ -1,54 +1,71 @@ +@@ -1,54 +1,72 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -8336,6 +8336,7 @@ index 2b9a3a1..1742ebf 100644 -/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) ++/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) +/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) 
@@ -78096,10 +78097,10 @@ index 0000000..b7db254 +# Empty diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..577dfa7 +index 0000000..a2cb772 --- /dev/null +++ b/sandbox.if -@@ -0,0 +1,55 @@ +@@ -0,0 +1,85 @@ + +## policy for sandbox + @@ -78124,12 +78125,42 @@ index 0000000..577dfa7 + attribute sandbox_domain; + ') + -+ allow $1 sandbox_domain:process transition; -+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; -+ role $2 types sandbox_domain; -+ allow sandbox_domain $1:process { sigchld signull }; -+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; -+ dontaudit sandbox_domain $1:process signal; ++ sandbox_dyntransition($1) #885288 ++ allow $1 sandbox_domain:process transition; ++ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; ++ ++ role $2 types sandbox_domain; ++ ++ allow sandbox_domain $1:process { sigchld signull }; ++ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; ++ ++ dontaudit sandbox_domain $1:process signal; ++ dontaudit sandbox_domain $1:key { link read search view }; ++ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; ++') ++ ++######################################## ++## ++## Execute sandbox in the sandbox domain, and ++## allow the specified role the sandbox domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ++## ++## ++# ++interface(`sandbox_dyntransition',` ++ gen_require(` ++ attribute sandbox_domain; ++ ') ++ ++ allow $1 sandbox_domain:process dyntransition; +') + +######################################## @@ -90823,7 +90854,7 @@ index 1c35171..2cba4df 100644 domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index 9d4d8cb..f50c3ff 100644 +index 9d4d8cb..a58e2dd 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; 
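Review bot: The new `sandbox_dyntransition` interface in sandbox.if reuses the doc block of `sandbox_transition` unchanged. It still reads "Execute sandbox in the sandbox domain, and allow the specified role the sandbox domain" and documents a role parameter, while the body uses only `$1` and grants `allow $1 sandbox_domain:process dyntransition;`. The summary should read along the lines of `Allow the specified domain to dynamically transition to a sandbox domain.` and the role parameter entry should be dropped. `sandbox_transition` now calls this interface first, so callers of `sandbox_transition` can also enter a sandbox domain without an exec; the bare `#885288` should be expanded into a comment saying which caller needs that. The two added rules `dontaudit sandbox_domain $1:key { link read search view };` and `dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;` stop the audit log from recording sandboxed processes touching the caller's keys and sockets, which deserves a one-line justification next to them.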
@@ -90835,7 +90866,7 @@ index 9d4d8cb..f50c3ff 100644 type varnishd_tmp_t; files_tmp_file(varnishd_tmp_t) -@@ -43,7 +43,7 @@ type varnishlog_var_run_t; +@@ -43,16 +43,16 @@ type varnishlog_var_run_t; files_pid_file(varnishlog_var_run_t) type varnishlog_log_t; @@ -90844,9 +90875,11 @@ index 9d4d8cb..f50c3ff 100644 ######################################## # -@@ -52,7 +52,7 @@ files_type(varnishlog_log_t) + # Local policy + # - allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; +-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; ++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown }; dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; +allow varnishd_t self:process { execmem signal }; diff --git a/selinux-policy.spec b/selinux-policy.spec index c8d5ead..f2f6ca7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.25%{?dist} +Release: 74.26%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -542,6 +542,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed May 02 2014 Miroslav Grepl 3.12.1-74.26 +- Update sandbox_transition() to call sandbox_dyntrasition(). + * Fri May 02 2014 Lukas Vrabec 3.12.1-74.25 - Add interface sysnet_manage_ifconfig_run - Added sysnet_filetrans_named_content_ifconfig interface
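Review bot: The `allow varnishd_t self:capability` line in varnishd.te gains `chown` on top of `dac_override`, `setuid` and `setgid`, and nothing in the hunk says what varnishd needs to change ownership of. The 74.26 changelog entry in selinux-policy.spec lists only the sandbox_transition change, so this grant is not recorded there either. A comment above the rule, for example `# chown: <file or directory varnishd re-owns> (bug <PLACEHOLDER>)`, plus a matching changelog line would let a later reviewer check whether the capability is still required.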