+-## Enabling secure mode disallows programs, such as
++## disallow programs, such as
+ ## newrole, from transitioning to administrative
+ ## user domains.
+ ##
+diff --git a/policy/global_tunables b/policy/global_tunables
+index 4705ab6..b82865c 100644
+--- a/policy/global_tunables
++++ b/policy/global_tunables
+@@ -6,52 +6,59 @@
+
+ ##
+ ##
+@@ -68,15 +75,6 @@ gen_tunable(global_ssp,false)
+
+ ##
+ ##
+-## Allow email client to various content.
+-## nfs, samba, removable devices, and user temp
+-## files
+-##
+-##
+-gen_tunable(mail_read_content,false)
+-
+-##
+-##
+ ## Allow any files/directories to be exported read/write via NFS.
+ ##
+ ##
+@@ -105,9 +103,39 @@ gen_tunable(use_samba_home_dirs,false)
+
+ ##
+ ##
++## Support ecryptfs home directories
++##
++##
++gen_tunable(use_ecryptfs_home_dirs,false)
++
++##
++##
++## Support fusefs home directories
++##
++##
++gen_tunable(use_fusefs_home_dirs,false)
++
++##
++##
+ ## Allow users to run TCP servers (bind to ports and accept connection from
+ ## the same domain and outside users) disabling this forces FTP passive mode
+ ## and may change other protocols.
+ ##
+ ##
+-gen_tunable(user_tcp_server,false)
++gen_tunable(selinuxuser_tcp_server,false)
++
++##
++##
++## Allow users to run UDP servers (bind to ports and accept connection from
++## the same domain and outside users) disabling this may break avahi
++## discovering services on the network and other udp related services.
++##
++##
++gen_tunable(selinuxuser_udp_server,false)
++
++##
++##
++## Allow the mount commands to mount any directory or file.
++##
++##
++gen_tunable(mount_anyfile, false)
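Review bot: The description added for `mount_anyfile` at the end of the hunk says only that mount may "mount any directory or file"; it does not state the consequence, which is what an administrator toggling the boolean needs. Mounting over arbitrary paths lets the mount domain shadow labeled trees such as /etc or /usr with a filesystem of its own choosing, so the policy's file-labeling guarantees no longer hold for anything under the mount point. Suggest `## Allow the mount commands to mount any directory or file. Enabling this lets mount shadow arbitrary labeled paths; leave off unless a specific mount target requires it.` The rename of `user_tcp_server` to `selinuxuser_tcp_server` also silently invalidates any persisted `setsebool -P user_tcp_server` setting and any third-party module that still requires the old name, so a compatibility note is warranted. Minor: `gen_tunable(mount_anyfile, false)` has a space after the comma where every other tunable in the file has none.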
+diff --git a/policy/mcs b/policy/mcs
+index 216b3d1..064ec83 100644
+--- a/policy/mcs
++++ b/policy/mcs
+@@ -1,4 +1,6 @@
+ ifdef(`enable_mcs',`
++default_range dir_file_class_set target low;
++
+ #
+ # Define sensitivities
+ #
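Review bot: The new `default_range dir_file_class_set target low;` on the second line of the hunk changes how every new file and directory is labeled and carries no comment explaining it. With this statement a process running with MCS categories that creates a file in a directory labeled at plain `s0` gets a file at the directory's low level rather than the creator's range, so the file is readable by every other categorized process; per-category separation of created files now depends entirely on the parent directory being categorized. If that is the intent (shared directories stay shared), record it: `# New files inherit the parent directory's low level rather than the creating process's range; MCS separation for created files relies on categorized parent directories.` `default_range` also requires a policy version that supports it, so if this tree still builds for older kernels a version guard should be confirmed.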
+@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats)
+ # - /proc/pid operations are not constrained.
+
+ mlsconstrain file { read ioctl lock execute execute_no_trans }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain file { write setattr append unlink link rename }
+- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain dir { search read ioctl lock }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain fifo_file { open }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+- (( t1 != mcs_constrained_type ) and ( t2 == domain )));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
++
++mlsconstrain key { create link read search setattr view write }
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
++
++mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ # New filesystem object labels must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+ mlsconstrain file { create relabelto }
+- (( h1 dom h2 ) and ( l2 eq h2 ));
++ ((( h1 dom h2 ) and ( l2 eq h2 )) or
++ ( t1 != mcs_constrained_type ));
+
+ # new file labels must be dominated by the relabeling subject clearance
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+- ( h1 dom h2 );
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
++
++mlsconstrain { file lnk_file fifo_file } { create relabelto }
++ (( l2 eq h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+- (( h1 dom h2 ) and ( l2 eq h2 ));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain process { transition dyntransition }
+- (( h1 dom h2 ) or ( t1 == mcssetcats ));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain process { ptrace }
+- (( h1 dom h2) or ( t1 == mcsptraceall ));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain process { sigkill sigstop }
+- (( h1 dom h2 ) or ( t1 == mcskillall ));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain process { signal }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
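Review bot: The `create relabelto` constraints near the end of the hunk are no longer consistent: the rewritten rule for `{ dir file lnk_file chr_file blk_file sock_file fifo_file }` drops the `( l2 eq h2 )` single-level requirement, and the new rule that restores it covers only `{ file lnk_file fifo_file }`, so a constrained domain can now create or relabel a dir, chr_file, blk_file or sock_file with a ranged MCS label. The comment above them still says "the objects are single-level", which now holds for three classes only; either extend the new rule to the full class set or update the comment. More broadly, every constraint in the hunk replaces the `( t1 == mcsreadall )` / `mcswriteall` / `mcssetcats` / `mcsptraceall` / `mcskillall` escapes with `( t1 != mcs_constrained_type )`, turning MCS from enforced-by-default into opt-in: any domain not carrying `mcs_constrained_type` bypasses these checks entirely. The header comment of this file (outside the hunk) should state that model, and the now-unreferenced mcs*all attributes and their interfaces look dead unless something else still uses them.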
+@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
+ mlsconstrain { db_tuple } { insert relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
++mlsconstrain context contains
++ (( h1 dom h2 ) and ( l1 domby l2));
++
+ # Access control for any database objects based on MCS rules.
+ mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
+ ( h1 dom h2 );
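Review bot: The new `mlsconstrain context contains` rule is the only constraint in this file without a comment, and unlike the rules above it has no `( t1 != mcs_constrained_type )` escape, so it applies to every domain. Its body `(( h1 dom h2 ) and ( l1 domby l2 ))` expresses that the subject's range must enclose the object's range, which is presumably what a userspace range-containment check relies on; that deserves stating. Suggest `# context contains: the subject's range must enclose the object's range (applies to all domains, not only mcs_constrained_type)`.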
+@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+ mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
+ ( h1 dom h2 );
+
++mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
++
++# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
++# because the subject in this particular case is the remote domain which is
++# writing data out the network node which is acting as the object
++mlsconstrain { node } { recvfrom sendto }
++ (( l1 dom l2 ) or (t1 != mcs_constrained_type));
++
++mlsconstrain { packet peer } { recv }
++ (( l1 dom l2 ) or
++ ((t1 != mcs_constrained_type) and (t2 != mcs_constrained_type)));
++
++# the netif ingress/egress ops, the ingress permission is a "write" operation
++# because the subject in this particular case is the remote domain which is
++# writing data out the network interface which is acting as the object
++mlsconstrain { netif } { egress ingress }
++ (( l1 dom l2 ) or (t1 != mcs_constrained_type));
++
+ ') dnl end enable_mcs
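Review bot: The comment added above `mlsconstrain { node } { recvfrom sendto }` explains that `recvfrom` is a write from the remote side, yet the constraint applies the same `( l1 dom l2 )` read-style test to both permissions, so the comment and the rule disagree; the same holds for the `netif` comment and rule below it. If one-directional dominance is deliberate for MCS (categories rather than levels), say so in the comment instead of copying the MLS wording. The `{ packet peer } { recv }` rule escapes only when both `t1` and `t2` are unconstrained while the other new rules escape on `t1` alone; that looks intentional for `peer`, where `t2` is a process type, but a one-line note such as `# peer is a process label, so either side being constrained enforces the check` would save the next reader from re-deriving it.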
+diff --git a/policy/mls b/policy/mls
+index f11e5e2..9e0c245 100644
+--- a/policy/mls
++++ b/policy/mls
+@@ -156,9 +156,6 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
+ # these access vectors have no MLS restrictions
+ # filesystem { transition associate }
+
+-
+-
+-
+ #
+ # MLS policy for the socket classes
+ #
+@@ -195,7 +192,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+- ( t1 == mlsnetwrite ));
++ ( t1 == mlsnetwrite ) or
++ ( t2 == mlstrustedobject ));
+
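Review bot: The added `( t2 == mlstrustedobject )` disjunct makes the socket write constraint pass with no level comparison at all whenever the target socket's type carries `mlstrustedobject`, so any such socket becomes a channel from a higher level to whoever reads it. That is a broad escape for a write rule in an MLS policy; the set of socket types carrying the attribute should be audited and the reason recorded, e.g. `# trusted-object sockets may be written from any level (used for ...)`. The enclosing `mlsconstrain` statement begins before this hunk, so the full permission set it covers is not visible here.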
+ # used by netlabel to restrict normal domains to same level connections
+ mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
+@@ -252,6 +250,11 @@ mlsconstrain msg receive
+ (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsipcread ));
+
++mlsconstrain key { create link read search setattr view write }
++ (( l1 eq l2 ) or
++ (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++ ( t1 == mlsprocwrite ));
++
+ # the ipc "write" ops (implicit single level)
+ mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+ (( l1 eq l2 ) or
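Review bot: The new `key` constraint treats `read`, `search` and `view` as write operations: they are gated by `( l1 eq l2 )` plus the `mlsprocwritetoclr` / `mlsprocwrite` escapes, so a domain allowed to read up cannot read a lower-level keyring while a domain granted process write-down can. The rest of this file splits each class into a read set and a write set with their own attributes (see `msg receive` just above), and labels each with a `# the ... "read"/"write" ops` comment; the key class should follow the same shape. A split along the lines below would keep the model consistent; the read-side attribute names are illustrative and need confirming against the attributes this file declares.
```selinux
# the key "read" ops (implicit single level)
mlsconstrain key { view read search }
	(( l1 dom l2 ) or
	 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
	 ( t1 == mlsprocread ));

# the key "write" ops (implicit single level)
mlsconstrain key { create link setattr write }
	(( l1 eq l2 ) or
	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
	 ( t1 == mlsprocwrite ));
```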
+@@ -361,9 +364,6 @@ mlsconstrain { peer packet } { recv }
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
+
+-
+-
+-
+ #
+ # MLS policy for the process class
+ #
+diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
+index 2626ebf..5745bb2 100644
+--- a/policy/modules/admin/bootloader.fc
++++ b/policy/modules/admin/bootloader.fc
+@@ -1,11 +1,16 @@
++/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
++/etc/lilo\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0)
++/etc/yaboot\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0)
++/etc/zipl\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0)
+
+-/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+-/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+-
+-/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++
++/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+-/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+-/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0)
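Review bot: The new `/sbin/grub.*` and `/usr/sbin/grub.*` patterns replace an explicit list (`grub`, `grub2-bios-setup`, `grub2-probe`) with a prefix match, so every present or future `/usr/sbin/grub*` file, including shell scripts such as grub2-mkconfig if installed there, becomes an entry point into bootloader_t, a domain that per bootloader.te holds sys_rawio, sys_admin and write access to /boot. If the whole grub2 toolset is meant to run in that domain the pattern is fine but deserves a comment; otherwise keep the enumeration or tighten the regex. Separately, `/etc/lilo\.conf.*`, `/etc/yaboot\.conf.*` and `/etc/zipl\.conf.*` carry no `--` file-type qualifier while `/etc/default/grub` keeps it; if the intent is only to cover `.rpmsave`-style siblings, `--` should stay so directories or symlinks with that prefix are not swept into bootloader_etc_t.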
+diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
+index cc8df9d..90467f3 100644
+--- a/policy/modules/admin/bootloader.if
++++ b/policy/modules/admin/bootloader.if
+@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
+ domtrans_pattern($1, bootloader_exec_t, bootloader_t)
+ ')
+
++######################################
++##
++## Execute bootloader in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bootloader_exec',`
++ gen_require(`
++ type bootloader_exec_t;
++ ')
++
++ can_exec($1, bootloader_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute bootloader interactively and do
+@@ -38,16 +56,18 @@ interface(`bootloader_domtrans',`
+ #
+ interface(`bootloader_run',`
+ gen_require(`
++ type bootloader_t;
+ attribute_role bootloader_roles;
+ ')
+
+ bootloader_domtrans($1)
+ roleattribute $2 bootloader_roles;
++
+ ')
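Review bot: `type bootloader_t;` is added to the `gen_require` of `bootloader_run` but nothing in the body uses it (the body only calls `bootloader_domtrans($1)` and sets `roleattribute $2 bootloader_roles;`), and a blank line is added before the closing `')`. Both are style noise; drop the unused require and the trailing blank line.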
+
+ ########################################
+ ##
+-## Execute bootloader in the caller domain.
++## Read the bootloader configuration file.
+ ##
+ ##
+ ##
+@@ -55,36 +75,37 @@ interface(`bootloader_run',`
+ ##
+ ##
+ #
+-interface(`bootloader_exec',`
++interface(`bootloader_read_config',`
+ gen_require(`
+- type bootloader_exec_t;
++ type bootloader_etc_t;
+ ')
+
+- corecmd_search_bin($1)
+- can_exec($1, bootloader_exec_t)
++ allow $1 bootloader_etc_t:file read_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Read the bootloader configuration file.
++## Read and write the bootloader
++## configuration file.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`bootloader_read_config',`
++interface(`bootloader_rw_config',`
+ gen_require(`
+ type bootloader_etc_t;
+ ')
+
+- allow $1 bootloader_etc_t:file read_file_perms;
++ allow $1 bootloader_etc_t:file rw_file_perms;
+ ')
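Review bot: `bootloader_read_config` and `bootloader_rw_config` grant file permissions on `bootloader_etc_t` without the `files_search_etc($1)` that refpolicy interfaces normally pair with access to /etc content, so a caller whose domain lacks etc_t directory search is denied on the path walk before reaching the file. This hunk is mostly a reshuffle of existing interfaces, but since the bodies are being rewritten anyway, adding `files_search_etc($1)` to each is the conventional fix. Now that bootloader_etc_t also covers `/etc/default/grub` (bootloader.fc), the descriptions should say "configuration files" rather than "the configuration file".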
+
+ ########################################
+ ##
+-## Read and write the bootloader
++## Manage the bootloader
+ ## configuration file.
+ ##
+ ##
+@@ -94,12 +115,12 @@ interface(`bootloader_read_config',`
+ ##
+ ##
+ #
+-interface(`bootloader_rw_config',`
++interface(`bootloader_manage_config',`
+ gen_require(`
+ type bootloader_etc_t;
+ ')
+
+- allow $1 bootloader_etc_t:file rw_file_perms;
++ manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)
+ ')
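Review bot: `manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)` uses a file type as the directory type, so the directory half of the pattern is dead: no directory carries bootloader_etc_t, and the etc_t directory that actually holds these files gets no write permission from this interface. A caller using only `bootloader_manage_config` can rewrite existing config files but cannot create or unlink them unless it also receives etc_t directory write access, e.g. via `files_rw_etc_dirs($1)` or the `bootloader_filetrans_config` interface further down, whose filetrans pattern appears to grant it. Either add the directory access here or document in the interface description that it must be combined with `bootloader_filetrans_config`.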
+
+ ########################################
+@@ -119,7 +140,7 @@ interface(`bootloader_rw_tmp_files',`
+ ')
+
+ files_search_tmp($1)
+- allow $1 bootloader_tmp_t:file rw_file_perms;
++ allow $1 bootloader_tmp_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -141,3 +162,24 @@ interface(`bootloader_create_runtime_file',`
+ allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
+ files_boot_filetrans($1, boot_runtime_t, file)
+ ')
++
++########################################
++##
++## Type transition files created in /etc
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bootloader_filetrans_config',`
++ gen_require(`
++ type bootloader_etc_t;
++ ')
++
++ files_etc_filetrans($1,bootloader_etc_t,file, "grub")
++ files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf")
++ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
++ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
++')
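Review bot: The four `files_etc_filetrans` calls in `bootloader_filetrans_config` are written as `($1,bootloader_etc_t,file, "grub")` with inconsistent spacing; the rest of the file uses `, ` after every argument. The `"grub"` transition fires for a file literally named `grub` created in any etc_t directory (which covers `/etc/default/grub` from the .fc hunk), which is fine but worth a comment since `grub` alone reads like a typo for `grub.conf`. Name transitions match exact names only, so `lilo.conf.rpmsave`-style siblings covered by the `.fc` patterns still depend on restorecon.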
+diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
+index 0fd5c5f..a14addb 100644
+--- a/policy/modules/admin/bootloader.te
++++ b/policy/modules/admin/bootloader.te
+@@ -20,13 +20,20 @@ type bootloader_t;
+ type bootloader_exec_t;
+ application_domain(bootloader_t, bootloader_exec_t)
+ role bootloader_roles types bootloader_t;
++role system_r types bootloader_t;
++
++type bootloader_var_run_t;
++files_pid_file(bootloader_var_run_t)
++
++type bootloader_var_lib_t;
++files_type(bootloader_var_lib_t)
+
+ #
+ # bootloader_etc_t is the configuration file,
+ # grub.conf, lilo.conf, etc.
+ #
+ type bootloader_etc_t alias etc_bootloader_t;
+-files_type(bootloader_etc_t)
++files_config_file(bootloader_etc_t)
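Review bot: Switching `bootloader_etc_t` from `files_type` to `files_config_file` adds it to the generic config-file attribute, so every domain granted the read-all-config interfaces can now read grub, lilo, yaboot and zipl configuration. Those files can hold a bootloader password (`password` / `password_pbkdf2` in grub configuration, `password=` in lilo.conf), in which case this widens who can read that secret from "domains with bootloader_read_config" to "anything that reads config files". If the broader readability is wanted, record the trade-off above the type: `# configfile: readable by generic config readers; bootloader passwords stored here become visible to them`. `role system_r types bootloader_t;` is added unconditionally alongside the `bootloader_roles` attribute; a one-line note on why the explicit role is still needed would help.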
+
+ #
+ # The temp file is used for initrd creation;
+@@ -41,7 +48,7 @@ dev_node(bootloader_tmp_t)
+ # bootloader local policy
+ #
+
+-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
++allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown };
+ allow bootloader_t self:process { signal_perms execmem };
+ allow bootloader_t self:fifo_file rw_fifo_file_perms;
+
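Review bot: `sys_chroot` is added to bootloader_t's capability set with no comment, and this domain already executes all executables (`corecmd_exec_all_executables` below) and writes /boot, so a chroot into an attacker-controlled tree is a meaningful new primitive. The need is presumably os-prober or grub2-mkconfig inspecting other installed systems (the .fc hunk adds `/var/lib/os-prober`), but that should be written down: `# sys_chroot: os-prober/grub2-mkconfig chroot into other installs — confirm`.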
+@@ -59,6 +66,15 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
+ # for tune2fs (cjp: ?)
+ files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
+
++manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })
++
++manage_dirs_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
++manage_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
++manage_lnk_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
++files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, {dir file })
++
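Review bot: `bootloader_var_run_t` is created and managed here via `files_pid_filetrans`, but the bootloader.fc hunk in this diff adds no /var/run (or /run) entry for it, so anything bootloader_t leaves behind is relabeled to the generic pid type on the next restorecon and the manage rules then stop matching. Add a file-context entry for the path actually used (not visible in this diff) or document that the files are transient. Minor style: `{dir file }` should be `{ dir file }` to match the rest of the module.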
+ kernel_getattr_core_if(bootloader_t)
+ kernel_read_network_state(bootloader_t)
+ kernel_read_system_state(bootloader_t)
+@@ -81,6 +97,8 @@ dev_rw_nvram(bootloader_t)
+
+ fs_getattr_xattr_fs(bootloader_t)
+ fs_getattr_tmpfs(bootloader_t)
++fs_list_hugetlbfs(bootloader_t)
++fs_list_tmpfs(bootloader_t)
+ fs_read_tmpfs_symlinks(bootloader_t)
+ #Needed for ia64
+ fs_manage_dos_files(bootloader_t)
+@@ -89,7 +107,10 @@ mls_file_read_all_levels(bootloader_t)
+ mls_file_write_all_levels(bootloader_t)
+
+ term_getattr_all_ttys(bootloader_t)
++term_getattr_all_ptys(bootloader_t)
+ term_dontaudit_manage_pty_dirs(bootloader_t)
++term_dontaudit_getattr_generic_ptys(bootloader_t)
++term_use_unallocated_ttys(bootloader_t)
+
+ corecmd_exec_all_executables(bootloader_t)
+
+@@ -98,12 +119,14 @@ domain_use_interactive_fds(bootloader_t)
+ files_create_boot_dirs(bootloader_t)
+ files_manage_boot_files(bootloader_t)
+ files_manage_boot_symlinks(bootloader_t)
++files_manage_kernel_modules(bootloader_t)
+ files_read_etc_files(bootloader_t)
+ files_exec_etc_files(bootloader_t)
+ files_read_usr_src_files(bootloader_t)
+ files_read_usr_files(bootloader_t)
+ files_read_var_files(bootloader_t)
+ files_read_kernel_modules(bootloader_t)
++files_read_kernel_symbol_table(bootloader_t)
+ # for nscd
+ files_dontaudit_search_pids(bootloader_t)
+ # for blkid.tab
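Review bot: `files_manage_kernel_modules(bootloader_t)` lets the bootloader domain create, rewrite and delete anything under the kernel-module tree on top of its existing read access, and the hunk gives no reason. Combined with `corecmd_exec_all_executables` and the grub2 scripts that run in this domain, that makes bootloader_t a path to replacing kernel modules, which is kernel-level persistence; if the need is only depmod rewriting the dependency files (depmod runs in this domain via `modutils_exec_depmod` further down), say so and check whether a narrower interface for those files exists. Suggest at least `# depmod runs in this domain and rewrites modules.dep/modules.alias — confirm no narrower interface`.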
+@@ -111,6 +134,8 @@ files_manage_etc_runtime_files(bootloader_t)
+ files_etc_filetrans_etc_runtime(bootloader_t, file)
+ files_dontaudit_search_home(bootloader_t)
+
++
++init_read_state(bootloader_t)
+ init_getattr_initctl(bootloader_t)
+ init_use_script_ptys(bootloader_t)
+ init_use_script_fds(bootloader_t)
+@@ -118,19 +143,20 @@ init_rw_script_pipes(bootloader_t)
+
+ libs_read_lib_files(bootloader_t)
+ libs_exec_lib_files(bootloader_t)
++libs_exec_ld_so(bootloader_t)
+
+-logging_send_syslog_msg(bootloader_t)
+-logging_rw_generic_logs(bootloader_t)
++auth_use_nsswitch(bootloader_t)
+
+-miscfiles_read_localization(bootloader_t)
++logging_send_syslog_msg(bootloader_t)
++logging_manage_generic_logs(bootloader_t)
+
+ modutils_domtrans_insmod(bootloader_t)
+
+ seutil_read_bin_policy(bootloader_t)
+ seutil_read_loadpolicy(bootloader_t)
+-seutil_dontaudit_search_config(bootloader_t)
+
+-userdom_use_user_terminals(bootloader_t)
++userdom_getattr_user_tmp_files(bootloader_t)
++userdom_use_inherited_user_terminals(bootloader_t)
+ userdom_dontaudit_search_user_home_dirs(bootloader_t)
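Review bot: `logging_rw_generic_logs` is replaced by `logging_manage_generic_logs`, which adds create, unlink and rename on every generic log file, so bootloader_t can now remove or replace logs rather than only write to them; nothing in the hunk says which log needs that. If the driver is a specific log (grub2-install or dracut output), a comment naming it would justify the widening, and the old interface plus a create rule might suffice. The removal of `seutil_dontaudit_search_config` and the swap to `userdom_use_inherited_user_terminals` both tighten the domain, and `auth_use_nsswitch` replaces the `nscd_use` that the last hunk of this file removes, which is consistent.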
+
+ ifdef(`distro_debian',`
+@@ -174,6 +200,10 @@ ifdef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ devicekit_dontaudit_read_pid_files(bootloader_t)
++')
++
++optional_policy(`
+ fstools_exec(bootloader_t)
+ ')
+
+@@ -183,6 +213,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gpm_getattr_gpmctl(bootloader_t)
++')
++
++optional_policy(`
++ fsadm_manage_pid(bootloader_t)
++')
++
++optional_policy(`
+ kudzu_domtrans(bootloader_t)
+ ')
+
+@@ -195,17 +233,18 @@ optional_policy(`
+
+ optional_policy(`
+ modutils_exec_insmod(bootloader_t)
+- modutils_read_module_deps(bootloader_t)
+- modutils_read_module_config(bootloader_t)
+- modutils_exec_insmod(bootloader_t)
+ modutils_exec_depmod(bootloader_t)
+ modutils_exec_update_mods(bootloader_t)
++ modutils_domtrans_insmod_uncond(bootloader_t)
++ modutils_list_module_config(bootloader_t)
++ modutils_read_module_deps(bootloader_t)
++ modutils_read_module_config(bootloader_t)
+ ')
+
+ optional_policy(`
+- nscd_use(bootloader_t)
++ rpm_rw_pipes(bootloader_t)
+ ')
+
+ optional_policy(`
+- rpm_rw_pipes(bootloader_t)
++ udev_read_pid_files(bootloader_t)
+ ')
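Review bot: `modutils_domtrans_insmod_uncond(bootloader_t)` is added inside the optional block while the unconditional `modutils_domtrans_insmod(bootloader_t)` remains just above it and `modutils_exec_insmod(bootloader_t)` (run insmod in this domain) stays on the block's first line, so the domain now carries two domtrans variants plus an in-domain exec for the same executable type. With a type_transition in place the `execute_no_trans` from the exec interface only matters if bootloader_t sets an exec context, so the intended behavior should be picked once and noted, e.g. `# insmod: always transition to insmod_t; in-domain exec kept for ...`, or the redundant rule dropped. Replacing `nscd_use` with `auth_use_nsswitch` (earlier hunk) is fine.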
+diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc
+index b7f053b..5d4fc31 100644
+--- a/policy/modules/admin/consoletype.fc
++++ b/policy/modules/admin/consoletype.fc
+@@ -1,2 +1,4 @@
+
+ /sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
++
++/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
+diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
+index 0f57d3b..655d07f 100644
+--- a/policy/modules/admin/consoletype.if
++++ b/policy/modules/admin/consoletype.if
+@@ -19,10 +19,6 @@ interface(`consoletype_domtrans',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, consoletype_exec_t, consoletype_t)
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit consoletype_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
+index cd5e005..247259a 100644
+--- a/policy/modules/admin/consoletype.te
++++ b/policy/modules/admin/consoletype.te
+@@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0)
+
+ type consoletype_t;
+ type consoletype_exec_t;
+-init_domain(consoletype_t, consoletype_exec_t)
+-init_system_domain(consoletype_t, consoletype_exec_t)
++application_domain(consoletype_t, consoletype_exec_t)
++role system_r types consoletype_t;
+
+ ########################################
+ #
+@@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t)
+ mls_file_read_all_levels(consoletype_t)
+ mls_file_write_all_levels(consoletype_t)
+
+-term_use_all_terms(consoletype_t)
++term_use_all_inherited_terms(consoletype_t)
++term_use_ptmx(consoletype_t)
+
+ init_use_fds(consoletype_t)
+ init_use_script_ptys(consoletype_t)
+ init_use_script_fds(consoletype_t)
+ init_rw_script_pipes(consoletype_t)
++init_rw_inherited_script_tmp_files(consoletype_t)
+
+-userdom_use_user_terminals(consoletype_t)
++userdom_use_inherited_user_terminals(consoletype_t)
+
+ ifdef(`distro_redhat',`
+ fs_rw_tmpfs_chr_files(consoletype_t)
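Review bot: `term_use_ptmx(consoletype_t)` grants read/write on the pty multiplexor, which is how new pseudo-terminals are allocated, while the neighbouring change to `term_use_all_inherited_terms` and `userdom_use_inherited_user_terminals` narrows the domain to descriptors it inherits. consoletype only needs to inspect the terminal it was started on, so opening /dev/ptmx looks like more than it needs; if this came from an audit denial, a `dontaudit` is probably the right answer, and either way a comment should say why.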
+@@ -79,16 +81,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- files_read_etc_files(consoletype_t)
+- firstboot_use_fds(consoletype_t)
+- firstboot_rw_pipes(consoletype_t)
++ devicekit_dontaudit_read_pid_files(consoletype_t)
++ devicekit_dontaudit_rw_log(consoletype_t)
+ ')
+
+ optional_policy(`
+- hal_dontaudit_use_fds(consoletype_t)
+- hal_dontaudit_rw_pipes(consoletype_t)
+- hal_dontaudit_rw_dgram_sockets(consoletype_t)
+- hal_dontaudit_write_log(consoletype_t)
++ files_read_etc_files(consoletype_t)
++ firstboot_use_fds(consoletype_t)
++ firstboot_rw_pipes(consoletype_t)
+ ')
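Review bot: `files_read_etc_files(consoletype_t)` is placed inside the `optional_policy` block that also carries the firstboot interfaces, so read access to /etc exists only when the firstboot module is loaded; it is a core files-layer interface and belongs unconditionally with the other `files_*` rules above. The move in this hunk preserves the misplacement from the old block rather than fixing it. Suggest moving `files_read_etc_files(consoletype_t)` out of the block and leaving only `firstboot_use_fds` and `firstboot_rw_pipes` inside.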
+
+ optional_policy(`
+@@ -114,6 +114,7 @@ optional_policy(`
+
+ optional_policy(`
+ userdom_use_unpriv_users_fds(consoletype_t)
++ userdom_dontaudit_rw_dgram_socket(consoletype_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index d6cc2d9..0685b19 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1,2 +1,4 @@
+
+ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++
++/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
+index 72bc6d8..bb4a6f0 100644
+--- a/policy/modules/admin/dmesg.te
++++ b/policy/modules/admin/dmesg.te
+@@ -9,6 +9,10 @@ type dmesg_t;
+ type dmesg_exec_t;
+ init_system_domain(dmesg_t, dmesg_exec_t)
+
++ifdef(`enable_mls',`
++ init_ranged_daemon_domain(dmesg_t, dmesg_exec_t, mls_systemhigh)
++')
++
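Review bot: `init_ranged_daemon_domain(dmesg_t, dmesg_exec_t, mls_systemhigh)` is layered onto a domain declared with `init_system_domain` two lines above, so under `enable_mls` dmesg_t gets both the system-domain and the daemon-domain transitions from init and runs at systemhigh. Running all of dmesg at systemhigh is presumably so it can read the ring buffer at the highest level, but it also means everything dmesg writes to generic logs (`logging_write_generic_logs` below) comes from a systemhigh subject; that interaction should be noted. If this tree has `init_ranged_system_domain`, it matches the existing declaration better than the daemon variant; either way a comment stating why systemhigh is required would help.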
+ ########################################
+ #
+ # Local policy
+@@ -19,14 +23,18 @@ dontaudit dmesg_t self:capability sys_tty_config;
+
+ allow dmesg_t self:process signal_perms;
+
++kernel_read_system_state(dmesg_t)
+ kernel_read_kernel_sysctls(dmesg_t)
+ kernel_read_ring_buffer(dmesg_t)
+ kernel_clear_ring_buffer(dmesg_t)
+ kernel_change_ring_buffer_level(dmesg_t)
+ kernel_list_proc(dmesg_t)
+ kernel_read_proc_symlinks(dmesg_t)
++kernel_dontaudit_write_kernel_sysctl(dmesg_t)
+
+ dev_read_sysfs(dmesg_t)
++dev_read_kmsg(dmesg_t)
++dev_read_raw_memory(dmesg_t)
+
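Review bot: `dev_read_raw_memory(dmesg_t)` grants read on the raw memory devices (/dev/mem, /dev/kmem, /dev/port), exposing all of physical memory, including kernel keys and other processes' secrets, to a utility whose job is to read the kernel ring buffer via syslog(2) or /dev/kmsg; `dev_read_kmsg` on the line above is the right mechanism for that. Unless a dmesg implementation in use really reads /dev/kmem, this should become a dontaudit variant or be dropped, and if it is needed the reason belongs in a comment. `kernel_dontaudit_write_kernel_sysctl(dmesg_t)` is appropriately a dontaudit.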
+ fs_search_auto_mountpoints(dmesg_t)
+
+@@ -44,10 +52,14 @@ init_use_script_ptys(dmesg_t)
+ logging_send_syslog_msg(dmesg_t)
+ logging_write_generic_logs(dmesg_t)
+
+-miscfiles_read_localization(dmesg_t)
++miscfiles_read_hwdata(dmesg_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+-userdom_use_user_terminals(dmesg_t)
++userdom_use_inherited_user_terminals(dmesg_t)
++
++optional_policy(`
++ abrt_rw_inherited_cache(dmesg_t)
++')
+
+ optional_policy(`
+ seutil_sigchld_newrole(dmesg_t)
+diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
+index 407078f..1a09bea 100644
+--- a/policy/modules/admin/netutils.fc
++++ b/policy/modules/admin/netutils.fc
+@@ -1,15 +1,22 @@
+ /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
+-/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
++/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+ /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
+
+ /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
++/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
++/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+-/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/lib/heartbeat/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
++
++/usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
++/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/sbin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
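Review bot: `/usr/lib/heartbeat/send_arp` is labeled with a fixed `/usr/lib` path; on 64-bit layouts the heartbeat library directory is commonly `/usr/lib64/heartbeat`, so the pattern is likely to miss there, and `/usr/lib(64)?/heartbeat/send_arp` would cover both. Labeling `/usr/bin/mtr` and `/usr/sbin/mtr` as traceroute_exec_t puts mtr alongside nmap in traceroute_t, which under `selinuxuser_ping` becomes reachable by confined users; that is consistent with the existing nmap entry but widens what the boolean hands out.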
+diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
+index c6ca761..0c86bfd 100644
+--- a/policy/modules/admin/netutils.if
++++ b/policy/modules/admin/netutils.if
+@@ -42,6 +42,7 @@ interface(`netutils_run',`
+ ')
+
+ netutils_domtrans($1)
++ allow $1 netutils_t:process { signal sigkill };
+ role $2 types netutils_t;
+ ')
+
+@@ -161,6 +162,7 @@ interface(`netutils_run_ping',`
+
+ netutils_domtrans_ping($1)
+ role $2 types ping_t;
++ allow $1 ping_t:process { signal sigkill };
+ ')
+
+ ########################################
+@@ -183,13 +185,14 @@ interface(`netutils_run_ping',`
+ interface(`netutils_run_ping_cond',`
+ gen_require(`
+ type ping_t;
+- bool user_ping;
++ bool selinuxuser_ping;
+ ')
+
+ role $2 types ping_t;
+
+- if ( user_ping ) {
++ if ( selinuxuser_ping ) {
+ netutils_domtrans_ping($1)
++ allow $1 ping_t:process { signal sigkill };
+ }
+ ')
+
+@@ -254,6 +257,7 @@ interface(`netutils_run_traceroute',`
+ ')
+
+ netutils_domtrans_traceroute($1)
++ allow $1 traceroute_t:process { signal sigkill };
+ role $2 types traceroute_t;
+ ')
+
+@@ -277,13 +281,14 @@ interface(`netutils_run_traceroute',`
+ interface(`netutils_run_traceroute_cond',`
+ gen_require(`
+ type traceroute_t;
+- bool user_ping;
++ bool selinuxuser_ping;
+ ')
+
+ role $2 types traceroute_t;
+
+- if( user_ping ) {
++ if( selinuxuser_ping ) {
+ netutils_domtrans_traceroute($1)
++ allow $1 traceroute_t:process { signal sigkill };
+ }
+ ')
+
+diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
+index c44c359..ec441aa 100644
+--- a/policy/modules/admin/netutils.te
++++ b/policy/modules/admin/netutils.te
+@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
+
+ ##
+ ##
+-## Control users use of ping and traceroute
++## Allow confined users the ability to execute the ping and traceroute commands.
+ ##
+ ##
+-gen_tunable(user_ping, false)
++gen_tunable(selinuxuser_ping, false)
+
+ type netutils_t;
+ type netutils_exec_t;
+@@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
+ #
+
+ # Perform network administration operations and have raw access to the network.
+-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
++allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot };
+ dontaudit netutils_t self:capability { dac_override sys_tty_config };
+ allow netutils_t self:process { setcap signal_perms };
+ allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
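Review bot: `chown` is added to netutils_t's capability set with no comment. The likely driver is tcpdump's `-Z` privilege drop handing `-w` capture files to the unprivileged user, but the hunk does not say, and a capability this generic deserves one line: `# chown: tcpdump -Z/-w hands capture files to the drop-privilege user — confirm`.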
+@@ -42,16 +42,17 @@ allow netutils_t self:packet_socket create_socket_perms;
+ allow netutils_t self:udp_socket create_socket_perms;
+ allow netutils_t self:tcp_socket create_stream_socket_perms;
+ allow netutils_t self:socket create_socket_perms;
++allow netutils_t self:netlink_socket create_socket_perms;
+
+ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+
+ kernel_search_proc(netutils_t)
+-kernel_read_network_state(netutils_t)
+ kernel_read_all_sysctls(netutils_t)
++kernel_read_network_state(netutils_t)
++kernel_request_load_module(netutils_t)
+
+-corenet_all_recvfrom_unlabeled(netutils_t)
+ corenet_all_recvfrom_netlabel(netutils_t)
+ corenet_tcp_sendrecv_generic_if(netutils_t)
+ corenet_raw_sendrecv_generic_if(netutils_t)
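Review bot: `kernel_request_load_module(netutils_t)` lets the domain trigger kernel module autoloading, so a tcpdump or arping invocation that names an unusual protocol or interface can pull otherwise-unloaded network modules into the kernel; for a domain already holding net_admin and net_raw that is extra attack surface, and the hunk gives no motivation. If this came from a denial during normal use, the comment should name the module; if it is only noise, `kernel_dontaudit_request_load_module(netutils_t)` is the conventional answer. `corenet_all_recvfrom_unlabeled` is removed here and in the ping and traceroute hunks below, which is fine only if unlabeled-packet access is now granted centrally, and this diff does not show that.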
+@@ -66,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
+ corenet_udp_bind_generic_node(netutils_t)
+
+ dev_read_sysfs(netutils_t)
++dev_read_usbmon_dev(netutils_t)
++dev_write_usbmon_dev(netutils_t)
++dev_rw_generic_usb_dev(netutils_t)
+
+ fs_getattr_xattr_fs(netutils_t)
+
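Review bot: `dev_rw_generic_usb_dev(netutils_t)` grants read and write on every generic USB device node, far broader than the usbmon capture interfaces the two lines above it enable; for tcpdump on usbmon only the `dev_read_usbmon_dev`/`dev_write_usbmon_dev` pair should be needed. If the generic access came from a denial on a libpcap probe, a dontaudit or read-only variant would be the smaller fix; otherwise a comment naming the device class that needs write access is warranted.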
+@@ -82,10 +86,9 @@ auth_use_nsswitch(netutils_t)
+
+ logging_send_syslog_msg(netutils_t)
+
+-miscfiles_read_localization(netutils_t)
+
+ term_dontaudit_use_console(netutils_t)
+-userdom_use_user_terminals(netutils_t)
++userdom_use_inherited_user_terminals(netutils_t)
+ userdom_use_all_users_fds(netutils_t)
+
+ optional_policy(`
+@@ -110,11 +113,10 @@ allow ping_t self:capability { setuid net_raw };
+ allow ping_t self:process { getcap setcap };
+ dontaudit ping_t self:capability sys_tty_config;
+ allow ping_t self:tcp_socket create_socket_perms;
+-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+-allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
++allow ping_t self:rawip_socket create_socket_perms;
++allow ping_t self:packet_socket create_socket_perms;
+ allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+
+-corenet_all_recvfrom_unlabeled(ping_t)
+ corenet_all_recvfrom_netlabel(ping_t)
+ corenet_tcp_sendrecv_generic_if(ping_t)
+ corenet_raw_sendrecv_generic_if(ping_t)
+@@ -124,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t)
+ corenet_tcp_sendrecv_all_ports(ping_t)
+
+ fs_dontaudit_getattr_xattr_fs(ping_t)
++fs_dontaudit_rw_anon_inodefs_files(ping_t)
+
+ domain_use_interactive_fds(ping_t)
+
+@@ -131,14 +134,13 @@ files_read_etc_files(ping_t)
+ files_dontaudit_search_var(ping_t)
+
+ kernel_read_system_state(ping_t)
++kernel_read_network_state(ping_t)
+
+ auth_use_nsswitch(ping_t)
+
+-logging_send_syslog_msg(ping_t)
+-
+-miscfiles_read_localization(ping_t)
++init_rw_inherited_script_tmp_files(ping_t)
+
+-userdom_use_user_terminals(ping_t)
++logging_send_syslog_msg(ping_t)
+
+ ifdef(`hide_broken_symptoms',`
+ init_dontaudit_use_fds(ping_t)
+@@ -149,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
+ ')
+ ')
+
++term_use_all_inherited_terms(ping_t)
++
++tunable_policy(`selinuxuser_ping',`
++ term_use_all_ttys(ping_t)
++ term_use_all_ptys(ping_t)
++',`
++ term_dontaudit_use_all_ttys(ping_t)
++ term_dontaudit_use_all_ptys(ping_t)
++')
++
+ optional_policy(`
+ munin_append_log(ping_t)
+ ')
+
+ optional_policy(`
++ nagios_rw_inerited_tmp_files(ping_t)
++')
++
++optional_policy(`
+ pcmcia_use_cardmgr_fds(ping_t)
+ ')
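Review bot: Under `selinuxuser_ping` the new `tunable_policy` block gives ping_t `term_use_all_ttys` and `term_use_all_ptys`, i.e. read/write/ioctl on every terminal rather than just the inherited one; `term_use_all_inherited_terms` on the line above already covers the user's own terminal, so what the boolean adds is the ability for a net_raw-capable binary to open other users' terminals. Unless a specific case needs it, keep the dontaudit pair in both branches. Also `nagios_rw_inerited_tmp_files(ping_t)` is spelled "inerited"; if nagios.if does not define that exact name the optional block fails to build, so confirm the interface name.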
+
+@@ -161,6 +177,15 @@ optional_policy(`
+ hotplug_use_fds(ping_t)
+ ')
+
++optional_policy(`
++ openshift_rw_inherited_content(ping_t)
++ openshift_dontaudit_rw_inherited_fifo_files(ping_t)
++')
++
++optional_policy(`
++ zabbix_read_tmp(ping_t)
++')
++
+ ########################################
+ #
+ # Traceroute local policy
+@@ -174,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+ kernel_read_system_state(traceroute_t)
+ kernel_read_network_state(traceroute_t)
+
+-corenet_all_recvfrom_unlabeled(traceroute_t)
+ corenet_all_recvfrom_netlabel(traceroute_t)
+ corenet_tcp_sendrecv_generic_if(traceroute_t)
+ corenet_udp_sendrecv_generic_if(traceroute_t)
+@@ -198,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+ domain_use_interactive_fds(traceroute_t)
+
+ files_read_etc_files(traceroute_t)
++files_read_usr_files(traceroute_t)
+ files_dontaudit_search_var(traceroute_t)
+
+ init_use_fds(traceroute_t)
+@@ -206,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
+
+ logging_send_syslog_msg(traceroute_t)
+
+-miscfiles_read_localization(traceroute_t)
+-
+-userdom_use_user_terminals(traceroute_t)
+
+ #rules needed for nmap
+ dev_read_rand(traceroute_t)
+ dev_read_urand(traceroute_t)
+-files_read_usr_files(traceroute_t)
++
++term_use_all_inherited_terms(traceroute_t)
++
++tunable_policy(`selinuxuser_ping',`
++ term_use_all_ttys(traceroute_t)
++ term_use_all_ptys(traceroute_t)
++',`
++ term_dontaudit_use_all_ttys(traceroute_t)
++ term_dontaudit_use_all_ptys(traceroute_t)
++')
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 688abc2..3d89250 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -3,3 +3,4 @@
+
+ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
+diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
+index 03ec5ca..a777e72 100644
+--- a/policy/modules/admin/su.if
++++ b/policy/modules/admin/su.if
+@@ -58,6 +58,7 @@ template(`su_restricted_domain_template', `
+ allow $2 $1_su_t:fifo_file rw_file_perms;
+ allow $2 $1_su_t:process sigchld;
+
++ kernel_getattr_core_if($1_su_t)
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctls($1_su_t)
+ kernel_search_key($1_su_t)
+@@ -86,10 +87,10 @@ template(`su_restricted_domain_template', `
+ # Write to utmp.
+ init_rw_utmp($1_su_t)
+ init_search_script_keys($1_su_t)
++ init_getattr_initctl($1_su_t)
+
+ logging_send_syslog_msg($1_su_t)
+
+- miscfiles_read_localization($1_su_t)
+
+ ifdef(`distro_redhat',`
+ # RHEL5 and possibly newer releases incl. Fedora
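Review bot: Removing `miscfiles_read_localization($1_su_t)` leaves two consecutive blank lines between `logging_send_syslog_msg($1_su_t)` and the `ifdef(`distro_redhat'` block; the same pattern appears where that call is removed at L1883, L1962, L2013 and L2095. Delete one blank line at each site so the rule groups stay separated by a single blank line as elsewhere in these files.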
+@@ -119,11 +120,6 @@ template(`su_restricted_domain_template', `
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ ')
+
+- ifdef(`hide_broken_symptoms',`
+- # dontaudit leaked sockets from parent
+- dontaudit $1_su_t $2:socket_class_set { read write };
+- ')
+-
+ optional_policy(`
+ cron_read_pipes($1_su_t)
+ ')
+@@ -172,14 +168,6 @@ template(`su_role_template',`
+ role $2 types $1_su_t;
+
+ allow $3 $1_su_t:process signal;
+-
+- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+- dontaudit $1_su_t self:capability sys_tty_config;
+- allow $1_su_t self:process { setexec setsched setrlimit };
+- allow $1_su_t self:fifo_file rw_fifo_file_perms;
+- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+- allow $1_su_t self:key { search write };
+-
+ allow $1_su_t $3:key search;
+
+ # Transition from the user domain to this domain.
+@@ -194,125 +182,12 @@ template(`su_role_template',`
+ allow $3 $1_su_t:process sigchld;
+
+ kernel_read_system_state($1_su_t)
+- kernel_read_kernel_sysctls($1_su_t)
+- kernel_search_key($1_su_t)
+- kernel_link_key($1_su_t)
+-
+- # for SSP
+- dev_read_urand($1_su_t)
+-
+- fs_search_auto_mountpoints($1_su_t)
+
+- # needed for pam_rootok
+- selinux_compute_access_vector($1_su_t)
+-
+- auth_domtrans_chk_passwd($1_su_t)
+- auth_dontaudit_read_shadow($1_su_t)
+- auth_use_nsswitch($1_su_t)
+- auth_rw_faillog($1_su_t)
+-
+- corecmd_search_bin($1_su_t)
+-
+- domain_use_interactive_fds($1_su_t)
+-
+- files_read_etc_files($1_su_t)
+- files_read_etc_runtime_files($1_su_t)
+- files_search_var_lib($1_su_t)
+- files_dontaudit_getattr_tmp_dirs($1_su_t)
+-
+- init_dontaudit_use_fds($1_su_t)
+- # Write to utmp.
+- init_rw_utmp($1_su_t)
++ auth_use_pam($1_su_t)
+
+ mls_file_write_all_levels($1_su_t)
+
+ logging_send_syslog_msg($1_su_t)
+-
+- miscfiles_read_localization($1_su_t)
+-
+- userdom_use_user_terminals($1_su_t)
+- userdom_search_user_home_dirs($1_su_t)
+-
+- ifdef(`distro_redhat',`
+- # RHEL5 and possibly newer releases incl. Fedora
+- auth_domtrans_upd_passwd($1_su_t)
+-
+- optional_policy(`
+- locallogin_search_keys($1_su_t)
+- ')
+- ')
+-
+- ifdef(`distro_rhel4',`
+- domain_role_change_exemption($1_su_t)
+- domain_subj_id_change_exemption($1_su_t)
+- domain_obj_id_change_exemption($1_su_t)
+-
+- selinux_get_fs_mount($1_su_t)
+- selinux_validate_context($1_su_t)
+- selinux_compute_create_context($1_su_t)
+- selinux_compute_relabel_context($1_su_t)
+- selinux_compute_user_contexts($1_su_t)
+-
+- # Relabel ttys and ptys.
+- term_relabel_all_ttys($1_su_t)
+- term_relabel_all_ptys($1_su_t)
+- # Close and re-open ttys and ptys to get the fd into the correct domain.
+- term_use_all_ttys($1_su_t)
+- term_use_all_ptys($1_su_t)
+-
+- seutil_read_config($1_su_t)
+- seutil_read_default_contexts($1_su_t)
+-
+- if(secure_mode) {
+- # Only allow transitions to unprivileged user domains.
+- userdom_spec_domtrans_unpriv_users($1_su_t)
+- } else {
+- # Allow transitions to all user domains
+- userdom_spec_domtrans_all_users($1_su_t)
+- }
+-
+- optional_policy(`
+- unconfined_domtrans($1_su_t)
+- unconfined_signal($1_su_t)
+- ')
+- ')
+-
+- ifdef(`hide_broken_symptoms',`
+- # dontaudit leaked sockets from parent
+- dontaudit $1_su_t $3:socket_class_set { read write };
+- ')
+-
+- tunable_policy(`allow_polyinstantiation',`
+- fs_mount_xattr_fs($1_su_t)
+- fs_unmount_xattr_fs($1_su_t)
+- ')
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_search_nfs($1_su_t)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_search_cifs($1_su_t)
+- ')
+-
+- optional_policy(`
+- cron_read_pipes($1_su_t)
+- ')
+-
+- optional_policy(`
+- kerberos_use($1_su_t)
+- ')
+-
+- optional_policy(`
+- # used when the password has expired
+- usermanage_read_crack_db($1_su_t)
+- ')
+-
+- # Modify .Xauthority file (via xauth program).
+- optional_policy(`
+- xserver_user_home_dir_filetrans_user_xauth($1_su_t)
+- xserver_domtrans_xauth($1_su_t)
+- ')
+ ')
+
+ #######################################
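Review bot: `auth_use_pam($1_su_t)` replaces `auth_domtrans_chk_passwd`, `auth_dontaudit_read_shadow`, `auth_use_nsswitch` and `auth_rw_faillog`, but `auth_rw_faillog` and the shadow dontaudit are not re-added for `su_domain_type` in the su.te hunk either, so confirm `auth_use_pam` grants them or that su no longer touches faillog. Most other removed rules reappear in su.te against the `su_domain_type` attribute, which means this template is now complete only if `$1_su_t` carries that attribute; the type/typeattribute declaration for `$1_su_t` is outside the hunk, so please verify. A one-line comment next to the remaining `kernel_read_system_state` / `auth_use_pam` pair, e.g. `# rules common to all su domains live in su.te under su_domain_type`, would save the next reader the search.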
+diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
+index 85bb77e..5f38282 100644
+--- a/policy/modules/admin/su.te
++++ b/policy/modules/admin/su.te
+@@ -9,3 +9,82 @@ attribute su_domain_type;
+
+ type su_exec_t;
+ corecmd_executable_file(su_exec_t)
++
++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
++dontaudit su_domain_type self:capability sys_tty_config;
++allow su_domain_type self:process { setexec setsched setrlimit };
++allow su_domain_type self:fifo_file rw_fifo_file_perms;
++allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
++allow su_domain_type self:key { search write };
++
++kernel_read_kernel_sysctls(su_domain_type)
++kernel_search_key(su_domain_type)
++kernel_link_key(su_domain_type)
++
++# for SSP
++dev_read_urand(su_domain_type)
++dev_dontaudit_getattr_all(su_domain_type)
++
++fs_search_auto_mountpoints(su_domain_type)
++
++# needed for pam_rootok
++selinux_compute_access_vector(su_domain_type)
++
++corecmd_search_bin(su_domain_type)
++
++domain_use_interactive_fds(su_domain_type)
++
++files_read_etc_files(su_domain_type)
++files_read_etc_runtime_files(su_domain_type)
++files_search_var_lib(su_domain_type)
++files_dontaudit_getattr_tmp_dirs(su_domain_type)
++
++init_dontaudit_use_fds(su_domain_type)
++# Write to utmp.
++init_rw_utmp(su_domain_type)
++init_read_state(su_domain_type)
++
++userdom_use_user_terminals(su_domain_type)
++userdom_search_user_home_dirs(su_domain_type)
++userdom_search_admin_dir(su_domain_type)
++
++ifdef(`distro_redhat',`
++ # RHEL5 and possibly newer releases incl. Fedora
++ auth_domtrans_upd_passwd(su_domain_type)
++
++ optional_policy(`
++ locallogin_search_keys(su_domain_type)
++ ')
++')
++
++tunable_policy(`polyinstantiation_enabled',`
++ fs_mount_xattr_fs(su_domain_type)
++ fs_unmount_xattr_fs(su_domain_type)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_search_nfs(su_domain_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(su_domain_type)
++')
++
++optional_policy(`
++ cron_read_pipes(su_domain_type)
++')
++
++optional_policy(`
++ kerberos_use(su_domain_type)
++')
++
++optional_policy(`
++ # used when the password has expired
++ usermanage_read_crack_db(su_domain_type)
++')
++
++# Modify .Xauthority file (via xauth program).
++optional_policy(`
++ xserver_user_home_dir_filetrans_user_xauth(su_domain_type)
++ xserver_domtrans_xauth(su_domain_type)
++')
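Review bot: These rules are attached to the `su_domain_type` attribute, so they apply to every domain carrying it, including the one created by `su_restricted_domain_template`; the capability set removed from `su_role_template` at L1059 (`audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource`) plus the new `userdom_search_admin_dir` and `dev_dontaudit_getattr_all` grants now reach the restricted domain too, and whether it already had them is outside the hunk — confirm that widening is intended. The `# for SSP` comment now sits above both `dev_read_urand` and the unrelated `dev_dontaudit_getattr_all`; move the dontaudit out from under it. The boolean changed from `allow_polyinstantiation` (removed in su.if at L1162) to `polyinstantiation_enabled` here; the global_tunables declaration is not in this chunk, so check the two names match or the `tunable_policy` block will not build.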
+diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
+index 7bddc02..2b59ed0 100644
+--- a/policy/modules/admin/sudo.fc
++++ b/policy/modules/admin/sudo.fc
+@@ -1,2 +1,4 @@
+
+ /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
++
++/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index 0960199..aa51ab2 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -32,6 +32,7 @@ template(`sudo_role_template',`
+
+ gen_require(`
+ type sudo_exec_t;
++ type sudo_db_t;
+ attribute sudodomain;
+ ')
+
+@@ -45,27 +46,13 @@ template(`sudo_role_template',`
+ domain_interactive_fd($1_sudo_t)
+ domain_role_change_exemption($1_sudo_t)
+ role $2 types $1_sudo_t;
++ userdom_home_manager($1_sudo_t)
+
+- ##############################
+- #
+- # Local Policy
+- #
++ type $1_sudo_tmp_t;
++ files_tmp_file($1_sudo_tmp_t)
+
+- # Use capabilities.
+- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+- allow $1_sudo_t self:process { setexec setrlimit };
+- allow $1_sudo_t self:fd use;
+- allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
+- allow $1_sudo_t self:shm create_shm_perms;
+- allow $1_sudo_t self:sem create_sem_perms;
+- allow $1_sudo_t self:msgq create_msgq_perms;
+- allow $1_sudo_t self:msg { send receive };
+- allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
+- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_sudo_t self:unix_dgram_socket sendto;
+- allow $1_sudo_t self:unix_stream_socket connectto;
+- allow $1_sudo_t self:key manage_key_perms;
++ allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
++ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
+
+ allow $1_sudo_t $3:key search;
+
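Review bot: `userdom_home_manager($1_sudo_t)` is inserted between `role $2 types $1_sudo_t;` and the new `type $1_sudo_tmp_t;` declaration, splitting the declaration section; move it down with the other rules or above the role line. It is also a broad grant that overlaps `userdom_manage_user_home_content_files`/`_symlinks(sudodomain)` in sudo.te, so one of the two is redundant. If the template-level call is meant to replace the `use_nfs_home_dirs`/`use_samba_home_dirs` tunable blocks dropped from this template (`fs_manage_nfs_files`, `fs_manage_cifs_files`), say so in a comment, e.g. `# home content incl. the nfs/cifs home tunables — confirm userdom_home_manager covers them`.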
+@@ -75,88 +62,30 @@ template(`sudo_role_template',`
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_sudo_t, $3)
+ corecmd_bin_domtrans($1_sudo_t, $3)
++ userdom_domtrans_user_home($1_sudo_t, $3)
++ userdom_domtrans_user_tmp($1_sudo_t, $3)
++ domain_entry_file($3, sudo_exec_t)
++ domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)
++
+ allow $3 $1_sudo_t:fd use;
+ allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
+ allow $3 $1_sudo_t:process signal_perms;
+
+- kernel_read_kernel_sysctls($1_sudo_t)
+ kernel_read_system_state($1_sudo_t)
+- kernel_link_key($1_sudo_t)
+-
+- corecmd_read_bin_symlinks($1_sudo_t)
+- corecmd_exec_all_executables($1_sudo_t)
+-
+- dev_getattr_fs($1_sudo_t)
+- dev_read_urand($1_sudo_t)
+- dev_rw_generic_usb_dev($1_sudo_t)
+- dev_read_sysfs($1_sudo_t)
+-
+- domain_use_interactive_fds($1_sudo_t)
+- domain_sigchld_interactive_fds($1_sudo_t)
+- domain_getattr_all_entry_files($1_sudo_t)
+-
+- files_read_etc_files($1_sudo_t)
+- files_read_var_files($1_sudo_t)
+- files_read_usr_symlinks($1_sudo_t)
+- files_getattr_usr_files($1_sudo_t)
+- # for some PAM modules and for cwd
+- files_dontaudit_search_home($1_sudo_t)
+- files_list_tmp($1_sudo_t)
+-
+- fs_search_auto_mountpoints($1_sudo_t)
+- fs_getattr_xattr_fs($1_sudo_t)
+-
+- selinux_validate_context($1_sudo_t)
+- selinux_compute_relabel_context($1_sudo_t)
+-
+- term_getattr_pty_fs($1_sudo_t)
+- term_relabel_all_ttys($1_sudo_t)
+- term_relabel_all_ptys($1_sudo_t)
++ seutil_libselinux_linked($1_sudo_t)
+
+ auth_run_chk_passwd($1_sudo_t, $2)
+- # sudo stores a token in the pam_pid directory
+- auth_manage_pam_pid($1_sudo_t)
+ auth_use_nsswitch($1_sudo_t)
+
+- init_rw_utmp($1_sudo_t)
+-
+- logging_send_audit_msgs($1_sudo_t)
+ logging_send_syslog_msg($1_sudo_t)
+
+- miscfiles_read_localization($1_sudo_t)
+-
+- seutil_search_default_contexts($1_sudo_t)
+- seutil_libselinux_linked($1_sudo_t)
+-
+- userdom_spec_domtrans_all_users($1_sudo_t)
+- userdom_create_all_users_keys($1_sudo_t)
+- userdom_manage_user_home_content_files($1_sudo_t)
+- userdom_manage_user_home_content_symlinks($1_sudo_t)
+- userdom_manage_user_tmp_files($1_sudo_t)
+- userdom_manage_user_tmp_symlinks($1_sudo_t)
+- userdom_use_user_terminals($1_sudo_t)
+- # for some PAM modules and for cwd
+- userdom_dontaudit_search_user_home_content($1_sudo_t)
+- userdom_dontaudit_search_user_home_dirs($1_sudo_t)
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit $1_sudo_t $3:socket_class_set { read write };
+- ')
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files($1_sudo_t)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files($1_sudo_t)
+- ')
+-
+ optional_policy(`
+- dbus_system_bus_client($1_sudo_t)
++ mta_role($2, $1_sudo_t)
+ ')
+
+ optional_policy(`
+- fprintd_dbus_chat($1_sudo_t)
++ kerberos_manage_host_rcache($1_sudo_t)
++ kerberos_read_config($1_sudo_t)
+ ')
+
+ ')
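Review bot: `domain_entry_file($3, sudo_exec_t)` together with `domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)` makes `sudo_exec_t` an entry point of every user domain passed as `$3` and sends a re-exec of sudo from `$1_sudo_t` back into `$3`; likewise `userdom_domtrans_user_home`/`userdom_domtrans_user_tmp` run user-writable executables in `$3` rather than in the sudo domain. Those processes still carry whatever UID sudo set, so the intent deserves a comment above the block, e.g. `# commands sudo starts from home/tmp, or by re-executing sudo, run in the caller's domain $3, not in $1_sudo_t`. The removed `userdom_spec_domtrans_all_users` and `seutil_search_default_contexts` reappear in sudo.te as `userdom_spec_domtrans_all_users(sudodomain)` and `seutil_read_default_contexts(sudodomain)` (read is wider than search); the template relies on `$1_sudo_t` carrying `sudodomain`, whose typeattribute line is outside the hunk.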
+@@ -178,3 +107,22 @@ interface(`sudo_sigchld',`
+
+ allow $1 sudodomain:process sigchld;
+ ')
++
++#######################################
++##
++## Allow execute sudo in called domain.
++## This interfaces is added for nova-stack policy.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sudo_exec',`
++ gen_require(`
++ type sudo_exec_t;
++ ')
++
++ can_exec($1, sudo_exec_t)
++')
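Review bot: The summary text `Allow execute sudo in called domain. This interfaces is added for nova-stack policy.` is ungrammatical and ties a generic interface to one consumer; suggest `## Execute sudo in the caller domain (no domain transition).` and move the consumer note to the commit message. Since `can_exec($1, sudo_exec_t)` deliberately does not transition while the template-based rules in this file do, stating that in the summary keeps callers from picking the wrong one.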
+diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
+index d9fce57..5c4a213 100644
+--- a/policy/modules/admin/sudo.te
++++ b/policy/modules/admin/sudo.te
+@@ -7,3 +7,110 @@ attribute sudodomain;
+
+ type sudo_exec_t;
+ application_executable_file(sudo_exec_t)
++
++type sudo_db_t;
++files_type(sudo_db_t)
++mls_trusted_object(sudo_db_t)
++
++manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t)
++manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t)
++
++##############################
++#
++# Local Policy
++#
++
++# Use capabilities.
++allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
++dontaudit sudodomain self:capability net_admin;
++allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow sudodomain self:process { setexec setrlimit };
++allow sudodomain self:fd use;
++allow sudodomain self:fifo_file rw_fifo_file_perms;
++allow sudodomain self:shm create_shm_perms;
++allow sudodomain self:sem create_sem_perms;
++allow sudodomain self:msgq create_msgq_perms;
++allow sudodomain self:msg { send receive };
++allow sudodomain self:unix_dgram_socket create_socket_perms;
++allow sudodomain self:unix_stream_socket create_stream_socket_perms;
++allow sudodomain self:unix_dgram_socket sendto;
++allow sudodomain self:unix_stream_socket connectto;
++allow sudodomain self:key manage_key_perms;
++allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;
++
++kernel_getattr_core_if(sudodomain)
++kernel_link_key(sudodomain)
++kernel_read_kernel_sysctls(sudodomain)
++
++corecmd_read_bin_symlinks(sudodomain)
++corecmd_exec_all_executables(sudodomain)
++
++dev_getattr_fs(sudodomain)
++dev_read_urand(sudodomain)
++dev_rw_generic_usb_dev(sudodomain)
++dev_read_sysfs(sudodomain)
++dev_dontaudit_getattr_all(sudodomain)
++
++domain_use_interactive_fds(sudodomain)
++domain_sigchld_interactive_fds(sudodomain)
++domain_getattr_all_entry_files(sudodomain)
++
++files_read_etc_files(sudodomain)
++files_read_var_files(sudodomain)
++files_read_usr_files(sudodomain)
++# for some PAM modules and for cwd
++files_dontaudit_search_home(sudodomain)
++files_list_tmp(sudodomain)
++
++fs_search_auto_mountpoints(sudodomain)
++fs_getattr_all_fs(sudodomain)
++
++selinux_validate_context(sudodomain)
++selinux_compute_relabel_context(sudodomain)
++
++term_getattr_pty_fs(sudodomain)
++term_relabel_all_ttys(sudodomain)
++term_relabel_all_ptys(sudodomain)
++
++#auth_run_chk_passwd(sudodomain)
++# sudo stores a token in the pam_pid directory
++auth_manage_pam_pid(sudodomain)
++auth_manage_faillog(sudodomain)
++
++application_signal(sudodomain)
++
++init_rw_utmp(sudodomain)
++
++logging_send_audit_msgs(sudodomain)
++logging_set_audit_parameters(sudodomain)
++
++seutil_read_default_contexts(sudodomain)
++
++userdom_spec_domtrans_all_users(sudodomain)
++userdom_manage_user_home_content_files(sudodomain)
++userdom_manage_user_home_content_symlinks(sudodomain)
++userdom_manage_user_tmp_files(sudodomain)
++userdom_manage_user_tmp_symlinks(sudodomain)
++userdom_use_user_terminals(sudodomain)
++userdom_signal_all_users(sudodomain)
++userdom_exec_user_home_content_files(sudodomain)
++# for some PAM modules and for cwd
++userdom_search_user_home_content(sudodomain)
++userdom_search_admin_dir(sudodomain)
++userdom_manage_all_users_keys(sudodomain)
++
++tunable_policy(`authlogin_yubikey',`
++ auth_manage_home_content(sudodomain)
++')
++
++optional_policy(`
++ dbus_system_bus_client(sudodomain)
++
++ optional_policy(`
++ systemd_dbus_chat_logind(sudodomain)
++ ')
++')
++
++optional_policy(`
++ fprintd_dbus_chat(sudodomain)
++')
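Review bot: `#auth_run_chk_passwd(sudodomain)` is commented-out code and has the wrong arity anyway (the role form `auth_run_chk_passwd($1_sudo_t, $2)` at L1385 is what runs); delete the line. `mls_trusted_object(sudo_db_t)` exempts the `/var/db/sudo` type from MLS constraints and deserves a one-line why-comment, e.g. `# sudo timestamp state is written from any level — confirm`. `logging_set_audit_parameters(sudodomain)` and `userdom_manage_all_users_keys(sudodomain)` are wider than what this file previously granted (`logging_send_audit_msgs`, `userdom_create_all_users_keys`), so a comment naming the sudo feature that needs each would let reviewers judge the widening.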
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index f82f0ce..204bdc8 100644
+--- a/policy/modules/admin/usermanage.fc
++++ b/policy/modules/admin/usermanage.fc
+@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',`
+ /usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/usr/sbin/newusers -- gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
+diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
+index 99e3903..fa68362 100644
+--- a/policy/modules/admin/usermanage.if
++++ b/policy/modules/admin/usermanage.if
+@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chfn_exec_t, chfn_t)
+-
+- ifdef(`hide_broken_symptoms',`
+- dontaudit chfn_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+@@ -42,6 +38,7 @@ interface(`usermanage_domtrans_chfn',`
+ interface(`usermanage_run_chfn',`
+ gen_require(`
+ attribute_role chfn_roles;
++ type chfn_t;
+ ')
+
+ usermanage_domtrans_chfn($1)
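Review bot: The new `type chfn_t;` line is placed after `attribute_role chfn_roles;` in this `gen_require`, while the parallel additions at L1640, L1659 and L1693 put the `type` line first and L1712 puts it last again; pick one order and apply it to all five. Nothing in the visible hunk uses `chfn_t`, so the require presumably serves a line later in `usermanage_run_chfn` that is outside this hunk; confirm it is actually referenced.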
+@@ -65,10 +62,25 @@ interface(`usermanage_domtrans_groupadd',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupadd_exec_t, groupadd_t)
++')
+
+- ifdef(`hide_broken_symptoms',`
+- dontaudit groupadd_t $1:socket_class_set { read write };
++########################################
++##
++## Check access to the groupadd executable.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`usermanage_access_check_groupadd',`
++ gen_require(`
++ type groupadd_exec_t;
+ ')
++
++ corecmd_search_bin($1)
++ allow $1 groupadd_exec_t:file { getattr_file_perms execute };
+ ')
+
+ ########################################
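Review bot: `usermanage_access_check_groupadd` grants `{ getattr_file_perms execute }` on `groupadd_exec_t` with no transition, the same shape as the existing `usermanage_check_exec_passwd`/`usermanage_check_exec_useradd` interfaces whose headers appear as context at L1655 and L1708; if those grant the same permissions, the new `usermanage_access_check_passwd` (L1675) and `usermanage_access_check_useradd` (L1728) duplicate them under a second name, and only groupadd lacked a `check_exec` form. Either reuse the `check_exec` naming for groupadd or document in each summary how `access_check` differs, e.g. `## Check access to the groupadd executable (getattr and execute, no domain transition).`; also add the trailing period the passwd summary at L1667 is missing.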
+@@ -90,6 +102,7 @@ interface(`usermanage_domtrans_groupadd',`
+ #
+ interface(`usermanage_run_groupadd',`
+ gen_require(`
++ type groupadd_t;
+ attribute_role groupadd_roles;
+ ')
+
+@@ -114,10 +127,6 @@ interface(`usermanage_domtrans_passwd',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, passwd_exec_t, passwd_t)
+-
+- ifdef(`hide_broken_symptoms',`
+- dontaudit passwd_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+@@ -174,6 +183,7 @@ interface(`usermanage_check_exec_passwd',`
+ #
+ interface(`usermanage_run_passwd',`
+ gen_require(`
++ type passwd_t;
+ attribute_role passwd_roles;
+ ')
+
+@@ -183,6 +193,25 @@ interface(`usermanage_run_passwd',`
+
+ ########################################
+ ##
++## Check access to the passwd executable
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`usermanage_access_check_passwd',`
++ gen_require(`
++ type passwd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 passwd_exec_t:file { getattr_file_perms execute };
++')
++
++########################################
++##
+ ## Execute password admin functions in
+ ## the admin passwd domain.
+ ##
+@@ -221,6 +250,7 @@ interface(`usermanage_domtrans_admin_passwd',`
+ #
+ interface(`usermanage_run_admin_passwd',`
+ gen_require(`
++ type sysadm_passwd_t;
+ attribute_role sysadm_passwd_roles;
+ ')
+
+@@ -263,10 +293,6 @@ interface(`usermanage_domtrans_useradd',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, useradd_exec_t, useradd_t)
+-
+- ifdef(`hide_broken_symptoms',`
+- dontaudit useradd_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+@@ -307,6 +333,7 @@ interface(`usermanage_check_exec_useradd',`
+ interface(`usermanage_run_useradd',`
+ gen_require(`
+ attribute_role useradd_roles;
++ type useradd_t;
+ ')
+
+ usermanage_domtrans_useradd($1)
+@@ -315,6 +342,25 @@ interface(`usermanage_run_useradd',`
+
+ ########################################
+ ##
++## Check access to the useradd executable.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`usermanage_access_check_useradd',`
++ gen_require(`
++ type useradd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 useradd_exec_t:file { getattr_file_perms execute };
++')
++
++########################################
++##
+ ## Read the crack database.
+ ##
+ ##
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 1d732f1..4aef39e 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -26,6 +26,7 @@ type chfn_exec_t;
+ domain_obj_id_change_exemption(chfn_t)
+ application_domain(chfn_t, chfn_exec_t)
+ role chfn_roles types chfn_t;
++role system_r types chfn_t;
+
+ type crack_t;
+ type crack_exec_t;
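Review bot: `role system_r types chfn_t;` lets chfn_t run under the system role without a comment saying which system-role caller needs it; the interactive roles are already covered by `role chfn_roles types chfn_t;` just above. Please add a why-comment with the real caller, e.g. `# chfn_t is also entered from system_r by <caller>`, or drop the line if no system_r domain transitions to chfn_t.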
+@@ -44,9 +45,11 @@ domain_obj_id_change_exemption(groupadd_t)
+ init_system_domain(groupadd_t, groupadd_exec_t)
+ role groupadd_roles types groupadd_t;
+
++
+ type passwd_t;
+ type passwd_exec_t;
+ domain_obj_id_change_exemption(passwd_t)
++domain_system_change_exemption(passwd_t)
+ application_domain(passwd_t, passwd_exec_t)
+ role passwd_roles types passwd_t;
+
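Review bot: `domain_system_change_exemption(passwd_t)` exempts the domain from the constraint on changing the SELinux user identity and is added without explanation; the same is done for useradd_t at L1770. A one-line comment naming the operation that trips the constraint would let reviewers judge it, e.g. `# <operation> creates/relabels objects as system_u — confirm`. The blank line added at L1758 leaves two consecutive blank lines before `type passwd_t;`.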
+@@ -61,9 +64,13 @@ files_tmp_file(sysadm_passwd_tmp_t)
+ type useradd_t;
+ type useradd_exec_t;
+ domain_obj_id_change_exemption(useradd_t)
++domain_system_change_exemption(useradd_t)
+ init_system_domain(useradd_t, useradd_exec_t)
+ role useradd_roles types useradd_t;
+
++type useradd_var_run_t;
++files_pid_file(useradd_var_run_t)
++
+ ########################################
+ #
+ # Chfn local policy
+@@ -86,6 +93,7 @@ allow chfn_t self:unix_stream_socket connectto;
+
+ kernel_read_system_state(chfn_t)
+ kernel_read_kernel_sysctls(chfn_t)
++kernel_dontaudit_getattr_core_if(chfn_t)
+
+ selinux_get_fs_mount(chfn_t)
+ selinux_validate_context(chfn_t)
+@@ -94,25 +102,29 @@ selinux_compute_create_context(chfn_t)
+ selinux_compute_relabel_context(chfn_t)
+ selinux_compute_user_contexts(chfn_t)
+
+-term_use_all_ttys(chfn_t)
+-term_use_all_ptys(chfn_t)
++term_use_all_inherited_ttys(chfn_t)
++term_use_all_inherited_ptys(chfn_t)
++term_getattr_all_ptys(chfn_t)
+
+ fs_getattr_xattr_fs(chfn_t)
+ fs_search_auto_mountpoints(chfn_t)
+
+ # for SSP
+ dev_read_urand(chfn_t)
++dev_dontaudit_getattr_all(chfn_t)
+
++auth_manage_passwd(chfn_t)
++auth_use_pam(chfn_t)
+ auth_run_chk_passwd(chfn_t, chfn_roles)
+-auth_dontaudit_read_shadow(chfn_t)
+-auth_use_nsswitch(chfn_t)
++#auth_dontaudit_read_shadow(chfn_t)
++#auth_use_nsswitch(chfn_t)
+
+ # allow checking if a shell is executable
+ corecmd_check_exec_shell(chfn_t)
++corecmd_exec_bin(chfn_t)
+
+ domain_use_interactive_fds(chfn_t)
+
+-files_manage_etc_files(chfn_t)
+ files_read_etc_runtime_files(chfn_t)
+ files_dontaudit_search_var(chfn_t)
+ files_dontaudit_search_home(chfn_t)
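Review bot: `#auth_dontaudit_read_shadow(chfn_t)` and `#auth_use_nsswitch(chfn_t)` are commented-out rules, not documentation; delete them, and if `auth_use_pam(chfn_t)` above is what supersedes nsswitch, say so (`# auth_use_pam covers nsswitch`). Replacing `files_manage_etc_files(chfn_t)` with `auth_manage_passwd(chfn_t)` is a real tightening (write access to the passwd file type instead of every etc file) and is worth a one-line comment so it is not later reverted as a regression.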
+@@ -120,13 +132,15 @@ files_dontaudit_search_home(chfn_t)
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it. Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(chfn_t)
+-
+-miscfiles_read_localization(chfn_t)
++init_dontaudit_getattr_initctl(chfn_t)
+
+ logging_send_syslog_msg(chfn_t)
+
+ seutil_read_file_contexts(chfn_t)
+
++userdom_manage_user_tmp_files(chfn_t)
++userdom_tmp_filetrans_user_tmp(chfn_t, { file })
++
+ userdom_use_unpriv_users_fds(chfn_t)
+ # user generally runs this from their home directory, so do not audit a search
+ # on user home dir
+@@ -136,6 +150,16 @@ optional_policy(`
+ nscd_run(chfn_t, chfn_roles)
+ ')
+
++optional_policy(`
++ rssh_exec(chfn_t)
++')
++
++optional_policy(`
++ # allow to exec tmux
++ screen_exec(chfn_t)
++')
++
++
+ ########################################
+ #
+ # Crack local policy
+@@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t)
+ selinux_compute_relabel_context(groupadd_t)
+ selinux_compute_user_contexts(groupadd_t)
+
+-term_use_all_ttys(groupadd_t)
+-term_use_all_ptys(groupadd_t)
++term_use_all_inherited_terms(groupadd_t)
++term_getattr_all_ptys(groupadd_t)
+
+ init_use_fds(groupadd_t)
+ init_read_utmp(groupadd_t)
+@@ -221,8 +245,8 @@ init_dontaudit_write_utmp(groupadd_t)
+
+ domain_use_interactive_fds(groupadd_t)
+
+-files_manage_etc_files(groupadd_t)
+ files_relabel_etc_files(groupadd_t)
++files_read_etc_files(groupadd_t)
+ files_read_etc_runtime_files(groupadd_t)
+ files_read_usr_symlinks(groupadd_t)
+
+@@ -232,14 +256,14 @@ corecmd_exec_bin(groupadd_t)
+ logging_send_audit_msgs(groupadd_t)
+ logging_send_syslog_msg(groupadd_t)
+
+-miscfiles_read_localization(groupadd_t)
+
+ auth_run_chk_passwd(groupadd_t, groupadd_roles)
+ auth_rw_lastlog(groupadd_t)
+ auth_use_nsswitch(groupadd_t)
++auth_manage_passwd(groupadd_t)
++auth_manage_shadow(groupadd_t)
+ # these may be unnecessary due to the above
+ # domtrans_chk_passwd() call.
+-auth_manage_shadow(groupadd_t)
+ auth_relabel_shadow(groupadd_t)
+ auth_etc_filetrans_shadow(groupadd_t)
+
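Review bot: `auth_manage_shadow(groupadd_t)` was moved above the comment `# these may be unnecessary due to the above domtrans_chk_passwd() call.`, so the comment now covers only `auth_relabel_shadow`/`auth_etc_filetrans_shadow` while the most sensitive grant escaped it; the comment also names `domtrans_chk_passwd` although the call above is `auth_run_chk_passwd`. Either keep `auth_manage_shadow` under the comment or reword it, e.g. `# shadow relabel/filetrans may be unnecessary given auth_run_chk_passwd() above`. Removing `miscfiles_read_localization` at L1883 also leaves a double blank line.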
+@@ -273,7 +297,7 @@ optional_policy(`
+ # Passwd local policy
+ #
+
+-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
++allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };
+ dontaudit passwd_t self:capability sys_tty_config;
+ allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow passwd_t self:process { setrlimit setfscreate };
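Review bot: `ipc_lock` is added to passwd_t's capability set without a comment, and a capability added to a setuid-root helper should say what triggered it. If it is the usual mlock()-the-password-buffer case, note it inline, e.g. `# ipc_lock: mlock() of the password buffer — confirm against the denial`, so the next reviewer does not have to rediscover it from audit logs.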
+@@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
+ allow passwd_t self:sem create_sem_perms;
+ allow passwd_t self:msgq create_msgq_perms;
+ allow passwd_t self:msg { send receive };
++allow passwd_t self:netlink_selinux_socket create_socket_perms;
+
+ allow passwd_t crack_db_t:dir list_dir_perms;
+ read_files_pattern(passwd_t, crack_db_t, crack_db_t)
+@@ -296,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t)
+
+ # for SSP
+ dev_read_urand(passwd_t)
++dev_dontaudit_getattr_all(passwd_t)
+
+ fs_getattr_xattr_fs(passwd_t)
+ fs_search_auto_mountpoints(passwd_t)
+@@ -310,26 +336,32 @@ selinux_compute_create_context(passwd_t)
+ selinux_compute_relabel_context(passwd_t)
+ selinux_compute_user_contexts(passwd_t)
+
+-term_use_all_ttys(passwd_t)
+-term_use_all_ptys(passwd_t)
++term_use_all_inherited_terms(passwd_t)
++term_getattr_all_ptys(passwd_t)
+
+ auth_run_chk_passwd(passwd_t, passwd_roles)
++auth_manage_passwd(passwd_t)
+ auth_manage_shadow(passwd_t)
+ auth_relabel_shadow(passwd_t)
+ auth_etc_filetrans_shadow(passwd_t)
+-auth_use_nsswitch(passwd_t)
++auth_use_pam(passwd_t)
+
+ # allow checking if a shell is executable
+ corecmd_check_exec_shell(passwd_t)
++corecmd_exec_bin(passwd_t)
++
++corenet_tcp_connect_kerberos_password_port(passwd_t)
+
+ domain_use_interactive_fds(passwd_t)
+
+ files_read_etc_runtime_files(passwd_t)
+-files_manage_etc_files(passwd_t)
++files_read_usr_files(passwd_t)
+ files_search_var(passwd_t)
+ files_dontaudit_search_pids(passwd_t)
+ files_relabel_etc_files(passwd_t)
+
++term_search_ptys(passwd_t)
++
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it. Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(passwd_t)
+@@ -338,12 +370,11 @@ init_use_fds(passwd_t)
+ logging_send_audit_msgs(passwd_t)
+ logging_send_syslog_msg(passwd_t)
+
+-miscfiles_read_localization(passwd_t)
+
+ seutil_read_config(passwd_t)
+ seutil_read_file_contexts(passwd_t)
+
+-userdom_use_user_terminals(passwd_t)
++userdom_use_inherited_user_terminals(passwd_t)
+ userdom_use_unpriv_users_fds(passwd_t)
+ # make sure that getcon succeeds
+ userdom_getattr_all_users(passwd_t)
+@@ -352,6 +383,15 @@ userdom_read_user_tmp_files(passwd_t)
+ # user generally runs this from their home directory, so do not audit a search
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(passwd_t)
++userdom_stream_connect(passwd_t)
++userdom_rw_stream(passwd_t)
++
++optional_policy(`
++ gnome_exec_keyringd(passwd_t)
++ gnome_manage_cache_home_dir(passwd_t)
++ gnome_manage_generic_cache_sockets(passwd_t)
++ gnome_stream_connect_gkeyringd(passwd_t)
++')
+
+ optional_policy(`
+ nscd_run(passwd_t, passwd_roles)
+@@ -401,9 +441,10 @@ dev_read_urand(sysadm_passwd_t)
+ fs_getattr_xattr_fs(sysadm_passwd_t)
+ fs_search_auto_mountpoints(sysadm_passwd_t)
+
+-term_use_all_ttys(sysadm_passwd_t)
+-term_use_all_ptys(sysadm_passwd_t)
++term_use_all_inherited_terms(sysadm_passwd_t)
++term_getattr_all_ptys(sysadm_passwd_t)
+
++auth_manage_passwd(sysadm_passwd_t)
+ auth_manage_shadow(sysadm_passwd_t)
+ auth_relabel_shadow(sysadm_passwd_t)
+ auth_etc_filetrans_shadow(sysadm_passwd_t)
+@@ -416,7 +457,6 @@ files_read_usr_files(sysadm_passwd_t)
+
+ domain_use_interactive_fds(sysadm_passwd_t)
+
+-files_manage_etc_files(sysadm_passwd_t)
+ files_relabel_etc_files(sysadm_passwd_t)
+ files_read_etc_runtime_files(sysadm_passwd_t)
+ # for nscd lookups
+@@ -426,12 +466,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+ # correctly without it. Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(sysadm_passwd_t)
+
+-miscfiles_read_localization(sysadm_passwd_t)
+
+ logging_send_syslog_msg(sysadm_passwd_t)
+
+-seutil_dontaudit_search_config(sysadm_passwd_t)
+-
+ userdom_use_unpriv_users_fds(sysadm_passwd_t)
+ # user generally runs this from their home directory, so do not audit a search
+ # on user home dir
+@@ -446,7 +483,8 @@ optional_policy(`
+ # Useradd local policy
+ #
+
+-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
++allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
++
+ dontaudit useradd_t self:capability sys_tty_config;
+ allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow useradd_t self:process setfscreate;
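Review bot: `sys_ptrace` and `sys_chroot` are added to useradd_t's capability set with no comment; together with `domain_dontaudit_read_all_domains_state(useradd_t)` at L2052 this reads like useradd now inspects other users' `/proc/<pid>` entries (sys_ptrace) and supports `--root`/`-R` (sys_chroot), but that is inferred, not shown. Add a why-comment per capability, e.g. `# sys_ptrace: read /proc/<pid> of other users — confirm; sys_chroot: useradd -R — confirm`. The blank line added after the `allow` separates it from the `dontaudit useradd_t self:capability sys_tty_config;` line it belongs with.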
+@@ -461,6 +499,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+ allow useradd_t self:unix_dgram_socket sendto;
+ allow useradd_t self:unix_stream_socket connectto;
+
++manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
++manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
++files_pid_filetrans(useradd_t, useradd_var_run_t, dir)
++
+ # for getting the number of groups
+ kernel_read_kernel_sysctls(useradd_t)
+
+@@ -468,29 +510,28 @@ corecmd_exec_shell(useradd_t)
+ # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
+ corecmd_exec_bin(useradd_t)
+
++kernel_getattr_core_if(useradd_t)
++dev_dontaudit_getattr_all(useradd_t)
++
+ domain_use_interactive_fds(useradd_t)
+ domain_read_all_domains_state(useradd_t)
++domain_dontaudit_read_all_domains_state(useradd_t)
+
+-files_manage_etc_files(useradd_t)
+ files_search_var_lib(useradd_t)
+ files_relabel_etc_files(useradd_t)
+ files_read_etc_runtime_files(useradd_t)
++files_manage_etc_files(useradd_t)
++files_create_var_lib_dirs(useradd_t)
++files_rw_var_lib_dirs(useradd_t)
+
+ fs_search_auto_mountpoints(useradd_t)
+ fs_getattr_xattr_fs(useradd_t)
+
+ mls_file_upgrade(useradd_t)
++mls_process_read_to_clearance(useradd_t)
+
+-# Allow access to context for shadow file
+-selinux_get_fs_mount(useradd_t)
+-selinux_validate_context(useradd_t)
+-selinux_compute_access_vector(useradd_t)
+-selinux_compute_create_context(useradd_t)
+-selinux_compute_relabel_context(useradd_t)
+-selinux_compute_user_contexts(useradd_t)
+-
+-term_use_all_ttys(useradd_t)
+-term_use_all_ptys(useradd_t)
++term_use_all_inherited_terms(useradd_t)
++term_getattr_all_ptys(useradd_t)
+
+ auth_run_chk_passwd(useradd_t, useradd_roles)
+ auth_rw_lastlog(useradd_t)
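Review bot: `domain_dontaudit_read_all_domains_state(useradd_t)` is added directly beneath `domain_read_all_domains_state(useradd_t)`, which appears to allow the same accesses; a dontaudit only suppresses denials, so with the allow present it has no effect and reads as if the two lines were meant as alternatives. Keep one: the allow if useradd really needs other processes' state, or the dontaudit if the accesses are just noise. The removal of the `selinux_validate_context`/`selinux_compute_*` lines is only safe if the semanage interfaces added later in this file cover context validation for `useradd -Z`; a short comment at the removal point would record that. The useradd_t policy continues in later hunks.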
+@@ -498,6 +539,7 @@ auth_rw_faillog(useradd_t)
+ auth_use_nsswitch(useradd_t)
+ # these may be unnecessary due to the above
+ # domtrans_chk_passwd() call.
++auth_manage_passwd(useradd_t)
+ auth_manage_shadow(useradd_t)
+ auth_relabel_shadow(useradd_t)
+ auth_etc_filetrans_shadow(useradd_t)
+@@ -508,33 +550,32 @@ init_rw_utmp(useradd_t)
+ logging_send_audit_msgs(useradd_t)
+ logging_send_syslog_msg(useradd_t)
+
+-miscfiles_read_localization(useradd_t)
++
++seutil_semanage_policy(useradd_t)
++seutil_manage_file_contexts(useradd_t)
++seutil_manage_config(useradd_t)
++seutil_manage_login_config(useradd_t)
++seutil_manage_default_contexts(useradd_t)
+
+ seutil_read_config(useradd_t)
+ seutil_read_file_contexts(useradd_t)
+ seutil_read_default_contexts(useradd_t)
++seutil_get_semanage_trans_lock(useradd_t)
++seutil_get_semanage_read_lock(useradd_t)
+ seutil_run_semanage(useradd_t, useradd_roles)
+ seutil_run_setfiles(useradd_t, useradd_roles)
++seutil_run_loadpolicy(useradd_t, useradd_roles)
+
+ userdom_use_unpriv_users_fds(useradd_t)
+ # Add/remove user home directories
+-userdom_manage_user_home_dirs(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_manage_user_home_content_dirs(useradd_t)
+-userdom_manage_user_home_content_files(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
++userdom_manage_home_role(system_r, useradd_t)
++userdom_delete_all_user_home_content(useradd_t)
+
+ optional_policy(`
+ mta_manage_spool(useradd_t)
+ ')
+
+-ifdef(`distro_redhat',`
+- optional_policy(`
+- unconfined_domain(useradd_t)
+- ')
+-')
+-
+ optional_policy(`
+ apache_manage_all_user_content(useradd_t)
+ ')
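Review bot: The new `seutil_semanage_policy`, `seutil_manage_config`, `seutil_manage_login_config`, `seutil_manage_default_contexts` and `seutil_run_loadpolicy` calls give useradd_t itself write access to the policy store and SELinux configuration plus the ability to load policy, on top of the pre-existing `seutil_run_semanage` transition; since useradd_t is entered from the roles in useradd_roles, anyone who can run useradd can then rewrite policy, which looks like the very privilege the `unconfined_domain(useradd_t)` removal in this hunk takes away. If the in-domain rules exist because `useradd -Z` links libsemanage and edits the store in-process, say so above them, e.g. `# useradd -Z modifies the policy store via libsemanage in-process`; otherwise the domtrans to semanage_t should suffice and the direct manage rules can go. Also `userdom_manage_home_role(system_r, useradd_t)` hard-codes `system_r` while the rest of this block passes `useradd_roles`; check that is intended. The useradd_t policy continues in later hunks.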
+@@ -549,10 +590,19 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ openshift_manage_content(useradd_t)
++')
++
++optional_policy(`
+ puppet_rw_tmp(useradd_t)
+ ')
+
+ optional_policy(`
++ rpc_list_nfs_state_data(useradd_t)
++ rpc_read_nfs_state_data(useradd_t)
++')
++
++optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(useradd_t)
+ ')
+@@ -562,3 +612,12 @@ optional_policy(`
+ rpm_use_fds(useradd_t)
+ rpm_rw_pipes(useradd_t)
+ ')
++
++optional_policy(`
++ smsd_manage_lib_files(useradd_t)
++ smsd_manage_lib_dirs(useradd_t)
++')
++
++optional_policy(`
++ stapserver_manage_lib(useradd_t)
++')
+diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
+index 1dc7a85..c6f4da0 100644
+--- a/policy/modules/apps/seunshare.if
++++ b/policy/modules/apps/seunshare.if
+@@ -43,18 +43,18 @@ interface(`seunshare_run',`
+ role $2 types seunshare_t;
+
+ allow $1 seunshare_t:process signal_perms;
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
+- dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
+- ')
+ ')
+
+ ########################################
+ ##
+-## Role access for seunshare
++## The role template for the seunshare module.
+ ##
++##
++##
++## The prefix of the user role (e.g., user
++## is the prefix for user_r).
++##
++##
+ ##
+ ##
+ ## Role allowed access.
+@@ -66,15 +66,44 @@ interface(`seunshare_run',`
+ ##
+ ##
+ #
+-interface(`seunshare_role',`
++interface(`seunshare_role_template',`
+ gen_require(`
+- type seunshare_t;
++ attribute seunshare_domain;
++ type seunshare_exec_t;
+ ')
+
+- role $2 types seunshare_t;
++ type $1_seunshare_t, seunshare_domain;
++ application_domain($1_seunshare_t, seunshare_exec_t)
++ role $2 types $1_seunshare_t;
+
+- seunshare_domtrans($1)
++ kernel_read_system_state($1_seunshare_t)
++
++ auth_use_nsswitch($1_seunshare_t)
++
++ logging_send_syslog_msg($1_seunshare_t)
++
++ mls_process_set_level($1_seunshare_t)
++
++ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
++
++ # part of sandboxX.pp
++ optional_policy(`
++ sandbox_x_transition($1_seunshare_t, $2)
++ ')
++
++ # part of sandbox.pp
++ optional_policy(`
++ sandbox_transition($1_seunshare_t, $2)
++ ')
++
++ ps_process_pattern($3, $1_seunshare_t)
++ dontaudit $1_seunshare_t $3:file read;
++ allow $3 $1_seunshare_t:process signal_perms;
++ allow $3 $1_seunshare_t:fd use;
++
++ allow $1_seunshare_t $3:process transition;
++ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
+
+- ps_process_pattern($2, seunshare_t)
+- allow $2 seunshare_t:process signal;
++ corecmd_bin_domtrans($1_seunshare_t, $1_t)
++ corecmd_shell_domtrans($1_seunshare_t, $1_t)
+ ')
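Review bot: The template's last two lines transition back into `$1_t`, but `$1_t` is not in the gen_require (only seunshare_domain and seunshare_exec_t are) and the `process transition` permission above is granted toward `$3`, not `$1_t`; if a caller passes a `$3` that is not `$1_t` the return domtrans silently lacks its allow, and if `$1_t` does not exist the interface fails to build. Use one name for the user domain throughout — `corecmd_bin_domtrans($1_seunshare_t, $3)` and `corecmd_shell_domtrans($1_seunshare_t, $3)` — or add `type $1_t;` to the gen_require and state in the `$3` parameter doc at the top of this hunk that it must be `$1_t`. `mls_process_set_level` is also handed to every per-user seunshare domain without comment; presumably sandbox level setting needs it, but that is worth one line.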
+diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
+index 7590165..85186a9 100644
+--- a/policy/modules/apps/seunshare.te
++++ b/policy/modules/apps/seunshare.te
+@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
+ # Declarations
+ #
+
+-type seunshare_t;
++attribute seunshare_domain;
+ type seunshare_exec_t;
+-application_domain(seunshare_t, seunshare_exec_t)
+-role system_r types seunshare_t;
+
+ ########################################
+ #
+ # seunshare local policy
+ #
++allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
+
+-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
+-allow seunshare_t self:process { setexec signal getcap setcap };
++allow seunshare_domain self:fifo_file rw_file_perms;
++allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
+
+-allow seunshare_t self:fifo_file rw_file_perms;
+-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
++corecmd_exec_shell(seunshare_domain)
++corecmd_exec_bin(seunshare_domain)
++corecmd_getattr_all_executables(seunshare_domain)
+
+-corecmd_exec_shell(seunshare_t)
+-corecmd_exec_bin(seunshare_t)
++dev_read_urand(seunshare_domain)
++dev_dontaudit_rw_dri(seunshare_domain)
+
+-files_read_etc_files(seunshare_t)
+-files_mounton_all_poly_members(seunshare_t)
++files_search_all(seunshare_domain)
++files_read_etc_files(seunshare_domain)
++files_mounton_all_poly_members(seunshare_domain)
++files_mounton_rootfs(seunshare_domain)
++files_manage_generic_tmp_dirs(seunshare_domain)
++files_relabelfrom_tmp_dirs(seunshare_domain)
+
+-auth_use_nsswitch(seunshare_t)
+-
+-logging_send_syslog_msg(seunshare_t)
+-
+-miscfiles_read_localization(seunshare_t)
+-
+-userdom_use_user_terminals(seunshare_t)
++fs_manage_cgroup_dirs(seunshare_domain)
++fs_manage_cgroup_files(seunshare_domain)
++fs_unmount_all_fs(seunshare_domain)
+
++userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain)
++userdom_use_inherited_user_terminals(seunshare_domain)
++userdom_list_user_home_content(seunshare_domain)
+ ifdef(`hide_broken_symptoms', `
+- fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
++ fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
++ fs_dontaudit_list_inotifyfs(seunshare_domain)
+
+ optional_policy(`
+- mozilla_dontaudit_manage_user_home_files(seunshare_t)
++ gnome_dontaudit_rw_inherited_config(seunshare_domain)
+ ')
++
++ optional_policy(`
++ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
++ mozilla_plugin_dontaudit_leaks(seunshare_domain)
++ ')
++')
++optional_policy(`
++ rsync_exec(seunshare_domain)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_mounton_nfs(seunshare_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_mounton_cifs(seunshare_domain)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_mounton_fusefs(seunshare_domain)
+ ')
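Review bot: `fs_unmount_all_fs(seunshare_domain)` and `files_mounton_rootfs(seunshare_domain)`, together with the enlarged capability set (`sys_admin`, now also `fowner setgid sys_nice`), let every per-user seunshare domain unmount any filesystem and mount over the root; SELinux cannot scope these to the private mount namespace seunshare presumably creates, so if they run before the namespace is unshared, or a user process escapes, they apply to the host. A comment above the fs_ lines recording the assumption would help, e.g. `# mount/unmount are only issued inside the private mount namespace seunshare creates; SELinux cannot enforce that scope`. Minor style: the `optional_policy` for `rsync_exec` follows the closing `')` of the hide_broken_symptoms block with no blank line, unlike the rest of the file.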
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 33e0f8d..9a8ff3e 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -1,9 +1,10 @@
+ #
+ # /bin
+ #
+-/bin -d gen_context(system_u:object_r:bin_t,s0)
++/bin gen_context(system_u:object_r:bin_t,s0)
+ /bin/.* gen_context(system_u:object_r:bin_t,s0)
+ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -46,6 +47,7 @@ ifdef(`distro_redhat',`
+ /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
+
++/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
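Review bot: `/etc/auto\.[^/]*` labels every `/etc/auto.*` file bin_t, which presumably targets the executable maps shipped with autofs (auto.net, auto.smb) but also matches `/etc/auto.master` and `/etc/auto.misc`, which are plain map/config files; those lose etc_t, become executable-labeled for any domain with corecmd_exec_bin, and may no longer be editable by domains that manage etc_t. Narrow the entry to the maps that are actually scripts, e.g. `/etc/auto\.(net|smb) -- gen_context(system_u:object_r:bin_t,s0)`, and leave the others on the etc_t default. Whether the automounter policy expects to read these as configuration is decided outside this file; verify against it.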
+@@ -69,16 +71,25 @@ ifdef(`distro_redhat',`
+ /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/etc/redhat-lsb(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++/etc/lxdm/LoginReady -- gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Post.* -- gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Pre.* -- gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0)
++/etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0)
+
+ ifdef(`distro_redhat',`
+ /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ ')
+
+ /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
++/etc/munin/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+@@ -101,8 +112,6 @@ ifdef(`distro_redhat',`
+
+ /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
+
+-/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
+-
+ /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
+@@ -116,6 +125,9 @@ ifdef(`distro_redhat',`
+
+ /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++
++/etc/wdmd\.d/checkquorum\.wdmd gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
+@@ -135,10 +147,12 @@ ifdef(`distro_debian',`
+ /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib64/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0)
+ /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
++/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
+ /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
+ /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/lib/security/pam_krb5(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ ifdef(`distro_gentoo',`
+ /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
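Review bot: `/lib/security/pam_krb5(/.*)?` at the end of this block already covers `/lib/security/pam_krb5/pam_krb5_storetmp`, so that older entry is now redundant, and `/usr/lib64/security/pam_krb5/pam_krb5_cchelper` is a `/usr/lib64` path inserted into the `/lib` block where every other entry writes `/lib` or `/usr/lib` (presumably relying on file_contexts.subs_dist for lib64). Drop the storetmp line and move the cchelper entry to the `/usr/lib` block, where a later hunk already adds `/usr/lib/security/pam_krb5(/.*)?`. `/lib/systemd/systemd.*` is removed with no replacement in this hunk; if systemd binaries are labeled elsewhere that is fine, but a reader cannot tell from here.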
+@@ -149,10 +163,12 @@ ifdef(`distro_gentoo',`
+ /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+
++/usr/lib/erlang/erts.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ #
+ # /sbin
+ #
+-/sbin -d gen_context(system_u:object_r:bin_t,s0)
++/sbin gen_context(system_u:object_r:bin_t,s0)
+ /sbin/.* gen_context(system_u:object_r:bin_t,s0)
+ /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+ /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+@@ -168,6 +184,7 @@ ifdef(`distro_gentoo',`
+ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+@@ -179,34 +196,50 @@ ifdef(`distro_gentoo',`
+ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+
++/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ #
+ # /usr
+ #
++/usr/bin -d gen_context(system_u:object_r:bin_t,s0)
+ /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+-/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/pingus.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+-/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+ /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/libreoffice(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
+-/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/chromium-browser(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
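Review bot: `/usr/lib/jvm/java(.*/)bin(/.*)` is missing the `?` quantifiers its neighbours use (compare `/usr/lib/qt.*/bin(/.*)?`): `(.*/)` without `?` requires at least one path component between `java` and `bin`, and `(/.*)` without `?` means the `bin` directory itself is never matched, only its contents. Write it as `/usr/lib/jvm/java(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)`. The same hunk labels `/root/bin(/.*)?` bin_t, which deserves a comment: any domain allowed to create files in a bin_t directory can then drop executables into root's home.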
+@@ -218,19 +251,32 @@ ifdef(`distro_gentoo',`
+ /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ocf(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/tumbler-[^/]*/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/security/pam_krb5(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
+@@ -245,26 +291,40 @@ ifdef(`distro_gentoo',`
+ /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xulrunner[^/]*/xulrunner[^/]* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xulrunner[^/]*/updater -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xulrunner[^/]*/crashreporter -- gen_context(system_u:object_r:bin_t,s0)
++
+ /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-
+ /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+-/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/cockpit-bridge -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+
+-/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
++/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
++/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
++/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
++/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
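Review bot: `/usr/libexec/cockpit-agent`, `/usr/bin/cockpit-bridge` and `/usr/sbin/nologin` are given shell_exec_t rather than bin_t with no comment; shell_exec_t is the entrypoint type used by corecmd_shell_domtrans to enter user domains and is executable by every domain granted corecmd_exec_shell, so each addition enlarges both the login-shell entrypoint set and what any "can run a shell" domain may execute. If these programs are configured as an account's login shell and therefore must be a user-domain entrypoint, record it: `# cockpit-bridge is used as a login shell and must be a user-domain entrypoint`. Minor: `/usr/bin/cockpit-bridge` sits in the `/usr/libexec` group; move it up with the other `/usr/bin` shells.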
+@@ -280,10 +340,15 @@ ifdef(`distro_gentoo',`
+ /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/gitolite3/commands(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
+@@ -298,16 +363,22 @@ ifdef(`distro_gentoo',`
+ /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall6?/configpath -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall6?/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
++/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd) gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0)
++/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
++/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
+
+ ifdef(`distro_debian',`
+ /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
+@@ -325,20 +396,27 @@ ifdef(`distro_redhat', `
+ /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
+ /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
+
++/usr/lib/.*/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nfs-utils/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/tuned/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
++#/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/munin/plugins/plugin\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
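Review bot: `#/usr/share/authconfig/authconfig\.py` leaves a commented-out file-context entry instead of deleting it, and nothing in the hunk says why it was disabled; either remove the line or keep it with a reason, e.g. `# authconfig.py is an imported module, not an executable`, if that is the reason. `/usr/lib/.*/scripts(/.*)?` also matches every `scripts` directory anywhere under /usr/lib, far broader than the file's other entries; if only a few packages need it, list them explicitly the way `/usr/lib/nfs-utils/scripts(/.*)?` in the same hunk does.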
+@@ -346,6 +424,7 @@ ifdef(`distro_redhat', `
+ /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/system-config-selinux/polgengui.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
+@@ -387,11 +466,16 @@ ifdef(`distro_suse', `
+ #
+ # /var
+ #
+-/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/var/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0)
++/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+
+ /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
+@@ -401,3 +485,12 @@ ifdef(`distro_suse', `
+ ifdef(`distro_suse',`
+ /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
+ ')
++
++#
++# /usr/lib
++#
++
++/usr/lib/dracut(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
+diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
+index 9e9263a..77e6c8c 100644
+--- a/policy/modules/kernel/corecommands.if
++++ b/policy/modules/kernel/corecommands.if
+@@ -8,6 +8,22 @@
+ ## run init.
+ ##
+
++#####################################
++##
++## corecmd stub bin_t interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`corecmd_stub_bin',`
++ gen_require(`
++ type bin_t;
++ ')
++')
++
+ ########################################
+ ##
+ ## Make the specified type usable for files
+@@ -68,9 +84,11 @@ interface(`corecmd_bin_alias',`
+ interface(`corecmd_bin_entry_type',`
+ gen_require(`
+ type bin_t;
++ type usr_t;
+ ')
+
+ domain_entry_file($1, bin_t)
++ domain_entry_file($1, usr_t)
+ ')
+
+ ########################################
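Review bot: `domain_entry_file($1, usr_t)` makes every usr_t file a valid entrypoint for any domain that calls corecmd_bin_entry_type, so a script left with the generic usr_t label (anything under /usr not matched by a file context) can now enter that domain, not only bin_t content; this collapses the bin_t/usr_t distinction for all callers at once rather than for the domains that need it. Prefer a separately named interface (`corecmd_usr_entry_type`, or a files_ interface since usr_t is presumably declared in the files module) called only by domains that genuinely start from unlabeled /usr scripts, and add a comment on the rationale either way. Later hunks in this file extend corecmd_bin_spec_domtrans and corecmd_bin_domtrans to usr_t in the same manner.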
+@@ -122,6 +140,7 @@ interface(`corecmd_search_bin',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ search_dirs_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -158,6 +177,7 @@ interface(`corecmd_list_bin',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ list_dirs_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -203,7 +223,7 @@ interface(`corecmd_getattr_bin_files',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -231,6 +251,7 @@ interface(`corecmd_read_bin_files',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ read_files_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -254,6 +275,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to access check bin files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corecmd_dontaudit_access_check_bin',`
++ gen_require(`
++ type bin_t;
++ ')
++
++ dontaudit $1 bin_t:file audit_access;
++')
++
++########################################
++##
+ ## Read symbolic links in bin directories.
+ ##
+ ##
+@@ -285,6 +324,7 @@ interface(`corecmd_read_bin_pipes',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks(bin_t)
+ read_fifo_files_pattern($1, bin_t, bin_t)
+ ')
+
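Review bot: `corecmd_read_bin_symlinks(bin_t)` in corecmd_read_bin_pipes passes the type `bin_t` instead of the calling domain `$1`, so the rule it expands to grants lnk_file read to bin_t itself — it compiles, since any type may be a rule's source, but grants nothing to the caller. Every other `corecmd_read_bin_symlinks` call added in this file uses `$1`; change this one to `corecmd_read_bin_symlinks($1)`.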
+@@ -303,6 +343,7 @@ interface(`corecmd_read_bin_sockets',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ read_sock_files_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -345,6 +386,10 @@ interface(`corecmd_exec_bin',`
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ list_dirs_pattern($1, bin_t, bin_t)
+ can_exec($1, bin_t)
++
++ ifdef(`enable_mls',`',`
++ files_exec_all_base_ro_files($1)
++ ')
+ ')
+
+ ########################################
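Review bot: The `ifdef` on enable_mls that adds `files_exec_all_base_ro_files($1)` to corecmd_exec_bin gives every caller of this interface execute access to all base read-only file types on non-MLS builds, with no comment on why; the interface's name and doc promise execute on bin_t only, so what every domain using it may run is widened silently (the exact set depends on files_exec_all_base_ro_files in files.if, outside this view). The MLS/non-MLS divergence also means an analysis of one policy variant does not hold for the other. If the aim is to let generically labeled scripts under /usr run, add a separately named interface and call it where needed, or at minimum document the extra access in the interface's doc block. The same addition appears in corecmd_exec_all_executables in a later hunk.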
+@@ -362,6 +407,7 @@ interface(`corecmd_manage_bin_files',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ manage_files_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -398,6 +444,7 @@ interface(`corecmd_mmap_bin_files',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ mmap_files_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',`
+ interface(`corecmd_bin_spec_domtrans',`
+ gen_require(`
+ type bin_t;
++ type usr_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ domain_transition_pattern($1, bin_t, $2)
++
++ read_lnk_files_pattern($1, usr_t, usr_t)
++ domain_transition_pattern($1, usr_t, $2)
+ ')
+
+ ########################################
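Review bot: `domain_transition_pattern($1, usr_t, $2)` makes every file labeled usr_t an entrypoint for $2, so the generic /usr label becomes a domain entrypoint for every caller of corecmd_bin_spec_domtrans, and the corecmd_bin_domtrans hunk then adds `type_transition $1 usr_t:process $2;` so the transition also happens automatically on exec. Entrypoint types are what keep a domain from being entered through arbitrary files, so this needs either a narrower type or a stated rationale in the interface header (outside the hunk). If the intent is tolerating binaries under /usr that are not yet labeled bin_t, a comment on the usr_t lines saying so, e.g. `# usr_t accepted as an entrypoint for binaries not yet labeled bin_t`, keeps the next reader from treating it as equivalent to bin_t.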
+@@ -483,10 +534,12 @@ interface(`corecmd_bin_spec_domtrans',`
+ interface(`corecmd_bin_domtrans',`
+ gen_require(`
+ type bin_t;
++ type usr_t;
+ ')
+
+ corecmd_bin_spec_domtrans($1, $2)
+ type_transition $1 bin_t:process $2;
++ type_transition $1 usr_t:process $2;
+ ')
+
+ ########################################
+@@ -945,6 +998,7 @@ interface(`corecmd_shell_domtrans',`
+ interface(`corecmd_exec_chroot',`
+ gen_require(`
+ type chroot_exec_t;
++ type bin_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+@@ -954,6 +1008,24 @@ interface(`corecmd_exec_chroot',`
+
+ ########################################
+ ##
++## Do not audit attempts to access check executable files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corecmd_dontaudit_access_all_executables',`
++ gen_require(`
++ attribute exec_type;
++ ')
++
++ dontaudit $1 exec_type:file audit_access;
++')
++
++########################################
++##
+ ## Get the attributes of all executable files.
+ ##
+ ##
+@@ -1012,6 +1084,10 @@ interface(`corecmd_exec_all_executables',`
+ can_exec($1, exec_type)
+ list_dirs_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, exec_type)
++
++ ifdef(`enable_mls',`',`
++ files_exec_all_base_ro_files($1)
++ ')
+ ')
+
+ ########################################
+@@ -1049,6 +1125,7 @@ interface(`corecmd_manage_all_executables',`
+ type bin_t;
+ ')
+
++ manage_dirs_pattern($1, bin_t, exec_type)
+ manage_files_pattern($1, bin_t, exec_type)
+ manage_lnk_files_pattern($1, bin_t, bin_t)
+ ')
+@@ -1091,3 +1168,36 @@ interface(`corecmd_mmap_all_executables',`
+
+ mmap_files_pattern($1, bin_t, exec_type)
+ ')
++
++########################################
++##
++## Create objects in the /bin directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`corecmd_bin_filetrans',`
++ gen_require(`
++ type bin_t;
++ ')
++
++ filetrans_pattern($1, bin_t, $2, $3, $4)
++')
+diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
+index 20c76cf..cc63dcc 100644
+--- a/policy/modules/kernel/corecommands.te
++++ b/policy/modules/kernel/corecommands.te
+@@ -13,7 +13,8 @@ attribute exec_type;
+ #
+ # bin_t is the type of files in the system bin/sbin directories.
+ #
+-type bin_t alias { ls_exec_t sbin_t };
++type bin_t alias { ls_exec_t sbin_t unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t };
++files_ro_base_file(bin_t)
+ corecmd_executable_file(bin_t)
+ dev_associate(bin_t) #For /dev/MAKEDEV
+
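Review bot: Aliasing `unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t` onto bin_t erases the distinction those executable types carried, so any rule or file context still naming one of them now applies to all of bin_t and vice versa, while the comment above the declaration still describes bin_t only as the type of bin/sbin files. A why-comment on the alias line would help: `# compat aliases: the former execmem/java/mono executable types are plain bin_t now`. Whether any module still relies on those names for an execmem-specific transition is not visible from this hunk.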
+@@ -21,6 +22,7 @@ dev_associate(bin_t) #For /dev/MAKEDEV
+ # shell_exec_t is the type of user shells such as /bin/bash.
+ #
+ type shell_exec_t;
++files_ro_base_file(shell_exec_t)
+ corecmd_executable_file(shell_exec_t)
+
+ type chroot_exec_t;
+diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc
+index f9b25c1..9af1f7a 100644
+--- a/policy/modules/kernel/corenetwork.fc
++++ b/policy/modules/kernel/corenetwork.fc
+@@ -8,3 +8,6 @@
+
+ /lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+ /lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
++
++/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
++/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
+diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
+index 07126bd..015bd7a 100644
+--- a/policy/modules/kernel/corenetwork.if.in
++++ b/policy/modules/kernel/corenetwork.if.in
+@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
+ ')
+
+ typeattribute $1 reserved_port_type;
++ corenet_port($1)
+ ')
+
+ ########################################
+@@ -82,6 +83,7 @@ interface(`corenet_rpc_port',`
+ ')
+
+ typeattribute $1 rpc_port_type;
++ corenet_port($1)
+ ')
+
+ ########################################
+@@ -615,6 +617,24 @@ interface(`corenet_raw_sendrecv_all_if',`
+
+ ########################################
+ ##
++## Send and receive DCCP network traffic on generic nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom };
++')
++
++########################################
++##
+ ## Send and receive TCP network traffic on generic nodes.
+ ##
+ ##
+@@ -789,6 +809,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to generic nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ allow $1 node_t:dccp_socket node_bind;
++')
++
++########################################
++##
+ ## Bind TCP sockets to generic nodes.
+ ##
+ ##
+@@ -855,6 +893,44 @@ interface(`corenet_udp_bind_generic_node',`
+
+ ########################################
+ ##
++## Dontaudit attempts to bind TCP sockets to generic nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`corenet_dontaudit_tcp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ dontaudit $1 node_t:tcp_socket node_bind;
++')
++
++########################################
++##
++## Dontaudit attempts to bind UDP sockets to generic nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`corenet_dontaudit_udp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ dontaudit $1 node_t:udp_socket node_bind;
++')
++
++########################################
++##
+ ## Bind raw sockets to genric nodes.
+ ##
+ ##
+@@ -928,6 +1004,24 @@ interface(`corenet_inout_generic_node',`
+
+ ########################################
+ ##
++## Send and receive DCCP network traffic on all nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_all_nodes',`
++ gen_require(`
++ attribute node_type;
++ ')
++
++ allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom };
++')
++
++########################################
++##
+ ## Send and receive TCP network traffic on all nodes.
+ ##
+ ##
+@@ -1102,6 +1196,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to all nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_all_nodes',`
++ gen_require(`
++ attribute node_type;
++ ')
++
++ allow $1 node_type:dccp_socket node_bind;
++')
++
++########################################
++##
+ ## Bind TCP sockets to all nodes.
+ ##
+ ##
+@@ -1157,6 +1269,24 @@ interface(`corenet_raw_bind_all_nodes',`
+
+ ########################################
+ ##
++## Send and receive DCCP network traffic on generic ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_generic_port',`
++ gen_require(`
++ type port_t, unreserved_port_t, ephemeral_port_t;
++ ')
++
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
++')
++
++########################################
++##
+ ## Send and receive TCP network traffic on generic ports.
+ ##
+ ##
+@@ -1167,10 +1297,30 @@ interface(`corenet_raw_bind_all_nodes',`
+ #
+ interface(`corenet_tcp_sendrecv_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
++ ')
++
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
++')
++
++########################################
++##
++## Do not audit attempts to send and
++## receive DCCP network traffic on
++## generic ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_sendrecv_generic_port',`
++ gen_require(`
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+- allow $1 port_t:tcp_socket { send_msg recv_msg };
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
+ ')
+
+ ########################################
+@@ -1185,10 +1335,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
+ #
+ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+- dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
+ ')
+
+ ########################################
+@@ -1203,10 +1353,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+ #
+ interface(`corenet_udp_send_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+- allow $1 port_t:udp_socket send_msg;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg;
+ ')
+
+ ########################################
+@@ -1221,10 +1371,10 @@ interface(`corenet_udp_send_generic_port',`
+ #
+ interface(`corenet_udp_receive_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+- allow $1 port_t:udp_socket recv_msg;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket recv_msg;
+ ')
+
+ ########################################
+@@ -1244,6 +1394,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to generic ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_generic_port',`
++ gen_require(`
++ type port_t, unreserved_port_t, ephemeral_port_t;
++ attribute defined_port_type;
++ ')
++
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
++ dontaudit $1 defined_port_type:dccp_socket name_bind;
++')
++
++########################################
++##
+ ## Bind TCP sockets to generic ports.
+ ##
+ ##
+@@ -1254,16 +1424,35 @@ interface(`corenet_udp_sendrecv_generic_port',`
+ #
+ interface(`corenet_tcp_bind_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ attribute defined_port_type;
+ ')
+
+- allow $1 port_t:tcp_socket name_bind;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
+ dontaudit $1 defined_port_type:tcp_socket name_bind;
+ ')
+
+ ########################################
+ ##
++## Do not audit attempts to bind DCCP
++## sockets to generic ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_bind_generic_port',`
++ gen_require(`
++ type port_t, unreserved_port_t, ephemeral_port_t;
++ ')
++
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
++')
++
++########################################
++##
+ ## Do not audit bind TCP sockets to generic ports.
+ ##
+ ##
+@@ -1274,10 +1463,10 @@ interface(`corenet_tcp_bind_generic_port',`
+ #
+ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+- dontaudit $1 port_t:tcp_socket name_bind;
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
+ ')
+
+ ########################################
+@@ -1292,16 +1481,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ #
+ interface(`corenet_udp_bind_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ attribute defined_port_type;
+ ')
+
+- allow $1 port_t:udp_socket name_bind;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind;
+ dontaudit $1 defined_port_type:udp_socket name_bind;
+ ')
+
+ ########################################
+ ##
++## Connect DCCP sockets to generic ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_connect_generic_port',`
++ gen_require(`
++ type port_t, unreserved_port_t,ephemeral_port_t;
++ ')
++
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_connect;
++')
++
++########################################
++##
+ ## Connect TCP sockets to generic ports.
+ ##
+ ##
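Review bot: `type port_t, unreserved_port_t,ephemeral_port_t;` in corenet_dccp_connect_generic_port is missing the space after the second comma that every other gen_require in this file uses; it should be `type port_t, unreserved_port_t, ephemeral_port_t;`. m4 accepts it, but it is the only require line in the file written this way.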
+@@ -1312,10 +1519,28 @@ interface(`corenet_udp_bind_generic_port',`
+ #
+ interface(`corenet_tcp_connect_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
++ ')
++
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;
++')
++
++########################################
++##
++## Send and receive DCCP network traffic on all ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_all_ports',`
++ gen_require(`
++ attribute port_type;
+ ')
+
+- allow $1 port_t:tcp_socket name_connect;
++ allow $1 port_type:dccp_socket { send_msg recv_msg };
+ ')
+
+ ########################################
+@@ -1439,6 +1664,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to all ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_all_ports',`
++ gen_require(`
++ attribute port_type;
++ ')
++
++ allow $1 port_type:dccp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
+ ## Bind TCP sockets to all ports.
+ ##
+ ##
+@@ -1458,6 +1702,24 @@ interface(`corenet_tcp_bind_all_ports',`
+
+ ########################################
+ ##
++## Do not audit attepts to bind DCCP sockets to any ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_bind_all_ports',`
++ gen_require(`
++ attribute port_type;
++ ')
++
++ dontaudit $1 port_type:dccp_socket name_bind;
++')
++
++########################################
++##
+ ## Do not audit attepts to bind TCP sockets to any ports.
+ ##
+ ##
+@@ -1513,6 +1775,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
+
+ ########################################
+ ##
++## Connect DCCP sockets to all ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_connect_all_ports',`
++ gen_require(`
++ attribute port_type;
++ ')
++
++ allow $1 port_type:dccp_socket name_connect;
++')
++
++########################################
++##
+ ## Connect TCP sockets to all ports.
+ ##
+ ##
+@@ -1559,6 +1839,25 @@ interface(`corenet_tcp_connect_all_ports',`
+
+ ########################################
+ ##
++## Do not audit attempts to connect DCCP sockets
++## to all ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_connect_all_ports',`
++ gen_require(`
++ attribute port_type;
++ ')
++
++ dontaudit $1 port_type:dccp_socket name_connect;
++')
++
++########################################
++##
+ ## Do not audit attempts to connect TCP sockets
+ ## to all ports.
+ ##
+@@ -1578,6 +1877,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
+
+ ########################################
+ ##
++## Send and receive DCCP network traffic on generic reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_reserved_port',`
++ gen_require(`
++ type reserved_port_t;
++ ')
++
++ allow $1 reserved_port_t:dccp_socket { send_msg recv_msg };
++')
++
++########################################
++##
+ ## Send and receive TCP network traffic on generic reserved ports.
+ ##
+ ##
+@@ -1647,7 +1964,26 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+
+ ########################################
+ ##
+-## Bind TCP sockets to generic reserved ports.
++## Bind DCCP sockets to generic reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_reserved_port',`
++ gen_require(`
++ type reserved_port_t;
++ ')
++
++ allow $1 reserved_port_t:dccp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
++## Bind TCP sockets to generic reserved ports.
+ ##
+ ##
+ ##
+@@ -1685,6 +2021,24 @@ interface(`corenet_udp_bind_reserved_port',`
+
+ ########################################
+ ##
++## Connect DCCP sockets to generic reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_connect_reserved_port',`
++ gen_require(`
++ type reserved_port_t;
++ ')
++
++ allow $1 reserved_port_t:dccp_socket name_connect;
++')
++
++########################################
++##
+ ## Connect TCP sockets to generic reserved ports.
+ ##
+ ##
+@@ -1703,6 +2057,24 @@ interface(`corenet_tcp_connect_reserved_port',`
+
+ ########################################
+ ##
++## Send and receive DCCP network traffic on all reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
++')
++
++########################################
++##
+ ## Send and receive TCP network traffic on all reserved ports.
+ ##
+ ##
+@@ -1772,6 +2144,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to all reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:dccp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
+ ## Bind TCP sockets to all reserved ports.
+ ##
+ ##
+@@ -1785,31 +2176,284 @@ interface(`corenet_tcp_bind_all_reserved_ports',`
+ attribute reserved_port_type;
+ ')
+
+- allow $1 reserved_port_type:tcp_socket name_bind;
+- allow $1 self:capability net_bind_service;
++ allow $1 reserved_port_type:tcp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
++## Do not audit attempts to bind DCCP sockets to all reserved ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ dontaudit $1 reserved_port_type:dccp_socket name_bind;
++')
++
++########################################
++##
++## Do not audit attempts to bind TCP sockets to all reserved ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ dontaudit $1 reserved_port_type:tcp_socket name_bind;
++')
++
++########################################
++##
++## Bind UDP sockets to all reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_udp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:udp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
++## Do not audit attempts to bind UDP sockets to all reserved ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ dontaudit $1 reserved_port_type:udp_socket name_bind;
++')
++
++########################################
++##
++## Bind DCCP sockets to all ports > 1024.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_all_unreserved_ports',`
++ gen_require(`
++ attribute unreserved_port_type;
++ ')
++
++ allow $1 unreserved_port_type:dccp_socket name_bind;
++')
++
++########################################
++##
++## Bind TCP sockets to all ports > 1024.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_tcp_bind_all_unreserved_ports',`
++ gen_require(`
++ attribute unreserved_port_type;
++ ')
++
++ allow $1 unreserved_port_type:tcp_socket name_bind;
++')
++
++########################################
++##
++## Bind TCP sockets to all ports > 1024.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_tcp_bind_unreserved_ports',`
++ gen_require(`
++ attribute unreserved_port_t;
++ ')
++
++ allow $1 unreserved_port_t:tcp_socket name_bind;
++')
++
++########################################
++##
++## Bind UDP sockets to all ports > 1024.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_udp_bind_all_unreserved_ports',`
++ gen_require(`
++ attribute unreserved_port_type;
++ ')
++
++ allow $1 unreserved_port_type:udp_socket name_bind;
++')
++
++########################################
++##
++## Bind TCP sockets to all ports > 32768.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_tcp_bind_all_ephemeral_ports',`
++ gen_require(`
++ attribute ephemeral_port_type;
++ ')
++
++ allow $1 ephemeral_port_type:tcp_socket name_bind;
++')
++
++########################################
++##
++## Bind UDP sockets to all ports > 32768.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_udp_bind_all_ephemeral_ports',`
++ gen_require(`
++ attribute ephemeral_port_type;
++ ')
++
++ allow $1 ephemeral_port_type:udp_socket name_bind;
++')
++
++########################################
++##
++## Connect DCCP sockets to reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_connect_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:dccp_socket name_connect;
++')
++
++########################################
++##
++## Connect TCP sockets to reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_tcp_connect_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:tcp_socket name_connect;
++')
++
++########################################
++##
++## Connect DCCP sockets to all ports > 1024.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_connect_all_unreserved_ports',`
++ gen_require(`
++ attribute unreserved_port_type;
++ ')
++
++ allow $1 unreserved_port_type:dccp_socket name_connect;
++')
++
++#######################################
++##
++## Connect TCP sockets to ports > 1024.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_tcp_connect_unreserved_ports',`
++ gen_require(`
++ type unreserved_port_t;
++ ')
++
++ allow $1 unreserved_port_t:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to bind TCP sockets to all reserved ports.
++## Connect TCP sockets to all ports > 1024.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_unreserved_ports',`
+ gen_require(`
+- attribute reserved_port_type;
++ attribute unreserved_port_type;
+ ')
+
+- dontaudit $1 reserved_port_type:tcp_socket name_bind;
++ allow $1 unreserved_port_type:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Bind UDP sockets to all reserved ports.
++## Connect TCP sockets to all ports > 32768.
+ ##
+ ##
+ ##
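Review bot: `attribute unreserved_port_t;` in corenet_tcp_bind_unreserved_ports declares a type as an attribute; elsewhere in this file the same name is required as `type port_t, unreserved_port_t, ephemeral_port_t;` and corenet_tcp_connect_unreserved_ports requires `type unreserved_port_t;`, so the line should be `type unreserved_port_t;`. That interface also reuses the summary "Bind TCP sockets to all ports > 1024" from corenet_tcp_bind_all_unreserved_ports although the two differ (attribute versus single type); it should say `## Bind TCP sockets to ports > 1024 (the unreserved_port_t type only).` to match the distinction corenet_tcp_connect_unreserved_ports draws. The separator line before corenet_tcp_connect_unreserved_ports is also one `#` shorter than the others.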
+@@ -1817,18 +2461,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_udp_bind_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_ephemeral_ports',`
+ gen_require(`
+- attribute reserved_port_type;
++ attribute ephemeral_port_type;
+ ')
+
+- allow $1 reserved_port_type:udp_socket name_bind;
+- allow $1 self:capability net_bind_service;
++ allow $1 ephemeral_port_type:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to bind UDP sockets to all reserved ports.
++## Do not audit attempts to connect DCCP sockets
++## all reserved ports.
+ ##
+ ##
+ ##
+@@ -1836,35 +2480,36 @@ interface(`corenet_udp_bind_all_reserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
++interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+- dontaudit $1 reserved_port_type:udp_socket name_bind;
++ dontaudit $1 reserved_port_type:dccp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Bind TCP sockets to all ports > 1024.
++## Do not audit attempts to connect TCP sockets
++## all reserved ports.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`corenet_tcp_bind_all_unreserved_ports',`
++interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+ gen_require(`
+- attribute unreserved_port_type;
++ attribute reserved_port_type;
+ ')
+
+- allow $1 unreserved_port_type:tcp_socket name_bind;
++ dontaudit $1 reserved_port_type:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Bind UDP sockets to all ports > 1024.
++## Connect DCCP sockets to rpc ports.
+ ##
+ ##
+ ##
+@@ -1872,17 +2517,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_udp_bind_all_unreserved_ports',`
++interface(`corenet_dccp_connect_all_rpc_ports',`
+ gen_require(`
+- attribute unreserved_port_type;
++ attribute rpc_port_type;
+ ')
+
+- allow $1 unreserved_port_type:udp_socket name_bind;
++ allow $1 rpc_port_type:dccp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Connect TCP sockets to reserved ports.
++## Connect TCP sockets to rpc ports.
+ ##
+ ##
+ ##
+@@ -1890,36 +2535,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_tcp_connect_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_rpc_ports',`
+ gen_require(`
+- attribute reserved_port_type;
++ attribute rpc_port_type;
+ ')
+
+- allow $1 reserved_port_type:tcp_socket name_connect;
++ allow $1 rpc_port_type:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Connect TCP sockets to all ports > 1024.
++## Do not audit attempts to connect DCCP sockets
++## all rpc ports.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`corenet_tcp_connect_all_unreserved_ports',`
++interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
+ gen_require(`
+- attribute unreserved_port_type;
++ attribute rpc_port_type;
+ ')
+
+- allow $1 unreserved_port_type:tcp_socket name_connect;
++ dontaudit $1 rpc_port_type:dccp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+ ## Do not audit attempts to connect TCP sockets
+-## all reserved ports.
++## all rpc ports.
+ ##
+ ##
+ ##
+@@ -1927,54 +2573,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
++interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+ gen_require(`
+- attribute reserved_port_type;
++ attribute rpc_port_type;
+ ')
+
+- dontaudit $1 reserved_port_type:tcp_socket name_connect;
++ dontaudit $1 rpc_port_type:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Connect TCP sockets to rpc ports.
++## Read and write the TUN/TAP virtual network device.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## The domain allowed access.
+ ##
+ ##
+ #
+-interface(`corenet_tcp_connect_all_rpc_ports',`
++interface(`corenet_rw_tun_tap_dev',`
+ gen_require(`
+- attribute rpc_port_type;
++ type tun_tap_device_t;
+ ')
+
+- allow $1 rpc_port_type:tcp_socket name_connect;
++ dev_list_all_dev_nodes($1)
++ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to connect TCP sockets
+-## all rpc ports.
++## Relabel to and from the TUN/TAP virtual network device.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## The domain allowed access.
+ ##
+ ##
+ #
+-interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
++interface(`corenet_relabel_tun_tap_dev',`
+ gen_require(`
+- attribute rpc_port_type;
++ type tun_tap_device_t;
+ ')
+
+- dontaudit $1 rpc_port_type:tcp_socket name_connect;
++ relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write the TUN/TAP virtual network device.
++## Read and write inherited TUN/TAP virtual network device.
+ ##
+ ##
+ ##
+@@ -1982,13 +2628,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_rw_tun_tap_dev',`
++interface(`corenet_rw_inherited_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+- dev_list_all_dev_nodes($1)
+- allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
++ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
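Review bot: `rw_inherited_chr_file_perms` is not a permission set defined anywhere in this patch as far as I can see; if the support macros do not provide it the module fails to build, and if they do, its contents decide whether this interface is really narrower than corenet_rw_tun_tap_dev, which additionally calls dev_list_all_dev_nodes. A one-line comment stating the intent, `# inherited descriptor only: presumably no open, so no device-directory listing is needed`, would make the contrast explicit; confirm the perm set actually omits open.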
+@@ -2049,6 +2694,25 @@ interface(`corenet_rw_ppp_dev',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to all RPC ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_all_rpc_ports',`
++ gen_require(`
++ attribute rpc_port_type;
++ ')
++
++ allow $1 rpc_port_type:dccp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
+ ## Bind TCP sockets to all RPC ports.
+ ##
+ ##
+@@ -2068,6 +2732,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+
+ ########################################
+ ##
++## Do not audit attempts to bind DCCP sockets to all RPC ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_bind_all_rpc_ports',`
++ gen_require(`
++ attribute rpc_port_type;
++ ')
++
++ dontaudit $1 rpc_port_type:dccp_socket name_bind;
++')
++
++########################################
++##
+ ## Do not audit attempts to bind TCP sockets to all RPC ports.
+ ##
+ ##
+@@ -2194,6 +2876,25 @@ interface(`corenet_tcp_recv_netlabel',`
+
+ ########################################
+ ##
++## Receive DCCP packets from a NetLabel connection.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_recvfrom_netlabel',`
++ gen_require(`
++ type netlabel_peer_t;
++ ')
++
++ allow $1 netlabel_peer_t:peer recv;
++ allow $1 netlabel_peer_t:dccp_socket recvfrom;
++')
++
++########################################
++##
+ ## Receive TCP packets from a NetLabel connection.
+ ##
+ ##
+@@ -2213,7 +2914,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+
+ ########################################
+ ##
+-## Receive TCP packets from an unlabled connection.
++## Receive DCCP packets from an unlabled connection.
+ ##
+ ##
+ ##
+@@ -2221,10 +2922,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+ ##
+ ##
+ #
+-interface(`corenet_tcp_recvfrom_unlabeled',`
+- kernel_tcp_recvfrom_unlabeled($1)
++interface(`corenet_dccp_recvfrom_unlabeled',`
++ gen_require(`
++ attribute corenet_unlabeled_type;
++ ')
++
++ kernel_dccp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
++ typeattribute $1 corenet_unlabeled_type;
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
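Review bot: corenet_dccp_recvfrom_unlabeled both calls `kernel_dccp_recvfrom_unlabeled($1)` and tags the domain with `corenet_unlabeled_type`, the attribute corenet_all_recvfrom_unlabeled uses to cover every protocol; if the attribute carries the all-protocol unlabeled rules, a caller that asked only for DCCP also receives the other protocols' unlabeled access, and if it does not, the typeattribute is dead weight. Either drop the typeattribute here or document on that line why a protocol-specific interface grants the protocol-wide attribute. The removed corenet_tcp_recvfrom_unlabeled is presumably re-added elsewhere in the file, which this hunk does not show.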
+@@ -2249,6 +2955,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+
+ ########################################
+ ##
++## Do not audit attempts to receive DCCP packets from a NetLabel
++## connection.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_recvfrom_netlabel',`
++ gen_require(`
++ type netlabel_peer_t;
++ ')
++
++ dontaudit $1 netlabel_peer_t:peer recv;
++ dontaudit $1 netlabel_peer_t:dccp_socket recvfrom;
++')
++
++########################################
++##
+ ## Do not audit attempts to receive TCP packets from a NetLabel
+ ## connection.
+ ##
+@@ -2269,6 +2995,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+
+ ########################################
+ ##
++## Do not audit attempts to receive DCCP packets from an unlabeled
++## connection.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_recvfrom_unlabeled',`
++ kernel_dontaudit_dccp_recvfrom_unlabeled($1)
++ kernel_dontaudit_recvfrom_unlabeled_peer($1)
++
++ # XXX - at some point the oubound/send access check will be removed
++ # but for right now we need to keep this in place so as not to break
++ # older systems
++ kernel_dontaudit_sendrecv_unlabeled_association($1)
++')
++
++########################################
++##
+ ## Do not audit attempts to receive TCP packets from an unlabeled
+ ## connection.
+ ##
+@@ -2533,15 +3280,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+ ##
+ #
+ interface(`corenet_all_recvfrom_unlabeled',`
+- kernel_tcp_recvfrom_unlabeled($1)
+- kernel_udp_recvfrom_unlabeled($1)
+- kernel_raw_recvfrom_unlabeled($1)
+- kernel_recvfrom_unlabeled_peer($1)
+-
+- # XXX - at some point the oubound/send access check will be removed
+- # but for right now we need to keep this in place so as not to break
+- # older systems
+- kernel_sendrecv_unlabeled_association($1)
++ gen_require(`
++ attribute corenet_unlabeled_type;
++ ')
++ typeattribute $1 corenet_unlabeled_type;
+ ')
+
+ ########################################
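Review bot: `corenet_all_recvfrom_unlabeled` no longer calls `kernel_sendrecv_unlabeled_association($1)`; after this change that access exists only if something invokes `corenet_enable_unlabeled_packets`, which is not visible in this diff, so existing callers may silently lose unlabeled association send/receive on a policy where that interface is never called. The interface summary (above the hunk) should state the new contract, e.g. `## Adds the domain to corenet_unlabeled_type; unlabeled association sendto/recvfrom is enabled separately by corenet_enable_unlabeled_packets.`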
+@@ -2567,11 +3309,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
+ #
+ interface(`corenet_all_recvfrom_netlabel',`
+ gen_require(`
+- type netlabel_peer_t;
++ attribute netlabel_peer_type;
+ ')
+
+- allow $1 netlabel_peer_t:peer recv;
+- allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
++ typeattribute $1 netlabel_peer_type;
++')
++
++########################################
++##
++## Enable unlabeled net packets
++##
++##
++##
++## Allow unlabeled_packet_t to be used by all domains that use the network
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`corenet_enable_unlabeled_packets',`
++ gen_require(`
++ attribute corenet_unlabeled_type;
++ ')
++
++ kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
+ ')
+
+ ########################################
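Review bot: `corenet_enable_unlabeled_packets` documents a `Domain allowed access.` parameter but never uses `$1`; its single rule acts on the whole `corenet_unlabeled_type` attribute, so one call anywhere in the policy enables unlabeled association traffic for every domain that was ever added to that attribute. Either make the interface parameterless and say so in the header (`## Policy-wide: enables unlabeled association send/recv for all domains in corenet_unlabeled_type; not scoped to the caller.`), or, if per-domain enabling is what callers expect, change the body to `kernel_sendrecv_unlabeled_association($1)`. As written, a caller reading the parameter block will assume the grant is limited to its own domain.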
+@@ -2585,6 +3350,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+ ##
+ #
+ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
++ kernel_dontaudit_dccp_recvfrom_unlabeled($1)
+ kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+ kernel_dontaudit_udp_recvfrom_unlabeled($1)
+ kernel_dontaudit_raw_recvfrom_unlabeled($1)
+@@ -2613,7 +3379,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+- dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
++ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
++')
++
++########################################
++##
++## Rules for receiving labeled DCCP packets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Peer domain.
++##
++##
++#
++interface(`corenet_dccp_recvfrom_labeled',`
++ allow { $1 $2 } self:association sendto;
++ allow $1 $2:{ association dccp_socket } recvfrom;
++ allow $2 $1:{ association dccp_socket } recvfrom;
++
++ allow $1 $2:peer recv;
++ allow $2 $1:peer recv;
++
++ # allow receiving packets from MLS-only peers using NetLabel
++ corenet_dccp_recvfrom_netlabel($1)
++ corenet_dccp_recvfrom_netlabel($2)
+ ')
+
+ ########################################
+@@ -2727,6 +3521,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+ ##
+ #
+ interface(`corenet_all_recvfrom_labeled',`
++ corenet_dccp_recvfrom_labeled($1, $2)
+ corenet_tcp_recvfrom_labeled($1, $2)
+ corenet_udp_recvfrom_labeled($1, $2)
+ corenet_raw_recvfrom_labeled($1, $2)
+@@ -3134,3 +3929,70 @@ interface(`corenet_unconfined',`
+
+ typeattribute $1 corenet_unconfined_type;
+ ')
++
++########################################
++##
++## Dontaudit bind tcp sockets to defined ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dontaudit_tcp_bind_all_defined_ports',`
++ gen_require(`
++ attribute defined_port_type;
++ ')
++ dontaudit $1 defined_port_type:tcp_socket name_bind;
++')
++
++########################################
++##
++## Create all network named devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_filetrans_all_named_dev',`
++
++ gen_require(`
++ type tun_tap_device_t;
++ type ppp_device_t;
++ ')
++
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap0")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap1")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap2")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap3")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap4")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap5")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap6")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap7")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap8")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap9")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap10")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap11")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap12")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap13")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap14")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap15")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap16")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap17")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap18")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap19")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap20")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap21")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap22")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap23")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap24")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap25")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap26")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap27")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap28")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap29")
++ dev_filetrans($1, ppp_device_t, chr_file, "ppp")
++')
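Review bot: The header of `corenet_dontaudit_tcp_bind_all_defined_ports` says `Domain allowed access.` although the interface only emits a dontaudit; the other dontaudit interfaces in this file use `## Domain to not audit.`, and the summary reads better as `## Do not audit attempts to bind TCP sockets to all defined ports.` `corenet_filetrans_all_named_dev` stops silently at `tap29`: a `tap30` or higher created by the caller gets no transition to `tun_tap_device_t`, and nothing records that limit. A line in its summary such as `## Covers tap0-tap29 and ppp only; higher-numbered tap devices are not transitioned.` keeps callers from assuming every tap device is covered.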
+diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
+index 8e0f9cd..b9f45b9 100644
+--- a/policy/modules/kernel/corenetwork.if.m4
++++ b/policy/modules/kernel/corenetwork.if.m4
+@@ -631,6 +631,26 @@ interface(`corenet_udp_bind_$1_port',`
+
+ ########################################
+ ##
++## Do not audit attempts to sbind to $1 port.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`corenet_dontaudit_udp_bind_$1_port',`
++ gen_require(`
++ $3 $1_$2;
++ ')
++
++ dontaudit dollarsone $1_$2:udp_socket name_bind;
++ $4
++')
++
++########################################
++##
+ ## Make a TCP connection to the $1 port.
+ ##
+ ##
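Review bot: `corenet_dontaudit_udp_bind_$1_port` expands `$4` after its dontaudit rule; in `corenet_udp_bind_$1_port` (just outside this hunk) that argument appears to carry the extra rule emitted for reserved ports, and if that rule is an allow, a dontaudit interface would end up granting access for every reserved UDP port. Unless `$4` is verified to contain only audit-related rules, drop the `$4` line so the interface matches the new `corenet_dontaudit_tcp_connect_$1_port`, which has none. The summary also has a typo: `## Do not audit attempts to bind to $1 port.`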
+@@ -646,6 +666,23 @@ interface(`corenet_tcp_connect_$1_port',`
+
+ allow dollarsone $1_$2:tcp_socket name_connect;
+ ')
++########################################
++##
++## Do not audit attempts to make a TCP connection to $1 port.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dontaudit_tcp_connect_$1_port',`
++ gen_require(`
++ $3 $1_$2;
++ ')
++
++ dontaudit dollarsone $1_$2:tcp_socket name_connect;
++')
+ '') dnl end create_port_interfaces
+
+ define(`create_packet_interfaces',``
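Review bot: The parameter block of `corenet_dontaudit_tcp_connect_$1_port` says `Domain allowed access.`, but the interface only suppresses audit; the sibling `corenet_dontaudit_udp_bind_$1_port` added in the same file uses `## Domain to not audit.`, which should be used here as well. Style: the `########################################` separator directly follows the closing `')` of `corenet_tcp_connect_$1_port` with no blank line, unlike every other interface in the template.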
+diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
+index b191055..94987a2 100644
+--- a/policy/modules/kernel/corenetwork.te.in
++++ b/policy/modules/kernel/corenetwork.te.in
+@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
+ # Declarations
+ #
+
++attribute netlabel_peer_type;
+ attribute client_packet_type;
+ # This is an optimization for { port_type -port_t }
+ attribute defined_port_type;
+@@ -14,12 +15,14 @@ attribute node_type;
+ attribute packet_type;
+ attribute port_type;
+ attribute reserved_port_type;
++attribute ephemeral_port_type;
+ attribute rpc_port_type;
+ attribute server_packet_type;
+ # This is an optimization for { port_type -reserved_port_type }
+ attribute unreserved_port_type;
+
+ attribute corenet_unconfined_type;
++attribute corenet_unlabeled_type;
+
+ type ppp_device_t;
+ dev_node(ppp_device_t)
+@@ -29,6 +32,7 @@ dev_node(ppp_device_t)
+ #
+ type tun_tap_device_t;
+ dev_node(tun_tap_device_t)
++mls_trusted_object(tun_tap_device_t)
+
+ ########################################
+ #
+@@ -38,6 +42,18 @@ dev_node(tun_tap_device_t)
+ #
+ # client_packet_t is the default type of IPv4 and IPv6 client packets.
+ #
++type intranet_packet_t;
++corenet_packet(intranet_packet_t)
++
++#
++# client_packet_t is the default type of IPv4 and IPv6 client packets.
++#
++type internet_packet_t;
++corenet_packet(internet_packet_t)
++
++#
++# client_packet_t is the default type of IPv4 and IPv6 client packets.
++#
+ type client_packet_t, packet_type, client_packet_type;
+
+ #
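Review bot: The comments above the new `intranet_packet_t` and `internet_packet_t` declarations are copies of the `client_packet_t` comment and describe the wrong type. Both types are only declared through `corenet_packet()` here and are not referenced elsewhere in this diff, so the comment is the one place a reader learns their purpose; it should say what each labels, e.g. `# intranet_packet_t is the type of packets to/from intranet networks` and `# internet_packet_t is the type of packets to/from internet networks`, adjusted to the intended SECMARK usage.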
+@@ -46,6 +62,7 @@ type client_packet_t, packet_type, client_packet_type;
+ #
+ type netlabel_peer_t;
+ sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
++mcs_constrained(netlabel_peer_t)
+
+ #
+ # port_t is the default type of INET port numbers.
+@@ -59,6 +76,12 @@ sid port gen_context(system_u:object_r:port_t,s0)
+ type unreserved_port_t, port_type, unreserved_port_type;
+
+ #
++# ephemeral_port_t is the default type of ephemeral port numbers.
++# cat /proc/sys/net/ipv4/ip_local_port_range
++#
++type ephemeral_port_t, port_type, ephemeral_port_type;
++
++#
+ # reserved_port_t is the type of INET port numbers below 1024.
+ #
+ type reserved_port_t, port_type, reserved_port_type;
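Review bot: The comment on `ephemeral_port_t` points at `/proc/sys/net/ipv4/ip_local_port_range`, but the policy cannot follow that sysctl: the range is fixed by the portcon rules later in this file (32768-61000), so the comment should state the assumption rather than the command, e.g. `# ephemeral_port_t covers 32768-61000, the kernel default ip_local_port_range; the portcon rules below do not track changes to that sysctl`.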
+@@ -83,56 +106,70 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
+ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+ network_port(amavisd_recv, tcp,10024,s0)
+ network_port(amavisd_send, tcp,10025,s0)
+-network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
+-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
++network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0, tcp,15672,s0)
++network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
++network_port(apc, tcp,3052,s0, udp,3052,s0)
+ network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+ network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
+-network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
+ network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
+ network_port(audit, tcp,60,s0)
+ network_port(auth, tcp,113,s0)
++network_port(bacula, tcp,9103,s0, udp,9103,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+ network_port(boinc, tcp,31416,s0)
+ network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
++network_port(brlp, tcp,4101,s0)
+ network_port(biff) # no defined portcon
+ network_port(certmaster, tcp,51235,s0)
++network_port(collectd, udp,25826,s0)
+ network_port(chronyd, udp,323,s0)
+ network_port(clamd, tcp,3310,s0)
+ network_port(clockspeed, udp,4041,s0)
+ network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
+ network_port(cma, tcp,1050,s0, udp,1050,s0)
+ network_port(cobbler, tcp,25151,s0)
+-network_port(commplex_link, tcp,5001,s0, udp,5001,s0)
++network_port(commplex_link, tcp,4331,s0, tcp,5001,s0, udp,5001,s0)
+ network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
+ network_port(comsat, udp,512,s0)
+ network_port(condor, tcp,9618,s0, udp,9618,s0)
+-network_port(couchdb, tcp,5984,s0, udp,5984,s0)
+-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
+-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
++network_port(conman, tcp,7890,s0, udp,7890,s0)
++network_port(connlcli, tcp,1358,s0, udp,1358,s0)
++network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0)
++network_port(ctdb, tcp,4379,s0, udp,4379,s0)
+ network_port(cvs, tcp,2401,s0, udp,2401,s0)
+ network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
+ network_port(daap, tcp,3689,s0, udp,3689,s0)
+ network_port(dbskkd, tcp,1178,s0)
+ network_port(dcc, udp,6276,s0, udp,6277,s0)
+ network_port(dccm, tcp,5679,s0, udp,5679,s0)
++network_port(dey_sapi, tcp,4330,s0)
+ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0)
+ network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
+ network_port(dict, tcp,2628,s0)
+ network_port(distccd, tcp,3632,s0)
+-network_port(dns, tcp,53,s0, udp,53,s0)
++network_port(dogtag, tcp,7390,s0)
++network_port(dns, udp,53,s0, tcp,53,s0)
++network_port(dnssec, tcp,8955,s0)
++network_port(echo, tcp,7,s0, udp,7,s0)
+ network_port(efs, tcp,520,s0)
+ network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0)
+ network_port(epmap, tcp,135,s0, udp,135,s0)
+ network_port(epmd, tcp,4369,s0, udp,4369,s0)
+ network_port(fingerd, tcp,79,s0)
+-network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
++network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0)
++network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
++network_port(freeipmi, tcp,9225,s0, udp,9225,s0)
++network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)
+ network_port(ftp_data, tcp,20,s0)
+ network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
++network_port(gear, tcp,43273,s0, udp,43273,s0)
+ network_port(gdomap, tcp,538,s0, udp,538,s0)
+ network_port(gds_db, tcp,3050,s0, udp,3050,s0)
+ network_port(giftd, tcp,1213,s0)
+ network_port(git, tcp,9418,s0, udp,9418,s0)
++network_port(glance, tcp,9292,s0, udp,9292,s0)
+ network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
++network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0)
+ network_port(gopher, tcp,70,s0, udp,70,s0)
+ network_port(gpsd, tcp,2947,s0)
+ network_port(hadoop_datanode, tcp,50010,s0)
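Review bot: Several port types are renamed or folded into others in this hunk and the two that follow (`armtechdaemon`→`glance`, `cslistener`→`http`, then `jboss_iiop`→`jacorb`, `kismet`→`rtsclient`, `msgsrvr`→`jboss_debug`, `kerberos_master`→`kerberos`, `nfsrdma`→`nfs`, `oracledb`→`oracle`), which deletes every generated `corenet_*_<old>_port` interface and the old `<old>_port_t` type; the only compatibility aliases added are the `neutron`/`quantum` ones at the end of corenetwork.te.in. Any module still calling the old interfaces will fail to build and any local policy referencing the old types will fail to load, so either add `typealias` entries for the dropped names, as done for neutron, or state in the commit message that they are intentionally removed. Moving port 9000 from `cslistener_port_t` into `http_port_t` and 3128 from `http_cache_port_t` into `squid_port_t` also changes what existing `http`/`http_cache` callers may bind and connect to, which deserves a mention.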
+@@ -140,45 +177,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
+ network_port(hddtemp, tcp,7634,s0)
+ network_port(howl, tcp,5335,s0, udp,5353,s0)
+ network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
+-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
++network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
++network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+ network_port(i18n_input, tcp,9010,s0)
+ network_port(imaze, tcp,5323,s0, udp,5323,s0)
+-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
++network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,5666,s0)
+ network_port(innd, tcp,119,s0)
+ network_port(interwise, tcp,7778,s0, udp,7778,s0)
+ network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
+ network_port(ipmi, udp,623,s0, udp,664,s0)
+ network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
+ network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
+-network_port(ircd, tcp,6667,s0)
++network_port(ircd, tcp,6667,s0, tcp,6697,s0)
+ network_port(isakmp, udp,500,s0)
+ network_port(iscsi, tcp,3260,s0)
+ network_port(isns, tcp,3205,s0, udp,3205,s0)
+ network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
+-network_port(jabber_interserver, tcp,5269,s0)
+-network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0)
+-network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
+-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+-network_port(kismet, tcp,2501,s0)
++network_port(jabber_interserver, tcp,5269,s0, tcp,5280,s0)
++network_port(jabber_router, tcp,5347,s0)
++network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
++network_port(jboss_debug, tcp,8787,s0, udp,8787,s0)
++network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0)
++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0)
++network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
++network_port(kerberos_admin, tcp,749,s0)
++network_port(kerberos_password, tcp,464,s0, udp,464,s0)
++network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
++network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0)
++network_port(rabbitmq, tcp,25672,s0)
++network_port(rlogin, tcp,543,s0, tcp,2105,s0)
++network_port(rtsclient, tcp,2501,s0)
+ network_port(kprop, tcp,754,s0)
+ network_port(ktalkd, udp,517,s0, udp,518,s0)
+-network_port(l2tp, tcp,1701,s0, udp,1701,s0)
+-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
++network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0)
+ network_port(lirc, tcp,8765,s0)
+-network_port(lmtp, tcp,24,s0, udp,24,s0)
++network_port(luci, tcp,8084,s0)
++network_port(lmtp, tcp,24,s0, udp,24,s0, tcp,2003,s0)
+ network_port(lrrd) # no defined portcon
++network_port(lsm_plugin, tcp,18700,s0)
++network_port(l2tp, tcp,1701,s0, udp,1701,s0)
+ network_port(mail, tcp,2000,s0, tcp,3905,s0)
+ network_port(matahari, tcp,49000,s0, udp,49000,s0)
+ network_port(memcache, tcp,11211,s0, udp,11211,s0)
+-network_port(milter) # no defined portcon
++network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon
+ network_port(mmcc, tcp,5050,s0, udp,5050,s0)
++network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
+ network_port(monopd, tcp,1234,s0)
+ network_port(mountd, tcp,20048,s0, udp,20048,s0)
+ network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0)
+ network_port(mpd, tcp,6600,s0)
+-network_port(msgsrvr, tcp,8787,s0, udp,8787,s0)
+ network_port(msnp, tcp,1863,s0, udp,1863,s0)
+ network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
+ network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
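Review bot: Style: the new `rabbitmq`, `rlogin` and `rtsclient` entries are inserted between `kubernetes` and `kprop`, breaking the alphabetical order the list otherwise keeps, and `luci` lands before `lmtp`; the same happens with `oracle` before `oa_system` in the next hunk and with `neutron` and `time` among the `r` entries in the one after. Spacing inside the new lines is also inconsistent (`tcp,9000, s0` in `http`, `tcp, 9990, s0` in `jboss_management`, `tcp, 4321, s0 , udp, 4321, s0 )` in the later `whois`); keeping `proto,port,level` with no spaces as the surrounding lines do makes grep-based audits of port assignments reliable.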
+@@ -186,26 +233,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+ network_port(mxi, tcp,8005,s0, udp,8005,s0)
+ network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
+ network_port(mysqlmanagerd, tcp,2273,s0)
++network_port(mythtv, tcp,6543-6544,s0)
+ network_port(nessus, tcp,1241,s0)
+ network_port(netport, tcp,3129,s0, udp,3129,s0)
+ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+-network_port(nfs, tcp,2049,s0, udp,2049,s0)
+-network_port(nfsrdma, tcp,20049,s0, udp,20049,s0)
++network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
+ network_port(nmbd, udp,137,s0, udp,138,s0)
++network_port(nodejs_debug, tcp,5858,s0, udp,5858,s0)
+ network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
+ network_port(ntp, udp,123,s0)
++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
+ network_port(oa_system, tcp,8022,s0, udp,8022,s0)
+-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
+ network_port(ocsp, tcp,9080,s0)
++network_port(openflow, tcp,6633,s0, tcp,6653,s0)
+ network_port(openhpid, tcp,4743,s0, udp,4743,s0)
+ network_port(openvpn, tcp,1194,s0, udp,1194,s0)
++network_port(openvswitch, tcp,6634,s0)
++network_port(osapi_compute, tcp, 8774, s0)
+ network_port(pdps, tcp,1314,s0, udp,1314,s0)
+ network_port(pegasus_http, tcp,5988,s0)
+ network_port(pegasus_https, tcp,5989,s0)
+ network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
+ network_port(pingd, tcp,9125,s0)
++network_port(pki_ca, tcp, 829, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
++network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
++network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
++network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
++network_port(pki_ra, tcp,12888-12889,s0)
++network_port(pki_tps, tcp,7888-7889,s0)
+ network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
+-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
++network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0, tcp,10993,s0)
+ network_port(portmap, udp,111,s0, tcp,111,s0)
+ network_port(postfix_policyd, tcp,10031,s0)
+ network_port(postgresql, tcp,5432,s0)
+@@ -213,68 +270,79 @@ network_port(postgrey, tcp,60000,s0)
+ network_port(pptp, tcp,1723,s0, udp,1723,s0)
+ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+ network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
++network_port(preupgrade, tcp, 8099, s0)
+ network_port(printer, tcp,515,s0)
+ network_port(ptal, tcp,5703,s0)
+-network_port(pulseaudio, tcp,4713,s0)
++network_port(pulseaudio, tcp,4713,s0, udp,4713,s0)
+ network_port(puppet, tcp, 8140, s0)
+ network_port(pxe, udp,4011,s0)
+ network_port(pyzor, udp,24441,s0)
+-network_port(radacct, udp,1646,s0, udp,1813,s0)
+-network_port(radius, udp,1645,s0, udp,1812,s0)
++network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
++network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
++network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0, tcp,18120-18121,s0, udp,18120-18121, s0)
+ network_port(radsec, tcp,2083,s0)
+ network_port(razor, tcp,2703,s0)
++network_port(time, tcp,37,s0, udp,37,s0)
+ network_port(redis, tcp,6379,s0)
+ network_port(repository, tcp, 6363, s0)
+ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
+ network_port(rlogind, tcp,513,s0)
+-network_port(rndc, tcp,953,s0, udp,953,s0)
++network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0)
+ network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
+ network_port(rsh, tcp,514,s0)
+ network_port(rsync, tcp,873,s0, udp,873,s0)
+-network_port(rtsp, tcp,554,s0, udp,554,s0)
++network_port(rtp_media, tcp,5004-5005,s0, udp,5004-5005,s0)
++network_port(rtsp, tcp,554,s0, udp,554,s0, tcp,8554,s0, udp,8554,s0)
+ network_port(rwho, udp,513,s0)
++network_port(salt, tcp,4505,s0, tcp,4506,s0)
+ network_port(sap, tcp,9875,s0, udp,9875,s0)
++network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
+ network_port(servistaitsm, tcp,3636,s0, udp,3636,s0)
++network_port(sge, tcp,6444,s0, tcp,6445,s0)
++network_port(shellinaboxd, tcp,4200,s0)
+ network_port(sieve, tcp,4190,s0)
+ network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
+ network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
+ network_port(smbd, tcp,137-139,s0, tcp,445,s0)
+ network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
+-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)
++network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
+ network_port(socks) # no defined portcon
+ network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
+-network_port(spamd, tcp,783,s0)
++network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0)
+ network_port(speech, tcp,8036,s0)
+-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+-network_port(ssdp, tcp,1900,s0, udp,1900,s0)
++network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
++network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
+ network_port(ssh, tcp,22,s0)
+ network_port(stunnel) # no defined portcon
+ network_port(svn, tcp,3690,s0, udp,3690,s0)
+ network_port(svrloc, tcp,427,s0, udp,427,s0)
+ network_port(swat, tcp,901,s0)
++network_port(swift, tcp,6200-6203,s0)
+ network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
+-network_port(syslogd, udp,514,s0)
++network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
+ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+ network_port(tcs, tcp, 30003, s0)
+ network_port(telnetd, tcp,23,s0)
+ network_port(tftp, udp,69,s0)
+-network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
++network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0, tcp,9150,s0)
+ network_port(traceroute, udp,64000-64010,s0)
++network_port(tram, tcp, 4567, s0)
+ network_port(transproxy, tcp,8081,s0)
+ network_port(trisoap, tcp,10200,s0, udp,10200,s0)
+ network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
+ network_port(ups, tcp,3493,s0)
+ network_port(utcpserver) # no defined portcon
+ network_port(uucpd, tcp,540,s0)
++network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0)
+ network_port(varnishd, tcp,6081-6082,s0)
+ network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
+ network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
+ network_port(virt_migration, tcp,49152-49216,s0)
+-network_port(vnc, tcp,5900,s0)
++network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0)
+ network_port(wccp, udp,2048,s0)
+ network_port(websm, tcp,9090,s0, udp,9090,s0)
+-network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0)
++network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
+ network_port(winshadow, tcp,3161,s0, udp,3261,s0)
+ network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
+ network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
+@@ -288,19 +356,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+ network_port(zookeeper_client, tcp,2181,s0)
+ network_port(zookeeper_election, tcp,3888,s0)
+ network_port(zookeeper_leader, tcp,2888,s0)
+-network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
++network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, tcp,2608-2609,s0, udp,2600-2604,s0, udp,2606,s0, udp,2608-2609,s0)
+ network_port(zented, tcp,1229,s0, udp,1229,s0)
+ network_port(zope, tcp,8021,s0)
+
+ # Defaults for reserved ports. Earlier portcon entries take precedence;
+ # these entries just cover any remaining reserved ports not otherwise declared.
+
+-portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+-portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+ portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
++portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
++portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
++portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+
+ ########################################
+ #
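Review bot: The ephemeral range is encoded twice with different bounds: the portcon rules here label 32768-61000 as `ephemeral_port_t`, while `add_ephemeral_attribute` in the corenetwork.te.m4 hunk only attaches `ephemeral_port_type` to declared ports whose range starts at 50000 or above. A declared port at 40000 therefore sits inside the ephemeral portcon range but is not in `ephemeral_port_type`, so anything allowed on the attribute treats the two halves of the range differently; pick one lower bound and derive both from it, or comment why they differ. The `# Defaults for reserved ports.` comment above should also say that the unreserved/ephemeral split is now defined here.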
+@@ -333,6 +405,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+
+ build_option(`enable_mls',`
+ network_interface(lo, lo, s0 - mls_systemhigh)
++allow netlabel_peer_t lo_netif_t:netif ingress;
++allow netlabel_peer_type lo_netif_t:netif egress;
+ ',`
+ typealias netif_t alias { lo_netif_t netif_lo_t };
+ ')
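Review bot: The two new loopback rules are asymmetric — `netlabel_peer_t` gets `ingress` while the whole `netlabel_peer_type` attribute gets `egress` — and carry no comment, inside an `enable_mls` block where `lo_netif_t` is a distinct type. A line above them such as `# MLS loopback: <why the attribute needs egress but only netlabel_peer_t needs ingress — fill in>` would make the asymmetry reviewable instead of looking like a typo.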
+@@ -345,9 +419,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+ allow corenet_unconfined_type node_type:node *;
+ allow corenet_unconfined_type netif_type:netif *;
+ allow corenet_unconfined_type packet_type:packet *;
++allow corenet_unconfined_type port_type:dccp_socket { send_msg recv_msg name_connect };
+ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+
+ # Bind to any network address.
+-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
+-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
++allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
++allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
++
++#
++# Rules coverning the use of unlabeled types
++#
++kernel_dccp_recvfrom_unlabeled(corenet_unlabeled_type)
++kernel_tcp_recvfrom_unlabeled(corenet_unlabeled_type)
++kernel_udp_recvfrom_unlabeled(corenet_unlabeled_type)
++kernel_raw_recvfrom_unlabeled(corenet_unlabeled_type)
++kernel_recvfrom_unlabeled_peer(corenet_unlabeled_type)
++
++allow netlabel_peer_type netlabel_peer_t:peer recv;
++allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
++allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress };
++allow netlabel_peer_t node_t:node recvfrom;
++
++typealias neutron_port_t alias quantum_port_t;
++typealias neutron_server_packet_t alias quantum_server_packet_t;
++typealias neutron_client_packet_t alias quantum_client_packet_t;
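Review bot: Typo in the new comment: `# Rules coverning the use of unlabeled types` → `# Rules governing the use of unlabeled types`. The block should also state its contract, because every per-protocol `corenet_*_recvfrom_unlabeled` interface that adds a domain to `corenet_unlabeled_type` receives all four protocols from these rules: `# Any domain in corenet_unlabeled_type may receive unlabeled DCCP/TCP/UDP/raw traffic; association sendto/recvfrom is enabled separately by corenet_enable_unlabeled_packets`. The three `typealias neutron_* alias quantum_*` lines deserve a comment too, e.g. `# compatibility aliases for the pre-rename quantum names`.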
+diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
+index 3f6e168..340e49f 100644
+--- a/policy/modules/kernel/corenetwork.te.m4
++++ b/policy/modules/kernel/corenetwork.te.m4
+@@ -86,6 +86,11 @@ define(`add_port_attribute',`dnl
+ ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;')
+ ')
+
++define(`add_ephemeral_attribute',`dnl
++ifelse(eval(range_start($3) >= 50000 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type;
++',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl
++')
++
+ # bindresvport in glibc starts searching for reserved ports at 512
+ define(`add_rpc_attribute',`dnl
+ ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type;
+@@ -101,6 +106,7 @@ type $1_client_packet_t, packet_type, client_packet_type;
+ type $1_server_packet_t, packet_type, server_packet_type;
+ ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl
+ ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl
++ifelse(`$2',`',`',`add_ephemeral_attribute($1_port_t,shift($*))')dnl
+ ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl
+ ')
+
+diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
+index b31c054..1f28afb 100644
+--- a/policy/modules/kernel/devices.fc
++++ b/policy/modules/kernel/devices.fc
+@@ -15,15 +15,18 @@
+ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
++/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
+-/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_device_t,s0)
+ /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
+ /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+-/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
++/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh)
++/dev/ptp.* -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
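Review bot: The `/dev/cachefiles` context is dropped here without a replacement, so such a node will presumably fall back to whatever the generic `/dev` rule assigns, a coarser label than the dedicated `cachefiles_device_t`; this matches the removal of `dev_rw_cachefiles` later in this diff, but callers of that interface in other modules are not visible here and should be confirmed. Separately, the new `/dev/bsr.*`, `/dev/dlm.*` and `/dev/ptp.*` entries break the file's alphabetical order (`bsr` before `beep`, `ptp` before `efirtc`), which makes shadowed or duplicate entries harder to spot.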
+@@ -44,6 +47,8 @@
+ /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
+ /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
+ /dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/infiniband/.* -c gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
++/dev/infiniband/.* -b gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
+ /dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+ /dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+ /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
+@@ -61,7 +66,8 @@
+ /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
+ /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+-/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
++/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
+ /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+@@ -72,6 +78,7 @@
+ /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
++/dev/monwriter -c gen_context(system_u:object_r:monitor_device_t,s0)
+ /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0)
+@@ -80,6 +87,8 @@
+ /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
+ /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/nvme.* -c gen_context(system_u:object_r:nvme_device_t,s0)
++/dev/nvme.* -b gen_context(system_u:object_r:nvme_device_t,s0)
+ /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
+ /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
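Review bot: `/dev/nvme.*` is given a new `nvme_device_t` for both char and block nodes, so NVMe namespaces (the block nodes) will no longer be reachable through the existing fixed-disk interfaces that storage-handling domains rely on, and every such domain needs a separate interface; neither the type declaration nor those interfaces appear in this part of the diff, so I can't confirm they exist. If the intent is to split the controller node (char) from its namespaces (block), the two lines should use distinct patterns rather than the same `.*`.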
+@@ -90,6 +99,7 @@
+ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
+ /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
++/dev/prandom -c gen_context(system_u:object_r:random_device_t,s0)
+ /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
+@@ -106,6 +116,7 @@
+ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
+ /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+ /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
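Review bot: `/dev/spidev.*` is labeled `usb_device_t`, but spidev nodes are SPI bus endpoints, not USB devices, so every domain holding the USB-device interfaces would silently gain raw access to the SPI bus. A dedicated type, or at least a comment stating why the USB type is being reused, would keep that grant deliberate.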
+@@ -118,6 +129,11 @@
+ ifdef(`distro_suse', `
+ /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
+ ')
++/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
++/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
++/dev/sclp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
++/dev/vmcp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
+ /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
+ /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
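Review bot: `/dev/sclp[0-9]*` and `/dev/vmcp[0-9]*` are labeled `vfio_device_t`, yet these are s390 console and z/VM CP interfaces with no relation to VFIO device assignment; sharing the type means a domain granted VFIO passthrough also gets the hypervisor command interface, and vice versa. If no distinct type is wanted, a comment should say the overlap is intentional. The five new lines are also inserted between the `distro_suse` block and `/dev/vhost-net`, outside the file's alphabetical order.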
+@@ -129,12 +145,14 @@ ifdef(`distro_suse', `
+ /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
++/dev/cdc-wdm[0-9] -c gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/winradio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
+ /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+
+ /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+
++/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
+
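Review bot: `/dev/cdc-wdm[0-9]` matches only a single trailing digit, whereas neighbouring entries such as `/dev/ipmi[0-9]+` and `/dev/tpm[0-9]*` accept any count, so a tenth WDM interface would go unlabeled. `/dev/cdc-wdm[0-9]+ -c gen_context(system_u:object_r:modem_device_t,s0)` is the consistent form. The entry is also out of alphabetical order, sitting after `/dev/watchdog.*`.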
+@@ -172,6 +190,8 @@ ifdef(`distro_suse', `
+ /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
+
++/dev/uhid -c gen_context(system_u:object_r:uhid_device_t,s0)
++
+ /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+@@ -198,12 +218,27 @@ ifdef(`distro_debian',`
+ /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+ /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+
+-/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
+-
+ ifdef(`distro_redhat',`
+ # originally from named.fc
+ /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
+ /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
+ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
+ /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
++/var/named/chroot_sdb/dev -d gen_context(system_u:object_r:device_t,s0)
++/var/named/chroot_sdb/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
++/var/named/chroot_sdb/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
++/var/named/chroot_sdb/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
++/
++/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0)
+ ')
++
++#
++# /sys
++#
++/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
++/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
++
++/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
++/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
++/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
++/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
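Review bot: The added line consisting only of `/` inside the `distro_redhat` block is a file-context entry with a path and no context, which is not valid fc syntax and looks like an editing leftover; it should be removed or completed. The `/var/spool/postfix/dev` entry right after it is separate and fine. Moving `/sys(/.*)?` below the `distro_redhat` block into a new `/sys` section is harmless, and the more specific `/sys/devices/system/cpu/online` rule still takes precedence over it.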
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index 76f285e..0e6161d 100644
+--- a/policy/modules/kernel/devices.if
++++ b/policy/modules/kernel/devices.if
+@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
+ type device_t;
+ ')
+
+- relabelfrom_dirs_pattern($1, device_t, device_node)
+- relabelfrom_files_pattern($1, device_t, device_node)
+- relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
+- relabelfrom_fifo_files_pattern($1, device_t, device_node)
+- relabelfrom_sock_files_pattern($1, device_t, device_node)
+- relabel_blk_files_pattern($1, device_t, { device_t device_node })
+- relabel_chr_files_pattern($1, device_t, { device_t device_node })
++ relabel_dirs_pattern($1, device_t, device_node)
++ relabel_files_pattern($1, device_t, device_node)
++ relabel_lnk_files_pattern($1, device_t, device_node)
++ relabel_fifo_files_pattern($1, device_t, device_node)
++ relabel_sock_files_pattern($1, device_t, device_node)
++ relabel_blk_files_pattern($1, device_t, device_node)
++ relabel_chr_files_pattern($1, device_t, device_node)
++')
++
++########################################
++##
++## Allow full relabeling (to and from) of all device files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`dev_relabel_all_dev_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ relabel_files_pattern($1, device_t, device_t)
+ ')
+
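Review bot: `dev_relabel_all_dev_nodes` is widened from `relabelfrom_*` to full `relabel_*` patterns (relabelfrom plus relabelto on every `device_node`), a privilege expansion that the interface's description, which starts before this hunk, should state explicitly. The new `dev_relabel_all_dev_files` is documented as "full relabeling of all device files" but its single line `relabel_files_pattern($1, device_t, device_t)` only covers regular files of type `device_t`, not `device_node`; either the summary should say "generic files in /dev" or the pattern should use `{ device_t device_node }` as the old lnk/blk/chr lines did.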
+ ########################################
+@@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
+
+ ########################################
+ ##
++## Dontaudit attempts to list all device nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_all_access_check',`
++ gen_require(`
++ attribute device_node;
++ ')
++
++ dontaudit $1 device_node:file_class_set audit_access;
++')
++
++########################################
++##
+ ## Add entries to directories in /dev.
+ ##
+ ##
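Review bot: The summary of the new `dev_dontaudit_all_access_check` reads "Dontaudit attempts to list all device nodes.", copied from the interface above it, while the body dontaudits `audit_access` on `file_class_set`. Suggested summary: `## Do not audit access checks (audit_access) on all device nodes.`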
+@@ -352,6 +389,24 @@ interface(`dev_read_generic_files',`
+ read_files_pattern($1, device_t, device_t)
+ ')
+
++#######################################
++##
++## Read generic files in /dev.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_read_generic_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ dontaudit $1 device_t:file { read getattr };
++')
++
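Review bot: `dev_dontaudit_read_generic_files` is summarised as "Read generic files in /dev.", the same text as `dev_read_generic_files` above it, although it is a dontaudit rule; it should read `## Do not audit attempts to read generic files in /dev.` The banner line above it is also one `#` shorter than the others in the file.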
+ ########################################
+ ##
+ ## Read and write generic files in /dev.
+@@ -462,6 +517,42 @@ interface(`dev_getattr_generic_blk_files',`
+
+ ########################################
+ ##
++## Rename generic block device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rename_generic_blk_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ rename_blk_files_pattern($1, device_t, device_t)
++')
++
++########################################
++##
++## write generic sock files in /dev.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_write_generic_sock_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ write_sock_files_pattern($1, device_t, device_t)
++')
++
++########################################
++##
+ ## Dontaudit getattr on generic block devices.
+ ##
+ ##
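Review bot: `dev_write_generic_sock_files` grants `write_sock_files_pattern` but its parameter is documented as "Domain to not audit.", copied from a dontaudit interface; it should be `## Domain allowed access.` and the summary capitalised as `## Write generic sock files in /dev.` The `dev_rename_generic_blk_files` block above it is consistent with the chr-file counterpart added later in this diff.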
+@@ -570,6 +661,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
+
+ ########################################
+ ##
++## Rename generic character device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rename_generic_chr_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ rename_chr_files_pattern($1, device_t, device_t)
++')
++
++########################################
++##
+ ## Dontaudit setattr for generic character device files.
+ ##
+ ##
+@@ -646,7 +755,7 @@ interface(`dev_rw_generic_blk_files',`
+ ##
+ ##
+ ##
+-## Domain to dontaudit access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -733,7 +842,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
+
+ ########################################
+ ##
+-## Read symbolic links in device directories.
++## Create symbolic links in device directories.
+ ##
+ ##
+ ##
+@@ -741,17 +850,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
+ ##
+ ##
+ #
+-interface(`dev_read_generic_symlinks',`
++interface(`dev_create_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+- allow $1 device_t:lnk_file read_lnk_file_perms;
++ create_lnk_files_pattern($1, device_t, device_t)
+ ')
+
+ ########################################
+ ##
+-## Create symbolic links in device directories.
++## Delete symbolic links in device directories.
+ ##
+ ##
+ ##
+@@ -759,17 +868,17 @@ interface(`dev_read_generic_symlinks',`
+ ##
+ ##
+ #
+-interface(`dev_create_generic_symlinks',`
++interface(`dev_delete_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+- create_lnk_files_pattern($1, device_t, device_t)
++ delete_lnk_files_pattern($1, device_t, device_t)
+ ')
+
+ ########################################
+ ##
+-## Delete symbolic links in device directories.
++## Read symbolic links in device directories.
+ ##
+ ##
+ ##
+@@ -777,12 +886,12 @@ interface(`dev_create_generic_symlinks',`
+ ##
+ ##
+ #
+-interface(`dev_delete_generic_symlinks',`
++interface(`dev_read_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+- delete_lnk_files_pattern($1, device_t, device_t)
++ allow $1 device_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -877,6 +986,24 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',`
+
+ ########################################
+ ##
++## Read block device files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_generic_blk_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ read_blk_files_pattern($1, device_t, device_t)
++')
++
++########################################
++##
+ ## Create, delete, read, and write block device files.
+ ##
+ ##
+@@ -983,6 +1110,25 @@ interface(`dev_tmpfs_filetrans_dev',`
+
+ ########################################
+ ##
++## Allow getattr on all device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_all',`
++ gen_require(`
++ attribute device_node;
++ type device_t;
++ ')
++
++ allow $1 { device_t device_node }:dir_file_class_set getattr;
++')
++
++########################################
++##
+ ## Getattr on all block file device nodes.
+ ##
+ ##
+@@ -1003,6 +1149,26 @@ interface(`dev_getattr_all_blk_files',`
+
+ ########################################
+ ##
++## Read on all block file device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`dev_read_all_blk_files',`
++ gen_require(`
++ attribute device_node;
++ type device_t;
++ ')
++
++ read_blk_files_pattern($1, device_t, device_node)
++')
++
++########################################
++##
+ ## Dontaudit getattr on all block file device nodes.
+ ##
+ ##
+@@ -1034,6 +1200,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
+ interface(`dev_getattr_all_chr_files',`
+ gen_require(`
+ attribute device_node;
++ type device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, device_node)
+@@ -1206,6 +1373,42 @@ interface(`dev_create_all_chr_files',`
+
+ ########################################
+ ##
++## rw all inherited character device files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_all_inherited_chr_files',`
++ gen_require(`
++ attribute device_node;
++ ')
++
++ allow $1 device_node:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## rw all inherited blk device files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_all_inherited_blk_files',`
++ gen_require(`
++ attribute device_node;
++ ')
++
++ allow $1 device_node:blk_file rw_inherited_blk_file_perms;
++')
++
++########################################
++##
+ ## Delete all block device files.
+ ##
+ ##
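Review bot: `rw_inherited_chr_file_perms` and `rw_inherited_blk_file_perms` are not standard refpolicy permission sets, and their definitions do not appear anywhere in this diff; unless they are added to the object permission sets support file elsewhere, these two interfaces will fail to build. The same sets are used by `dev_rw_inherited_dri` and `dev_rw_inherited_input_dev` later in this file. Please reference the commit that defines them or include the definitions here.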
+@@ -1560,25 +1763,6 @@ interface(`dev_relabel_autofs_dev',`
+
+ ########################################
+ ##
+-## Read and write cachefiles character
+-## device nodes.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`dev_rw_cachefiles',`
+- gen_require(`
+- type device_t, cachefiles_device_t;
+- ')
+-
+- rw_chr_files_pattern($1, device_t, cachefiles_device_t)
+-')
+-
+-########################################
+-##
+ ## Read and write the PCMCIA card manager device.
+ ##
+ ##
+@@ -1682,6 +1866,26 @@ interface(`dev_filetrans_cardmgr',`
+
+ ########################################
+ ##
++## Automatic type transition to the type
++## for xserver misc device nodes when
++## created in /dev.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_filetrans_xserver_misc',`
++ gen_require(`
++ type device_t, xserver_misc_device_t;
++ ')
++
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )
++')
++
++########################################
++##
+ ## Get the attributes of the CPU
+ ## microcode and id interfaces.
+ ##
+@@ -1791,6 +1995,24 @@ interface(`dev_rw_crypto',`
+ rw_chr_files_pattern($1, device_t, crypt_device_t)
+ ')
+
++########################################
++##
++## Read and write the the ecrypt filesystem device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_ecryptfs',`
++ gen_require(`
++ type device_t, ecryptfs_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, ecryptfs_device_t)
++')
++
+ #######################################
+ ##
+ ## Set the attributes of the dlm control devices.
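Review bot: The summary of `dev_rw_ecryptfs` has a doubled word: `## Read and write the the ecrypt filesystem device.` should be `## Read and write the ecryptfs device.` Since `/dev/ecryptfs` is labeled `mls_systemhigh` in devices.fc in this diff, the description could also mention that MLS-constrained callers need a matching range.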
+@@ -1883,6 +2105,25 @@ interface(`dev_rw_dri',`
+
+ ########################################
+ ##
++## Read and write the dri devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_inherited_dri',`
++ gen_require(`
++ type device_t, dri_device_t;
++ ')
++
++ allow $1 device_t:dir search_dir_perms;
++ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
+ ## Dontaudit read and write on the dri devices.
+ ##
+ ##
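Review bot: `dev_rw_inherited_dri` reuses the summary "Read and write the dri devices." from `dev_rw_dri` directly above it, so the two are indistinguishable in generated docs even though this one deliberately omits open. Suggested: `## Read and write inherited (already open) dri device file descriptors.` The `rw_inherited_chr_file_perms` set it relies on is discussed at its first use earlier in this file.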
+@@ -2017,7 +2258,7 @@ interface(`dev_rw_input_dev',`
+
+ ########################################
+ ##
+-## Get the attributes of the framebuffer device node.
++## Read input event devices (/dev/input).
+ ##
+ ##
+ ##
+@@ -2025,17 +2266,18 @@ interface(`dev_rw_input_dev',`
+ ##
+ ##
+ #
+-interface(`dev_getattr_framebuffer_dev',`
++interface(`dev_rw_inherited_input_dev',`
+ gen_require(`
+- type device_t, framebuf_device_t;
++ type device_t, event_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, framebuf_device_t)
++ allow $1 device_t:dir search_dir_perms;
++ allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of the framebuffer device node.
++## Read ipmi devices.
+ ##
+ ##
+ ##
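Review bot: `dev_rw_inherited_input_dev` is summarised as "Read input event devices (/dev/input)." but grants `rw_inherited_chr_file_perms` on `event_device_t`, i.e. read and write on inherited descriptors. Suggested: `## Read and write inherited input event device file descriptors (/dev/input).` The framebuffer interfaces this hunk displaces are re-added unchanged in the next hunk.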
+@@ -2043,7 +2285,99 @@ interface(`dev_getattr_framebuffer_dev',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_framebuffer_dev',`
++interface(`dev_read_ipmi_dev',`
++ gen_require(`
++ type device_t, ipmi_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, ipmi_device_t)
++')
++
++########################################
++##
++## Read and write ipmi devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_ipmi_dev',`
++ gen_require(`
++ type device_t, ipmi_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, ipmi_device_t)
++')
++
++########################################
++##
++## Read infiniband devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_infiniband_dev',`
++ gen_require(`
++ type device_t, infiniband_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, infiniband_device_t)
++ read_blk_files_pattern($1, device_t, infiniband_device_t)
++')
++
++########################################
++##
++## Read and write ipmi devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_infiniband_dev',`
++ gen_require(`
++ type device_t, infiniband_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, infiniband_device_t)
++ rw_blk_files_pattern($1, device_t, infiniband_device_t)
++')
++
++########################################
++##
++## Get the attributes of the framebuffer device node.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_framebuffer_dev',`
++ gen_require(`
++ type device_t, framebuf_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, framebuf_device_t)
++')
++
++########################################
++##
++## Set the attributes of the framebuffer device node.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_framebuffer_dev',`
+ gen_require(`
+ type device_t, framebuf_device_t;
+ ')
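Review bot: The summary of `dev_rw_infiniband_dev` says "Read and write ipmi devices.", copied from `dev_rw_ipmi_dev` above; it should read `## Read and write infiniband devices.` Both infiniband interfaces cover chr and blk files, matching the two `mls_systemhigh` entries added for `/dev/infiniband/.*` in devices.fc, so callers in MLS builds will also need a matching range.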
+@@ -2402,7 +2736,97 @@ interface(`dev_filetrans_lirc',`
+
+ ########################################
+ ##
+-## Get the attributes of the lvm comtrol device.
++## Get the attributes of the loop comtrol device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_loop_control',`
++ gen_require(`
++ type device_t, loop_control_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++##
++## Read the loop comtrol device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_loop_control',`
++ gen_require(`
++ type device_t, loop_control_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++##
++## Read and write the loop control device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_loop_control',`
++ gen_require(`
++ type device_t, loop_control_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to read and write loop control device.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_rw_loop_control',`
++ gen_require(`
++ type loop_control_device_t;
++ ')
++
++ dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
++')
++
++########################################
++##
++## Delete the loop control device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_delete_loop_control_dev',`
++ gen_require(`
++ type device_t, loop_control_device_t;
++ ')
++
++ delete_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++##
++## Get the attributes of the loop comtrol device.
+ ##
+ ##
+ ##
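Review bot: The last changed line of this hunk replaces the original `lvm comtrol` summary with `## Get the attributes of the loop comtrol device.`, so the pre-existing LVM-control interface that follows the hunk (outside my view) now carries the loop-control description; it should read `## Get the attributes of the lvm control device.` The new loop interfaces also propagate the `comtrol` typo into three summaries, and `dev_dontaudit_rw_loop_control` uses `rw_file_perms` on a `chr_file` where the file's convention is `rw_chr_file_perms`.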
+@@ -2725,7 +3149,7 @@ interface(`dev_write_misc',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -2811,6 +3235,78 @@ interface(`dev_rw_modem',`
+
+ ########################################
+ ##
++## Get the attributes of the monitor devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_monitor_dev',`
++ gen_require(`
++ type device_t, monitor_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++##
++## Set the attributes of the monitor devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_monitor_dev',`
++ gen_require(`
++ type device_t, monitor_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++##
++## Read the monitor devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_monitor_dev',`
++ gen_require(`
++ type device_t, monitor_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++##
++## Read and write to monitor devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_monitor_dev',`
++ gen_require(`
++ type device_t, monitor_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++##
+ ## Get the attributes of the mouse devices.
+ ##
+ ##
+@@ -2903,20 +3399,20 @@ interface(`dev_getattr_mtrr_dev',`
+
+ ########################################
+ ##
+-## Read the memory type range
++## Write the memory type range
+ ## registers (MTRR). (Deprecated)
+ ##
+ ##
+ ##
+-## Read the memory type range
++## Write the memory type range
+ ## registers (MTRR). This interface has
+ ## been deprecated, dev_rw_mtrr() should be
+ ## used instead.
+ ##
+ ##
+ ## The MTRR device ioctls can be used for
+-## reading and writing; thus, read access to the
+-## device cannot be separated from write access.
++## reading and writing; thus, write access to the
++## device cannot be separated from read access.
+ ##
+ ##
+ ##
+@@ -2925,43 +3421,34 @@ interface(`dev_getattr_mtrr_dev',`
+ ##
+ ##
+ #
+-interface(`dev_read_mtrr',`
++interface(`dev_write_mtrr',`
+ refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+ dev_rw_mtrr($1)
+ ')
+
+ ########################################
+ ##
+-## Write the memory type range
+-## registers (MTRR). (Deprecated)
++## Do not audit attempts to write the memory type
++## range registers (MTRR).
+ ##
+-##
+-##
+-## Write the memory type range
+-## registers (MTRR). This interface has
+-## been deprecated, dev_rw_mtrr() should be
+-## used instead.
+-##
+-##
+-## The MTRR device ioctls can be used for
+-## reading and writing; thus, write access to the
+-## device cannot be separated from read access.
+-##
+-##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_write_mtrr',`
+- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+- dev_rw_mtrr($1)
++interface(`dev_dontaudit_write_mtrr',`
++ gen_require(`
++ type mtrr_device_t;
++ ')
++
++ dontaudit $1 mtrr_device_t:file write_file_perms;
++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to write the memory type
++## Do not audit attempts to read the memory type
+ ## range registers (MTRR).
+ ##
+ ##
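Review bot: The deprecated `dev_read_mtrr` wrapper is removed outright (its text is reused for `dev_write_mtrr`), so any module still calling it will fail to build with no `refpolicywarn` hint; the usual practice is to keep the wrapper for a release cycle. The new `dev_dontaudit_write_mtrr` uses `write_file_perms`/`write_chr_file_perms`, while the renamed `dev_dontaudit_read_mtrr` in the next hunk uses a bare `{ open read }`; one style for the pair would be clearer.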
+@@ -2970,13 +3457,13 @@ interface(`dev_write_mtrr',`
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_write_mtrr',`
++interface(`dev_dontaudit_read_mtrr',`
+ gen_require(`
+ type mtrr_device_t;
+ ')
+
+- dontaudit $1 mtrr_device_t:file write;
+- dontaudit $1 mtrr_device_t:chr_file write;
++ dontaudit $1 mtrr_device_t:file { open read };
++ dontaudit $1 mtrr_device_t:chr_file { open read };
+ ')
+
+ ########################################
+@@ -3144,52 +3631,106 @@ interface(`dev_create_null_dev',`
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of the BIOS non-volatile RAM device.
++## Get the status of a null device service.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_getattr_nvram_dev',`
++interface(`dev_service_status_null_dev',`
+ gen_require(`
+- type nvram_device_t;
++ type null_device_t;
+ ')
+
+- dontaudit $1 nvram_device_t:chr_file getattr;
++ allow $1 null_device_t:service status;
+ ')
+
+ ########################################
+ ##
+-## Read and write BIOS non-volatile RAM.
++## Configure null_device as a unit files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
+ #
+-interface(`dev_rw_nvram',`
++interface(`dev_config_null_dev_service',`
+ gen_require(`
+- type nvram_device_t;
++ type null_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, nvram_device_t)
++ allow $1 null_device_t:service manage_service_perms;
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of the printer device nodes.
++## Do not audit attempts to get the attributes
++## of the BIOS non-volatile RAM device.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_getattr_printer_dev',`
++interface(`dev_dontaudit_getattr_nvram_dev',`
++ gen_require(`
++ type nvram_device_t;
++ ')
++
++ dontaudit $1 nvram_device_t:chr_file getattr;
++')
++
++########################################
++##
++## Read BIOS non-volatile RAM.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_nvram',`
++ gen_require(`
++ type nvram_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, nvram_device_t)
++')
++
++########################################
++##
++## Read and write BIOS non-volatile RAM.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_nvram',`
++ gen_require(`
++ type nvram_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, nvram_device_t)
++')
++
++########################################
++##
++## Get the attributes of the printer device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_printer_dev',`
+ gen_require(`
+ type device_t, printer_device_t;
+ ')
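Review bot: `dev_read_nvram` calls `read_chr_files_pattern($1, device_t, nvram_device_t)` but its `gen_require` lists only `nvram_device_t`; `device_t` is needed as well, which is exactly the omission this diff fixes for `dev_getattr_all_chr_files`, and the pre-existing `dev_rw_nvram` shares it. The parameter of `dev_config_null_dev_service` is documented as "Domain allowed to transition." although the rule grants `manage_service_perms`; `## Domain allowed access.` fits. Attaching a `service` object class to `null_device_t` is unusual and deserves a comment on which unit the label is meant to cover.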
+@@ -3254,7 +3795,7 @@ interface(`dev_rw_printer',`
+
+ ########################################
+ ##
+-## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
++## Relabel the printer device node.
+ ##
+ ##
+ ##
+@@ -3262,12 +3803,31 @@ interface(`dev_rw_printer',`
+ ##
+ ##
+ #
+-interface(`dev_read_printk',`
++interface(`dev_relabel_printer',`
+ gen_require(`
+- type device_t, printk_device_t;
++ type printer_device_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, printk_device_t)
++ allow $1 printer_device_t:chr_file relabel_chr_file_perms;
++')
++
++########################################
++##
++## Read and write the printer device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_manage_printer',`
++ gen_require(`
++ type device_t, printer_device_t;
++ ')
++
++ manage_chr_files_pattern($1, device_t, printer_device_t)
++ dev_filetrans_printer_named_dev($1)
+ ')
+
+ ########################################
+@@ -3399,7 +3959,7 @@ interface(`dev_dontaudit_read_rand',`
+
+ ########################################
+ ##
+-## Do not audit attempts to append to random
++## Do not audit attempts to append to the random
+ ## number generator devices (e.g., /dev/random)
+ ##
+ ##
+@@ -3413,7 +3973,7 @@ interface(`dev_dontaudit_append_rand',`
+ type random_device_t;
+ ')
+
+- dontaudit $1 random_device_t:chr_file append_chr_file_perms;
++ dontaudit $1 random_device_t:chr_file { append };
+ ')
+
+ ########################################
+@@ -3855,6 +4415,96 @@ interface(`dev_getattr_sysfs_dirs',`
+
+ ########################################
+ ##
++## Set the attributes of sysfs directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ allow $1 sysfs_t:dir setattr_dir_perms;
++')
++
++########################################
++##
++## Get attributes of sysfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_sysfs_fs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ allow $1 sysfs_t:filesystem getattr;
++')
++
++########################################
++##
++## Mount a filesystem on /sys
++##
++##
++##
++## Domain allow access.
++##
++##
++#
++interface(`dev_mounton_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ allow $1 sysfs_t:dir mounton;
++')
++
++########################################
++##
++## Mount sysfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_mount_sysfs_fs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ allow $1 sysfs_t:filesystem mount;
++')
++
++########################################
++##
++## Unmount sysfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_unmount_sysfs_fs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ allow $1 sysfs_t:filesystem unmount;
++')
++
++########################################
++##
+ ## Search the sysfs directories.
+ ##
+ ##
+@@ -3904,6 +4554,7 @@ interface(`dev_list_sysfs',`
+ type sysfs_t;
+ ')
+
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+@@ -3946,23 +4597,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+
+ ########################################
+ ##
+-## Create, read, write, and delete sysfs
+-## directories.
++## Read cpu online hardware state information.
+ ##
++##
++##
++## Allow the specified domain to read /sys/devices/system/cpu/online file.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_manage_sysfs_dirs',`
++interface(`dev_read_cpu_online',`
++ gen_require(`
++ type cpu_online_t;
++ ')
++
++ dev_search_sysfs($1)
++ read_files_pattern($1, cpu_online_t, cpu_online_t)
++')
++
++########################################
++##
++## Relabel cpu online hardware state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_cpu_online',`
+ gen_require(`
++ type cpu_online_t;
+ type sysfs_t;
+ ')
+
+- manage_dirs_pattern($1, sysfs_t, sysfs_t)
++ dev_search_sysfs($1)
++ allow $1 cpu_online_t:file relabel_file_perms;
+ ')
+
++
+ ########################################
+ ##
+ ## Read hardware state information.
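Review bot: `type sysfs_t;` in the gen_require of dev_relabel_cpu_online is unused — the only rule in the body targets cpu_online_t, and the sysfs search is delegated to `dev_search_sysfs($1)`, which declares its own requirement; the block should require only `type cpu_online_t;`. The same pattern appears later in dev_rw_inherited_vhost, whose require lists device_t although its single rule references only vhost_device_t. Two smaller points: the extra empty line added before the next separator leaves a double blank, and dev_manage_sysfs_dirs is deleted here only to be re-added in the next hunk with a vaguer summary, which makes the move harder to review than a plain reorder would be.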
+@@ -4016,6 +4693,62 @@ interface(`dev_rw_sysfs',`
+
+ ########################################
+ ##
++## Relabel hardware state directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Relabel hardware state files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_all_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ relabel_files_pattern($1, sysfs_t, sysfs_t)
++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Allow caller to modify hardware state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_manage_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ manage_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
+ ## Read and write the TPM device.
+ ##
+ ##
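Review bot: The summary of dev_relabel_all_sysfs says "Relabel hardware state files", but the body grants relabel on directories, files and symbolic links, so the doc understates what a caller receives; `## Relabel all sysfs directories, files, and symbolic links.` would match the three pattern calls. The re-added dev_manage_sysfs_dirs has the same problem in the other direction: "Allow caller to modify hardware state information" is broader than the single `manage_dirs_pattern` rule, and the removed wording "Create, read, write, and delete sysfs directories." was the accurate one. Since dev_relabel_all_sysfs already contains `relabel_dirs_pattern($1, sysfs_t, sysfs_t)`, it may be worth saying in its summary that it supersedes dev_relabel_sysfs_dirs so authors do not call both.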
+@@ -4113,6 +4846,25 @@ interface(`dev_write_urand',`
+
+ ########################################
+ ##
++## Do not audit attempts to write to pseudo
++## random devices (e.g., /dev/urandom)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_write_urand',`
++ gen_require(`
++ type urandom_device_t;
++ ')
++
++ dontaudit $1 urandom_device_t:chr_file write;
++')
++
++########################################
++##
+ ## Getattr generic the USB devices.
+ ##
+ ##
+@@ -4123,7 +4875,7 @@ interface(`dev_write_urand',`
+ #
+ interface(`dev_getattr_generic_usb_dev',`
+ gen_require(`
+- type usb_device_t;
++ type usb_device_t,device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, usb_device_t)
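Review bot: `type usb_device_t,device_t;` drops the space after the comma and reverses the order used everywhere else in this patch (`type device_t, vfio_device_t;`, `type device_t, userio_device_t;`), which is a style nit but makes grep-based audits of gen_require lists less reliable; `type device_t, usb_device_t;` would match the surrounding convention. The fix itself is right — `getattr_chr_files_pattern` references device_t, which the old require omitted.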
+@@ -4409,9 +5161,9 @@ interface(`dev_rw_usbfs',`
+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ ')
+
+-########################################
++######################################
+ ##
+-## Get the attributes of video4linux devices.
++## Read and write userio device.
+ ##
+ ##
+ ##
+@@ -4419,17 +5171,17 @@ interface(`dev_rw_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_getattr_video_dev',`
++interface(`dev_rw_userio_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, userio_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, userio_device_t)
+ ')
+
+-######################################
++########################################
+ ##
+-## Read and write userio device.
++## Get the attributes of video4linux devices.
+ ##
+ ##
+ ##
+@@ -4437,12 +5189,12 @@ interface(`dev_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_userio_dev',`
++interface(`dev_getattr_video_dev',`
+ gen_require(`
+- type device_t, userio_device_t;
++ type device_t, v4l_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, userio_device_t)
++ getattr_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
+ ########################################
+@@ -4539,6 +5291,134 @@ interface(`dev_write_video_dev',`
+
+ ########################################
+ ##
++## Get the attributes of vfio devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of vfio device nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_getattr_vfio_dev',`
++ gen_require(`
++ type vfio_device_t;
++ ')
++
++ dontaudit $1 vfio_device_t:chr_file getattr;
++')
++
++########################################
++##
++## Set the attributes of vfio device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to set the attributes
++## of vfio device nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_setattr_vfio_dev',`
++ gen_require(`
++ type vfio_device_t;
++ ')
++
++ dontaudit $1 vfio_device_t:chr_file setattr;
++')
++
++########################################
++##
++## Read the vfio devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
++## Write the vfio devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_write_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ write_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
++## Read and write the VFIO devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
+ ## Allow read/write the vhost net device
+ ##
+ ##
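Review bot: The summaries of the new vfio interfaces describe only the file-level permission ("Read the vfio devices", "Write the vfio devices", "Read and write the VFIO devices") and do not tell a policy author what the grant means in practice; since /dev/vfio/* is the kernel's userspace device-passthrough interface, opening it for read/write hands a domain direct access to the assigned hardware, which is a much larger privilege than the wording suggests. A line such as `## Read and write vfio device nodes, which give the domain direct (passthrough) access to the assigned hardware; intended for virtualization and driver domains.` on dev_rw_vfio_dev, and similar on the read and write variants, would let reviewers of calling modules judge the grant correctly. Minor: "VFIO" is capitalised in one summary and lowercase in the others.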
+@@ -4557,6 +5437,24 @@ interface(`dev_rw_vhost',`
+
+ ########################################
+ ##
++## Allow read/write inheretid the vhost net device
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_inherited_vhost',`
++ gen_require(`
++ type device_t, vhost_device_t;
++ ')
++
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
+ ## Read and write VMWare devices.
+ ##
+ ##
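Review bot: The summary of dev_rw_inherited_vhost misspells "inherited" as "inheretid"; the line should read `## Allow read/write of an inherited vhost net device`. It would also help to state why the interface exists alongside dev_rw_vhost, i.e. that `rw_inherited_chr_file_perms` deliberately omits open so the domain can use a descriptor passed to it but cannot open the node itself — that distinction is the whole point of the interface and is invisible from the summary.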
+@@ -4762,6 +5660,44 @@ interface(`dev_rw_xserver_misc',`
+
+ ########################################
+ ##
++## Dontaudit attempts to Read and write X server miscellaneous devices.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_leaked_xserver_misc',`
++ gen_require(`
++ type xserver_misc_device_t;
++ ')
++
++ dontaudit $1 xserver_misc_device_t:chr_file { read write };
++')
++
++########################################
++##
++## Read and write X server miscellaneous devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_manage_xserver_misc',`
++ gen_require(`
++ type device_t, xserver_misc_device_t;
++ ')
++
++ manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
++
++ dev_filetrans_xserver_named_dev($1)
++')
++
++########################################
++##
+ ## Read and write to the zero device (/dev/zero).
+ ##
+ ##
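Review bot: The summary of dev_manage_xserver_misc is copied from the read/write interface ("Read and write X server miscellaneous devices."), but the body grants `manage_chr_files_pattern` (create, delete, rename, setattr included) plus a named file transition via `dev_filetrans_xserver_named_dev($1)`, so the doc materially understates the privilege; `## Create, read, write, and delete X server miscellaneous device nodes, with named file transitions in /dev.` would be accurate. dev_filetrans_xserver_named_dev is not defined in any hunk visible here, so its existence in the patched file should be confirmed. Minor: "Dontaudit attempts to Read and write" in the leaked-device interface has a stray capital, and "leaked" in that interface name is not explained by its summary — `## Do not audit read/write on X server miscellaneous devices leaked across a domain transition.` would say why it exists.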
+@@ -4851,3 +5787,966 @@ interface(`dev_unconfined',`
+
+ typeattribute $1 devices_unconfined_type;
+ ')
++
++########################################
++##
++## Dontaudit getattr on all device nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_getattr_all',`
++ gen_require(`
++ attribute device_node;
++ type device_t;
++ ')
++
++ dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
++')
++
++########################################
++##
++## Get the attributes of the mei devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_mei',`
++ gen_require(`
++ type device_t, mei_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, mei_device_t)
++')
++
++########################################
++##
++## Read the mei devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_mei',`
++ gen_require(`
++ type device_t, mei_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, mei_device_t)
++')
++
++########################################
++##
++## Read and write to mei devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_mei',`
++ gen_require(`
++ type device_t, mei_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, mei_device_t)
++')
++
++########################################
++##
++## Read and write uhid devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_uhid_dev',`
++ gen_require(`
++ type device_t, uhid_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, uhid_device_t)
++')
++
++########################################
++##
++## Create all named devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_filetrans_printer_named_dev',`
++
++ gen_require(`
++ type printer_device_t;
++
++ ')
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
++')
++
++########################################
++##
++## Create all named devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_filetrans_all_named_dev',`
++
++gen_require(`
++ type device_t;
++ type usb_device_t;
++ type uhid_device_t;
++ type sound_device_t;
++ type apm_bios_t;
++ type mouse_device_t;
++ type autofs_device_t;
++ type lvm_control_t;
++ type crash_device_t;
++ type dlm_control_device_t;
++ type clock_device_t;
++ type v4l_device_t;
++ type vfio_device_t;
++ type event_device_t;
++ type xen_device_t;
++ type framebuf_device_t;
++ type null_device_t;
++ type random_device_t;
++ type dri_device_t;
++ type ipmi_device_t;
++ type memory_device_t;
++ type kmsg_device_t;
++ type qemu_device_t;
++ type ksm_device_t;
++ type kvm_device_t;
++ type lirc_device_t;
++ type cpu_device_t;
++ type scanner_device_t;
++ type modem_device_t;
++ type monitor_device_t;
++ type vhost_device_t;
++ type netcontrol_device_t;
++ type nvram_device_t;
++ type power_device_t;
++ type wireless_device_t;
++ type tpm_device_t;
++ type userio_device_t;
++ type urandom_device_t;
++ type usbmon_device_t;
++ type vmware_device_t;
++ type watchdog_device_t;
++ type crypt_device_t;
++ type zero_device_t;
++ type smartcard_device_t;
++ type mtrr_device_t;
++ type ecryptfs_device_t;
++')
++
++ dev_filetrans_printer_named_dev($1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9")
++ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9")
++ filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs3")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep")
++ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control")
++ filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201")
++ filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event0")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event1")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event2")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event3")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event4")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event5")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event6")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event21")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9")
++ filetrans_pattern($1, device_t, null_device_t, chr_file, "full")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "000")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "001")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "002")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "003")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "004")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "005")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "006")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "010")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "011")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "012")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "013")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "014")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "015")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "016")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "017")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "018")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "019")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "020")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "021")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "022")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "023")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "024")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "025")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "026")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "027")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "028")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "029")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet")
++ filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random")
++ filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng")
++ filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9")
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem")
++ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg")
++ filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu")
++ filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm")
++ filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
++ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem")
++ filetrans_pattern($1, device_t, monitor_device_t, chr_file, "monwriter")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9")
++ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost")
++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency")
++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9")
++ filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
++ filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9")
++ filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu")
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "port")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9")
++ filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9")
++ filetrans_pattern($1, device_t, random_device_t, chr_file, "random")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1")
++ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9")
++ filetrans_pattern($1, device_t, power_device_t, chr_file, "smu")
++ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9")
++ filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner")
++ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9")
++ filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9")
++ filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt")
++ filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9")
++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9")
++ filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9")
++ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
++ filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")
++ dev_filetrans_xserver_named_dev($1)
++')
++
++########################################
++##
++## Create all named devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_filetrans_xserver_named_dev',`
++
++ gen_require(`
++ type xserver_misc_device_t;
++ ')
++
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
++')
+diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
+index 0b1a871..f260e6f 100644
+--- a/policy/modules/kernel/devices.te
++++ b/policy/modules/kernel/devices.te
+@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
+ #
+ type device_t;
+ fs_associate_tmpfs(device_t)
+-files_type(device_t)
++files_base_file(device_t)
+ files_mountpoint(device_t)
+ files_associate_tmp(device_t)
+ fs_type(device_t)
+ fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
++dev_node(device_t)
+
+ #
+ # Type for /dev/agpgart
+@@ -43,9 +44,6 @@ type cardmgr_dev_t;
+ dev_node(cardmgr_dev_t)
+ files_tmp_file(cardmgr_dev_t)
+
+-type cachefiles_device_t;
+-dev_node(cachefiles_device_t)
+-
+ #
+ # clock_device_t is the type of
+ # /dev/rtc.
+@@ -65,6 +63,9 @@ dev_node(cpu_device_t)
+ type crash_device_t;
+ dev_node(crash_device_t)
+
++type ecryptfs_device_t;
++dev_node(ecryptfs_device_t)
++
+ # for the IBM zSeries z90crypt hardware ssl accelorator
+ type crypt_device_t;
+ dev_node(crypt_device_t)
+@@ -94,6 +95,12 @@ type ipmi_device_t;
+ dev_node(ipmi_device_t)
+
+ #
++# Type for /dev/infiniband
++#
++type infiniband_device_t;
++dev_node(infiniband_device_t)
++
++#
+ # Type for /dev/kmsg
+ #
+ type kmsg_device_t;
+@@ -111,6 +118,7 @@ dev_node(ksm_device_t)
+ #
+ type kvm_device_t;
+ dev_node(kvm_device_t)
++mls_trusted_object(kvm_device_t)
+
+ #
+ # Type for /dev/lirc
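Review bot: `mls_trusted_object(kvm_device_t)` is added without a comment saying why this node must bypass MLS level constraints, and the same applies to `mls_trusted_object(vhost_device_t)` in the vhost_device_t hunk further down this file. Marking a device node MLS-trusted exempts it from the read/write level checks that apply to every other device node, so the reason should be recorded next to the rule, e.g. `# mlstrustedobject: <reason this node must be reachable across MLS levels>`. Without that, a later reviewer cannot tell whether the exemption is still needed or was a workaround for one virtualisation setup.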
+@@ -118,6 +126,9 @@ dev_node(kvm_device_t)
+ type lirc_device_t;
+ dev_node(lirc_device_t)
+
++#
++# Type for /dev/mapper/control
++#
+ type loop_control_device_t;
+ dev_node(loop_control_device_t)
+
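Review bot: The header added above `loop_control_device_t` reads `# Type for /dev/mapper/control`, which does not match the type's name; if the type labels `/dev/loop-control` the comment is wrong, and if it really labels the device-mapper control node the type name is misleading, so check the devices.fc entry and align one with the other. The nvme_device_t hunk below has the same kind of problem: `# Type for controller device nodes` does not say which controller, and `# Type for NVMe controller nodes (/dev/nvme*)` would. `vfio_device_t` in the uhid_device_t hunk has no header comment at all, unlike its neighbour.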
+@@ -150,6 +161,12 @@ type modem_device_t;
+ dev_node(modem_device_t)
+
+ #
++# A general type for monitor devices.
++#
++type monitor_device_t;
++dev_node(monitor_device_t)
++
++#
+ # A more general type for mouse devices.
+ #
+ type mouse_device_t;
+@@ -183,6 +200,12 @@ type nvram_device_t;
+ dev_node(nvram_device_t)
+
+ #
++# Type for controller device nodes
++#
++type nvme_device_t;
++dev_node(nvme_device_t)
++
++#
+ # Type for /dev/pmu
+ #
+ type power_device_t;
+@@ -227,6 +250,10 @@ files_mountpoint(sysfs_t)
+ fs_type(sysfs_t)
+ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+
++type cpu_online_t;
++files_type(cpu_online_t)
++dev_associate_sysfs(cpu_online_t)
++
+ #
+ # Type for /dev/tpm
+ #
+@@ -266,6 +293,15 @@ dev_node(usbmon_device_t)
+ type userio_device_t;
+ dev_node(userio_device_t)
+
++#
++# uhid_device_t is the type for /dev/uhid
++#
++type uhid_device_t;
++dev_node(uhid_device_t)
++
++type vfio_device_t;
++dev_node(vfio_device_t)
++
+ type v4l_device_t;
+ dev_node(v4l_device_t)
+
+@@ -274,6 +310,7 @@ dev_node(v4l_device_t)
+ #
+ type vhost_device_t;
+ dev_node(vhost_device_t)
++mls_trusted_object(vhost_device_t)
+
+ # Type for vmware devices.
+ type vmware_device_t;
+@@ -319,5 +356,6 @@ files_associate_tmp(device_node)
+ #
+
+ allow devices_unconfined_type self:capability sys_rawio;
+-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
+-allow devices_unconfined_type mtrr_device_t:file *;
++allow devices_unconfined_type device_node:{ blk_file lnk_file } *;
++allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
++allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
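Review bot: The new rule `allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };` widens the old blk_file/chr_file grant to the plain `file` class on every device_node type, and the line above adds `lnk_file *`; neither widening is explained in the hunk. Excluding execmod and entrypoint is a sensible tightening, but a reader cannot tell whether `file` was added for a particular device type that is a regular file or only for symmetry with the mtrr_device_t line. A one-line comment above the rule, `# <which device_node types are regular files>: hence file alongside chr_file`, would make the intent reviewable.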
+diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
+index 6a1e4d1..7ac2831 100644
+--- a/policy/modules/kernel/domain.if
++++ b/policy/modules/kernel/domain.if
+@@ -76,33 +76,8 @@ interface(`domain_type',`
+ # start with basic domain
+ domain_base_type($1)
+
+- ifdef(`distro_redhat',`
+- optional_policy(`
+- unconfined_use_fds($1)
+- ')
+- ')
+-
+- # send init a sigchld and signull
+- optional_policy(`
+- init_sigchld($1)
+- init_signull($1)
+- ')
+-
+- # these seem questionable:
+-
+- optional_policy(`
+- rpm_use_fds($1)
+- rpm_read_pipes($1)
+- ')
+-
+- optional_policy(`
+- selinux_dontaudit_getattr_fs($1)
+- selinux_dontaudit_read_fs($1)
+- ')
+-
+- optional_policy(`
+- seutil_dontaudit_read_config($1)
+- ')
++ # Only way to get corenet_unlabeled packets disabled to work
++ corenet_all_recvfrom_unlabeled($1)
+ ')
+
+ ########################################
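Review bot: `corenet_all_recvfrom_unlabeled($1)` is now granted to every domain through domain_type(), and the comment `# Only way to get corenet_unlabeled packets disabled to work` does not explain the mechanism it relies on. Receiving unlabeled packets was previously a per-domain opt-in; putting it in the base domain template means no confined domain can be denied unlabeled traffic except through whatever global switch this comment alludes to, so the comment should name that switch and its default, e.g. `# Every domain may receive unlabeled packets; centralised here so <tunable name> can disable it for all domains at once`. The optional_policy blocks removed here (init_sigchld, rpm_use_fds, seutil_dontaudit_read_config and the rest) reappear in domain.te later in this patch, which is worth stating in the commit message so the removal is not read as dropping them.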
+@@ -128,7 +103,7 @@ interface(`domain_entry_file',`
+ ')
+
+ allow $1 $2:file entrypoint;
+- allow $1 $2:file { mmap_file_perms ioctl lock };
++ allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };
+
+ typeattribute $2 entry_type;
+
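Review bot: Adding `execute_no_trans` to the permissions every domain gets on its own entry-point file type lets any domain re-execute its entrypoint without a domain transition, which relaxes the upstream contract of domain_entry_file and is not explained here. If the motivation is a specific program that re-execs itself, a comment naming the case, `# execute_no_trans: domains may re-exec their own entrypoint in place`, would tell a future reader whether this was intended policy-wide or a workaround for one module. The body of domain_entry_file continues outside the hunk.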
+@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',`
+
+ ########################################
+ ##
++## Do not audit attempts to send
++## signulls to all domains.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`domain_dontaudit_signull_all_domains',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:process signull;
++')
++
++########################################
++##
+ ## Send a stop signal to all domains.
+ ##
+ ##
+@@ -571,6 +566,25 @@ interface(`domain_kill_all_domains',`
+
+ ########################################
+ ##
++## Destroy all domains semaphores
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`domain_destroy_all_semaphores',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:sem destroy;
++')
++
++########################################
++##
+ ## Search the process state directory (/proc/pid) of all domains.
+ ##
+ ##
+@@ -631,7 +645,7 @@ interface(`domain_read_all_domains_state',`
+
+ ########################################
+ ##
+-## Get the attributes of all domains of all domains.
++## Get the attributes of all domains.
+ ##
+ ##
+ ##
+@@ -655,7 +669,7 @@ interface(`domain_getattr_all_domains',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -1356,6 +1370,24 @@ interface(`domain_manage_all_entry_files',`
+
+ ########################################
+ ##
++## Relabel from domain types on files if a user managed to mislable
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_relabelfrom',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:dir_file_class_set relabelfrom_file_perms;
++')
++
++########################################
++##
+ ## Relabel to and from all entry point
+ ## file types.
+ ##
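Review bot: `domain_relabelfrom` breaks the `_all_domains` naming used by its neighbours (`domain_signull_all_domains`, `domain_kill_all_domains`), and its description has a typo, `mislable` should be `mislabel`. Since the interface grants relabelfrom on `dir_file_class_set` for every domain type, a name such as `domain_relabelfrom_all_domains` would make the scope visible at the call site; renaming means updating callers, so at minimum fix the description and state the all-domains scope in it.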
+@@ -1421,7 +1453,7 @@ interface(`domain_entry_file_spec_domtrans',`
+ ##
+ ## Ability to mmap a low area of the address
+ ## space conditionally, as configured by
+-## /proc/sys/kernel/mmap_min_addr.
++## /proc/sys/vm/mmap_min_addr.
+ ## Preventing such mappings helps protect against
+ ## exploiting null deref bugs in the kernel.
+ ##
+@@ -1448,7 +1480,7 @@ interface(`domain_mmap_low',`
+ ##
+ ## Ability to mmap a low area of the address
+ ## space unconditionally, as configured
+-## by /proc/sys/kernel/mmap_min_addr.
++## by /proc/sys/vm/mmap_min_addr.
+ ## Preventing such mappings helps protect against
+ ## exploiting null deref bugs in the kernel.
+ ##
+@@ -1508,6 +1540,24 @@ interface(`domain_unconfined_signal',`
+
+ ########################################
+ ##
++## Named Filetrans Domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_named_filetrans',`
++ gen_require(`
++ attribute named_filetrans_domain;
++ ')
++
++ typeattribute $1 named_filetrans_domain;
++')
++
++########################################
++##
+ ## Unconfined access to domains.
+ ##
+ ##
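Review bot: The description `Named Filetrans Domain.` says nothing about what the interface does. It adds the caller to the `named_filetrans_domain` attribute, and domain.te in this patch attaches the `*_filetrans_named_content` rules to that attribute, so suggest `## Make the domain a named_filetrans_domain, which receives the name-based file transition rules collected in domain.te.`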
+@@ -1530,4 +1580,63 @@ interface(`domain_unconfined',`
+ typeattribute $1 can_change_object_identity;
+ typeattribute $1 set_curr_context;
+ typeattribute $1 process_uncond_exempt;
++
++ mcs_process_set_categories($1)
++
++ userdom_filetrans_home_content($1)
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked sockets.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`domain_dontaudit_leaks',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:socket_class_set { read write };
++')
++
++########################################
++##
++## Allow caller to transition to any domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_transition_all',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:process transition;
++')
++
++########################################
++##
++## Do not audit attempts to access check /proc
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`domain_dontaudit_access_check',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:dir_file_class_set audit_access;
+ ')
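Review bot: `domain_transition_all` grants `process transition` to every domain type, and its description `Allow caller to transition to any domain` should spell out that this is an unconfined-level permission that is only further limited by the entrypoint and type_transition rules on the target. The additions to `domain_unconfined` (`mcs_process_set_categories`, `userdom_filetrans_home_content`) make a kernel-layer interface call the userdomain module directly with no optional_policy wrapper; if userdomain is not guaranteed to be in base, wrap the call. `domain_dontaudit_leaks` silences read/write denials on all socket classes for every domain, which can hide real descriptor leaks; its description should say it is intended for inherited descriptors only.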
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index cf04cb5..7fad46c 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
+ #
+ # Declarations
+ #
++##
++##
++## Allow all domains to use other domains file descriptors
++##
++##
++#
++gen_tunable(domain_fd_use, true)
++
++##
++##
++## Allow all domains to execute in fips_mode
++##
++##
++#
++gen_tunable(fips_mode, true)
++
++##
++##
++## Allow all domains to have the kernel load modules
++##
++##
++#
++gen_tunable(domain_kernel_load_modules, false)
+
+ ##
+ ##
+ ## Control the ability to mmap a low area of the address space,
+-## as configured by /proc/sys/kernel/mmap_min_addr.
++## as configured by /proc/sys/vm/mmap_min_addr.
+ ##
+ ##
+ gen_tunable(mmap_low_allowed, false)
+
+ # Mark process types as domains
+ attribute domain;
++attribute named_filetrans_domain;
+
+ # Transitions only allowed from domains to other domains
+ neverallow domain ~domain:process { transition dyntransition };
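Review bot: `gen_tunable(fips_mode, true)` is described as `Allow all domains to execute in fips_mode`, but what the tunable switches on later in this patch is `manage_fifo_file_perms` on self, `kernel_read_kernel_sysctls` and `prelink_exec` for every domain, so the description should list those grants. `domain_fd_use` also defaults to true, which means every domain may use every other domain's file descriptors unless an administrator turns it off; the description `Allow all domains to use other domains file descriptors` should say that this is the default and what disabling it affects. Tunables that widen every domain and default to true deserve a sentence of rationale in the commit message as well.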
+@@ -86,23 +110,51 @@ neverallow ~{ domain unlabeled_t } *:process *;
+ allow domain self:dir list_dir_perms;
+ allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
+ allow domain self:file rw_file_perms;
++allow domain self:fifo_file rw_fifo_file_perms;
++allow domain self:sem create_sem_perms;
++allow domain self:shm create_shm_perms;
++
+ kernel_read_proc_symlinks(domain)
++kernel_read_crypto_sysctls(domain)
++kernel_read_vm_overcommit_sysctls(domain)
++
+ # Every domain gets the key ring, so we should default
+ # to no one allowed to look at it; afs kernel support creates
+ # a keyring
+ kernel_dontaudit_search_key(domain)
+ kernel_dontaudit_link_key(domain)
++kernel_dontaudit_search_debugfs(domain)
+
+ # create child processes in the domain
+-allow domain self:process { fork sigchld };
++allow domain self:process { getcap fork getsched signal_perms };
+
+ # Use trusted objects in /dev
++dev_read_cpu_online(domain)
+ dev_rw_null(domain)
+ dev_rw_zero(domain)
+ term_use_controlling_term(domain)
+
+ # list the root directory
+ files_list_root(domain)
++# allow all domains to search through base_file_type directory, since users
++# sometimes place labels within these directories. (samba_share_t) for example.
++files_search_base_file_types(domain)
++
++files_read_inherited_tmp_files(domain)
++files_append_inherited_tmp_files(domain)
++files_read_all_base_ro_files(domain)
++files_dontaduit_getattr_kernel_symbol_table(domain)
++
++# All executables should be able to search the directory they are in
++corecmd_search_bin(domain)
++
++optional_policy(`
++ userdom_search_admin_dir(domain)
++')
++
++tunable_policy(`domain_kernel_load_modules',`
++ kernel_request_load_module(domain)
++')
+
+ ifdef(`hide_broken_symptoms',`
+ # This check is in the general socket
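Review bot: `files_dontaduit_getattr_kernel_symbol_table(domain)` misspells `dontaudit` in the interface name; if files.if declares the correctly spelled name the macro will not expand and the build fails, and if files.if carries the same typo both should be renamed together. The process self rule also changes from `{ fork sigchld }` to `{ getcap fork getsched signal_perms }`, which lets every domain send any signal to itself; a short why-comment above it, `# domains inspect and signal themselves`, would stop this being re-tightened by accident.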
+@@ -121,8 +173,19 @@ tunable_policy(`global_ssp',`
+ ')
+
+ optional_policy(`
++ afs_rw_cache(domain)
++')
++
++optional_policy(`
+ libs_use_ld_so(domain)
+ libs_use_shared_libs(domain)
++ libs_read_lib_files(domain)
++')
++
++optional_policy(`
++ miscfiles_read_localization(domain)
++ miscfiles_read_man_pages(domain)
++ miscfiles_read_fonts(domain)
+ ')
+
+ optional_policy(`
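Review bot: `afs_rw_cache(domain)` gives every domain read/write access to the AFS cache, which is much broader than the other optional_policy blocks in this hunk (libs and miscfiles are read-only). If only a few domains need it the call belongs in their modules; if it is deliberate for all domains, a comment above the call stating why should accompany it.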
+@@ -133,6 +196,9 @@ optional_policy(`
+ optional_policy(`
+ xserver_dontaudit_use_xdm_fds(domain)
+ xserver_dontaudit_rw_xdm_pipes(domain)
++ xserver_dontaudit_append_xdm_home_files(domain)
++ xserver_dontaudit_write_log(domain)
++ xserver_dontaudit_xdm_rw_stream_sockets(domain)
+ ')
+
+ ########################################
+@@ -147,12 +213,18 @@ optional_policy(`
+ # Use/sendto/connectto sockets created by any domain.
+ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+
++allow unconfined_domain_type domain:system all_system_perms;
+ # Use descriptors and pipes created by any domain.
+ allow unconfined_domain_type domain:fd use;
+ allow unconfined_domain_type domain:fifo_file rw_file_perms;
+
++allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
++
+ # Act upon any other process.
+-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
++allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
++tunable_policy(`deny_ptrace',`',`
++ allow unconfined_domain_type domain:process ptrace;
++')
+
+ # Create/access any System V IPC objects.
+ allow unconfined_domain_type domain:{ sem msgq shm } *;
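Review bot: `tunable_policy(`deny_ptrace', ...)` references a `deny_ptrace` tunable that is not declared in any hunk of this patch, so the build depends on it being defined elsewhere; a comment noting where it lives would help the next reader. The new `allow unconfined_domain_type domain:system all_system_perms;` line has no comment, unlike the rules around it; suggest `# Act upon the system class (syslog, module_request, ...) of any domain`.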
+@@ -166,5 +238,356 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+ # act on all domains keys
+ allow unconfined_domain_type domain:key *;
+
++corenet_filetrans_all_named_dev(named_filetrans_domain)
++
++dev_filetrans_all_named_dev(named_filetrans_domain)
++
+ # receive from all domains over labeled networking
+ domain_all_recvfrom_all_domains(unconfined_domain_type)
++
++files_filetrans_named_content(named_filetrans_domain)
++files_filetrans_system_conf_named_files(named_filetrans_domain)
++files_config_all_files(unconfined_domain_type)
++dev_config_null_dev_service(unconfined_domain_type)
++
++optional_policy(`
++ kdump_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ locallogin_filetrans_home_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ mandb_filetrans_named_home_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ seutil_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ wine_filetrans_named_content(named_filetrans_domain)
++')
++
++storage_filetrans_all_named_dev(named_filetrans_domain)
++
++term_filetrans_all_named_dev(named_filetrans_domain)
++
++optional_policy(`
++ init_disable_services(unconfined_domain_type)
++ init_enable_services(unconfined_domain_type)
++ init_reload_services(unconfined_domain_type)
++ init_status(unconfined_domain_type)
++ init_reboot(unconfined_domain_type)
++ init_halt(unconfined_domain_type)
++ init_undefined(unconfined_domain_type)
++ init_filetrans_named_content(named_filetrans_domain)
++')
++
++# Allow manage transient unit files
++optional_policy(`
++ init_start_transient_unit(unconfined_domain_type)
++ init_stop_transient_unit(unconfined_domain_type)
++ init_status_transient_unit(unconfined_domain_type)
++ init_reload_transient_unit(unconfined_domain_type)
++')
++
++optional_policy(`
++ auth_filetrans_named_content(named_filetrans_domain)
++ auth_filetrans_admin_home_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ libs_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ logging_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ miscfiles_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ abrt_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ alsa_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ apache_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ apcupsd_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ bootloader_filetrans_config(named_filetrans_domain)
++')
++
++optional_policy(`
++ clock_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ cups_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ cvs_filetrans_home_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ dbus_filetrans_named_content_system(named_filetrans_domain)
++')
++
++optional_policy(`
++ devicekit_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ docker_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ dnsmasq_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ gnome_filetrans_admin_home_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ iscsi_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ kerberos_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ mta_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ mplayer_filetrans_home_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ modules_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ mysql_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ networkmanager_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ ntp_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ nx_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ plymouthd_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ postgresql_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ postfix_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ prelink_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ pulseaudio_filetrans_admin_home_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ quota_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ rpcbind_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ rsync_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ sysnet_filetrans_named_content(named_filetrans_domain)
++ sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)
++')
++
++optional_policy(`
++ systemd_login_status(unconfined_domain_type)
++ systemd_login_reboot(unconfined_domain_type)
++ systemd_login_halt(unconfined_domain_type)
++ systemd_login_undefined(unconfined_domain_type)
++ systemd_filetrans_named_content(named_filetrans_domain)
++ systemd_filetrans_named_hostname(named_filetrans_domain)
++ systemd_filetrans_home_content(named_filetrans_domain)
++ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
++')
++
++optional_policy(`
++ tftp_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
++ userdom_user_home_dir_filetrans_user_home_content(named_filetrans_domain, { dir file lnk_file fifo_file sock_file })
++')
++
++optional_policy(`
++ ssh_filetrans_admin_home_content(named_filetrans_domain)
++ ssh_filetrans_keys(unconfined_domain_type)
++')
++
++optional_policy(`
++ userdom_filetrans_named_user_tmp_files(named_filetrans_domain)
++')
++
++optional_policy(`
++ virt_filetrans_named_content(named_filetrans_domain)
++')
++
++selinux_getattr_fs(domain)
++selinux_search_fs(domain)
++selinux_dontaudit_read_fs(domain)
++
++optional_policy(`
++ seutil_dontaudit_read_config(domain)
++')
++
++optional_policy(`
++ init_sigchld(domain)
++ init_signull(domain)
++ init_read_machineid(domain)
++')
++
++ifdef(`distro_redhat',`
++ files_search_mnt(domain)
++')
++
++# these seem questionable:
++
++optional_policy(`
++ abrt_domtrans_helper(domain)
++ abrt_read_pid_files(domain)
++ abrt_read_state(domain)
++ abrt_signull(domain)
++ abrt_append_cache(domain)
++ abrt_rw_fifo_file(domain)
++')
++
++optional_policy(`
++ sosreport_append_tmp_files(domain)
++')
++
++tunable_policy(`domain_fd_use',`
++ # Allow all domains to use fds past to them
++ allow domain domain:fd use;
++')
++
++optional_policy(`
++ cron_dontaudit_write_system_job_tmp_files(domain)
++ cron_rw_pipes(domain)
++ cron_rw_system_job_pipes(domain)
++')
++
++optional_policy(`
++ devicekit_dbus_chat_power(domain)
++')
++
++ifdef(`hide_broken_symptoms',`
++ dontaudit domain self:udp_socket listen;
++ allow domain domain:key { link search };
++ dontaudit domain domain:socket_class_set { read write };
++ dontaudit domain self:capability sys_module;
++')
++
++optional_policy(`
++ ipsec_match_default_spd(domain)
++')
++
++optional_policy(`
++ ifdef(`hide_broken_symptoms',`
++ afs_rw_udp_sockets(domain)
++ ')
++')
++
++optional_policy(`
++ rolekit_dbus_chat(domain)
++')
++
++optional_policy(`
++ ssh_rw_pipes(domain)
++')
++
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(domain)
++ unconfined_sigchld(domain)
++')
++
++# broken kernel
++dontaudit can_change_object_identity can_change_object_identity:key link;
++
++ifdef(`distro_redhat',`
++ optional_policy(`
++ unconfined_use_fds(domain)
++ ')
++')
++
++# these seem questionable:
++
++optional_policy(`
++ puppet_rw_tmp(domain)
++')
++
++dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
++
++optional_policy(`
++ rkhunter_append_lib_files(domain)
++')
++
++optional_policy(`
++ rpm_rw_script_inherited_pipes(domain)
++ rpm_use_fds(domain)
++ rpm_read_pipes(domain)
++ rpm_search_log(domain)
++ rpm_append_tmp_files(domain)
++ rpm_dontaudit_leaks(domain)
++ rpm_read_script_tmp_files(domain)
++ rpm_inherited_fifo(domain)
++')
++
++tunable_policy(`fips_mode',`
++ allow domain self:fifo_file manage_fifo_file_perms;
++ kernel_read_kernel_sysctls(domain)
++')
++
++optional_policy(`
++ tunable_policy(`fips_mode',`
++ prelink_exec(domain)
++ ')
++')
++
++optional_policy(`
++ unconfined_server_stream_connect(domain)
++')
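Review bot: `allow domain domain:key { link search };` inside the `ifdef(`hide_broken_symptoms')` block is a real grant, whereas that block otherwise contains only dontaudit rules; a permission that exists only when a noise-hiding build flag is set is easy to miss, so move it out with its own comment or make it `dontaudit` if silence is all that is wanted. The rule `allow domain domain:fd use;` under `domain_fd_use` (default true) means descriptor isolation between domains is off by default, and its comment `# Allow all domains to use fds past to them` should read `passed`. The header `# these seem questionable:` now appears twice (before the abrt block and before the puppet block), and the `distro_redhat` `unconfined_use_fds(domain)` block is redundant while `domain_fd_use` is enabled; consolidating these would make the file easier to audit.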
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index b876c48..6bfb954 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
+ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ ')
+
+ ifdef(`distro_suse',`
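Review bot: `/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)` labels every regular file directly under `/` as etc_runtime_t on a relabel, not just the named files above it. etc_runtime_t is typically writable by more domains than etc_t, so a stray file dropped in the root directory would inherit a writable label instead of the default; if the goal is a handful of known files like `/fsckoptions`, `/halt` and `/poweroff`, list them, and if the catch-all is intended, add a comment saying which files it is for.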
+@@ -27,7 +28,7 @@ ifdef(`distro_suse',`
+ #
+ # /boot
+ #
+-/boot -d gen_context(system_u:object_r:boot_t,s0)
++/boot gen_context(system_u:object_r:boot_t,s0)
+ /boot/.* gen_context(system_u:object_r:boot_t,s0)
+ /boot/\.journal <>
+ /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
+@@ -38,27 +39,36 @@ ifdef(`distro_suse',`
+ #
+ # /emul
+ #
+-/emul -d gen_context(system_u:object_r:usr_t,s0)
++/emul gen_context(system_u:object_r:usr_t,s0)
+ /emul/.* gen_context(system_u:object_r:usr_t,s0)
+
+ #
+ # /etc
+ #
+-/etc -d gen_context(system_u:object_r:etc_t,s0)
++/etc gen_context(system_u:object_r:etc_t,s0)
+ /etc/.* gen_context(system_u:object_r:etc_t,s0)
+ /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
+-/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0)
++
++/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
++/etc/ostree/remotes.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
++
++/ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
++/ostree/deploy/rhel-atomic-host/deploy(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
+
+ /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
+
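Review bot: `/etc/ostree/remotes.d(/.*)?` leaves the `.` in `remotes.d` unescaped, so it matches any character rather than a literal dot, while the rest of this section escapes (`/etc/sysctl\.conf`). The `/ostree/repo(/.*)?` and `/ostree/deploy/...` entries sit under the `# /etc` header although they are not under /etc, and a later hunk in this file adds `/ostree(/.*)?` as usr_t; the two specs rely on longest-match ordering, which works but deserves a comment next to `/ostree/repo`. `/etc/mtab.*` also collapses four precise specs into one that matches any name starting with `mtab`.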
+@@ -70,7 +80,10 @@ ifdef(`distro_suse',`
+
+ /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
++
++/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
++
+
+ ifdef(`distro_gentoo', `
+ /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -78,10 +91,6 @@ ifdef(`distro_gentoo', `
+ /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ ')
+
+-ifdef(`distro_redhat',`
+-/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
+-')
+-
+ ifdef(`distro_suse',`
+ /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -104,7 +113,7 @@ HOME_ROOT/lost\+found/.* <>
+ /initrd -d gen_context(system_u:object_r:root_t,s0)
+
+ #
+-# /lib(64)?
++# /lib
+ #
+ /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
+
+@@ -125,10 +134,13 @@ ifdef(`distro_debian',`
+ #
+ # Mount points; do not relabel subdirectories, since
+ # we don't want to change any removable media by default.
+-/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
++/media(/[^/]*)? -l gen_context(system_u:object_r:mnt_t,s0)
+ /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+ /media/[^/]*/.* <>
+ /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
++/var/run/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
++/var/run/media/.* <>
++/var/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+ #
+ # /misc
+@@ -138,7 +150,7 @@ ifdef(`distro_debian',`
+ #
+ # /mnt
+ #
+-/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
++/mnt(/[^/]*)? -l gen_context(system_u:object_r:mnt_t,s0)
+ /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+ /mnt/[^/]*/.* <>
+
+@@ -150,10 +162,10 @@ ifdef(`distro_debian',`
+ #
+ # /opt
+ #
+-/opt -d gen_context(system_u:object_r:usr_t,s0)
++/opt gen_context(system_u:object_r:usr_t,s0)
+ /opt/.* gen_context(system_u:object_r:usr_t,s0)
+
+-/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
++/opt/(.*/)?var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+
+ #
+ # /proc
+@@ -161,6 +173,12 @@ ifdef(`distro_debian',`
+ /proc -d <>
+ /proc/.* <>
+
++ifdef(`distro_redhat',`
++/rhev -d gen_context(system_u:object_r:mnt_t,s0)
++/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
++/rhev/[^/]*/.* <>
++')
++
+ #
+ # /run
+ #
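Review bot: `/rhev -d` is redundant because `/rhev(/[^/]*)? -d` on the next line already matches `/rhev` itself with the same context; drop the first line. The `/mnt` and `/media` sections use only the optional-group form.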
+@@ -169,6 +187,7 @@ ifdef(`distro_debian',`
+ /run/.*\.*pid <>
+ /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+
++/sandbox(/.*)? gen_context(system_u:object_r:tmp_t,s0)
+ #
+ # /selinux
+ #
+@@ -178,13 +197,14 @@ ifdef(`distro_debian',`
+ #
+ # /srv
+ #
+-/srv -d gen_context(system_u:object_r:var_t,s0)
++/srv gen_context(system_u:object_r:var_t,s0)
+ /srv/.* gen_context(system_u:object_r:var_t,s0)
+
+ #
+ # /tmp
+ #
+-/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /tmp/.* <>
+ /tmp/\.journal <>
+
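Review bot: `/tmp-inst` gets a context but there is no `/tmp-inst/.*` entry with the no-relabel marker (shown here as `<>`, as used for `/tmp/.*`), so anything created under it will be relabeled by a full restorecon. If /tmp-inst is used like /tmp, with per-user instances created at runtime, add `/tmp-inst/.*` with the same no-relabel marker; the same applies to `/var/tmp-inst` in a later hunk of this file.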
+@@ -194,9 +214,11 @@ ifdef(`distro_debian',`
+ #
+ # /usr
+ #
+-/usr -d gen_context(system_u:object_r:usr_t,s0)
++/usr gen_context(system_u:object_r:usr_t,s0)
+ /usr/.* gen_context(system_u:object_r:usr_t,s0)
+ /usr/\.journal <>
++/export(/.*)? gen_context(system_u:object_r:usr_t,s0)
++/ostree(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+ /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+@@ -204,15 +226,9 @@ ifdef(`distro_debian',`
+
+ /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+-/usr/local/\.journal <>
+-
+-/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+-
+-/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+-/usr/local/lost\+found/.* <>
+-
+ /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /usr/lost\+found/.* <>
++/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
+
+ /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
+
+@@ -220,8 +236,6 @@ ifdef(`distro_debian',`
+ /usr/tmp/.* <>
+
+ ifndef(`distro_redhat',`
+-/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+-
+ /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+ /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
+ ')
+@@ -229,7 +243,7 @@ ifndef(`distro_redhat',`
+ #
+ # /var
+ #
+-/var -d gen_context(system_u:object_r:var_t,s0)
++/var gen_context(system_u:object_r:var_t,s0)
+ /var/.* gen_context(system_u:object_r:var_t,s0)
+ /var/\.journal <>
+
+@@ -237,11 +251,25 @@ ifndef(`distro_redhat',`
+
+ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
++/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
++
+ /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+
+ /var/lib/nfs/rpc_pipefs(/.*)? <>
+
+-/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
++/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++
++/var/lib/openshift/.openshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++
++/var/lib/servicelog/servicelog\.db -- gen_context(system_u:object_r:system_db_t,s0)
++/var/lib/servicelog/servicelog\.db-journal -- gen_context(system_u:object_r:system_db_t,s0)
++
++/var/lock -d gen_context(system_u:object_r:var_lock_t,s0)
++/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
++/var/lock/.* <>
+
+ /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /var/log/lost\+found/.* <>
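Review bot: The dots in the new path specs `/var/lib/stickshift/.stickshift-proxy.d(/.*)?` and the four stickshift/openshift lines that follow it are unescaped, so in a file_contexts regex they match any character rather than a literal dot, while the rest of this file escapes them (`servicelog\.db`, `\.journal`). Write them as `/var/lib/stickshift/\.stickshift-proxy\.d(/.*)?` and likewise `\.limits\.d` and `\.openshift-proxy\.d` for the others. Since these entries assign etc_t, a looser match also widens the set of paths that receive the configuration label.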
+@@ -256,12 +284,14 @@ ifndef(`distro_redhat',`
+ /var/run -l gen_context(system_u:object_r:var_run_t,s0)
+ /var/run/.* gen_context(system_u:object_r:var_run_t,s0)
+ /var/run/.*\.*pid <>
++/var/run/lock/.* <>
+
+ /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+ /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+ /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
++/var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /var/tmp/.* <>
+ /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /var/tmp/lost\+found/.* <>
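Review bot: `/var/tmp-inst -d` labels only the directory itself; anything created beneath it is not covered by `/var/tmp/.* <>` and falls through to the `/var/.*` entry, so a relabel would set its contents to var_t, whereas `/var/tmp` is explicitly paired with a `<>` entry to leave its contents alone. If the per-user instances under it are expected to keep the labels they are created with, a matching `/var/tmp-inst/.* <>` entry is presumably needed; worth confirming against how those directories are populated.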
+@@ -271,3 +301,5 @@ ifdef(`distro_debian',`
+ /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ ')
++/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
++/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index f962f76..f39d066 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -19,6 +19,136 @@
+ ## Comains the file initial SID.
+ ##
+
++#####################################
++##
++## files stub etc_t interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_stub_etc',`
++ gen_require(`
++ type etc_t;
++ ')
++')
++
++#####################################
++##
++## files stub var_lock_t interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_stub_var_lock',`
++ gen_require(`
++ type var_lock_t;
++ ')
++')
++
++#####################################
++##
++## files stub var_log_t interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_stub_var_log',`
++ gen_require(`
++ type var_log_t;
++ ')
++')
++
++#####################################
++##
++## files stub var_lib_t interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_stub_var_lib',`
++ gen_require(`
++ type var_lib_t;
++ ')
++')
++
++#####################################
++##
++## files stub var_run_t interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_stub_var_run',`
++ gen_require(`
++ type var_run_t;
++ ')
++')
++
++#####################################
++##
++## files stub var_run_t interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_stub_var_spool',`
++ gen_require(`
++ type var_spool_t;
++ ')
++')
++
++#####################################
++##
++## files stub var_run_t interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_stub_var',`
++ gen_require(`
++ type var_t;
++ ')
++')
++
++
++#####################################
++##
++## files stub tmp_t interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_stub_tmp',`
++ gen_require(`
++ type tmp_t;
++ ')
++')
++
++
+ ########################################
+ ##
+ ## Make the specified type usable for files
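Review bot: The summaries of `files_stub_var_spool` and `files_stub_var` both read `## files stub var_run_t interface. No access allowed.`, copied from the var_run stub above them, although the types they require are var_spool_t and var_t. Change them to `## files stub var_spool_t interface. No access allowed.` and `## files stub var_t interface. No access allowed.` respectively. The doubled blank lines around the `files_stub_tmp` block can also be reduced to the single blank line used between the other stubs.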
+@@ -55,6 +185,7 @@
+ ## files_pid_file()
+ ## files_security_file()
+ ## files_security_mountpoint()
++## files_spool_file()
+ ## files_tmp_file()
+ ## files_tmpfs_file()
+ ## logging_log_file()
+@@ -125,44 +256,59 @@ interface(`files_security_file',`
+ typeattribute $1 file_type, security_file_type, non_auth_file_type;
+ ')
+
++
+ ########################################
+ ##
+ ## Make the specified type usable for
+-## lock files.
++## filesystem mount points.
+ ##
+ ##
+ ##
+-## Type to be used for lock files.
++## Type to be used for mount points.
+ ##
+ ##
+ #
+-interface(`files_lock_file',`
++interface(`files_mountpoint',`
+ gen_require(`
+- attribute lockfile;
++ attribute mountpoint;
+ ')
+
+ files_type($1)
+- typeattribute $1 lockfile;
++ typeattribute $1 mountpoint;
+ ')
+
+ ########################################
+ ##
+-## Make the specified type usable for
+-## filesystem mount points.
++## Create a private type object in mountpoint dir
++## with an automatic type transition
+ ##
+-##
++##
+ ##
+-## Type to be used for mount points.
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
+ ##
+ ##
+ #
+-interface(`files_mountpoint',`
++interface(`files_mountpoint_filetrans',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+- files_type($1)
+- typeattribute $1 mountpoint;
++ filetrans_pattern($1, mountpoint, $2, $3, $4)
+ ')
+
+ ########################################
+@@ -188,6 +334,26 @@ interface(`files_security_mountpoint',`
+ ########################################
+ ##
+ ## Make the specified type usable for
++## lock files.
++##
++##
++##
++## Type to be used for lock files.
++##
++##
++#
++interface(`files_lock_file',`
++ gen_require(`
++ attribute lockfile;
++ ')
++
++ files_type($1)
++ typeattribute $1 lockfile;
++')
++
++########################################
++##
++## Make the specified type usable for
+ ## runtime process ID files.
+ ##
+ ##
+@@ -521,7 +687,7 @@ interface(`files_mounton_non_security',`
+ attribute non_security_file_type;
+ ')
+
+- allow $1 non_security_file_type:dir mounton;
++ allow $1 non_security_file_type:dir { write setattr mounton };
+ allow $1 non_security_file_type:file mounton;
+ ')
+
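Review bot: `allow $1 non_security_file_type:dir { write setattr mounton };` turns `files_mounton_non_security` from a mount-point grant into write and setattr on every non-security directory for every existing caller, which neither the interface name nor its summary (outside this hunk) describes. If a particular domain needs write/setattr to prepare a mount point, a separate interface, or at least a comment above this rule stating why directory write is required, would keep the grant visible to auditors; otherwise callers inherit a much broader privilege than they requested. The enclosing interface starts outside the hunk.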
+@@ -582,6 +748,42 @@ interface(`files_getattr_all_files',`
+
+ ########################################
+ ##
++## Get the attributes of all chr files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_all_chr_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ getattr_chr_files_pattern($1, file_type, file_type)
++')
++
++########################################
++##
++## Get the attributes of all blk files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_all_blk_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ getattr_blk_files_pattern($1, file_type, file_type)
++')
++
++########################################
++##
+ ## Do not audit attempts to get the attributes
+ ## of all files.
+ ##
+@@ -620,6 +822,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to search
++## non security dirs.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to set the attributes
++## of non security files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_setattr_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:file setattr;
++')
++
++########################################
++##
++## Do not audit attempts to set the attributes
++## of non security directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_setattr_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:dir setattr;
++')
++
++########################################
++##
+ ## Read all files.
+ ##
+ ##
+@@ -683,88 +942,83 @@ interface(`files_read_non_security_files',`
+ attribute non_security_file_type;
+ ')
+
++ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
+ read_files_pattern($1, non_security_file_type, non_security_file_type)
+ read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ ')
+
+ ########################################
+ ##
+-## Read all directories on the filesystem, except
+-## the listed exceptions.
++## Read/Write all inherited non-security files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The types to be excluded. Each type or attribute
+-## must be negated by the caller.
+-##
+-##
++##
+ #
+-interface(`files_read_all_dirs_except',`
++interface(`files_rw_inherited_non_security_files',`
+ gen_require(`
+- attribute file_type;
++ attribute non_security_file_type;
+ ')
+
+- allow $1 { file_type $2 }:dir list_dir_perms;
++ allow $1 non_security_file_type:file { read write };
+ ')
+
+ ########################################
+ ##
+-## Read all files on the filesystem, except
+-## the listed exceptions.
++## Manage all non-security files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The types to be excluded. Each type or attribute
+-## must be negated by the caller.
+-##
+-##
++##
+ #
+-interface(`files_read_all_files_except',`
++interface(`files_manage_non_security_files',`
+ gen_require(`
+- attribute file_type;
++ attribute non_security_file_type;
+ ')
+
+- read_files_pattern($1, { file_type $2 }, { file_type $2 })
++ manage_files_pattern($1, non_security_file_type, non_security_file_type)
++ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ ')
+
+ ########################################
+ ##
+-## Read all symbolic links on the filesystem, except
+-## the listed exceptions.
++## Relabel all non-security files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The types to be excluded. Each type or attribute
+-## must be negated by the caller.
+-##
+-##
++##
+ #
+-interface(`files_read_all_symlinks_except',`
++interface(`files_relabel_non_security_files',`
+ gen_require(`
+- attribute file_type;
++ attribute non_security_file_type;
+ ')
+
+- read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
++ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
++ allow $1 { non_security_file_type }:dir list_dir_perms;
++ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++
++ # satisfy the assertions:
++ seutil_relabelto_bin_policy($1)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of all symbolic links.
++## Search all base file dirs.
+ ##
+ ##
+ ##
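Review bot: `files_relabel_non_security_files` calls `relabel_files_pattern($1, non_security_file_type, non_security_file_type)` and then the same pattern again two lines later in braced form, so one of the two is redundant; drop the first and the braces around the single attribute to match the unbraced style used in `files_relabel_base_file_types` below. The new `list_dirs_pattern` line extends `files_read_non_security_files` to directory listing, and its summary (outside the hunk) should mention that. The trailing `seutil_relabelto_bin_policy($1)` grants every caller relabelto on the binary policy type, so the `# satisfy the assertions:` comment would be more useful if it named the assertion it is there for.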
+@@ -772,55 +1026,173 @@ interface(`files_read_all_symlinks_except',`
+ ##
+ ##
+ #
+-interface(`files_getattr_all_symlinks',`
++interface(`files_search_base_file_types',`
+ gen_require(`
+- attribute file_type;
++ attribute base_file_type;
+ ')
+
+- getattr_lnk_files_pattern($1, file_type, file_type)
++ allow $1 base_file_type:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of all symbolic links.
++## Relabel all base file types.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_symlinks',`
++interface(`files_relabel_base_file_types',`
+ gen_require(`
+- attribute file_type;
++ attribute base_file_type;
+ ')
+
+- dontaudit $1 file_type:lnk_file getattr;
++ allow $1 base_file_type:dir list_dir_perms;
++ relabel_dirs_pattern($1, base_file_type , base_file_type )
++ relabel_files_pattern($1, base_file_type , base_file_type )
++ relabel_lnk_files_pattern($1, base_file_type , base_file_type )
++ relabel_fifo_files_pattern($1, base_file_type , base_file_type )
++ relabel_sock_files_pattern($1, base_file_type , base_file_type )
++ relabel_blk_files_pattern($1, base_file_type , base_file_type )
++ relabel_chr_files_pattern($1, base_file_type , base_file_type )
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read all symbolic links.
++## Read all directories on the filesystem, except
++## the listed exceptions.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
++##
++##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_read_all_symlinks',`
++interface(`files_read_all_dirs_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+- dontaudit $1 file_type:lnk_file read;
++ allow $1 { file_type $2 }:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of non security symbolic links.
++## Read all files on the filesystem, except
++## the listed exceptions.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
++##
++##
++#
++interface(`files_read_all_files_except',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ read_files_pattern($1, { file_type $2 }, { file_type $2 })
++')
++
++########################################
++##
++## Read all symbolic links on the filesystem, except
++## the listed exceptions.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
++##
++##
++#
++interface(`files_read_all_symlinks_except',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
++')
++
++########################################
++##
++## Get the attributes of all symbolic links.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_all_symlinks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ getattr_lnk_files_pattern($1, file_type, file_type)
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of all symbolic links.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_all_symlinks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:lnk_file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to read all symbolic links.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_all_symlinks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:lnk_file read;
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of non security symbolic links.
+ ##
+ ##
+ ##
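Review bot: The relabel_*_pattern calls in `files_relabel_base_file_types` are written `base_file_type , base_file_type ` with stray spaces before the comma and the closing parenthesis, unlike every other pattern call in the file; write them as `relabel_dirs_pattern($1, base_file_type, base_file_type)` and so on. The `base_file_type` attribute required here and in `files_search_base_file_types` must be declared in files.te, which is not part of this diff, so its existence is worth confirming. The remaining interfaces in this hunk are moved from above without change.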
+@@ -953,6 +1325,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+
+ ########################################
+ ##
++## Do not audit attempts to read/write
++## of non security named pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_inherited_pipes',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
+ ## Get the attributes of all named sockets.
+ ##
+ ##
+@@ -991,6 +1382,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
+
+ ########################################
+ ##
++## Do not audit attempts to read
++## of all named sockets.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_all_sockets',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:sock_file read;
++')
++
++########################################
++##
++## Do not audit attempts to read
++## of all security file types.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_all_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:file read_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to get the attributes
+ ## of non security named sockets.
+ ##
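Review bot: The summary of `files_dontaudit_read_all_non_security_files` says `## of all security file types.` while the rule targets `non_security_file_type:file read_file_perms`; it should read `## of all non security files.` so the generated documentation matches both the name and the rule. In `files_dontaudit_read_all_sockets` the bare `read` permission on `sock_file` is acceptable for a dontaudit but differs from the permission-set style used in the neighbouring interface; a consistent choice would help later readers.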
+@@ -1073,10 +1502,8 @@ interface(`files_relabel_all_files',`
+ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+- # this is only relabelfrom since there should be no
+- # device nodes with file types.
+- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
++ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
++ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
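Review bot: Switching `relabelfrom_blk_files_pattern`/`relabelfrom_chr_files_pattern` to the two-way `relabel_*` forms in `files_relabel_all_files` lets every caller label device nodes *to* generic file types, which the deleted comment said was deliberately not permitted because no device nodes should carry file types. If that invariant has been dropped on purpose, a replacement comment explaining why (and which domain needs it) belongs here; otherwise the relabelfrom-only forms should stay. The same two-way pattern appears in the new `files_relabel_non_security_files` and `files_relabel_base_file_types` earlier in this diff. The enclosing interface starts outside the hunk.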
+@@ -1182,24 +1609,6 @@ interface(`files_list_all',`
+
+ ########################################
+ ##
+-## Create all files as is.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`files_create_all_files_as',`
+- gen_require(`
+- attribute file_type;
+- ')
+-
+- allow $1 file_type:kernel_service create_files_as;
+-')
+-
+-########################################
+-##
+ ## Do not audit attempts to search the
+ ## contents of any directories on extended
+ ## attribute filesystems.
+@@ -1443,9 +1852,6 @@ interface(`files_relabel_non_auth_files',`
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
+-
+- # satisfy the assertions:
+- seutil_relabelto_bin_policy($1)
+ ')
+
+ #############################################
+@@ -1601,6 +2007,24 @@ interface(`files_setattr_all_mountpoints',`
+
+ ########################################
+ ##
++## Set the attributes of all mount points.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelto_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
++
++ allow $1 mountpoint:dir relabelto;
++')
++
++########################################
++##
+ ## Do not audit attempts to set the attributes on all mount points.
+ ##
+ ##
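Review bot: The summary of `files_relabelto_all_mountpoints` duplicates that of `files_setattr_all_mountpoints` (`## Set the attributes of all mount points.`) while the rule grants `mountpoint:dir relabelto`; change it to `## Relabel to all mount points.` so the interface documentation describes the permission it actually grants.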
+@@ -1691,6 +2115,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+
+ ########################################
+ ##
++## Write all mount points.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
++
++ allow $1 mountpoint:dir write;
++')
++
++########################################
++##
+ ## Do not audit attempts to write to mount points.
+ ##
+ ##
+@@ -1709,98 +2151,79 @@ interface(`files_dontaudit_write_all_mountpoints',`
+
+ ########################################
+ ##
+-## List the contents of the root directory.
++## Do not audit attempts to unmount all mount points.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_list_root',`
++interface(`files_dontaudit_unmount_all_mountpoints',`
+ gen_require(`
+- type root_t;
++ attribute mountpoint;
+ ')
+
+- allow $1 root_t:dir list_dir_perms;
+- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
++ dontaudit $1 mountpoint:filesystem unmount;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to write to / dirs.
++## Read all mountpoint symbolic links.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_write_root_dirs',`
++interface(`files_read_all_mountpoint_symlinks',`
+ gen_require(`
+- type root_t;
++ attribute mountpoint;
+ ')
+
+- dontaudit $1 root_t:dir write;
++ allow $1 mountpoint:lnk_file read_lnk_file_perms;
+ ')
+
+-###################
++########################################
+ ##
+-## Do not audit attempts to write
+-## files in the root directory.
++## Write all file type directories.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_rw_root_dir',`
++interface(`files_write_all_dirs',`
+ gen_require(`
+- type root_t;
++ attribute file_type;
+ ')
+
+- dontaudit $1 root_t:dir rw_dir_perms;
++ allow $1 file_type:dir write;
+ ')
+
+ ########################################
+ ##
+-## Create an object in the root directory, with a private
+-## type using a type transition.
++## List the contents of the root directory.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The type of the object to be created.
+-##
+-##
+-##
+-##
+-## The object class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+ #
+-interface(`files_root_filetrans',`
++interface(`files_list_root',`
+ gen_require(`
+ type root_t;
+ ')
+
+- filetrans_pattern($1, root_t, $2, $3, $4)
++ allow $1 root_t:dir list_dir_perms;
++ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ')
+-
+ ########################################
+ ##
+-## Do not audit attempts to read files in
+-## the root directory.
++## Do not audit attempts to write to / dirs.
+ ##
+ ##
+ ##
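Review bot: `dontaudit $1 mountpoint:filesystem unmount;` in `files_dontaudit_unmount_all_mountpoints` pairs the `mountpoint` attribute, which `files_mountpoint` places on directory types via `files_type`, with the `filesystem` object class; an unmount denial is recorded against the filesystem's own type, so this rule most likely never matches the denial it means to silence. If that is the intent, the dontaudit belongs against the filesystem types (in filesystem.if), or the summary should state which denial it covers. Separately, the blank line between the `')` closing `files_list_root` and the next `####` header is removed, breaking the one-blank-line spacing used between interfaces elsewhere in the file.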
+@@ -1808,17 +2231,127 @@ interface(`files_root_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_read_root_files',`
++interface(`files_write_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+- dontaudit $1 root_t:file { getattr read };
++ allow $1 root_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read or write
++## Do not audit attempts to write to / dirs.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_write_root_dirs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ dontaudit $1 root_t:dir write;
++')
++
++###################
++##
++## Do not audit attempts to write
++## files in the root directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_root_dir',`
++ gen_require(`
++ type root_t;
++ ')
++
++ dontaudit $1 root_t:dir rw_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to check the
++## access on root directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_access_check_root',`
++ gen_require(`
++ type root_t;
++ ')
++
++ dontaudit $1 root_t:dir_file_class_set audit_access;
++')
++
++
++########################################
++##
++## Create an object in the root directory, with a private
++## type using a type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_root_filetrans',`
++ gen_require(`
++ type root_t;
++ ')
++
++ filetrans_pattern($1, root_t, $2, $3, $4)
++')
++
++########################################
++##
++## Do not audit attempts to read files in
++## the root directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_root_files',`
++ gen_require(`
++ type root_t;
++ ')
++
++ dontaudit $1 root_t:file { getattr read };
++')
++
++########################################
++##
++## Do not audit attempts to read or write
+ ## files in the root directory.
+ ##
+ ##
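Review bot: `files_write_root_dirs` is an `allow $1 root_t:dir write;`, but its summary at the end of the previous hunk still reads `## Do not audit attempts to write to / dirs.`, copied from the dontaudit interface that now follows it; it should read `## Write to the root directory.`, and its parameter description (not visible here) should presumably say `## Domain allowed access.` rather than `## Domain to not audit.`. There is also a doubled blank line before the `files_root_filetrans` header. The rest of this hunk re-inserts interfaces moved from above without change.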
+@@ -1892,25 +2425,25 @@ interface(`files_delete_root_dir_entry',`
+
+ ########################################
+ ##
+-## Associate to root file system.
++## Set attributes of the root directory.
+ ##
+-##
++##
+ ##
+-## Type of the file to associate.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_associate_rootfs',`
++interface(`files_setattr_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+- allow $1 root_t:filesystem associate;
++ allow $1 root_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Relabel to and from rootfs file system.
++## Relabel a rootfs filesystem.
+ ##
+ ##
+ ##
+@@ -1923,7 +2456,7 @@ interface(`files_relabel_rootfs',`
+ type root_t;
+ ')
+
+- allow $1 root_t:filesystem { relabelto relabelfrom };
++ allow $1 root_t:filesystem relabel_file_perms;
+ ')
+
+ ########################################
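Review bot: `allow $1 root_t:filesystem relabel_file_perms;` applies a file-object permission set to the `filesystem` class. In refpolicy `relabel_file_perms` expands to more than `{ relabelfrom relabelto }` (it includes getattr), so if that holds here the rule silently widens `files_relabel_rootfs` beyond the explicit set it replaces, and a reader has to know the macro's contents to see which filesystem permissions are granted. Keeping the explicit `{ relabelto relabelfrom }` makes the grant visible at a glance. The enclosing interface starts outside the hunk.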
+@@ -1946,6 +2479,42 @@ interface(`files_unmount_rootfs',`
+
+ ########################################
+ ##
++## Mount a filesystem on the root file system
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_mounton_rootfs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:dir { search_dir_perms mounton };
++')
++
++########################################
++##
++## Mount a filesystem on the root file system
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_mounton_rootfs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ dontaudit $1 root_t:dir mounton;
++')
++
++########################################
++##
+ ## Get attributes of the /boot directory.
+ ##
+ ##
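Review bot: `files_dontaudit_mounton_rootfs` carries the same summary as `files_mounton_rootfs` above it (`## Mount a filesystem on the root file system`) and the same parameter text `## Domain allowed access.`, although the rule is a dontaudit; change them to `## Do not audit attempts to mount a filesystem on the root file system.` and `## Domain to not audit.`.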
+@@ -2181,6 +2750,24 @@ interface(`files_relabelfrom_boot_files',`
+ relabelfrom_files_pattern($1, boot_t, boot_t)
+ ')
+
++########################################
++##
++## Relabel to files in the /boot directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelto_boot_files',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ relabelto_files_pattern($1, boot_t, boot_t)
++')
++
+ ######################################
+ ##
+ ## Read symbolic links in the /boot directory.
+@@ -2645,6 +3232,24 @@ interface(`files_rw_etc_dirs',`
+ allow $1 etc_t:dir rw_dir_perms;
+ ')
+
++#######################################
++##
++## Dontaudit remove dir /etc directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_remove_etc_dir',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ dontaudit $1 etc_t:dir rmdir;
++')
++
+ ##########################################
+ ##
+ ## Manage generic directories in /etc
+@@ -2716,6 +3321,7 @@ interface(`files_read_etc_files',`
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, etc_t)
+ read_lnk_files_pattern($1, etc_t, etc_t)
++ files_read_etc_runtime_files($1)
+ ')
+
+ ########################################
+@@ -2724,7 +3330,7 @@ interface(`files_read_etc_files',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -2780,6 +3386,25 @@ interface(`files_manage_etc_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to check the
++## access on etc files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_access_check_etc',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ dontaudit $1 etc_t:dir_file_class_set audit_access;
++')
++
++########################################
++##
+ ## Delete system configuration files in /etc.
+ ##
+ ##
+@@ -2798,6 +3423,24 @@ interface(`files_delete_etc_files',`
+
+ ########################################
+ ##
++## Remove entries from the etc directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_etc_dir_entry',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ allow $1 etc_t:dir del_entry_dir_perms;
++')
++
++########################################
++##
+ ## Execute generic files in /etc.
+ ##
+ ##
+@@ -2963,24 +3606,6 @@ interface(`files_delete_boot_flag',`
+
+ ########################################
+ ##
+-## Do not audit attempts to set the attributes of the etc_runtime files
+-##
+-##
+-##
+-## Domain to not audit.
+-##
+-##
+-#
+-interface(`files_dontaudit_setattr_etc_runtime_files',`
+- gen_require(`
+- type etc_runtime_t;
+- ')
+-
+- dontaudit $1 etc_runtime_t:file setattr;
+-')
+-
+-########################################
+-##
+ ## Read files in /etc that are dynamically
+ ## created on boot, such as mtab.
+ ##
+@@ -3021,9 +3646,7 @@ interface(`files_read_etc_runtime_files',`
+
+ ########################################
+ ##
+-## Do not audit attempts to read files
+-## in /etc that are dynamically
+-## created on boot, such as mtab.
++## Do not audit attempts to set the attributes of the etc_runtime files
+ ##
+ ##
+ ##
+@@ -3031,18 +3654,17 @@ interface(`files_read_etc_runtime_files',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_read_etc_runtime_files',`
++interface(`files_dontaudit_setattr_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+- dontaudit $1 etc_runtime_t:file { getattr read };
++ dontaudit $1 etc_runtime_t:file setattr;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to write
+-## etc runtime files.
++## Do not audit attempts to write etc_runtime files
+ ##
+ ##
+ ##
+@@ -3060,6 +3682,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to read files
++## in /etc that are dynamically
++## created on boot, such as mtab.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_etc_runtime_files',`
++ gen_require(`
++ type etc_runtime_t;
++ ')
++
++ dontaudit $1 etc_runtime_t:file { getattr read };
++')
++
++########################################
++##
+ ## Read and write files in /etc that are dynamically
+ ## created on boot, such as mtab.
+ ##
+@@ -3077,6 +3719,7 @@ interface(`files_rw_etc_runtime_files',`
+
+ allow $1 etc_t:dir list_dir_perms;
+ rw_files_pattern($1, etc_t, etc_runtime_t)
++ read_lnk_files_pattern($1, etc_t, etc_t)
+ ')
+
+ ########################################
+@@ -3098,6 +3741,7 @@ interface(`files_manage_etc_runtime_files',`
+ ')
+
+ manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
++ read_lnk_files_pattern($1, etc_t, etc_runtime_t)
+ ')
+
+ ########################################
+@@ -3142,34 +3786,34 @@ interface(`files_etc_filetrans_etc_runtime',`
+ #
+ interface(`files_getattr_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:dir getattr;
++ allow $1 unlabeled_t:dir getattr;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search directories on new filesystems
++## Getattr all file opbjects on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_isid_type_dirs',`
++interface(`files_getattr_isid_type',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- dontaudit $1 file_t:dir search_dir_perms;
++ allow $1 unlabeled_t:dir_file_class_set getattr;
+ ')
+
+ ########################################
+ ##
+-## List the contents of directories on new filesystems
++## Setattr of directories on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
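Review bot: The summary of `files_getattr_isid_type` has a typo, `## Getattr all file opbjects on new filesystems`, which should read `## Get the attributes of all file objects on new filesystems`; the same misspelling recurs in the `files_relabelfrom_isid_type` summary further down. The hunk also switches these interfaces from `file_t` to `unlabeled_t`; unless the two are aliases in this policy's kernel module, callers relying on the old file_t-specific behaviour change meaning, so the commit message or a comment should state which is intended.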
+@@ -3178,17 +3822,55 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+ ##
+ ##
+ #
+-interface(`files_list_isid_type_dirs',`
++interface(`files_setattr_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:dir list_dir_perms;
++ allow $1 unlabeled_t:dir setattr;
+ ')
+
+ ########################################
+ ##
+-## Read and write directories on new filesystems
++## Do not audit attempts to search directories on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_isid_type_dirs',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ dontaudit $1 unlabeled_t:dir search_dir_perms;
++')
++
++########################################
++##
++## List the contents of directories on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_isid_type_dirs',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Read and write directories on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
+@@ -3199,10 +3881,10 @@ interface(`files_list_isid_type_dirs',`
+ #
+ interface(`files_rw_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:dir rw_dir_perms;
++ allow $1 unlabeled_t:dir rw_dir_perms;
+ ')
+
+ ########################################
+@@ -3218,10 +3900,66 @@ interface(`files_rw_isid_type_dirs',`
+ #
+ interface(`files_delete_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
++ ')
++
++ delete_dirs_pattern($1, unlabeled_t, unlabeled_t)
++')
++########################################
++##
++## Execute files on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_exec_isid_files',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ can_exec($1, unlabeled_t)
++')
++
++########################################
++##
++## Moundon directories on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_mounton_isid',`
++ gen_require(`
++ type unlabeled_t;
+ ')
+
+- delete_dirs_pattern($1, file_t, file_t)
++ allow $1 unlabeled_t:dir mounton;
++')
++
++########################################
++##
++## Relabelfrom all file opbjects on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_isid_type',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
+ ')
+
+ ########################################
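Review bot: files_relabelfrom_isid_type is named and documented as an allow interface ("Relabelfrom all file opbjects", "Domain allowed access"), but its only rule at L10428 is `dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;`, so callers expecting relabel permission will silently get nothing. Either the rule should be `allow $1 unlabeled_t:dir_file_class_set relabelfrom;` or the interface should be renamed files_dontaudit_relabelfrom_isid_type with "Domain to not audit." in its parameter summary. Separately, files_exec_isid_files at L10389 grants `can_exec($1, unlabeled_t)`, i.e. execution of files that carry no label at all; its summary should say so explicitly so callers do not reach for it casually, e.g. `## Execute files on new filesystems that have not yet been labeled (unlabeled_t). Use narrowly.`. The heading at L10394 should read `## Mounton directories on new filesystems`, and a blank line is missing between `')` at L10372 and the `####` rule at L10373.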
+@@ -3237,10 +3975,10 @@ interface(`files_delete_isid_type_dirs',`
+ #
+ interface(`files_manage_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:dir manage_dir_perms;
++ allow $1 unlabeled_t:dir manage_dir_perms;
+ ')
+
+ ########################################
+@@ -3256,10 +3994,29 @@ interface(`files_manage_isid_type_dirs',`
+ #
+ interface(`files_mounton_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir { search_dir_perms mounton };
++')
++
++########################################
++##
++## Mount a filesystem on a new chr_file
++## that has not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_mounton_isid_type_chr_file',`
++ gen_require(`
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:dir { search_dir_perms mounton };
++ allow $1 unlabeled_t:chr_file mounton;
+ ')
+
+ ########################################
+@@ -3275,10 +4032,10 @@ interface(`files_mounton_isid_type_dirs',`
+ #
+ interface(`files_read_isid_type_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:file read_file_perms;
++ allow $1 unlabeled_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -3294,10 +4051,10 @@ interface(`files_read_isid_type_files',`
+ #
+ interface(`files_delete_isid_type_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_files_pattern($1, file_t, file_t)
++ delete_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3313,10 +4070,10 @@ interface(`files_delete_isid_type_files',`
+ #
+ interface(`files_delete_isid_type_symlinks',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_lnk_files_pattern($1, file_t, file_t)
++ delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3332,10 +4089,10 @@ interface(`files_delete_isid_type_symlinks',`
+ #
+ interface(`files_delete_isid_type_fifo_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_fifo_files_pattern($1, file_t, file_t)
++ delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3351,10 +4108,10 @@ interface(`files_delete_isid_type_fifo_files',`
+ #
+ interface(`files_delete_isid_type_sock_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_sock_files_pattern($1, file_t, file_t)
++ delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3370,10 +4127,10 @@ interface(`files_delete_isid_type_sock_files',`
+ #
+ interface(`files_delete_isid_type_blk_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_blk_files_pattern($1, file_t, file_t)
++ delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3389,10 +4146,10 @@ interface(`files_delete_isid_type_blk_files',`
+ #
+ interface(`files_dontaudit_write_isid_chr_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- dontaudit $1 file_t:chr_file write;
++ dontaudit $1 unlabeled_t:chr_file write;
+ ')
+
+ ########################################
+@@ -3408,10 +4165,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+ #
+ interface(`files_delete_isid_type_chr_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_chr_files_pattern($1, file_t, file_t)
++ delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3427,10 +4184,10 @@ interface(`files_delete_isid_type_chr_files',`
+ #
+ interface(`files_manage_isid_type_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:file manage_file_perms;
++ allow $1 unlabeled_t:file manage_file_perms;
+ ')
+
+ ########################################
+@@ -3446,10 +4203,10 @@ interface(`files_manage_isid_type_files',`
+ #
+ interface(`files_manage_isid_type_symlinks',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:lnk_file manage_lnk_file_perms;
++ allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -3465,10 +4222,29 @@ interface(`files_manage_isid_type_symlinks',`
+ #
+ interface(`files_rw_isid_type_blk_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:blk_file rw_blk_file_perms;
++')
++
++########################################
++##
++## rw any files inherited from another process
++## on new filesystems that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_inherited_isid_type_files',`
++ gen_require(`
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:blk_file rw_blk_file_perms;
++ allow $1 unlabeled_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -3484,10 +4260,10 @@ interface(`files_rw_isid_type_blk_files',`
+ #
+ interface(`files_manage_isid_type_blk_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:blk_file manage_blk_file_perms;
++ allow $1 unlabeled_t:blk_file manage_blk_file_perms;
+ ')
+
+ ########################################
+@@ -3503,10 +4279,10 @@ interface(`files_manage_isid_type_blk_files',`
+ #
+ interface(`files_manage_isid_type_chr_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:chr_file manage_chr_file_perms;
++ allow $1 unlabeled_t:chr_file manage_chr_file_perms;
+ ')
+
+ ########################################
+@@ -3552,6 +4328,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+
+ ########################################
+ ##
++## Do not audit attempts to check the
++## access on home root directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_access_check_home_dir',`
++ gen_require(`
++ type home_root_t;
++ ')
++
++ dontaudit $1 home_root_t:dir_file_class_set audit_access;
++')
++
++
++
++########################################
++##
+ ## Search home directories root (/home).
+ ##
+ ##
+@@ -3814,20 +4611,38 @@ interface(`files_list_mnt',`
+
+ ######################################
+ ##
+-## Do not audit attempts to list the contents of /mnt.
++## dontaudit List the contents of /mnt.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_list_mnt',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ dontaudit $1 mnt_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to check the
++## write access on mnt files
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_list_mnt',`
++interface(`files_dontaudit_access_check_mnt',`
+ gen_require(`
+ type mnt_t;
+ ')
+-
+- dontaudit $1 mnt_t:dir list_dir_perms;
++ dontaudit $1 mnt_t:dir_file_class_set audit_access;
+ ')
+
+ ########################################
+@@ -4217,6 +5032,175 @@ interface(`files_read_world_readable_sockets',`
+ allow $1 readable_t:sock_file read_sock_file_perms;
+ ')
+
++#######################################
++##
++## Read manageable system configuration files in /etc
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_system_conf_files',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ allow $1 etc_t:dir list_dir_perms;
++ read_files_pattern($1, etc_t, system_conf_t)
++ read_lnk_files_pattern($1, etc_t, system_conf_t)
++')
++
++######################################
++##
++## Manage manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_system_conf_files',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
++ files_filetrans_system_conf_named_files($1)
++')
++
++#####################################
++##
++## File name transition for system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_filetrans_system_conf_named_files',`
++ gen_require(`
++ type etc_t, system_conf_t, usr_t;
++ ')
++
++ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
++ filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
++ filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
++ filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
++')
++
++######################################
++##
++## Relabel manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelto_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelto_files_pattern($1, system_conf_t, system_conf_t)
++')
++
++######################################
++##
++## Relabel manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
++')
++
++###################################
++##
++## Create files in /etc with the type used for
++## the manageable system config files.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`files_etc_filetrans_system_conf',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ filetrans_pattern($1, etc_t, system_conf_t, file)
++')
++
++######################################
++##
++## Manage manageable system db files in /var/lib.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_system_db_files',`
++ gen_require(`
++ type var_lib_t, system_db_t;
++ ')
++
++ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
++ files_filetrans_system_db_named_files($1)
++')
++
++#####################################
++##
++## File name transition for system db files in /var/lib.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_filetrans_system_db_named_files',`
++ gen_require(`
++ type var_lib_t, system_db_t;
++ ')
++
++ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
++ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
++')
++
+ ########################################
+ ##
+ ## Allow the specified type to associate
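Review bot: files_relabelto_system_conf_files and files_relabelfrom_system_conf_files declare `type usr_t;` in gen_require (L10829, L10847) but their rules at L10832 and L10850 reference system_conf_t, which is never required, so the module will fail to build unless another interface in the same policy module happens to pull the type in. Both blocks should declare `type system_conf_t;` instead (usr_t is unused in either). The relabelfrom summary at L10837 also duplicates the relabelto wording; it should read `## Relabel from the type of manageable system configuration files in /etc.`.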
+@@ -4239,6 +5223,26 @@ interface(`files_associate_tmp',`
+
+ ########################################
+ ##
++## Allow the specified type to associate
++## to a filesystem with the type of the
++## / file system
++##
++##
++##
++## Type of the file to associate.
++##
++##
++#
++interface(`files_associate_rootfs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:filesystem associate;
++')
++
++########################################
++##
+ ## Get the attributes of the tmp directory (/tmp).
+ ##
+ ##
+@@ -4252,17 +5256,37 @@ interface(`files_getattr_tmp_dirs',`
+ type tmp_t;
+ ')
+
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir getattr;
+ ')
+
+ ########################################
+ ##
++## Do not audit attempts to check the
++## access on tmp files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_access_check_tmp',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ dontaudit $1 tmp_t:dir_file_class_set audit_access;
++')
++
++########################################
++##
+ ## Do not audit attempts to get the
+ ## attributes of the tmp directory (/tmp).
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
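Review bot: files_dontaudit_access_check_tmp requires `type etc_t;` at L10961 but its rule at L10964 is on tmp_t, so the required type is wrong and tmp_t is not declared. The gen_require should be `type tmp_t;`. Because this is a dontaudit rule the mistake would not show up as a denial at runtime, only as a build error or a silently unused interface.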
+@@ -4289,6 +5313,8 @@ interface(`files_search_tmp',`
+ type tmp_t;
+ ')
+
++ fs_search_tmpfs($1)
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir search_dir_perms;
+ ')
+
+@@ -4325,6 +5351,7 @@ interface(`files_list_tmp',`
+ type tmp_t;
+ ')
+
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir list_dir_perms;
+ ')
+
+@@ -4334,7 +5361,7 @@ interface(`files_list_tmp',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -4346,14 +5373,33 @@ interface(`files_dontaudit_list_tmp',`
+ dontaudit $1 tmp_t:dir list_dir_perms;
+ ')
+
+-########################################
++#######################################
+ ##
+-## Remove entries from the tmp directory.
++## Allow read and write to the tmp directory (/tmp).
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain not to audit.
++##
++##
++#
++interface(`files_rw_generic_tmp_dir',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 tmp_t:dir rw_dir_perms;
++')
++
++########################################
++##
++## Remove entries from the tmp directory.
++##
++##
++##
++## Domain allowed access.
++##
+ ##
+ #
+ interface(`files_delete_tmp_dir_entry',`
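Review bot: The parameter summary for the new files_rw_generic_tmp_dir at L11020 says "Domain not to audit." although the interface grants access (`allow $1 tmp_t:dir rw_dir_perms;` at L11030); it should read `## Domain allowed access.`. The `##` lines at L11019–L11020 are also indented differently from every other summary block in this file, which suggests the XML param markup was pasted from a dontaudit interface.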
+@@ -4361,6 +5407,7 @@ interface(`files_delete_tmp_dir_entry',`
+ type tmp_t;
+ ')
+
++ files_search_tmp($1)
+ allow $1 tmp_t:dir del_entry_dir_perms;
+ ')
+
+@@ -4402,6 +5449,32 @@ interface(`files_manage_generic_tmp_dirs',`
+
+ ########################################
+ ##
++## Allow shared library text relocations in tmp files.
++##
++##
++##
++## Allow shared library text relocations in tmp files.
++##
++##
++## This is added to support java policy.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_execmod_tmp',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file execmod;
++')
++
++########################################
++##
+ ## Manage temporary files and directories in /tmp.
+ ##
+ ##
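Review bot: files_execmod_tmp at L11077 grants `execmod` on the whole tmpfile attribute, i.e. on every domain's private tmp file type rather than the caller's own, which is a much broader W+X relaxation than the "support java policy" note at L11063 suggests. The summary should make the breadth explicit, e.g. `## Allow text relocations on ALL tmp file types (tmpfile attribute), not only the caller's own.`, so policy writers prefer an execmod rule on their own tmp type where possible. The duplicated summary sentence at L11056 and L11060 can be collapsed into one.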
+@@ -4456,6 +5529,42 @@ interface(`files_rw_generic_tmp_sockets',`
+
+ ########################################
+ ##
++## Relabel a dir from the type used in /tmp.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_tmp_dirs',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++##
++## Relabel a file from the type used in /tmp.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_tmp_files',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++##
+ ## Set the attributes of all tmp directories.
+ ##
+ ##
+@@ -4474,6 +5583,60 @@ interface(`files_setattr_all_tmp_dirs',`
+
+ ########################################
+ ##
++## Allow caller to read inherited tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file { append read_inherited_file_perms };
++')
++
++########################################
++##
++## Allow caller to append inherited tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_append_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file append_inherited_file_perms;
++')
++
++########################################
++##
++## Allow caller to read and write inherited tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_inherited_tmp_file',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## List all tmp directories.
+ ##
+ ##
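Review bot: files_read_inherited_tmp_files at L11145 grants `{ append read_inherited_file_perms }`, so a "read" interface also hands out append on every tmpfile type, and a separate files_append_inherited_tmp_files is added right below it for exactly that permission. The read interface should be `allow $1 tmpfile:file read_inherited_file_perms;`, with callers that need append calling the append interface as well. Naming and the granted permission set should agree so reviewers of callers are not misled.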
+@@ -4519,7 +5682,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -4579,7 +5742,7 @@ interface(`files_relabel_all_tmp_files',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -4611,6 +5774,44 @@ interface(`files_read_all_tmp_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to read or write
++## all leaked tmpfiles files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_tmp_file_leaks',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ dontaudit $1 tmpfile:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Do allow attempts to read or write
++## all leaked tmpfiles files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_rw_tmp_file_leaks',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Create an object in the tmp directories, with a private
+ ## type using a type transition.
+ ##
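Review bot: files_rw_tmp_file_leaks is an allow interface (L11244) but its documentation is copied from the dontaudit variant: the summary at L11230 reads "Do allow attempts to read or write" and the parameter text at L11235 says "Domain to not audit.". They should read `## Allow reading and writing all leaked (inherited) tmpfile files.` and `## Domain allowed access.`. "tmpfiles files" at L11212 and L11231 is also a doubled word.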
+@@ -4664,6 +5865,16 @@ interface(`files_purge_tmp',`
+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
+ delete_sock_files_pattern($1, tmpfile, tmpfile)
++ delete_chr_files_pattern($1, tmpfile, tmpfile)
++ delete_blk_files_pattern($1, tmpfile, tmpfile)
++ files_list_isid_type_dirs($1)
++ files_delete_isid_type_dirs($1)
++ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
+ ')
+
+ ########################################
+@@ -5112,6 +6323,24 @@ interface(`files_create_kernel_symbol_table',`
+
+ ########################################
+ ##
++## Dontaudit getattr attempts on the system.map file
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
++ gen_require(`
++ type system_map_t;
++ ')
++
++ dontaudit $1 system_map_t:file getattr;
++')
++
++########################################
++##
+ ## Read system.map in the /boot directory.
+ ##
+ ##
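Review bot: The new interface name at L11281 is misspelled: `files_dontaduit_getattr_kernel_symbol_table` should be `files_dontaudit_getattr_kernel_symbol_table`. Interface names are part of the policy's public API, so once a module calls the misspelled name it cannot be corrected without a compatibility shim; fixing it in this patch is cheap.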
+@@ -5241,6 +6470,24 @@ interface(`files_list_var',`
+
+ ########################################
+ ##
++## Do not audit listing of the var directory (/var).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_list_var',`
++ gen_require(`
++ type var_t;
++ ')
++
++ dontaudit $1 var_t:dir list_dir_perms;
++')
++
++########################################
++##
+ ## Create, read, write, and delete directories
+ ## in the /var directory.
+ ##
+@@ -5328,7 +6575,7 @@ interface(`files_dontaudit_rw_var_files',`
+ type var_t;
+ ')
+
+- dontaudit $1 var_t:file rw_file_perms;
++ dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -5527,6 +6774,25 @@ interface(`files_rw_var_lib_dirs',`
+
+ ########################################
+ ##
++## Create directories in /var/lib
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++
++ allow $1 var_lib_t:dir { create rw_dir_perms };
++')
++
++
++########################################
++##
+ ## Create objects in the /var/lib directory
+ ##
+ ##
+@@ -5596,6 +6862,25 @@ interface(`files_read_var_lib_symlinks',`
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
++########################################
++##
++## manage generic symbolic links
++## in the /var/lib directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_var_lib_symlinks',`
++ gen_require(`
++ type var_lib_t;
++ ')
++
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++')
++
+ # cjp: the next two interfaces really need to be fixed
+ # in some way. They really neeed their own types.
+
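Review bot: The pattern call at L11374, `manage_lnk_files_pattern($1,var_lib_t,var_lib_t)`, omits the spaces after the commas used by every other pattern call in this file (for example L11355). It should be `manage_lnk_files_pattern($1, var_lib_t, var_lib_t)`. The summary at L11360 should also be capitalised as `## Manage generic symbolic links`.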
+@@ -5641,7 +6926,7 @@ interface(`files_manage_mounttab',`
+
+ ########################################
+ ##
+-## Set the attributes of the generic lock directories.
++## List generic lock directories.
+ ##
+ ##
+ ##
+@@ -5649,12 +6934,13 @@ interface(`files_manage_mounttab',`
+ ##
+ ##
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_list_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+- setattr_dirs_pattern($1, var_t, var_lock_t)
++ files_search_locks($1)
++ list_dirs_pattern($1, var_t, var_lock_t)
+ ')
+
+ ########################################
+@@ -5672,6 +6958,7 @@ interface(`files_search_locks',`
+ type var_t, var_lock_t;
+ ')
+
++ files_search_pids($1)
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_lock_t)
+ ')
+@@ -5698,7 +6985,26 @@ interface(`files_dontaudit_search_locks',`
+
+ ########################################
+ ##
+-## List generic lock directories.
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Set the attributes of the /var/lock directory.
+ ##
+ ##
+ ##
+@@ -5706,13 +7012,12 @@ interface(`files_dontaudit_search_locks',`
+ ##
+ ##
+ #
+-interface(`files_list_locks',`
++interface(`files_setattr_lock_dirs',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
++ allow $1 var_lock_t:dir setattr;
+ ')
+
+ ########################################
+@@ -5731,7 +7036,7 @@ interface(`files_rw_lock_dirs',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ rw_dirs_pattern($1, var_t, var_lock_t)
+ ')
+
+@@ -5764,7 +7069,6 @@ interface(`files_create_lock_dirs',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`files_relabel_all_lock_dirs',`
+ gen_require(`
+@@ -5779,7 +7083,7 @@ interface(`files_relabel_all_lock_dirs',`
+
+ ########################################
+ ##
+-## Get the attributes of generic lock files.
++## Relabel to and from all lock file types.
+ ##
+ ##
+ ##
+@@ -5787,13 +7091,33 @@ interface(`files_relabel_all_lock_dirs',`
+ ##
+ ##
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_relabel_all_lock_files',`
+ gen_require(`
++ attribute lockfile;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Get the attributes of generic lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
+ allow $1 var_lock_t:dir list_dir_perms;
+ getattr_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+@@ -5809,13 +7133,12 @@ interface(`files_getattr_generic_locks',`
+ ##
+ #
+ interface(`files_delete_generic_locks',`
+- gen_require(`
++ gen_require(`
+ type var_t, var_lock_t;
+- ')
++ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
++ files_search_locks($1)
++ delete_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
+ ########################################
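Review bot: Lines L11523–L11527 re-indent the gen_require block of files_delete_generic_locks without changing its content, which is whitespace churn that makes the real change (replacing the inline search rules with `files_search_locks($1)` at L11532) harder to see. Either leave the existing indentation alone or make the whitespace cleanup a separate commit.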
+@@ -5834,9 +7157,7 @@ interface(`files_manage_generic_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
++ files_search_locks($1)
+ manage_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
+@@ -5878,8 +7199,7 @@ interface(`files_read_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ allow $1 lockfile:dir list_dir_perms;
+ read_files_pattern($1, lockfile, lockfile)
+ read_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5901,8 +7221,7 @@ interface(`files_manage_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ manage_dirs_pattern($1, lockfile, lockfile)
+ manage_files_pattern($1, lockfile, lockfile)
+ manage_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5939,8 +7258,7 @@ interface(`files_lock_filetrans',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
+ ')
+
+@@ -5979,7 +7297,7 @@ interface(`files_setattr_pid_dirs',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ allow $1 var_run_t:dir setattr;
+ ')
+
+@@ -5999,10 +7317,48 @@ interface(`files_search_pids',`
+ type var_t, var_run_t;
+ ')
+
++ allow $1 var_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_run_t)
+ ')
+
++######################################
++##
++## Add and remove entries from pid directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++##
++## Create generic pid directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_run_dirs',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
++')
++
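Review bot: files_create_var_run_dirs at L11629 inlines `allow $1 var_t:dir search_dir_perms;` while the rest of this patch replaces exactly such inline search rules with `files_search_pids($1)` (for example L11583 and L11667). For consistency it should call `files_search_pids($1)` and keep only `allow $1 var_run_t:dir create_dir_perms;`. The summary at L11616 would then be clearer as `## Create the generic pid directory (/var/run).`.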
+ ########################################
+ ##
+ ## Do not audit attempts to search
+@@ -6025,6 +7381,25 @@ interface(`files_dontaudit_search_pids',`
+
+ ########################################
+ ##
++## Do not audit attempts to search
++## the all /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ dontaudit $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++##
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+@@ -6039,7 +7414,7 @@ interface(`files_list_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+@@ -6058,7 +7433,7 @@ interface(`files_read_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ read_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6078,7 +7453,7 @@ interface(`files_write_generic_pid_pipes',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ allow $1 var_run_t:fifo_file write;
+ ')
+
+@@ -6140,7 +7515,6 @@ interface(`files_pid_filetrans',`
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern($1, var_run_t, $2, $3, $4)
+ ')
+
+@@ -6169,6 +7543,24 @@ interface(`files_pid_filetrans_lock_dir',`
+
+ ########################################
+ ##
++## rw generic pid files inherited from another process
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_inherited_generic_pid_files',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Read and write generic process ID files.
+ ##
+ ##
+@@ -6182,7 +7574,7 @@ interface(`files_rw_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ rw_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6249,55 +7641,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+
+ ########################################
+ ##
+-## Read all process ID files.
++## Relable all pid directories
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_read_all_pids',`
++interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
++ relabel_dirs_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ##
+-## Delete all process IDs.
++## Delete all pid sockets
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_delete_all_pids',`
++interface(`files_delete_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ allow $1 pidfile:sock_file delete_sock_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete all process ID directories.
++## Create all pid sockets
+ ##
+ ##
+ ##
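Review bot: The summary of `files_relabel_all_pid_dirs` is misspelled ("Relable all pid directories") and the same typo appears in the summary of `files_relabel_all_pid_files` in the hunk at -6367; both should read `## Relabel all pid directories` / `## Relabel all pid files`. Since these summaries are what the generated interface documentation shows to policy authors, the misspelling also breaks searching for "relabel" interfaces. The bodies themselves (relabel_dirs_pattern / relabel_files_pattern on the pidfile attribute) match the names.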
+@@ -6305,42 +7685,35 @@ interface(`files_delete_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_delete_all_pid_dirs',`
++interface(`files_create_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:sock_file create_sock_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write and delete all
+-## var_run (pid) content
++## Create all pid named pipes
+ ##
+ ##
+ ##
+-## Domain alloed access.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_manage_all_pids',`
++interface(`files_create_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:fifo_file create_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Mount filesystems on all polyinstantiation
+-## member directories.
++## Delete all pid named pipes
+ ##
+ ##
+ ##
+@@ -6348,18 +7721,18 @@ interface(`files_manage_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_pid_pipes',`
+ gen_require(`
+- attribute polymember;
++ attribute pidfile;
+ ')
+
+- allow $1 polymember:dir mounton;
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Search the contents of generic spool
+-## directories (/var/spool).
++## manage all pidfile directories
++## in the /var/run directory.
+ ##
+ ##
+ ##
+@@ -6367,37 +7740,40 @@ interface(`files_mounton_all_poly_members',`
+ ##
+ ##
+ #
+-interface(`files_search_spool',`
++interface(`files_manage_all_pid_dirs',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
++ manage_dirs_pattern($1,pidfile,pidfile)
+ ')
+
++
+ ########################################
+ ##
+-## Do not audit attempts to search generic
+-## spool directories.
++## Read all process ID files.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_dontaudit_search_spool',`
++interface(`files_read_all_pids',`
+ gen_require(`
+- type var_spool_t;
++ attribute pidfile;
++ type var_t;
+ ')
+
+- dontaudit $1 var_spool_t:dir search_dir_perms;
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ##
+-## List the contents of generic spool
+-## (/var/spool) directories.
++## Relable all pid files
+ ##
+ ##
+ ##
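Review bot: `files_manage_all_pid_dirs` calls `manage_dirs_pattern($1,pidfile,pidfile)` without the space after each comma that every other pattern call in this file uses; the same spacing appears in `files_manage_all_pids` (`manage_files_pattern($1,pidfile,pidfile)`, hunk at -6443) and in `files_manage_generic_pids_symlinks` (`manage_lnk_files_pattern($1,var_run_t,var_run_t)`, hunk at -6573), and should be `manage_dirs_pattern($1, pidfile, pidfile)` in all three. The new code also leaves two consecutive blank lines before the `files_read_all_pids` banner, where the rest of the file uses one. Both are style-only; the rules are otherwise correct.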
+@@ -6405,18 +7781,17 @@ interface(`files_dontaudit_search_spool',`
+ ##
+ ##
+ #
+-interface(`files_list_spool',`
++interface(`files_relabel_all_pid_files',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
++ relabel_files_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
++## Execute generic programs in /var/run in the caller domain.
+ ##
+ ##
+ ##
+@@ -6424,18 +7799,18 @@ interface(`files_list_spool',`
+ ##
+ ##
+ #
+-interface(`files_manage_generic_spool_dirs',`
++interface(`files_exec_generic_pid_files',`
+ gen_require(`
+- type var_t, var_spool_t;
++ type var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ exec_files_pattern($1, var_run_t, var_run_t)
+ ')
+
+ ########################################
+ ##
+-## Read generic spool files.
++## manage all pidfiles
++## in the /var/run directory.
+ ##
+ ##
+ ##
+@@ -6443,19 +7818,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_spool',`
++interface(`files_manage_all_pids',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
++ manage_files_pattern($1,pidfile,pidfile)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool files.
++## Mount filesystems on all polyinstantiation
++## member directories.
+ ##
+ ##
+ ##
+@@ -6463,55 +7837,43 @@ interface(`files_read_generic_spool',`
+ ##
+ ##
+ #
+-interface(`files_manage_generic_spool',`
++interface(`files_mounton_all_poly_members',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute polymember;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
++ allow $1 polymember:dir mounton;
+ ')
+
+ ########################################
+ ##
+-## Create objects in the spool directory
+-## with a private type with a type transition.
++## Delete all process IDs.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Type to which the created node will be transitioned.
+-##
+-##
+-##
+-##
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
++##
+ #
+-interface(`files_spool_filetrans',`
++interface(`files_delete_all_pids',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
++ type var_t, var_run_t;
+ ')
+
++ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ ')
+
+ ########################################
+ ##
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
++## Delete all process ID directories.
+ ##
+ ##
+ ##
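Review bot: `files_delete_all_pids` now calls `files_search_pids($1)` and on the very next line still grants `allow $1 var_t:dir search_dir_perms;`; if files_search_pids already covers search on var_t (its body is not visible here), the explicit allow is redundant and should be dropped so the interface has one source of truth for the path traversal. The same pair appears in `files_delete_all_pid_dirs` in the hunk at -6519. If files_search_pids does not search var_t, a one-line comment saying why both are needed would keep the next maintainer from removing either.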
+@@ -6519,53 +7881,68 @@ interface(`files_spool_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_polyinstantiate_all',`
++interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
++ attribute pidfile;
++ type var_t, var_run_t;
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
++ files_search_pids($1)
++ allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
++')
+
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
++########################################
++##
++## Make the specified type a file
++## used for spool files.
++##
++##
++##
++## Make the specified type usable for spool files.
++## This will also make the type usable for files, making
++## calls to files_type() redundant. Failure to use this interface
++## for a spool file may result in problems with
++## purging spool files.
++##
++##
++## Related interfaces:
++##
++##
++## - files_spool_filetrans()
++##
++##
++## Example usage with a domain that can create and
++## write its spool file in the system spool file
++## directories (/var/spool):
++##
++##
++## type myspoolfile_t;
++## files_spool_file(myfile_spool_t)
++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++##
++##
++##
++##
++## Type of the file to be used as a
++## spool file.
++##
++##
++##
++#
++interface(`files_spool_file',`
++ gen_require(`
++ attribute spoolfile;
+ ')
++
++ files_type($1)
++ typeattribute $1 spoolfile;
+ ')
+
+ ########################################
+ ##
+-## Unconfined access to files.
++## Create all spool sockets
+ ##
+ ##
+ ##
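Review bot: The usage example in the `files_spool_file` description declares `## type myspoolfile_t;` but then passes `myfile_spool_t` to files_spool_file, the allow rule and files_spool_filetrans, so the example does not compile as written; the declaration line should be `## type myfile_spool_t;`. The interface body itself is fine: it calls files_type($1) and adds the spoolfile attribute, which is exactly what the description promises.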
+@@ -6573,10 +7950,875 @@ interface(`files_polyinstantiate_all',`
+ ##
+ ##
+ #
+-interface(`files_unconfined',`
++interface(`files_create_all_spool_sockets',`
+ gen_require(`
+- attribute files_unconfined_type;
++ attribute spoolfile;
+ ')
+
+- typeattribute $1 files_unconfined_type;
++ allow $1 spoolfile:sock_file create_sock_file_perms;
++')
++
++########################################
++##
++## Delete all spool sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_spool_sockets',`
++ gen_require(`
++ attribute spoolfile;
++ ')
++
++ allow $1 spoolfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++##
++## Relabel to and from all spool
++## directory types.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_relabel_all_spool_dirs',`
++ gen_require(`
++ attribute spoolfile;
++ type var_t;
++ ')
++
++ relabel_dirs_pattern($1, spoolfile, spoolfile)
++')
++
++########################################
++##
++## Search the contents of generic spool
++## directories (/var/spool).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_search_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ search_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++##
++## Do not audit attempts to search generic
++## spool directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_spool',`
++ gen_require(`
++ type var_spool_t;
++ ')
++
++ dontaudit $1 var_spool_t:dir search_dir_perms;
++')
++
++########################################
++##
++## List the contents of generic spool
++## (/var/spool) directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++##
++## Create, read, write, and delete generic
++## spool directories (/var/spool).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_spool_dirs',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_dirs_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++##
++## Read generic spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_spool_t)
++ read_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++##
++## Create, read, write, and delete generic
++## spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++##
++## Create objects in the spool directory
++## with a private type with a type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Type to which the created node will be transitioned.
++##
++##
++##
++##
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_spool_filetrans',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_spool_t, $2, $3, $4)
++')
++
++########################################
++##
++## Allow access to manage all polyinstantiated
++## directories on the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_polyinstantiate_all',`
++ gen_require(`
++ attribute polydir, polymember, polyparent;
++ type poly_t;
++ ')
++
++ # Need to give access to /selinux/member
++ selinux_compute_member($1)
++
++ # Need sys_admin capability for mounting
++ allow $1 self:capability { chown fsetid sys_admin fowner };
++
++ # Need to give access to the directories to be polyinstantiated
++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++ # Need to give access to the polyinstantiated subdirectories
++ allow $1 polymember:dir search_dir_perms;
++
++ # Need to give access to parent directories where original
++ # is remounted for polyinstantiation aware programs (like gdm)
++ allow $1 polyparent:dir { getattr mounton };
++
++ # Need to give permission to create directories where applicable
++ allow $1 self:process setfscreate;
++ allow $1 polymember: dir { create setattr relabelto };
++ allow $1 polydir: dir { write add_name open };
++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++ # Default type for mountpoints
++ allow $1 poly_t:dir { create mounton };
++ fs_unmount_xattr_fs($1)
++
++ fs_mount_tmpfs($1)
++ fs_unmount_tmpfs($1)
++
++ ifdef(`distro_redhat',`
++ # namespace.init
++ files_search_tmp($1)
++ files_search_home($1)
++ corecmd_exec_bin($1)
++ seutil_domtrans_setfiles($1)
++ ')
++')
++
++########################################
++##
++## Unconfined access to files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_unconfined',`
++ gen_require(`
++ attribute files_unconfined_type;
++ ')
++
++ typeattribute $1 files_unconfined_type;
++')
++
++########################################
++##
++## Create a core files in /
++##
++##
++##
++## Create a core file in /,
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_manage_root_files',`
++ gen_require(`
++ type root_t;
++ ')
++
++ manage_files_pattern($1, root_t, root_t)
++')
++
++########################################
++##
++## Create a default directory
++##
++##
++##
++## Create a default_t direcrory
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_create_default_dir',`
++ gen_require(`
++ type default_t;
++ ')
++
++ allow $1 default_t:dir create;
++')
++
++########################################
++##
++## Create, default_t objects with an automatic
++## type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object being created.
++##
++##
++#
++interface(`files_root_filetrans_default',`
++ gen_require(`
++ type root_t, default_t;
++ ')
++
++ filetrans_pattern($1, root_t, default_t, $2)
++')
++
++########################################
++##
++## Create, lib_t objects with an automatic
++## type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Type of the directory to be transitioned from
++##
++##
++##
++##
++## The class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_filetrans_lib',`
++ gen_require(`
++ type lib_t, lib_t;
++ ')
++
++ filetrans_pattern($1, $2, lib_t, $3, $4)
++')
++
++########################################
++##
++## manage generic symbolic links
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_pids_symlinks',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ manage_lnk_files_pattern($1,var_run_t,var_run_t)
++')
++
++########################################
++##
++## Do not audit attempts to getattr
++## all tmpfs files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file getattr;
++')
++
++########################################
++##
++## Allow delete all tmpfs files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_delete_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file delete_file_perms;
++')
++
++########################################
++##
++## Allow read write all tmpfs files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_rw_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file { read write };
++')
++
++########################################
++##
++## Do not audit attempts to read security files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_security_files',`
++ gen_require(`
++ attribute security_file_type;
++ ')
++
++ dontaudit $1 security_file_type:file read_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search security files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_security_files',`
++ gen_require(`
++ attribute security_file_type;
++ ')
++
++ dontaudit $1 security_file_type:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read security dirs
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_list_security_dirs',`
++ gen_require(`
++ attribute security_file_type;
++ ')
++
++ dontaudit $1 security_file_type:dir list_dir_perms;
++')
++
++########################################
++##
++## rw any files inherited from another process
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Object type.
++##
++##
++#
++interface(`files_rw_all_inherited_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 { file_type $2 }:file rw_inherited_file_perms;
++ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
++ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Allow any file point to be the entrypoint of this domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_entrypoint_all_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++ allow $1 file_type:file entrypoint;
++')
++
++########################################
++##
++## Do not audit attempts to rw inherited file perms
++## of non security files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_all_non_security_leaks',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_leaks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:file rw_inherited_file_perms;
++ dontaudit $1 file_type:lnk_file { read };
++')
++
++########################################
++##
++## Allow domain to create_file_ass all types
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_as_is_all_files',`
++ gen_require(`
++ attribute file_type;
++ class kernel_service create_files_as;
++ ')
++
++ allow $1 file_type:kernel_service create_files_as;
++')
++
++########################################
++##
++## Do not audit attempts to check the
++## access on all files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_all_access_check',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:dir_file_class_set audit_access;
++')
++
++########################################
++##
++## Do not audit attempts to write to all files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_write_all_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:dir_file_class_set write;
++')
++
++########################################
++##
++## Allow domain to delete to all files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_delete_all_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ allow $1 non_security_file_type:dir del_entry_dir_perms;
++ allow $1 non_security_file_type:file_class_set delete_file_perms;
++')
++
++########################################
++##
++## Allow domain to delete to all dirs
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_delete_all_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
++')
++
++########################################
++##
++## Transition named content in the var_run_t directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_filetrans_named_content',`
++ gen_require(`
++ type etc_t;
++ type mnt_t;
++ type usr_t;
++ type tmp_t;
++ type var_t;
++ type var_run_t;
++ type var_lock_t;
++ type tmp_t;
++ ')
++
++ files_pid_filetrans($1, mnt_t, dir, "media")
++ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
++ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
++ files_root_filetrans($1, mnt_t, dir, "afs")
++ files_root_filetrans($1, mnt_t, dir, "misc")
++ files_root_filetrans($1, mnt_t, dir, "net")
++ files_root_filetrans($1, usr_t, dir, "export")
++ files_root_filetrans($1, usr_t, dir, "opt")
++ files_root_filetrans($1, usr_t, dir, "ostree")
++ files_root_filetrans($1, usr_t, dir, "emul")
++ files_root_filetrans($1, var_t, dir, "srv")
++ files_root_filetrans($1, var_run_t, dir, "run")
++ files_root_filetrans($1, var_run_t, lnk_file, "run")
++ files_root_filetrans($1, var_lock_t, lnk_file, "lock")
++ files_root_filetrans($1, tmp_t, dir, "sandbox")
++ files_root_filetrans($1, tmp_t, dir, "tmp")
++ files_root_filetrans($1, var_t, dir, "nsr")
++ files_etc_filetrans($1, etc_t, file, "system-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "postlogin-ac")
++ files_etc_filetrans($1, etc_t, file, "password-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "hwdb.bin")
++ files_etc_filetrans_etc_runtime($1, file, ".updated")
++ files_etc_filetrans_etc_runtime($1, file, "runtime")
++ files_etc_filetrans_etc_runtime($1, dir, "blkid")
++ files_etc_filetrans_etc_runtime($1, dir, "cmtab")
++ files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE")
++ files_etc_filetrans_etc_runtime($1, file, "ioctl.save")
++ files_etc_filetrans_etc_runtime($1, file, "nologin")
++ files_etc_filetrans_etc_runtime($1, file, "securetty")
++ files_etc_filetrans_etc_runtime($1, file, "ifstate")
++ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
++ files_etc_filetrans_etc_runtime($1, file, "hwconf")
++ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
++ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
++ files_var_filetrans($1, tmp_t, dir, "tmp")
++ files_var_filetrans($1, var_run_t, dir, "run")
++ files_var_filetrans($1, etc_runtime_t, file, ".updated")
++')
++
++########################################
++##
++## Make the specified type a
++## base file.
++##
++##
++##
++## Identify file type as base file type. Tools will use this attribute,
++## to help users diagnose problems.
++##
++##
++##
++##
++## Type to be used as a base files.
++##
++##
++##
++#
++interface(`files_base_file',`
++ gen_require(`
++ attribute base_file_type;
++ ')
++ files_type($1)
++ typeattribute $1 base_file_type;
++')
++
++########################################
++##
++## Make the specified type a
++## base read only file.
++##
++##
++##
++## Make the specified type readable for all domains.
++##
++##
++##
++##
++## Type to be used as a base read only files.
++##
++##
++##
++#
++interface(`files_ro_base_file',`
++ gen_require(`
++ attribute base_ro_file_type;
++ ')
++ files_base_file($1)
++ typeattribute $1 base_ro_file_type;
++')
++
++########################################
++##
++## Read all ro base files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_read_all_base_ro_files',`
++ gen_require(`
++ attribute base_ro_file_type;
++ ')
++
++ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
++ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
++ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
++')
++
++########################################
++##
++## Execute all base ro files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_exec_all_base_ro_files',`
++ gen_require(`
++ attribute base_ro_file_type;
++ ')
++
++ can_exec($1, base_ro_file_type)
++')
++
++########################################
++##
++## Allow the specified domain to modify the systemd configuration of
++## any file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_config_all_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:service all_service_perms;
++')
++
++########################################
++##
++## Get the status of etc_t files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_status_etc',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ allow $1 etc_t:service status;
+ ')
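Review bot: `files_dontaudit_getattr_tmpfs_files` grants the permission its name and summary say it silences: the body is `allow $1 tmpfsfile:file getattr;`, so every caller quietly gains getattr on all tmpfs files instead of merely suppressing the denial, and it should read `dontaudit $1 tmpfsfile:file getattr;`. Several allow-granting interfaces in this hunk (files_delete_tmpfs_files, files_rw_tmpfs_files, files_delete_all_non_security_files, files_delete_all_non_security_dirs) carry the parameter description "Domain to not audit." and should say "Domain allowed access." so the generated docs do not mislabel a grant as a dontaudit. `files_filetrans_named_content` requires `type tmp_t;` twice and passes `etc_runtime_t` to files_root_filetrans and files_var_filetrans without requiring it, which presumably fails to link in any caller that does not already require that type; `files_filetrans_lib` likewise requires `type lib_t, lib_t;`. `files_manage_root_files` is summarized as creating a core file in / but grants the full manage_files_pattern on root_t, so the summary should state the actual scope, e.g. `## Create, read, write and delete files in the root directory (/).`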
+diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
+index 1a03abd..32a40f8 100644
+--- a/policy/modules/kernel/files.te
++++ b/policy/modules/kernel/files.te
+@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
+ # Declarations
+ #
+
++attribute base_file_type;
++attribute base_ro_file_type;
+ attribute file_type;
+ attribute files_unconfined_type;
+ attribute lockfile;
+ attribute mountpoint;
+ attribute pidfile;
++attribute spoolfile;
+ attribute configfile;
++attribute etcfile;
+
+ # For labeling types that are to be polyinstantiated
+ attribute polydir;
+@@ -48,47 +52,53 @@ attribute usercanread;
+ #
+ type boot_t;
+ files_mountpoint(boot_t)
++files_ro_base_file(boot_t)
+
+ # default_t is the default type for files that do not
+ # match any specification in the file_contexts configuration
+ # other than the generic /.* specification.
+ type default_t;
+ files_mountpoint(default_t)
++files_base_file(default_t)
+
+ #
+ # etc_t is the type of the system etc directories.
+ #
+ type etc_t, configfile;
+-files_type(etc_t)
++files_ro_base_file(etc_t)
++
+ # compatibility aliases for removed types:
+ typealias etc_t alias automount_etc_t;
+ typealias etc_t alias snmpd_etc_t;
+
++# system_conf_t is a new type of various
++# files in /etc/ that can be managed and
++# created by several domains.
++#
++type system_conf_t, configfile;
++files_ro_base_file(system_conf_t)
++# compatibility aliases for removed type:
++typealias system_conf_t alias iptables_conf_t;
++
++# system_db_t is a new type of various
++# db files.
++type system_db_t;
++files_ro_base_file(system_db_t)
++
+ #
+ # etc_runtime_t is the type of various
+ # files in /etc that are automatically
+ # generated during initialization.
+ #
+-type etc_runtime_t;
+-files_type(etc_runtime_t)
+-#Temporarily in policy until FC5 dissappears
+-typealias etc_runtime_t alias firstboot_rw_t;
+-
+-#
+-# file_t is the default type of a file that has not yet been
+-# assigned an extended attribute (EA) value (when using a filesystem
+-# that supports EAs).
+-#
+-type file_t;
+-files_mountpoint(file_t)
+-kernel_rootfs_mountpoint(file_t)
+-sid file gen_context(system_u:object_r:file_t,s0)
++type etc_runtime_t, configfile;
++files_ro_base_file(etc_runtime_t)
+
+ #
+ # home_root_t is the type for the directory where user home directories
+ # are created
+ #
+ type home_root_t;
++files_base_file(home_root_t)
+ files_mountpoint(home_root_t)
+ files_poly_parent(home_root_t)
+
+@@ -96,12 +106,13 @@ files_poly_parent(home_root_t)
+ # lost_found_t is the type for the lost+found directories.
+ #
+ type lost_found_t;
+-files_type(lost_found_t)
++files_base_file(lost_found_t)
+
+ #
+ # mnt_t is the type for mount points such as /mnt/cdrom
+ #
+ type mnt_t;
++files_base_file(mnt_t)
+ files_mountpoint(mnt_t)
+
+ #
+@@ -123,6 +134,7 @@ files_type(readable_t)
+ # root_t is the type for rootfs and the root directory.
+ #
+ type root_t;
++files_base_file(root_t)
+ files_mountpoint(root_t)
+ files_poly_parent(root_t)
+ kernel_rootfs_mountpoint(root_t)
+@@ -133,45 +145,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+ #
+ type src_t;
+ files_mountpoint(src_t)
++files_ro_base_file(src_t)
+
+ #
+ # system_map_t is for the system.map files in /boot
+ #
+ type system_map_t;
+ files_type(system_map_t)
++kernel_proc_type(system_map_t)
+ genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
+
+ #
+ # tmp_t is the type of the temporary directories
+ #
+ type tmp_t;
++files_base_file(tmp_t)
+ files_tmp_file(tmp_t)
+ files_mountpoint(tmp_t)
+ files_poly(tmp_t)
+ files_poly_parent(tmp_t)
++typealias tmp_t alias firstboot_tmp_t;
+
+ #
+ # usr_t is the type for /usr.
+ #
+ type usr_t;
++files_ro_base_file(usr_t)
+ files_mountpoint(usr_t)
+
+ #
+ # var_t is the type of /var
+ #
+ type var_t;
++files_base_file(var_t)
+ files_mountpoint(var_t)
+
+ #
+ # var_lib_t is the type of /var/lib
+ #
+ type var_lib_t;
++files_base_file(var_lib_t)
+ files_mountpoint(var_lib_t)
++files_poly(var_lib_t)
+
+ #
+ # var_lock_t is tye type of /var/lock
+ #
+ type var_lock_t;
++files_base_file(var_lock_t)
+ files_lock_file(var_lock_t)
+ files_mountpoint(var_lock_t)
+
+@@ -180,6 +201,7 @@ files_mountpoint(var_lock_t)
+ # used for pid and other runtime files.
+ #
+ type var_run_t;
++files_base_file(var_run_t)
+ files_pid_file(var_run_t)
+ files_mountpoint(var_run_t)
+
+@@ -187,7 +209,9 @@ files_mountpoint(var_run_t)
+ # var_spool_t is the type of /var/spool
+ #
+ type var_spool_t;
++files_base_file(var_spool_t)
+ files_tmp_file(var_spool_t)
++files_spool_file(var_spool_t)
+
+ ########################################
+ #
+@@ -224,12 +248,13 @@ fs_associate_tmpfs(tmpfsfile)
+ #
+
+ # Create/access any file in a labeled filesystem;
+-allow files_unconfined_type file_type:{ file chr_file } ~execmod;
++allow files_unconfined_type file_type:{ file chr_file } ~{ execmod entrypoint };
+ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
++allow files_unconfined_type file_type:service *;
+
+ # Mount/unmount any filesystem with the context= option.
+ allow files_unconfined_type file_type:filesystem *;
+
+-tunable_policy(`allow_execmod',`
++tunable_policy(`selinuxuser_execmod',`
+ allow files_unconfined_type file_type:file execmod;
+ ')
+diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
+index d7c11a0..6b3331d 100644
+--- a/policy/modules/kernel/filesystem.fc
++++ b/policy/modules/kernel/filesystem.fc
+@@ -1,23 +1,26 @@
+-/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+-/cgroup/.* <>
++# ecryptfs does not support xattr
++HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
++HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
+
+ /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+ /dev/hugepages(/.*)? <>
+-/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+-/dev/shm/.* <>
+
+-/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+-/lib/udev/devices/hugepages/.* <>
+-/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+-/lib/udev/devices/shm/.* <>
++/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)
++/dev/shm/.* <>
+
++/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
++/usr/lib/udev/devices/hugepages/.* <>
++/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
++/usr/lib/udev/devices/shm/.* <>
++/var/run/user/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
++/var/run/user/[^/]*/gvfs/.* <>
++
++# for systemd systems:
+ /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+ /sys/fs/cgroup/.* <>
+
+ /sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0)
+ /sys/fs/pstore/.* <>
+
+-ifdef(`distro_debian',`
+ /var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+ /var/run/shm/.* <>
+-')
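Review bot: The comment `# ecryptfs does not support xattr` does not say why the lower directories `HOME_DIR/\.ecryptfs` and `HOME_DIR/\.Private` get a file context: ecryptfs_t is declared with `fs_noxattr_type` in filesystem.te, so the label cannot live on the encrypted view and these entries only label the backing directories on the xattr-capable home filesystem. Suggest `# ecryptfs does not support xattr; label the backing directories so the encrypted lower files carry ecryptfs_t.` Separately, `/dev/shm` moves to `s0-mls_systemhigh` while the `/usr/lib/udev/devices/shm` entry added in the same hunk stays at `s0`; if the difference is intentional a one-line comment would stop the next reader from "fixing" it.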
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index 8416beb..75c7b9d 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
+
+ ########################################
+ ##
++## Get attributes of cgroup files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_getattr_cgroup_files',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ getattr_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
++ dev_search_sysfs($1)
++')
++
++########################################
++##
+ ## Search cgroup directories.
+ ##
+ ##
+@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',`
+ ')
+
+ search_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+ ########################################
+ ##
++## Relabel cgroup directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabel_cgroup_dirs',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ relabel_dirs_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++##
+ ## list cgroup directories.
+ ##
+ ##
+@@ -659,15 +700,35 @@ interface(`fs_search_cgroup_dirs',`
+ ##
+ ##
+ #
+-interface(`fs_list_cgroup_dirs', `
++interface(`fs_list_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
++#######################################
++##
++## Do not audit attempts to search cgroup directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_search_cgroup_dirs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ dontaudit $1 cgroup_t:dir search_dir_perms;
++ dev_dontaudit_search_sysfs($1)
++')
++
+ ########################################
+ ##
+ ## Delete cgroup directories.
+@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', `
+ ')
+
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',`
+ ')
+
+ manage_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -724,6 +787,8 @@ interface(`fs_read_cgroup_files',`
+ ')
+
+ read_files_pattern($1, cgroup_t, cgroup_t)
++ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -743,6 +808,7 @@ interface(`fs_write_cgroup_files', `
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',`
+
+ ')
+
++ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+ rw_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',`
+ ')
+
+ manage_files_pattern($1, cgroup_t, cgroup_t)
++ manage_lnk_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',`
+
+ ########################################
+ ##
++## Read/Write all inherited noxattrfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_noxattr_fs_files',`
++ gen_require(`
++ attribute noxattrfs;
++ ')
++
++ allow $1 noxattrfs:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read all
+ ## noxattrfs files.
+ ##
+@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',`
+
+ ########################################
+ ##
+-## dontaudit Append files
++## Do not audit attempts to append files
+ ## on a CIFS filesystem.
+ ##
+ ##
+@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+
+ ########################################
+ ##
++## Read inherited files on a CIFS or SMB filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_inherited_cifs_files',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ allow $1 cifs_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## Read/Write inherited files on a CIFS or SMB filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_cifs_files',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ allow $1 cifs_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read or
+ ## write files on a CIFS or SMB filesystem.
+ ##
+@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+ type cifs_t;
+ ')
+
+- dontaudit $1 cifs_t:file rw_file_perms;
++ dontaudit $1 cifs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',`
+ domain_auto_transition_pattern($1, cifs_t, $2)
+ ')
+
++########################################
++##
++## Make general progams in cifs an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which cifs_t is an entrypoint.
++##
++##
++#
++interface(`fs_cifs_entry_type',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ domain_entry_file($1, cifs_t)
++')
++
+ #######################################
+ ##
+ ## Create, read, write, and delete dirs
+@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',`
+
+ ########################################
+ ##
++## Unmount a configfs filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_unmount_configfs',`
++ gen_require(`
++ type configfs_t;
++ ')
++
++ allow $1 configfs_t:filesystem unmount;
++')
++
++########################################
++##
+ ## Mount a DOS filesystem, such as
+ ## FAT32 or NTFS.
+ ##
+@@ -1793,6 +1954,205 @@ interface(`fs_read_eventpollfs',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ ')
+
++
++#######################################
++##
++## Search directories
++## on a ecrypt filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_search_ecryptfs',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete directories
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_manage_ecryptfs_dirs',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
++ allow $1 ecryptfs_t:dir manage_dir_perms;
++')
++
++#######################################
++##
++## Create, read, write, and delete files
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_read_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++##
++## Create, read, write, and delete files
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_manage_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++##
++## Do not audit attempts to create,
++## read, write, and delete files
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_manage_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ dontaudit $1 ecryptfs_t:file manage_file_perms;
++')
++
++########################################
++##
++## Read symbolic links on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_ecryptfs_symlinks',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++#######################################
++##
++## Dontaudit append files on ecrypt filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_append_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++ dontaudit $1 ecryptfs_t:file append;
++')
++
++########################################
++##
++## Manage symbolic links on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_ecryptfs_symlinks',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain.
++##
++##
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain. This is not suggested.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++## This interface was added to handle
++## home directories on FUSE filesystems,
++## in particular used by the ssh-agent policy.
++##
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`fs_ecryptfs_domtrans',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir search_dir_perms;
++ domain_auto_transition_pattern($1, ecryptfs_t, $2)
++')
++
+ ########################################
+ ##
+ ## Mount a FUSE filesystem.
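Review bot: The descriptions in this hunk appear to have been copied from the fusefs interfaces and several are wrong for what the interface does: `fs_manage_ecryptfs_dirs`, `fs_read_ecryptfs_files`, `fs_manage_ecryptfs_files`, `fs_dontaudit_manage_ecryptfs_files`, `fs_read_ecryptfs_symlinks`, `fs_manage_ecryptfs_symlinks` and `fs_ecryptfs_domtrans` all say "FUSEFS"/"FUSE", and `fs_read_ecryptfs_files` is summarised as `Create, read, write, and delete files` although its body is only `read_files_pattern`. Suggest `## Read files on an ecryptfs filesystem.` for that one and replacing FUSEFS with ecryptfs in the others, including the `ssh-agent` paragraph under `fs_ecryptfs_domtrans`, which describes the fusefs history rather than this interface. In `fs_manage_ecryptfs_dirs` the line `allow $1 ecryptfs_t:dir manage_dir_perms;` looks redundant next to `manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)` and can probably be dropped.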
+@@ -2025,6 +2385,87 @@ interface(`fs_read_fusefs_symlinks',`
+
+ ########################################
+ ##
++## Manage symbolic links on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_fusefs_symlinks',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain.
++##
++##
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain. This is not suggested.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++## This interface was added to handle
++## home directories on FUSE filesystems,
++## in particular used by the ssh-agent policy.
++##
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`fs_fusefs_domtrans',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:dir search_dir_perms;
++ domain_auto_transition_pattern($1, fusefs_t, $2)
++')
++
++########################################
++##
++## Get the attributes of a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_getattr_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:filesystem getattr;
++')
++
++########################################
++##
+ ## Get the attributes of an hugetlbfs
+ ## filesystem.
+ ##
+@@ -2080,6 +2521,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+
+ ########################################
+ ##
++## Read hugetlbfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_hugetlbfs_files',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++##
+ ## Read and write hugetlbfs files.
+ ##
+ ##
+@@ -2098,6 +2557,25 @@ interface(`fs_rw_hugetlbfs_files',`
+
+ ########################################
+ ##
++## Execute hugetlbfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_exec_hugetlbfs_files',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ allow $1 hugetlbfs_t:dir list_dir_perms;
++ exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++##
+ ## Allow the type to associate to hugetlbfs filesystems.
+ ##
+ ##
+@@ -2148,11 +2626,12 @@ interface(`fs_list_inotifyfs',`
+ ')
+
+ allow $1 inotifyfs_t:dir list_dir_perms;
++ fs_read_anon_inodefs_files($1)
+ ')
+
+ ########################################
+ ##
+-## Dontaudit List inotifyfs filesystem.
++## Do not audit attempts to list inotifyfs filesystem.
+ ##
+ ##
+ ##
+@@ -2485,6 +2964,7 @@ interface(`fs_read_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir list_dir_perms;
+ read_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2523,6 +3003,7 @@ interface(`fs_write_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir list_dir_perms;
+ write_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2549,6 +3030,25 @@ interface(`fs_exec_nfs_files',`
+
+ ########################################
+ ##
++## Make general progams in nfs an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which nfs_t is an entrypoint.
++##
++##
++#
++interface(`fs_nfs_entry_type',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ domain_entry_file($1, nfs_t)
++')
++
++########################################
++##
+ ## Append files
+ ## on a NFS filesystem.
+ ##
+@@ -2569,7 +3069,7 @@ interface(`fs_append_nfs_files',`
+
+ ########################################
+ ##
+-## dontaudit Append files
++## Do not audit attempts to append files
+ ## on a NFS filesystem.
+ ##
+ ##
+@@ -2589,6 +3089,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+
+ ########################################
+ ##
++## Read inherited files on a NFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_inherited_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## Read/write inherited files on a NFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read or
+ ## write files on a NFS filesystem.
+ ##
+@@ -2603,7 +3139,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+ type nfs_t;
+ ')
+
+- dontaudit $1 nfs_t:file rw_file_perms;
++ dontaudit $1 nfs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -2627,7 +3163,7 @@ interface(`fs_read_nfs_symlinks',`
+
+ ########################################
+ ##
+-## Dontaudit read symbolic links on a NFS filesystem.
++## Do not audit attempts to read symbolic links on a NFS filesystem.
+ ##
+ ##
+ ##
+@@ -2719,6 +3255,47 @@ interface(`fs_search_rpc',`
+
+ ########################################
+ ##
++## Do not audit attempts to list removable storage directories.
++##
++##
++##
++## Do not audit attempts to list removable storage directories
++##
++##
++## This interface has been deprecated, and will
++## be removed in the future.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_list_pstorefs',`
++ refpolicywarn(`$0($*) has been deprecated.')
++')
++
++########################################
++##
++## Do not audit attempts to list removable storage directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_list_pstore',`
++ gen_require(`
++ type pstore_t;
++ ')
++
++ allow $1 pstore_t:dir list_dir_perms;
++')
++
++########################################
++##
+ ## Search removable storage directories.
+ ##
+ ##
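Review bot: Both new pstore interfaces carry the wrong description: `fs_list_pstorefs` and `fs_list_pstore` are summarised as `Do not audit attempts to list removable storage directories`, and `fs_list_pstore` documents its parameter as `Domain to not audit` although the body is an `allow` rule. Suggest `## List pstore filesystem directories.` with `## Domain allowed access.` for `fs_list_pstore`, and for the deprecated `fs_list_pstorefs` a summary that names the replacement, e.g. `## Deprecated; use fs_list_pstore() instead.`.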
+@@ -2741,7 +3318,7 @@ interface(`fs_search_removable',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -2777,7 +3354,7 @@ interface(`fs_read_removable_files',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -2970,6 +3547,7 @@ interface(`fs_manage_nfs_dirs',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir manage_dir_perms;
+ ')
+
+@@ -3010,6 +3588,7 @@ interface(`fs_manage_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ manage_files_pattern($1, nfs_t, nfs_t)
+ ')
+
+@@ -3050,6 +3629,7 @@ interface(`fs_manage_nfs_symlinks',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ manage_lnk_files_pattern($1, nfs_t, nfs_t)
+ ')
+
+@@ -3137,6 +3717,24 @@ interface(`fs_nfs_domtrans',`
+
+ ########################################
+ ##
++## Mount on nfsd_fs directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_mounton_nfsd_fs', `
++ gen_require(`
++ type nfsd_fs_t;
++ ')
++
++ allow $1 nfsd_fs_t:dir mounton;
++')
++
++########################################
++##
+ ## Mount a NFS server pseudo filesystem.
+ ##
+ ##
+@@ -3255,17 +3853,53 @@ interface(`fs_list_nfsd_fs',`
+ ##
+ ##
+ #
+-interface(`fs_getattr_nfsd_files',`
++interface(`fs_getattr_nfsd_files',`
++ gen_require(`
++ type nfsd_fs_t;
++ ')
++
++ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++')
++
++#######################################
++##
++## read files on an nfsd filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_nfsd_files',`
++ gen_require(`
++ type nfsd_fs_t;
++ ')
++
++ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++')
++
++########################################
++##
++## Read and write NFS server files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write NFS server files.
++## Manage NFS server files.
+ ##
+ ##
+ ##
+@@ -3273,12 +3907,12 @@ interface(`fs_getattr_nfsd_files',`
+ ##
+ ##
+ #
+-interface(`fs_rw_nfsd_fs',`
++interface(`fs_manage_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
+
+ ########################################
+@@ -3392,7 +4026,7 @@ interface(`fs_search_ramfs',`
+
+ ########################################
+ ##
+-## Dontaudit Search directories on a ramfs
++## Do not audit attempts to search directories on a ramfs
+ ##
+ ##
+ ##
+@@ -3429,7 +4063,7 @@ interface(`fs_manage_ramfs_dirs',`
+
+ ########################################
+ ##
+-## Dontaudit read on a ramfs files.
++## Do not audit attempts to read on a ramfs files.
+ ##
+ ##
+ ##
+@@ -3447,7 +4081,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+
+ ########################################
+ ##
+-## Dontaudit read on a ramfs fifo_files.
++## Do not audit attempts to read on a ramfs fifo_files.
+ ##
+ ##
+ ##
+@@ -3815,6 +4449,24 @@ interface(`fs_unmount_tmpfs',`
+
+ ########################################
+ ##
++## Mount on tmpfs directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_mounton_tmpfs', `
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:dir mounton;
++')
++
++########################################
++##
+ ## Get the attributes of a tmpfs
+ ## filesystem.
+ ##
+@@ -3908,7 +4560,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+
+ ########################################
+ ##
+-## Mount on tmpfs directories.
++## Set the attributes of tmpfs directories.
+ ##
+ ##
+ ##
+@@ -3916,17 +4568,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+ ##
+ ##
+ #
+-interface(`fs_mounton_tmpfs',`
++interface(`fs_setattr_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir mounton;
++ allow $1 tmpfs_t:dir setattr;
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of tmpfs directories.
++## Search tmpfs directories.
+ ##
+ ##
+ ##
+@@ -3934,17 +4586,17 @@ interface(`fs_mounton_tmpfs',`
+ ##
+ ##
+ #
+-interface(`fs_setattr_tmpfs_dirs',`
++interface(`fs_search_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir setattr;
++ allow $1 tmpfs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Search tmpfs directories.
++## List the contents of generic tmpfs directories.
+ ##
+ ##
+ ##
+@@ -3952,17 +4604,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+ ##
+ ##
+ #
+-interface(`fs_search_tmpfs',`
++interface(`fs_list_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir search_dir_perms;
++ allow $1 tmpfs_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## List the contents of generic tmpfs directories.
++## Do not audit attempts to list the
++## contents of generic tmpfs directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_list_tmpfs',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Relabel directory on tmpfs filesystems.
+ ##
+ ##
+ ##
+@@ -3970,31 +4641,48 @@ interface(`fs_search_tmpfs',`
+ ##
+ ##
+ #
+-interface(`fs_list_tmpfs',`
++interface(`fs_relabel_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir list_dir_perms;
++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to list the
+-## contents of generic tmpfs directories.
++## Relabel fifo_file on tmpfs filesystems.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_list_tmpfs',`
++interface(`fs_relabel_tmpfs_fifo_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:dir list_dir_perms;
++ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
++## Relabel files on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabel_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+@@ -4105,7 +4793,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:file rw_file_perms;
++ dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -4165,6 +4853,24 @@ interface(`fs_rw_tmpfs_files',`
+
+ ########################################
+ ##
++## Read and write generic tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:file { read write };
++')
++
++########################################
++##
+ ## Read tmpfs link files.
+ ##
+ ##
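Review bot: `fs_rw_inherited_tmpfs_files` grants `{ read write }` directly while every other *_inherited_* interface in this patch (`fs_rw_inherited_noxattr_fs_files`, `fs_rw_inherited_cifs_files`, `fs_rw_inherited_nfs_files`) uses `rw_inherited_file_perms`, and the `fs_dontaudit_rw_tmpfs_files` hunk just above switched to that set too. Suggest `allow $1 tmpfs_t:file rw_inherited_file_perms;` so the permission set stays defined in one place. The summary `Read and write generic tmpfs files` is also indistinguishable from `fs_rw_tmpfs_files`; `## Read and write inherited generic tmpfs files.` would make the intent clear.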
+@@ -4202,7 +4908,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+
+ ########################################
+ ##
+-## dontaudit Read and write character nodes on tmpfs filesystems.
++## Do not audit attempts to read and write character nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+@@ -4221,6 +4927,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+
+ ########################################
+ ##
++## Do not audit attempts to create character nodes on tmpfs filesystems.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_create_tmpfs_chr_dev',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:chr_file create;
++')
++
++########################################
++##
++## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_read_tmpfs_blk_dev',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read files on tmpfs filesystems.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_read_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:blk_file read;
++')
++
++########################################
++##
+ ## Relabel character nodes on tmpfs filesystems.
+ ##
+ ##
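Review bot: `fs_dontaudit_read_tmpfs_files` dontaudits `tmpfs_t:blk_file read`, but its name and summary (`Do not audit attempts to read files on tmpfs filesystems`) describe the `file` class, so it silences nothing a caller would expect and overlaps with `fs_dontaudit_read_tmpfs_blk_dev` directly above. Suggest `dontaudit $1 tmpfs_t:file read_file_perms;` (or plain `read` if the narrower match is wanted). The summary of `fs_dontaudit_read_tmpfs_blk_dev`, `Do not audit attempts to dontaudit read block nodes`, should also drop the stray "dontaudit".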
+@@ -4278,6 +5038,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+
+ ########################################
+ ##
++## Relabel sock nodes on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabel_tmpfs_sock_file',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:dir list_dir_perms;
++ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
++## Delete generic files in tmpfs directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_delete_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:dir del_entry_dir_perms;
++ allow $1 tmpfs_t:file_class_set delete_file_perms;
++')
++
++########################################
++##
+ ## Read and write, create and delete generic
+ ## files on tmpfs filesystems.
+ ##
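Review bot: `fs_delete_tmpfs_files` is documented as `Delete generic files in tmpfs directory` but the rule is on `file_class_set`, which as far as I know covers every file-like class (symlinks, sockets, fifos, device nodes) rather than only `file`, so a reader of the summary under-estimates what the caller can unlink. Either narrow it to `allow $1 tmpfs_t:file delete_file_perms;` to match the name, or state in the summary that all file classes are included; a one-line comment on the rule would settle which was intended.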
+@@ -4297,6 +5095,25 @@ interface(`fs_manage_tmpfs_files',`
+
+ ########################################
+ ##
++## Execute files on a tmpfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_exec_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ exec_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
+ ## Read and write, create and delete symbolic
+ ## links on tmpfs filesystems.
+ ##
+@@ -4503,6 +5320,8 @@ interface(`fs_mount_all_fs',`
+ ')
+
+ allow $1 filesystem_type:filesystem mount;
++# Mount checks write access on the dir
++ allow $1 filesystem_type:dir write;
+ ')
+
+ ########################################
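Review bot: The comment `# Mount checks write access on the dir` sits at column 0 inside the interface body while the rule it explains is indented; suggest indenting it to match and making it specific, e.g. `# mount(2) is checked for write on the mountpoint directory`. It would also help to say that this is a deliberate widening: `filesystem_type:dir write` is granted on directories of every filesystem type, not only on the one being mounted.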
+@@ -4549,7 +5368,7 @@ interface(`fs_unmount_all_fs',`
+ ##
+ ##
+ ## Allow the specified domain to
+-## et the attributes of all filesystems.
++## get the attributes of all filesystems.
+ ## Example attributes:
+ ##
+ ##
+@@ -4596,6 +5415,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+
+ ########################################
+ ##
++## Do not audit attempts to check the
++## access on all filesystems.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_all_access_check',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ dontaudit $1 filesystem_type:dir_file_class_set audit_access;
++')
++
++
++########################################
++##
+ ## Get the quotas of all filesystems.
+ ##
+ ##
+@@ -4671,6 +5510,25 @@ interface(`fs_getattr_all_dirs',`
+
+ ########################################
+ ##
++## Dontaudit Get the attributes of all directories
++## with a filesystem type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_getattr_all_dirs',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ dontaudit $1 filesystem_type:dir getattr;
++')
++
++########################################
++##
+ ## Search all directories with a filesystem type.
+ ##
+ ##
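Review bot: `fs_dontaudit_getattr_all_dirs` is summarised as `Dontaudit Get the attributes ...` and its parameter as `Domain allowed access`, while the same patch rewrites other dontaudit summaries to `Do not audit attempts to ...` and their parameter to `Domain to not audit` (for example in the `@@ -2741,7 +3318,7 @@` hunk). Suggest `## Do not audit attempts to get the attributes of all directories` / `## with a filesystem type.` and `## Domain to not audit.`.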
+@@ -4912,3 +5770,43 @@ interface(`fs_unconfined',`
+
+ typeattribute $1 filesystem_unconfined_type;
+ ')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked filesystems files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_leaks',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
++ dontaudit $1 filesystem_type:lnk_file { read };
++')
++
++
++########################################
++##
++## Transition named content in tmpfs_t directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_tmpfs_filetrans_named_content',`
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
++ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
++')
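Review bot: `fs_tmpfs_filetrans_named_content` is summarised only as `Transition named content in tmpfs_t directory`, leaving the reader to find out from the body that it labels the `cpu` and `cpuacct` symlinks as cgroup_t; suggest `## Label the "cpu" and "cpuacct" symlinks created in tmpfs_t directories as cgroup_t.`. In `fs_dontaudit_leaks` the braces in `dontaudit $1 filesystem_type:lnk_file { read };` are unnecessary for a single permission, and the hunk has a double blank line before the second interface where the rest of the file uses one.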
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index e7d1738..c0b17f8 100644
+--- a/policy/modules/kernel/filesystem.te
++++ b/policy/modules/kernel/filesystem.te
+@@ -26,14 +26,18 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0);
+
+ # Use the allocating task SID to label inodes in the following filesystem
+ # types, and label the filesystem itself with the specified context.
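Review bot: The new `fs_use_xattr` entries break the alphabetical order of the list: `squashfs` is inserted after `xfs` and `fuse.glusterfs` is appended after `zfs`, while `f2fs` and `ocfs2` are placed correctly. Suggest moving `fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0);` before the `gfs` line and `fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);` before `xfs`. Since the `squash_t` type is removed in the `@@ -150,11 +168,6 @@` hunk of this file, a short comment that squashfs images are now expected to carry their own xattr labels (fs_t) would connect the two changes.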
+@@ -53,6 +57,7 @@ type anon_inodefs_t;
+ fs_type(anon_inodefs_t)
+ files_mountpoint(anon_inodefs_t)
+ genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
++mls_trusted_object(anon_inodefs_t)
+
+ type bdev_t;
+ fs_type(bdev_t)
+@@ -63,12 +68,18 @@ fs_type(binfmt_misc_fs_t)
+ files_mountpoint(binfmt_misc_fs_t)
+ genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
+
++type oracleasmfs_t;
++fs_type(oracleasmfs_t)
++dev_node(oracleasmfs_t)
++files_mountpoint(oracleasmfs_t)
++genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0)
++
+ type capifs_t;
+ fs_type(capifs_t)
+ files_mountpoint(capifs_t)
+ genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+
+-type cgroup_t;
++type cgroup_t alias cgroupfs_t;
+ fs_type(cgroup_t)
+ files_mountpoint(cgroup_t)
+ dev_associate_sysfs(cgroup_t)
+@@ -88,6 +99,11 @@ fs_noxattr_type(ecryptfs_t)
+ files_mountpoint(ecryptfs_t)
+ genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
+
++type efivarfs_t;
++fs_noxattr_type(efivarfs_t)
++files_mountpoint(efivarfs_t)
++genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0)
++
+ type futexfs_t;
+ fs_type(futexfs_t)
+ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
+@@ -96,6 +112,7 @@ type hugetlbfs_t;
+ fs_type(hugetlbfs_t)
+ files_mountpoint(hugetlbfs_t)
+ fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
++dev_associate(hugetlbfs_t)
+
+ type ibmasmfs_t;
+ fs_type(ibmasmfs_t)
+@@ -118,13 +135,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+
+ type nfsd_fs_t;
+ fs_type(nfsd_fs_t)
++files_mountpoint(nfsd_fs_t)
+ genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+
+ type oprofilefs_t;
+ fs_type(oprofilefs_t)
+ genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
+
+-type pstore_t;
++type pstore_t alias pstorefs_t;
+ fs_type(pstore_t)
+ files_mountpoint(pstore_t)
+ dev_associate_sysfs(pstore_t)
+@@ -150,11 +168,6 @@ fs_type(spufs_t)
+ genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+ files_mountpoint(spufs_t)
+
+-type squash_t;
+-fs_type(squash_t)
+-genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+-files_mountpoint(squash_t)
+-
+ type sysv_t;
+ fs_noxattr_type(sysv_t)
+ files_mountpoint(sysv_t)
+@@ -172,6 +185,8 @@ type vxfs_t;
+ fs_noxattr_type(vxfs_t)
+ files_mountpoint(vxfs_t)
+ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
++genfscon odmfs / gen_context(system_u:object_r:vxfs_t,s0)
++genfscon vxclonefs / gen_context(system_u:object_r:vxfs_t,s0)
+
+ #
+ # tmpfs_t is the type for tmpfs filesystems
+@@ -182,6 +197,8 @@ fs_type(tmpfs_t)
+ files_type(tmpfs_t)
+ files_mountpoint(tmpfs_t)
+ files_poly_parent(tmpfs_t)
++dev_associate(tmpfs_t)
++mls_trusted_object(tmpfs_t)
+
+ # Use a transition SID based on the allocating task SID and the
+ # filesystem SID to label inodes in the following filesystem types,
+@@ -261,6 +278,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+ type removable_t;
+ allow removable_t noxattrfs:filesystem associate;
+ fs_noxattr_type(removable_t)
++files_type(removable_t)
++dev_node(removable_t)
+ files_mountpoint(removable_t)
+
+ #
+@@ -280,6 +299,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
++genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
+
+ ########################################
+ #
+diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
+index 7be4ddf..71e675a 100644
+--- a/policy/modules/kernel/kernel.fc
++++ b/policy/modules/kernel/kernel.fc
+@@ -1 +1,3 @@
+-# This module currently does not have any file contexts.
++
++/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0)
++/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index e100d88..85da370 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
+
+ ########################################
+ ##
++## Dontaudit attempts to set the priority of kernel threads.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_dontaudit_setsched',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ dontaudit $1 kernel_t:process setsched;
++')
++
++########################################
++##
+ ## Send a SIGCHLD signal to kernel threads.
+ ##
+ ##
+@@ -180,6 +198,24 @@ interface(`kernel_signal',`
+
+ ########################################
+ ##
++## Send signull to kernel threads.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_signull',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:process signull;
++')
++
++########################################
++##
+ ## Allows the kernel to share state information with
+ ## the caller.
+ ##
+@@ -286,7 +322,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
+ type kernel_t;
+ ')
+
+- allow $1 kernel_t:unix_dgram_socket { read write ioctl };
++ allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl };
+ ')
+
+ ########################################
+@@ -762,8 +798,8 @@ interface(`kernel_manage_debugfs',`
+ ')
+
+ manage_files_pattern($1, debugfs_t, debugfs_t)
++ manage_dirs_pattern($1,debugfs_t, debugfs_t)
+ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+- list_dirs_pattern($1, debugfs_t, debugfs_t)
+ ')
+
+ ########################################
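Review bot: `manage_dirs_pattern($1,debugfs_t, debugfs_t)` is missing the space after the first comma that every other pattern call in this file uses; `manage_dirs_pattern($1, debugfs_t, debugfs_t)` matches the surrounding style. Dropping list_dirs_pattern on the next line is only safe if the directory-manage permission set subsumes listing, which is presumably the case but is not visible here. The enclosing kernel_manage_debugfs() starts outside this hunk.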
+@@ -786,6 +822,24 @@ interface(`kernel_mount_kvmfs',`
+
+ ########################################
+ ##
++## Mount the proc filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_mount_proc',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ allow $1 proc_t:filesystem mount;
++')
++
++########################################
++##
+ ## Unmount the proc filesystem.
+ ##
+ ##
+@@ -804,6 +858,24 @@ interface(`kernel_unmount_proc',`
+
+ ########################################
+ ##
++## Mounton a proc filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_mounton_proc',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ allow $1 proc_t:dir mounton;
++')
++
++########################################
++##
+ ## Get the attributes of the proc filesystem.
+ ##
+ ##
+@@ -991,13 +1063,10 @@ interface(`kernel_read_proc_symlinks',`
+ #
+ interface(`kernel_read_system_state',`
+ gen_require(`
+- type proc_t;
++ attribute kernel_system_state_reader;
+ ')
+
+- read_files_pattern($1, proc_t, proc_t)
+- read_lnk_files_pattern($1, proc_t, proc_t)
+-
+- list_dirs_pattern($1, proc_t, proc_t)
++ typeattribute $1 kernel_system_state_reader;
+ ')
+
+ ########################################
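Review bot: `typeattribute $1 kernel_system_state_reader;` turns kernel_read_system_state() from direct allow rules into an attribute assignment, and a typeattribute statement may not be accepted inside a conditional block, so any caller that invokes this interface from within a tunable_policy block will either fail to build or receive the access unconditionally. The rules that actually grant kernel_system_state_reader read access to proc_t are not in this patch's visible hunks; kernel.te only declares the attribute with the comment `# attribute for domains which read proc_t`. A comment on the interface, `## This interface assigns an attribute and must not be called from a conditional (tunable_policy) block.`, would document the constraint for callers.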
+@@ -1025,6 +1094,44 @@ interface(`kernel_write_proc_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to write the
++## file in /proc.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kernel_dontaudit_write_proc_files',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ dontaudit $1 proc_t:file write;
++')
++
++########################################
++##
++## Do not audit attempts to check the
++## access on generic proc entries.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kernel_dontaudit_access_check_proc',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ dontaudit $1 proc_t:dir_file_class_set audit_access;
++')
++
++########################################
++##
+ ## Do not audit attempts by caller to
+ ## read system state information in proc.
+ ##
+@@ -1208,6 +1315,24 @@ interface(`kernel_read_messages',`
+
+ ########################################
+ ##
++## Allow caller to mounton the kernel messages file
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_mounton_messages',`
++ gen_require(`
++ type proc_kmsg_t;
++ ')
++
++ allow $1 proc_kmsg_t:file mounton;
++')
++
++########################################
++##
+ ## Allow caller to get the attributes of kernel message
+ ## interface (/proc/kmsg).
+ ##
+@@ -1458,6 +1583,25 @@ interface(`kernel_list_all_proc',`
+
+ ########################################
+ ##
++## Allow attempts to mounton all proc directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_mounton_all_proc',`
++ gen_require(`
++ attribute proc_type;
++ ')
++
++ allow $1 proc_type:dir mounton;
++ allow $1 proc_type:file mounton;
++')
++
++########################################
++##
+ ## Do not audit attempts to list all proc directories.
+ ##
+ ##
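Review bot: `allow $1 proc_type:file mounton;` in kernel_mounton_all_proc() lets the caller overmount every proc_type file, and with usermodehelper_t now carrying proc_type (the kernel.te hunk adding `type usermodehelper_t, proc_type, sysctl_type;`) that includes /proc/sys/kernel/modprobe, hotplug and core_pattern; the description `## Allow attempts to mounton all proc directories.` does not say it also covers files. The same point applies to kernel_read_all_proc() in the next hunk, whose `read_files_pattern($1, proc_type, proc_type)` reaches every proc_type entry including usermodehelper_t and, if proc_kcore_t also carries proc_type (not visible here), /proc/kcore. Suggest widening both descriptions, e.g. `## Allow attempts to mounton all proc directories and files, including sensitive entries such as the usermodehelper sysctls.`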
+@@ -1477,6 +1621,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+
+ ########################################
+ ##
++## Allow attempts to read all proc types.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_read_all_proc',`
++ gen_require(`
++ attribute proc_type;
++ ')
++
++ read_files_pattern($1, proc_type, proc_type)
++')
++
++########################################
++##
+ ## Do not audit attempts by caller to search
+ ## the base directory of sysctls.
+ ##
+@@ -1672,7 +1834,7 @@ interface(`kernel_read_net_sysctls',`
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+-
++ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+@@ -1693,7 +1855,7 @@ interface(`kernel_rw_net_sysctls',`
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+-
++ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+@@ -1715,7 +1877,6 @@ interface(`kernel_read_unix_sysctls',`
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
+-
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+@@ -1750,16 +1911,9 @@ interface(`kernel_rw_unix_sysctls',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`kernel_read_hotplug_sysctls',`
+- gen_require(`
+- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+- ')
+-
+- read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
+-
+- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
++ refpolicywarn(`$0($*) has been deprecated.')
+ ')
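Review bot: `refpolicywarn(`$0($*) has been deprecated.')` leaves kernel_read_hotplug_sysctls() granting nothing, so an existing caller keeps building with only a warning and silently loses read access to /proc/sys/kernel/hotplug, which this patch relabels to usermodehelper_t (`typealias usermodehelper_t alias sysctl_hotplug_t;` in kernel.te). The same applies to kernel_rw_hotplug_sysctls(), kernel_read_modprobe_sysctls() and kernel_rw_modprobe_sysctls() in the following three hunks. Since kernel_read_usermodehelper_state() and kernel_rw_usermodehelper_state() are added later in this file, the deprecated bodies should forward to them after the warning, `refpolicywarn(`$0($*) has been deprecated, use kernel_read_usermodehelper_state() instead.')` followed by `kernel_read_usermodehelper_state($1)`, so existing policy keeps working until callers are updated.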
+
+ ########################################
+@@ -1771,16 +1925,9 @@ interface(`kernel_read_hotplug_sysctls',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`kernel_rw_hotplug_sysctls',`
+- gen_require(`
+- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+- ')
+-
+- rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
+-
+- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
++ refpolicywarn(`$0($*) has been deprecated.')
+ ')
+
+ ########################################
+@@ -1792,16 +1939,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`kernel_read_modprobe_sysctls',`
+- gen_require(`
+- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+- ')
+-
+- read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
+-
+- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
++ refpolicywarn(`$0($*) has been deprecated.')
+ ')
+
+ ########################################
+@@ -1813,16 +1953,9 @@ interface(`kernel_read_modprobe_sysctls',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`kernel_rw_modprobe_sysctls',`
+- gen_require(`
+- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+- ')
+-
+- rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
+-
+- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
++ refpolicywarn(`$0($*) has been deprecated.')
+ ')
+
+ ########################################
+@@ -2085,9 +2218,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+ ')
+
+ dontaudit $1 sysctl_type:dir list_dir_perms;
+- dontaudit $1 sysctl_type:file getattr;
++ dontaudit $1 sysctl_type:file read_file_perms;
++')
++
++########################################
++##
++## Allow attempts to mounton all sysctl directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_mounton_all_sysctls',`
++ gen_require(`
++ attribute sysctl_type;
++ ')
++
++ allow $1 sysctl_type:dir mounton;
+ ')
+
++
+ ########################################
+ ##
+ ## Allow caller to read all sysctls.
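Review bot: `dontaudit $1 sysctl_type:file read_file_perms;` in kernel_dontaudit_list_all_sysctls() silences denials for opening and reading every sysctl file, not just the getattr it replaced, which is wider than a "list" interface implies and removes audit evidence of reads of sensitive sysctls such as the usermodehelper_t entries this patch adds to sysctl_type. Callers that only need directory listing should keep `dontaudit $1 sysctl_type:file getattr;`, with a separately named interface for the read case. The new kernel_mounton_all_sysctls() is followed by two blank lines before the next separator where the file otherwise uses one.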
+@@ -2282,6 +2434,25 @@ interface(`kernel_list_unlabeled',`
+
+ ########################################
+ ##
++## Delete unlabeled files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_delete_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir delete_dir_perms;
++ allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
++')
++
++########################################
++##
+ ## Read the process state (/proc/pid) of all unlabeled_t.
+ ##
+ ##
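Review bot: `allow $1 unlabeled_t:dir_file_class_set delete_file_perms;` in kernel_delete_unlabeled() applies file deletion permissions to a class set that contains dir, which the preceding `allow $1 unlabeled_t:dir delete_dir_perms;` already handles; if the compiler accepts unlink on the dir class the line is redundant for directories, otherwise it will not build. Listing only the non-directory classes, `allow $1 unlabeled_t:{ file lnk_file sock_file fifo_file chr_file blk_file } delete_file_perms;`, avoids both outcomes. With the `typealias unlabeled_t alias file_t;` this patch adds in kernel.te, this interface also deletes any unlabeled on-disk file, which the description `## Delete unlabeled files` could state.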
+@@ -2306,7 +2477,7 @@ interface(`kernel_read_unlabeled_state',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -2488,6 +2659,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+
+ ########################################
+ ##
++## Read and write unlabeled sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_unlabeled_socket',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:socket rw_socket_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts by caller to get attributes for
+ ## unlabeled character devices.
+ ##
+@@ -2525,6 +2714,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+
+ ########################################
+ ##
++## Allow caller to relabel unlabeled filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_relabelfrom_unlabeled_fs',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:filesystem relabelfrom;
++')
++
++########################################
++##
+ ## Allow caller to relabel unlabeled files.
+ ##
+ ##
+@@ -2667,6 +2874,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+
+ ########################################
+ ##
++## Receive DCCP packets from an unlabeled connection.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_dccp_recvfrom_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dccp_socket recvfrom;
++')
++
++########################################
++##
+ ## Receive TCP packets from an unlabeled connection.
+ ##
+ ##
+@@ -2694,18 +2919,37 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+
+ ########################################
+ ##
+-## Do not audit attempts to receive TCP packets from an unlabeled
++## Do not audit attempts to receive DCCP packets from an unlabeled
+ ## connection.
+ ##
+-##
+-##
+-## Do not audit attempts to receive TCP packets from an unlabeled
+-## connection.
+-##
+-##
+-## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+-## should be used instead of this one.
+-##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ dontaudit $1 unlabeled_t:dccp_socket recvfrom;
++')
++
++########################################
++##
++## Do not audit attempts to receive TCP packets from an unlabeled
++## connection.
++##
++##
++##
++## Do not audit attempts to receive TCP packets from an unlabeled
++## connection.
++##
++##
++## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
++## should be used instead of this one.
++##
+ ##
+ ##
+ ##
+@@ -2803,6 +3047,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+
+ allow $1 unlabeled_t:rawip_socket recvfrom;
+ ')
++########################################
++##
++## Read/Write Raw IP packets from an unlabeled connection.
++##
++##
++##
++## Receive Raw IP packets from an unlabeled connection.
++##
++##
++## The corenetwork interface corenet_raw_recv_unlabeled() should
++## be used instead of this one.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_unlabeled_rawip_socket',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:rawip_socket rw_socket_perms;
++')
++
+
+ ########################################
+ ##
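Review bot: The description block of kernel_rw_unlabeled_rawip_socket() is copied from the receive-only interface above it: the body grants `allow $1 unlabeled_t:rawip_socket rw_socket_perms;` but the text still says `## Receive Raw IP packets from an unlabeled connection.` and points callers to corenet_raw_recv_unlabeled(), which presumably covers only the receive side. The separator also starts directly after the previous `')` with no blank line, and two blank lines follow the new interface, where the rest of the file uses one on each side. Suggest `## Read and write raw IP packets over an unlabeled connection.` for both the summary and the inner description, and dropping the pointer to corenet_raw_recv_unlabeled() unless a read/write corenet equivalent exists.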
+@@ -2958,6 +3229,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+
+ ########################################
+ ##
++## Relabel to unlabeled context .
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_relabelto_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir_file_class_set relabelto;
++')
++
++########################################
++##
+ ## Unconfined access to kernel module resources.
+ ##
+ ##
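Review bot: `allow $1 unlabeled_t:dir_file_class_set relabelto;` in kernel_relabelto_unlabeled() lets the caller move any file it may relabel to unlabeled_t, and because this patch also adds `typealias unlabeled_t alias file_t;` in kernel.te, such a file becomes indistinguishable from one that was never labeled. The description `## Relabel to unlabeled context .` has a stray space before the period and says nothing about this; suggest `## Relabel files to the unlabeled context (unlabeled_t, aliased to file_t), after which only unlabeled_t/file_t rules apply to them.`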
+@@ -2972,5 +3261,565 @@ interface(`kernel_unconfined',`
+ ')
+
+ typeattribute $1 kern_unconfined;
+- kernel_load_module($1)
++ kernel_load_module($1)
++')
++
++########################################
++##
++## Allow the specified domain to getattr on
++## the kernel with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_stream_read',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket { read getattr };
++')
++
++#######################################
++##
++## Allow the specified domain to write on
++## the kernel with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_stream_write',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket { write getattr };
++')
++
++#######################################
++##
++## Allow the specified domain to read/write on
++## the kernel with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_stream_socket_perms',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket rw_socket_perms;
++ allow $1 kernel_t:fd use;
++')
++
++########################################
++##
++## Make the specified type usable for regular entries in proc
++##
++##
++##
++## Type to be used for /proc entries.
++##
++##
++#
++interface(`kernel_proc_type',`
++ gen_require(`
++ attribute proc_type;
++ ')
++
++ typeattribute $1 proc_type;
++')
++
++########################################
++##
++## Do not audit attempts by caller to get attributes on all sysctls.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kernel_dontaudit_getattr_all_sysctls',`
++ gen_require(`
++ attribute sysctl_type;
++ ')
++
++ dontaudit $1 sysctl_type:file getattr;
++')
++
++########################################
++##
++## Read the process state (/proc/pid) of the kernel.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_read_state',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:dir search_dir_perms;
++ allow $1 kernel_t:file read_file_perms;
++ allow $1 kernel_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
++## Dontaudit attempts to read the process state (/proc/pid) of the kernel.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_dontaudit_read_state',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ dontaudit $1 kernel_t:dir search_dir_perms;
++ dontaudit $1 kernel_t:file read_file_perms;
++ dontaudit $1 kernel_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
++## Allow searching of numa state directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_search_numa_state',`
++ gen_require(`
++ type proc_t, proc_numa_t;
++ ')
++
++ search_dirs_pattern($1, proc_t, proc_numa_t)
++')
++
++########################################
++##
++## Do not audit attempts to search the numa
++## state directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`kernel_dontaudit_search_numa_state',`
++ gen_require(`
++ type proc_numa_t;
++ ')
++
++ dontaudit $1 proc_numa_t:dir search;
++')
++
++########################################
++##
++## Allow caller to read the numa state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_read_numa_state',`
++ gen_require(`
++ type proc_t, proc_numa_t;
++ ')
++
++ read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
++ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
++
++ list_dirs_pattern($1, proc_t, proc_numa_t)
++')
++
++########################################
++##
++## Allow caller to read the numa state symbolic links.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_read_numa_state_symlinks',`
++ gen_require(`
++ type proc_t, proc_numa_t;
++ ')
++
++ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
++
++ list_dirs_pattern($1, proc_t, proc_numa_t)
++')
++
++########################################
++##
++## Allow caller to write numa state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_write_numa_state',`
++ gen_require(`
++ type proc_t, proc_numa_t;
++ ')
++
++ write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
++')
++
++########################################
++##
++## Allow caller to search virtual memory overcommit sysctls.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_search_vm_overcommit_sysctl',`
++ gen_require(`
++ type sysctl_vm_overcommit_t;
++ ')
++
++ kernel_search_vm_sysctl($1)
++ search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
++')
++
++########################################
++##
++## Allow caller to read virtual memory overcommit sysctls.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_read_vm_overcommit_sysctls',`
++ gen_require(`
++ type sysctl_vm_overcommit_t;
++ ')
++
++ kernel_search_vm_sysctl($1)
++ read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
++')
++
++########################################
++##
++## Read and write virtual memory overcommit sysctls.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_rw_vm_overcommit_sysctls',`
++ gen_require(`
++ type sysctl_vm_overcommit_t;
++ ')
++
++ kernel_search_vm_sysctl($1)
++ rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
++ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
++')
++
++########################################
++##
++## Do not audit attempts to search the security
++## state directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`kernel_dontaudit_search_security_state',`
++ gen_require(`
++ type proc_security_t;
++ ')
++
++ dontaudit $1 proc_security_t:dir search;
++')
++
++########################################
++##
++## Allow searching of security state directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_search_security_state',`
++ gen_require(`
++ type proc_security_t;
++ ')
++
++ search_dirs_pattern($1, proc_t, proc_security_t)
++')
++
++########################################
++##
++## Read the security state information.
++##
++##
++##
++## Allow the specified domain to read the security
++## state information.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++#
++interface(`kernel_read_security_state',`
++ gen_require(`
++ type proc_t, proc_security_t;
++ ')
++
++ read_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
++ read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
++
++ list_dirs_pattern($1, proc_t, proc_security_t)
++')
++
++########################################
++##
++## Write the security state information.
++##
++##
++##
++## Allow the specified domain to write the security
++## state information.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++#
++interface(`kernel_write_security_state',`
++ gen_require(`
++ type proc_t, proc_security_t;
++ ')
++
++ write_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
++')
++
++########################################
++##
++## Allow caller to read the security state symbolic links.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_read_security_state_symlinks',`
++ gen_require(`
++ type proc_t, proc_security_t;
++ ')
++
++ read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
++
++ list_dirs_pattern($1, proc_t, proc_security_t)
++')
++
++########################################
++##
++## Allow caller to read the security state symbolic links.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_security_state',`
++ gen_require(`
++ type proc_t, proc_security_t;
++ ')
++
++ rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
++
++ list_dirs_pattern($1, proc_t, proc_security_t)
++')
++
++########################################
++##
++## Do not audit attempts to search the usermodehelper
++## state directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`kernel_dontaudit_search_usermodehelper_state',`
++ gen_require(`
++ type usermodehelper_t;
++ ')
++
++ dontaudit $1 usermodehelper_t:dir search;
++')
++
++########################################
++##
++## Allow searching of usermodehelper state directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_search_usermodehelper_state',`
++ gen_require(`
++ type usermodehelper_t;
++ ')
++
++ search_dirs_pattern($1, proc_t, usermodehelper_t)
++')
++
++########################################
++##
++## Read the usermodehelper state information.
++##
++##
++##
++## Allow the specified domain to read the usermodehelpering
++## state information. This includes several pieces
++## of usermodehelpering information, such as usermodehelper interface
++## names, usermodehelperfilter (iptables) statistics, protocol
++## information, routes, and remote procedure call (RPC)
++## information.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++#
++interface(`kernel_read_usermodehelper_state',`
++ gen_require(`
++ type proc_t, usermodehelper_t;
++ ')
++
++ read_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
++ read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
++
++ list_dirs_pattern($1, proc_t, usermodehelper_t)
++')
++
++########################################
++##
++## Allow caller to read the usermodehelper state symbolic links.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_read_usermodehelper_state_symlinks',`
++ gen_require(`
++ type proc_t, usermodehelper_t;
++ ')
++
++ read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
++
++ list_dirs_pattern($1, proc_t, usermodehelper_t)
++')
++
++########################################
++##
++## Read and write usermodehelper state
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_rw_usermodehelper_state',`
++ gen_require(`
++ type proc_t, usermodehelper_t;
++ ')
++
++ dev_search_sysfs($1)
++ rw_files_pattern($1, proc_t, usermodehelper_t)
++ list_dirs_pattern($1, proc_t, usermodehelper_t)
++')
++
++########################################
++##
++## Relabel to usermodehelper context .
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_relabelto_usermodehelper',`
++ gen_require(`
++ type usermodehelper_t;
++ ')
++
++ allow $1 usermodehelper_t:file relabelto;
+ ')
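Review bot: kernel_search_security_state() and kernel_search_usermodehelper_state() reference proc_t in `search_dirs_pattern($1, proc_t, proc_security_t)` and `search_dirs_pattern($1, proc_t, usermodehelper_t)` but their gen_require blocks declare only `type proc_security_t;` and `type usermodehelper_t;`, unlike the sibling kernel_search_numa_state() which requires `type proc_t, proc_numa_t;`, so a caller in another module fails to build on the undeclared type. The fix is `type proc_t, proc_security_t;` and `type proc_t, usermodehelper_t;` respectively. Several descriptions in this hunk are copy-paste residue: kernel_read_usermodehelper_state() talks about "usermodehelpering information, such as usermodehelper interface names, usermodehelperfilter (iptables) statistics" (a search-and-replace of the network-state text), kernel_rw_security_state() is described as reading symbolic links, kernel_stream_read()/kernel_stream_write() say "getattr" while also granting read or write, and kernel_rw_stream_socket_perms() grants `allow $1 kernel_t:fd use;` without mentioning it. A description such as `## Read the usermodehelper sysctls (core_pattern, hotplug, modprobe, poweroff_cmd, usermodehelper), which configure the user-space helpers the kernel invokes.` would replace the network text.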
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 8dbab4c..15230be 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -25,6 +25,9 @@ attribute kern_unconfined;
+ # regular entries in proc
+ attribute proc_type;
+
++# attribute for domains which read proc_t
++attribute kernel_system_state_reader;
++
+ # sysctls
+ attribute sysctl_type;
+
+@@ -48,6 +51,7 @@ ifdef(`enable_mls',`
+ type kernel_t, can_load_kernmodule;
+ domain_base_type(kernel_t)
+ mls_rangetrans_source(kernel_t)
++mls_trusted_object(kernel_t)
+ role system_r types kernel_t;
+ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+
+@@ -58,6 +62,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+ type debugfs_t;
+ files_mountpoint(debugfs_t)
+ fs_type(debugfs_t)
++
+ allow debugfs_t self:filesystem associate;
+ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
+
+@@ -95,9 +100,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+ type proc_mdstat_t, proc_type;
+ genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
+
++type proc_numa_t, proc_type;
++genfscon proc /numatools gen_context(system_u:object_r:proc_numa_t,s0)
++mls_trusted_object(proc_numa_t)
++
+ type proc_net_t, proc_type;
+ genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
+
++type proc_security_t, proc_type;
++genfscon proc /sys/fs/protected_hardlinks gen_context(system_u:object_r:proc_security_t,s0)
++genfscon proc /sys/fs/protected_symlinks gen_context(system_u:object_r:proc_security_t,s0)
++genfscon proc /sys/fs/suid_dumpable gen_context(system_u:object_r:proc_security_t,s0)
++genfscon proc /sys/kernel/dmesg_restrict gen_context(system_u:object_r:proc_security_t,s0)
++genfscon proc /sys/kernel/kptr_restrict gen_context(system_u:object_r:proc_security_t,s0)
++genfscon proc /sys/kernel/modules_disabled gen_context(system_u:object_r:proc_security_t,s0)
++genfscon proc /sys/kernel/randomize_va_space gen_context(system_u:object_r:proc_security_t,s0)
++
++type usermodehelper_t, proc_type, sysctl_type;
++typealias usermodehelper_t alias sysctl_hotplug_t;
++typealias usermodehelper_t alias sysctl_modprobe_t;
++dev_associate_sysfs(usermodehelper_t)
++genfscon proc /sys/kernel/core_pattern gen_context(system_u:object_r:usermodehelper_t,s0)
++genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:usermodehelper_t,s0)
++genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:usermodehelper_t,s0)
++genfscon proc /sys/kernel/poweroff_cmd gen_context(system_u:object_r:usermodehelper_t,s0)
++genfscon proc /sys/kernel/usermodehelper gen_context(system_u:object_r:usermodehelper_t,s0)
++
+ type proc_xen_t, proc_type;
+ files_mountpoint(proc_xen_t)
+ genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
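Review bot: `type proc_security_t, proc_type;` labels entries under /proc/sys (protected_hardlinks, protected_symlinks, suid_dumpable, dmesg_restrict, kptr_restrict, modules_disabled, randomize_va_space) with a type that carries only proc_type, whereas `type usermodehelper_t, proc_type, sysctl_type;` a few lines below carries both; attribute-based sysctl interfaces such as kernel_dontaudit_list_all_sysctls() and kernel_mounton_all_sysctls() will therefore cover one set of /proc/sys files and not the other. If the omission is deliberate it deserves a comment; otherwise `type proc_security_t, proc_type, sysctl_type;` keeps the two consistent. A short comment above the usermodehelper_t block, e.g. `# sysctls that name a user-space helper the kernel executes; kept on a dedicated type so write access can be granted narrowly`, would also record why these paths were split out of sysctl_kernel_t.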
+@@ -133,14 +161,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
+ type sysctl_kernel_t, sysctl_type;
+ genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
+
+-# /proc/sys/kernel/modprobe file
+-type sysctl_modprobe_t, sysctl_type;
+-genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
+-
+-# /proc/sys/kernel/hotplug file
+-type sysctl_hotplug_t, sysctl_type;
+-genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)
+-
+ # /proc/sys/net directory and files
+ type sysctl_net_t, sysctl_type;
+ genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
+@@ -153,6 +173,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+ type sysctl_vm_t, sysctl_type;
+ genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
+
++# /proc/sys/vm/overcommit_memory
++type sysctl_vm_overcommit_t, sysctl_type;
++genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0)
++
+ # /proc/sys/dev directory and files
+ type sysctl_dev_t, sysctl_type;
+ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +189,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+ type unlabeled_t;
+ fs_associate(unlabeled_t)
+ sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
++allow unlabeled_t self:filesystem associate;
++
++# Need the following because we are type alias of file_t.
++files_mountpoint(unlabeled_t)
++files_base_file(unlabeled_t)
++kernel_rootfs_mountpoint(unlabeled_t)
++sid file gen_context(system_u:object_r:unlabeled_t,s0)
++typealias unlabeled_t alias file_t;
+
+ # These initial sids are no longer used, and can be removed:
+ sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
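Review bot: `typealias unlabeled_t alias file_t;` together with `sid file gen_context(system_u:object_r:unlabeled_t,s0)` merges the type for unlabeled on-disk files with the type used for unlabeled packets, sockets and the unlabeled initial SID, so every interface that grants access to unlabeled_t (in this patch alone kernel_delete_unlabeled(), kernel_rw_unlabeled_socket(), kernel_relabelto_unlabeled() and kernel_relabelfrom_unlabeled_fs()) now also reaches files that have never been labeled, and every existing file_t grant reaches unlabeled network objects. The comment `# Need the following because we are type alias of file_t.` explains the mechanics but not the reason for the merge; a sentence on why the two unlabeled classes are unified, and on whether existing file_t callers were reviewed for the wider reach, would help a later reviewer. Since the alias is what makes the files_mountpoint/files_base_file/kernel_rootfs_mountpoint calls necessary, that comment belongs above the typealias line.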
+@@ -189,6 +221,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+ # kernel local policy
+ #
+
++allow kernel_t self:capability2 mac_admin;
+ allow kernel_t self:capability ~sys_module;
+ allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow kernel_t self:shm create_shm_perms;
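Review bot: `allow kernel_t self:capability2 mac_admin;` is added with no comment; mac_admin is the capability that lets a process set security contexts the loaded policy does not define, and kernel_t already holds `self:capability ~sys_module` on the next line. A why-comment naming the kernel-initiated path that needs it, e.g. `# mac_admin: <reason — TODO confirm>`, would make the grant reviewable.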
+@@ -233,7 +266,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+ corenet_in_generic_if(unlabeled_t)
+ corenet_in_generic_node(unlabeled_t)
+
+-corenet_all_recvfrom_unlabeled(kernel_t)
+ corenet_all_recvfrom_netlabel(kernel_t)
+ # Kernel-generated traffic e.g., ICMP replies:
+ corenet_raw_sendrecv_all_if(kernel_t)
+@@ -244,17 +276,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+ corenet_tcp_sendrecv_all_nodes(kernel_t)
+ corenet_raw_send_generic_node(kernel_t)
+ corenet_send_all_packets(kernel_t)
++corenet_filetrans_all_named_dev(kernel_t)
+
+ dev_read_sysfs(kernel_t)
+ dev_search_usbfs(kernel_t)
+ # devtmpfs handling:
+ dev_create_generic_dirs(kernel_t)
+ dev_delete_generic_dirs(kernel_t)
+-dev_create_generic_blk_files(kernel_t)
+-dev_delete_generic_blk_files(kernel_t)
+-dev_create_generic_chr_files(kernel_t)
+-dev_delete_generic_chr_files(kernel_t)
++dev_create_all_blk_files(kernel_t)
++dev_delete_all_blk_files(kernel_t)
++dev_create_all_chr_files(kernel_t)
++dev_delete_all_chr_files(kernel_t)
+ dev_mounton(kernel_t)
++dev_filetrans_all_named_dev(kernel_t)
++storage_filetrans_all_named_dev(kernel_t)
++term_filetrans_all_named_dev(kernel_t)
+
+ # Mount root file system. Used when loading a policy
+ # from initrd, then mounting the root filesystem
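Review bot: The four `dev_create_all_*`/`dev_delete_all_*` lines replace `*_generic_*` calls under the unchanged `# devtmpfs handling:` comment, so kernel_t now creates and removes device nodes of every device type rather than only generic ones; the comment should state that, e.g. `# devtmpfs handling: the kernel creates/removes nodes of every device type`. The three new `*_filetrans_all_named_dev(kernel_t)` calls belong to the same devtmpfs labelling story but sit after `dev_mounton(kernel_t)`, which separates them from the comment they explain; a `# devtmpfs: label created nodes by name` line before `dev_filetrans_all_named_dev` keeps the grouping readable. `corenet_filetrans_all_named_dev(kernel_t)` at the top of the hunk is the same kind of rule and would read better grouped with them.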
+@@ -263,7 +299,8 @@ fs_unmount_all_fs(kernel_t)
+
+ selinux_load_policy(kernel_t)
+
+-term_use_console(kernel_t)
++term_use_all_terms(kernel_t)
++term_use_ptmx(kernel_t)
+
+ corecmd_exec_shell(kernel_t)
+ corecmd_list_bin(kernel_t)
+@@ -277,25 +314,49 @@ files_list_root(kernel_t)
+ files_list_etc(kernel_t)
+ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
++files_manage_mounttab(kernel_t)
++files_manage_generic_spool_dirs(kernel_t)
+
+ mcs_process_set_categories(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
++mcs_socket_write_all_levels(kernel_t)
+
+ mls_process_read_up(kernel_t)
+ mls_process_write_down(kernel_t)
++mls_file_downgrade(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_share_all_levels(kernel_t)
++mls_fd_use_all_levels(kernel_t)
++mls_process_set_level(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+ fs_rw_tmpfs_chr_files(kernel_t)
+ ')
+
++
++optional_policy(`
++ apache_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++ gnome_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++ kerberos_filetrans_home_content(kernel_t)
++')
++
+ optional_policy(`
+ hotplug_search_config(kernel_t)
+ ')
+
+ optional_policy(`
+ init_sigchld(kernel_t)
++ init_dyntrans(kernel_t)
+ ')
+
+ optional_policy(`
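Review bot: `mcs_file_read_all(kernel_t)`, `mcs_file_write_all(kernel_t)` and `mcs_socket_write_all_levels(kernel_t)` are added here, but the same patch turns all three interfaces in policy/modules/kernel/mcs.if into `refpolicywarn` deprecation stubs, so these calls grant nothing and only emit warnings at build time. If kernel_t is meant to be MCS-trusted, call whatever the deprecation message intends as the replacement; otherwise drop the three lines. The `mls_file_downgrade`, `mls_process_set_level` and `mls_fd_*_all_levels` additions broaden kernel_t's MLS trust with no comment; a short why-comment naming the kernel path that hits each denial is warranted. There are also two consecutive blank lines before the first new `optional_policy` block.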
+@@ -305,6 +366,19 @@ optional_policy(`
+
+ optional_policy(`
+ logging_send_syslog_msg(kernel_t)
++ logging_manage_generic_logs(kernel_t)
++')
++
++optional_policy(`
++ mta_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++ ssh_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++ userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
+ ')
+
+ optional_policy(`
+@@ -312,6 +386,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ plymouthd_create_log(kernel_t)
++ plymouthd_filetrans_named_content(kernel_t)
++')
++
++optional_policy(`
+ # nfs kernel server needs kernel UDP access. It is less risky and painful
+ # to just give it everything.
+ allow kernel_t self:tcp_socket create_stream_socket_perms;
+@@ -332,9 +411,6 @@ optional_policy(`
+
+ sysnet_read_config(kernel_t)
+
+- rpc_manage_nfs_ro_content(kernel_t)
+- rpc_manage_nfs_rw_content(kernel_t)
+- rpc_tcp_rw_nfs_sockets(kernel_t)
+ rpc_udp_rw_nfs_sockets(kernel_t)
+
+ tunable_policy(`nfs_export_all_ro',`
+@@ -343,9 +419,7 @@ optional_policy(`
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
+
+- files_list_non_auth_dirs(kernel_t)
+- files_read_non_auth_files(kernel_t)
+- files_read_non_auth_symlinks(kernel_t)
++ files_read_non_security_files(kernel_t)
+ ')
+
+ tunable_policy(`nfs_export_all_rw',`
+@@ -354,7 +428,7 @@ optional_policy(`
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
+
+- files_manage_non_auth_files(kernel_t)
++ files_manage_non_security_files(kernel_t)
+ ')
+ ')
+
+@@ -367,6 +441,15 @@ optional_policy(`
+ unconfined_domain_noaudit(kernel_t)
+ ')
+
++optional_policy(`
++ virt_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++ xserver_xdm_manage_spool(kernel_t)
++ xserver_filetrans_home_content(kernel_t)
++')
++
+ ########################################
+ #
+ # Unlabeled process local policy
+@@ -409,4 +492,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+ allow kern_unconfined unlabeled_t:filesystem *;
+ allow kern_unconfined unlabeled_t:association *;
+ allow kern_unconfined unlabeled_t:packet *;
+-allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
++allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
++
++gen_require(`
++ bool secure_mode_insmod;
++')
++
++if( ! secure_mode_insmod ) {
++ allow can_load_kernmodule self:capability sys_module;
++ allow can_load_kernmodule self:capability2 compromise_kernel;
++ # load_module() calls stop_machine() which
++ # calls sched_setscheduler()
++ allow can_load_kernmodule self:capability sys_nice;
++ kernel_setsched(can_load_kernmodule)
++}
++
++#######################################
++#
++# Kernel system state reader policy
++#
++
++read_files_pattern(kernel_system_state_reader, proc_t, proc_t)
++read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t)
++list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t)
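Review bot: `if( ! secure_mode_insmod ) {` does not follow the spacing this policy uses for conditionals (`if(!secure_mode_policyload) {` in selinux.te within this same patch); write it `if(!secure_mode_insmod) {`. The file-scope `gen_require(` of `bool secure_mode_insmod;` presumably pulls a boolean declared in another module into the kernel module; if that module is not guaranteed to be in base this is a hard build dependency and a comment naming where the bool is declared would help. The `compromise_kernel` capability2 grant has no comment saying which kernel version or path checks it, unlike the `sys_nice` grant which is explained. The new `# Kernel system state reader policy` banner appears one `#` shorter than the file's other section banners.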
+diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
+index b08a6e8..43d504b 100644
+--- a/policy/modules/kernel/mcs.if
++++ b/policy/modules/kernel/mcs.if
+@@ -44,11 +44,7 @@ interface(`mcs_constrained',`
+ ##
+ #
+ interface(`mcs_file_read_all',`
+- gen_require(`
+- attribute mcsreadall;
+- ')
+-
+- typeattribute $1 mcsreadall;
++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+ ')
+
+ ########################################
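Review bot: The deprecation text `$0() has been deprecated, please remove mcs_constrained() instead.` contradicts itself: telling the caller to remove the replacement interface does not fit "instead", and it presumably should read `please use mcs_constrained() instead`. The same string is repeated in the following hunks for mcs_file_write_all, mcs_killall, mcs_ptrace_all and the new mcs_socket_write_all_levels, so all five need the fix. Because these stubs drop the `typeattribute $1 mcs*all` lines, every existing caller silently loses its MCS override, which should be stated in the commit message. The interface's doc comment sits above this hunk, outside the view; refpolicy convention is to mark the summary as deprecated there too.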
+@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',`
+ ##
+ #
+ interface(`mcs_file_write_all',`
+- gen_require(`
+- attribute mcswriteall;
+- ')
+-
+- typeattribute $1 mcswriteall;
++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+ ')
+
+ ########################################
+@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',`
+ ##
+ #
+ interface(`mcs_killall',`
+- gen_require(`
+- attribute mcskillall;
+- ')
+-
+- typeattribute $1 mcskillall;
++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+ ')
+
+ ########################################
+@@ -104,11 +92,7 @@ interface(`mcs_killall',`
+ ##
+ #
+ interface(`mcs_ptrace_all',`
+- gen_require(`
+- attribute mcsptraceall;
+- ')
+-
+- typeattribute $1 mcsptraceall;
++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+ ')
+
+ ########################################
+@@ -130,3 +114,19 @@ interface(`mcs_process_set_categories',`
+
+ typeattribute $1 mcssetcats;
+ ')
++
++########################################
++##
++## Make specified domain MCS trusted
++## for writing to sockets at any level.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`mcs_socket_write_all_levels',`
++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
++')
+diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
+index 2da98c2..31bed0a 100644
+--- a/policy/modules/kernel/mcs.te
++++ b/policy/modules/kernel/mcs.te
+@@ -11,3 +11,4 @@ attribute mcssetcats;
+ attribute mcswriteall;
+ attribute mcsreadall;
+ attribute mcs_constrained_type;
++attribute mcsnetwrite;
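Review bot: `attribute mcsnetwrite;` is declared, but nothing in this patch assigns a type to it; the interface that would plausibly do so, `mcs_socket_write_all_levels`, is added to mcs.if as a `refpolicywarn` stub. Unless a hunk outside this view uses it, the attribute is dead and should either be wired into the interface or dropped. If it stays, a comment like `# domains trusted to write to sockets at any MCS level` documents the intent, and the associated constraint should be referenced.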
+diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
+index 7be4ddf..4d4c577 100644
+--- a/policy/modules/kernel/selinux.fc
++++ b/policy/modules/kernel/selinux.fc
+@@ -1 +1 @@
+-# This module currently does not have any file contexts.
++/selinux -l gen_context(system_u:object_r:security_t,s0)
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 6d0811d..f67bd8f 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
+
+ # because of this statement, any module which
+ # calls this interface must be in the base module:
+- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
++# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+ ')
+
+ ########################################
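Review bot: Commenting out `genfscon selinuxfs /booleans/$2 ...` leaves the explanatory comment directly above it (`# because of this statement, any module which calls this interface must be in the base module:`) describing a statement that no longer exists, and the interface appears to leave the caller with no labelling effect at all. Either delete both the dead line and the stale comment, or replace the comment with the reason it was disabled, e.g. `# per-boolean genfscon disabled; boolean files keep the security_t label`. The opening of `selinux_labeled_boolean` and its gen_require are outside this hunk.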
+@@ -58,6 +58,9 @@ interface(`selinux_get_fs_mount',`
+ type security_t;
+ ')
+
++ allow $1 security_t:lnk_file read_lnk_file_perms;
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
+ # starting in libselinux 2.0.5, init_selinuxmnt() will
+ # attempt to short circuit by checking if SELINUXMNT
+ # (/selinux) is already a selinuxfs
+@@ -87,6 +90,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
+ # starting in libselinux 2.0.5, init_selinuxmnt() will
+ # attempt to short circuit by checking if SELINUXMNT
+ # (/selinux) is already a selinuxfs
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:filesystem getattr;
+
+ # read /proc/filesystems to see if selinuxfs is supported
+@@ -109,6 +113,9 @@ interface(`selinux_mount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:filesystem mount;
+ ')
+
+@@ -128,6 +135,9 @@ interface(`selinux_remount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:filesystem remount;
+ ')
+
+@@ -146,6 +156,9 @@ interface(`selinux_unmount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:filesystem unmount;
+ ')
+
+@@ -164,6 +177,7 @@ interface(`selinux_getattr_fs',`
+ type security_t;
+ ')
+
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:filesystem getattr;
+ ')
+
+@@ -221,6 +235,7 @@ interface(`selinux_search_fs',`
+ ')
+
+ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir search_dir_perms;
+ ')
+
+@@ -244,6 +259,28 @@ interface(`selinux_dontaudit_search_fs',`
+
+ ########################################
+ ##
++## Mount on selinuxfs directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`selinux_mounton_fs',`
++ gen_require(`
++ type security_t;
++ ')
++
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
++ allow $1 security_t:dir mounton;
++')
++
++
++########################################
++##
+ ## Do not audit attempts to read
+ ## generic selinuxfs entries
+ ##
+@@ -258,6 +295,7 @@ interface(`selinux_dontaudit_read_fs',`
+ type security_t;
+ ')
+
++ selinux_dontaudit_getattr_fs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -280,8 +318,10 @@ interface(`selinux_get_enforce_mode',`
+ ')
+
+ dev_search_sysfs($1)
++ selinux_get_fs_mount($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -310,22 +350,12 @@ interface(`selinux_set_enforce_mode',`
+ gen_require(`
+ type security_t;
+ attribute can_setenforce;
+- bool secure_mode_policyload;
+ ')
+
+ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ typeattribute $1 can_setenforce;
+-
+- if(!secure_mode_policyload) {
+- allow $1 security_t:security setenforce;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security setenforce;
+- ')
+- }
+ ')
+
+ ########################################
+@@ -342,22 +372,13 @@ interface(`selinux_load_policy',`
+ gen_require(`
+ type security_t;
+ attribute can_load_policy;
+- bool secure_mode_policyload;
+ ')
+
+ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ typeattribute $1 can_load_policy;
+-
+- if(!secure_mode_policyload) {
+- allow $1 security_t:security load_policy;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security load_policy;
+- ')
+- }
+ ')
+
+ ########################################
+@@ -378,6 +399,7 @@ interface(`selinux_read_policy',`
+ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:security read_policy;
+ ')
+
+@@ -438,19 +460,15 @@ interface(`selinux_set_boolean',`
+ interface(`selinux_set_generic_booleans',`
+ gen_require(`
+ type security_t;
++ attribute can_setbool;
+ ')
+
++ typeattribute $1 can_setbool;
+ dev_search_sysfs($1)
+-
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+
+- allow $1 security_t:security setbool;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security setbool;
+- ')
+ ')
+
+ ########################################
+@@ -479,25 +497,16 @@ interface(`selinux_set_all_booleans',`
+ gen_require(`
+ type security_t, secure_mode_policyload_t;
+ attribute boolean_type;
+- bool secure_mode_policyload;
++ attribute can_setbool;
+ ')
+
++ typeattribute $1 can_setbool;
++ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
+-
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
+- allow $1 secure_mode_policyload_t:file read_file_perms;
+-
+- allow $1 security_t:security setbool;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security setbool;
+- ')
+-
+- if(!secure_mode_policyload) {
+- allow $1 secure_mode_policyload_t:file write_file_perms;
+- }
++ allow $1 boolean_type:dir list_dir_perms;
++ allow $1 boolean_type:file rw_file_perms;
+ ')
+
+ ########################################
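Review bot: `allow $1 boolean_type:file rw_file_perms;` drops both the `-secure_mode_policyload_t` exclusion and the `if(!secure_mode_policyload)` guard that the removed lines had, so a domain given this interface can now write the secure_mode_policyload boolean file even after secure mode is on, which is exactly what the guard prevented. The selinux_unconfined_type rule in selinux.te (a context line in this patch) still carries the `{ boolean_type -secure_mode_policyload_t }` exclusion, so the two paths now disagree. `secure_mode_policyload_t` also remains in the gen_require but is no longer referenced in the body. Unless the relaxation is deliberate and documented, keep `allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;` plus `allow $1 secure_mode_policyload_t:file read_file_perms;` and the conditional write.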
+@@ -528,7 +537,9 @@ interface(`selinux_set_parameters',`
+ attribute can_setsecparam;
+ ')
+
++ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security setsecparam;
+@@ -552,7 +563,9 @@ interface(`selinux_validate_context',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security check_context;
+@@ -595,7 +608,9 @@ interface(`selinux_compute_access_vector',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_av;
+@@ -617,7 +632,9 @@ interface(`selinux_compute_create_context',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_create;
+@@ -639,7 +656,9 @@ interface(`selinux_compute_member',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_member;
+@@ -669,7 +688,9 @@ interface(`selinux_compute_relabel_context',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_relabel;
+@@ -677,6 +698,29 @@ interface(`selinux_compute_relabel_context',`
+
+ ########################################
+ ##
++## Allows caller to setcheckreqprot
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`selinux_setcheckreqprot',`
++ gen_require(`
++ type security_t;
++ ')
++
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
++ allow $1 security_t:dir list_dir_perms;
++ allow $1 security_t:file rw_file_perms;
++ allow $1 security_t:security setcheckreqprot;
++')
++
++########################################
++##
+ ## Allows caller to compute possible contexts for a user.
+ ##
+ ##
+@@ -690,7 +734,9 @@ interface(`selinux_compute_user_contexts',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_user;
+@@ -712,4 +758,28 @@ interface(`selinux_unconfined',`
+ ')
+
+ typeattribute $1 selinux_unconfined_type;
++ selinux_set_all_booleans($1)
++ selinux_load_policy($1)
++ selinux_set_parameters($1)
++ selinux_set_enforce_mode($1)
++')
++
++########################################
++##
++## Generate a file context for a boolean type
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`selinux_genbool',`
++ gen_require(`
++ attribute boolean_type;
++ ')
++
++ type $1, boolean_type;
++ fs_type($1)
++ mls_trusted_object($1)
+ ')
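Review bot: The new `selinux_genbool` interface's parameter doc says `Domain allowed access.`, but `$1` is not a domain: the body declares it with `type $1, boolean_type;` and applies `fs_type`/`mls_trusted_object` to it. Change the parameter text to something like `Type to declare for the boolean; it becomes a boolean_type and an MLS trusted object.` The calls added to `selinux_unconfined` are how unconfined domains now obtain load_policy/setenforce/setbool, since the direct grants in selinux.te were replaced by attribute-based ones in this patch; a one-line comment such as `# attributes through which selinux.te grants the privileged security permissions` would make that coupling visible.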
+diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
+index e0a973b..7d3e431 100644
+--- a/policy/modules/kernel/selinux.te
++++ b/policy/modules/kernel/selinux.te
+@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
+ attribute boolean_type;
+ attribute can_load_policy;
+ attribute can_setenforce;
++attribute can_setbool;
+ attribute can_setsecparam;
+ attribute selinux_unconfined_type;
+
+@@ -36,9 +37,9 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
+ genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
+ genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
+
+-neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
+-neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
+-neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
++neverallow ~{ can_load_policy } security_t:security load_policy;
++neverallow ~{ can_setenforce } security_t:security setenforce;
++neverallow ~{ can_setsecparam } security_t:security setsecparam;
+
+ ########################################
+ #
+@@ -52,7 +53,7 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
+ allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+
+ # Access the security API.
+-allow selinux_unconfined_type security_t:security ~{ load_policy setenforce };
++allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+@@ -60,11 +61,28 @@ ifdef(`distro_rhel4',`
+ ')
+
+ if(!secure_mode_policyload) {
+- allow selinux_unconfined_type security_t:security { load_policy setenforce };
+- allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
++ allow can_setenforce security_t:security setenforce;
++ dev_getattr_sysfs_fs(can_setenforce)
++ dev_search_sysfs(can_setenforce)
++ allow can_setenforce security_t:dir list_dir_perms;
++ allow can_setenforce security_t:file rw_file_perms;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+- auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
++ auditallow can_setenforce security_t:security setenforce;
++ ')
++
++ allow can_load_policy security_t:security load_policy;
++
++ ifdef(`distro_rhel4',`
++ # needed for systems without audit support
++ auditallow can_load_policy security_t:security load_policy;
++ ')
++
++ allow can_setbool boolean_type:security setbool;
++
++ ifdef(`distro_rhel4',`
++ # needed for systems without audit support
++ auditallow can_setbool boolean_type:security setbool;
+ ')
+ }
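Review bot: `allow can_setbool boolean_type:security setbool;` targets boolean_type, but the kernel's setbool check is made against the security initial SID (security_t), which is what the removed `allow $1 security_t:security setbool;` lines in selinux_set_generic_booleans and selinux_set_all_booleans reflected; as written I expect this rule never matches and boolean changes are denied for every domain that relied on those interfaces — please confirm with a test on a built policy. The likely intended lines are `allow can_setbool security_t:security setbool;` and the matching `auditallow`. This hunk also moves generic boolean setting under `if(!secure_mode_policyload)` where it was previously unconditional in selinux_set_generic_booleans; fine if intended, but it belongs in the commit message. The enclosing conditional block opens on the hunk's first context line.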
+diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
+index 54f1827..6910c88 100644
+--- a/policy/modules/kernel/storage.fc
++++ b/policy/modules/kernel/storage.fc
+@@ -7,6 +7,7 @@
+ /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0)
+ /dev/[shmxv]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0)
++/dev/bcache[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
+ /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
+@@ -28,7 +29,8 @@
+ /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+-/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
++/dev/megaraid_sas_ioctl_node -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/megadev.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -51,7 +53,8 @@ ifdef(`distro_redhat', `
+ /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
+-/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/tgt -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
++/dev/tw[a-z][^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
+ /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -81,3 +84,6 @@ ifdef(`distro_redhat', `
+
+ /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
++
++/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
+diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
+index 64c4cd0..b9d9660 100644
+--- a/policy/modules/kernel/storage.if
++++ b/policy/modules/kernel/storage.if
+@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
+
+ ########################################
+ ##
++## Allow the caller to read/write inherited fixed disk
++## device nodes.
++##
++##
++##
++## The domain allowed access.
++##
++##
++#
++interface(`storage_rw_inherited_fixed_disk_dev',`
++ gen_require(`
++ type fixed_disk_device_t;
++ ')
++
++ allow $1 fixed_disk_device_t:chr_file { read write };
++ allow $1 fixed_disk_device_t:blk_file { read write };
++')
++
++########################################
++##
+ ## Do not audit attempts made by the caller to get
+ ## the attributes of fixed disk device nodes.
+ ##
+@@ -101,6 +121,8 @@ interface(`storage_raw_read_fixed_disk',`
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
++ #577012
++ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
+ typeattribute $1 fixed_disk_raw_read;
+ ')
+
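Review bot: `#577012` is a bare number with no tracker name, so a reader cannot tell what justifies the `lnk_file read_lnk_file_perms` grant below it. Write it as `# <tracker> bug 577012: raw readers must follow symlinks to fixed disk device nodes` (naming the actual tracker) so the reason is explained in place.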
+@@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
+ interface(`storage_raw_rw_fixed_disk',`
+ storage_raw_read_fixed_disk($1)
+ storage_raw_write_fixed_disk($1)
++ dev_rw_generic_blk_files($1)
+ ')
+
+ ########################################
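Review bot: `dev_rw_generic_blk_files($1)` added to `storage_raw_rw_fixed_disk` grants read/write on generic device_t block files to every caller of this interface, which is broader than the fixed-disk type its name and its two existing calls are scoped to. If one caller needs device_t block nodes, give that caller `dev_rw_generic_blk_files` directly rather than widening the shared interface; if the real cause is a node mislabelled as device_t, add a comment naming it so the fc file can be fixed instead.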
+@@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',`
+
+ allow $1 self:capability mknod;
+ allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
++ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
+ dev_add_entry_generic_dirs($1)
+ ')
+
+@@ -274,6 +298,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+ dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
+ ')
+
++#######################################
++##
++## Create block devices in /dev with the fixed disk type
++## via an automatic type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`storage_dev_filetrans_named_fixed_disk',`
++ gen_require(`
++ type fixed_disk_device_t;
++ ')
++
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
++')
++
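Review bot: The summary says `Create block devices in /dev with the fixed disk type`, but every `dev_filetrans` in the body uses `chr_file`; change it to `Create character devices in /dev with the fixed disk type`. The enumerated `megadevN`/`rawN` names stop at 9 while the storage.fc entries in this patch match `/dev/megadev.*`, so nodes numbered 10 and above would be created without this transition — worth a comment if that is accepted. The section banner is one `#` shorter than the neighbouring banners.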
+ ########################################
+ ##
+ ## Create block devices in on a tmpfs filesystem with the
+@@ -716,6 +782,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+ dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
+ ')
+
++#######################################
++##
++## Alow read and write inherited removable devices.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`storage_rw_inherited_removable_device',`
++ gen_require(`
++ type removable_device_t;
++ ')
++
++ dontaudit $1 removable_device_t:blk_file { read write };
++')
++
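Review bot: `storage_rw_inherited_removable_device` is named and summarised (`Alow read and write inherited removable devices.`) as an allow interface, yet its body is `dontaudit $1 removable_device_t:blk_file { read write };` and the parameter doc says `Domain to not audit.` One of the two is wrong: either the body should be `allow $1 removable_device_t:blk_file { read write };` to match the name and the sibling `storage_rw_inherited_fixed_disk_dev` earlier in this patch, or the interface should be renamed `storage_dontaudit_rw_inherited_removable_device` with the summary `Do not audit attempts to read and write inherited removable devices.` Fix the typo `Alow` either way. The banner is one `#` shorter than the neighbouring ones.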
+ ########################################
+ ##
+ ## Allow the caller to directly read
+@@ -813,3 +897,452 @@ interface(`storage_unconfined',`
+
+ typeattribute $1 storage_unconfined_type;
+ ')
++
++########################################
++##
++## Create all named devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`storage_filetrans_all_named_dev',`
++
++ gen_require(`
++ type tape_device_t;
++ type fixed_disk_device_t;
++ type removable_device_t;
++ type scsi_generic_device_t;
++ type fuse_device_t;
++ ')
++
++ dev_filetrans($1, tape_device_t, chr_file, "ht00")
++ dev_filetrans($1, tape_device_t, chr_file, "ht01")
++ dev_filetrans($1, tape_device_t, chr_file, "ht02")
++ dev_filetrans($1, tape_device_t, chr_file, "ht03")
++ dev_filetrans($1, tape_device_t, chr_file, "ht04")
++ dev_filetrans($1, tape_device_t, chr_file, "ht05")
++ dev_filetrans($1, tape_device_t, chr_file, "ht06")
++ dev_filetrans($1, tape_device_t, chr_file, "ht07")
++ dev_filetrans($1, tape_device_t, chr_file, "ht08")
++ dev_filetrans($1, tape_device_t, chr_file, "ht09")
++ dev_filetrans($1, tape_device_t, chr_file, "st00")
++ dev_filetrans($1, tape_device_t, chr_file, "st01")
++ dev_filetrans($1, tape_device_t, chr_file, "st02")
++ dev_filetrans($1, tape_device_t, chr_file, "st03")
++ dev_filetrans($1, tape_device_t, chr_file, "st04")
++ dev_filetrans($1, tape_device_t, chr_file, "st05")
++ dev_filetrans($1, tape_device_t, chr_file, "st06")
++ dev_filetrans($1, tape_device_t, chr_file, "st07")
++ dev_filetrans($1, tape_device_t, chr_file, "st08")
++ dev_filetrans($1, tape_device_t, chr_file, "st09")
++ dev_filetrans($1, tape_device_t, chr_file, "qft0")
++ dev_filetrans($1, tape_device_t, chr_file, "qft1")
++ dev_filetrans($1, tape_device_t, chr_file, "qft2")
++ dev_filetrans($1, tape_device_t, chr_file, "qft3")
++ dev_filetrans($1, tape_device_t, chr_file, "osst00")
++ dev_filetrans($1, tape_device_t, chr_file, "osst01")
++ dev_filetrans($1, tape_device_t, chr_file, "osst02")
++ dev_filetrans($1, tape_device_t, chr_file, "osst03")
++ dev_filetrans($1, tape_device_t, chr_file, "osst04")
++ dev_filetrans($1, tape_device_t, chr_file, "osst05")
++ dev_filetrans($1, tape_device_t, chr_file, "osst06")
++ dev_filetrans($1, tape_device_t, chr_file, "osst07")
++ dev_filetrans($1, tape_device_t, chr_file, "osst08")
++ dev_filetrans($1, tape_device_t, chr_file, "osst09")
++ dev_filetrans($1, tape_device_t, chr_file, "pt0")
++ dev_filetrans($1, tape_device_t, chr_file, "pt1")
++ dev_filetrans($1, tape_device_t, chr_file, "pt2")
++ dev_filetrans($1, tape_device_t, chr_file, "pt3")
++ dev_filetrans($1, tape_device_t, chr_file, "pt4")
++ dev_filetrans($1, tape_device_t, chr_file, "pt5")
++ dev_filetrans($1, tape_device_t, chr_file, "pt6")
++ dev_filetrans($1, tape_device_t, chr_file, "pt7")
++ dev_filetrans($1, tape_device_t, chr_file, "pt8")
++ dev_filetrans($1, tape_device_t, chr_file, "pt9")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic0")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic1")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic2")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic3")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic4")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic5")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic6")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic7")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic8")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic9")
++ dev_filetrans($1, removable_device_t, blk_file, "aztcd")
++ dev_filetrans($1, removable_device_t, blk_file, "bpcd")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu0")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu1")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu2")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu3")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu4")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu5")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu6")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu7")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu8")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu9")
++ dev_filetrans($1, removable_device_t, blk_file, "cm200")
++ dev_filetrans($1, removable_device_t, blk_file, "cm201")
++ dev_filetrans($1, removable_device_t, blk_file, "cm202")
++ dev_filetrans($1, removable_device_t, blk_file, "cm203")
++ dev_filetrans($1, removable_device_t, blk_file, "cm204")
++ dev_filetrans($1, removable_device_t, blk_file, "cm205")
++ dev_filetrans($1, removable_device_t, blk_file, "cm206")
++ dev_filetrans($1, removable_device_t, blk_file, "cm207")
++ dev_filetrans($1, removable_device_t, blk_file, "cm208")
++ dev_filetrans($1, removable_device_t, blk_file, "cm209")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-9")
++ dev_filetrans($1, removable_device_t, blk_file, "gscd")
++ dev_filetrans($1, removable_device_t, blk_file, "hitcd")
++ dev_filetrans($1, tape_device_t, blk_file, "ht0")
++ dev_filetrans($1, tape_device_t, blk_file, "ht1")
++ dev_filetrans($1, removable_device_t, blk_file, "hwcdrom")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "initrd")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "jsfd")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
++ dev_filetrans($1, removable_device_t, blk_file, "mcd")
++ dev_filetrans($1, removable_device_t, blk_file, "mcdx")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk0")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk1")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk2")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk3")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk4")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk5")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk6")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk7")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk8")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk9")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk0")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk1")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk2")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk3")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk4")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk5")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk6")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk7")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk8")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd9")
++ dev_filetrans($1, removable_device_t, blk_file, "optcd")
++ dev_filetrans($1, removable_device_t, blk_file, "pf0")
++ dev_filetrans($1, removable_device_t, blk_file, "pf1")
++ dev_filetrans($1, removable_device_t, blk_file, "pf2")
++ dev_filetrans($1, removable_device_t, blk_file, "pf3")
++ dev_filetrans($1, removable_device_t, blk_file, "pg0")
++ dev_filetrans($1, removable_device_t, blk_file, "pg1")
++ dev_filetrans($1, removable_device_t, blk_file, "pg2")
++ dev_filetrans($1, removable_device_t, blk_file, "pg3")
++ dev_filetrans($1, removable_device_t, blk_file, "pcd0")
++ dev_filetrans($1, removable_device_t, blk_file, "pcd1")
++ dev_filetrans($1, removable_device_t, blk_file, "pcd2")
++ dev_filetrans($1, removable_device_t, blk_file, "pcd3")
++ dev_filetrans($1, removable_device_t, chr_file, "pg0")
++ dev_filetrans($1, removable_device_t, chr_file, "pg1")
++ dev_filetrans($1, removable_device_t, chr_file, "pg2")
++ dev_filetrans($1, removable_device_t, chr_file, "pg3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram10")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram11")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram12")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram13")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram14")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram15")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "root")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd0")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd1")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd2")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd3")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd4")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd5")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd6")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd7")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd8")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd9")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg0")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg1")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg2")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg3")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg4")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg5")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg6")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50")
++ dev_filetrans($1, removable_device_t, blk_file, "sr0")
++ dev_filetrans($1, removable_device_t, blk_file, "sr1")
++ dev_filetrans($1, removable_device_t, blk_file, "sr2")
++ dev_filetrans($1, removable_device_t, blk_file, "sr3")
++ dev_filetrans($1, removable_device_t, blk_file, "sr4")
++ dev_filetrans($1, removable_device_t, blk_file, "sr5")
++ dev_filetrans($1, removable_device_t, blk_file, "sr6")
++ dev_filetrans($1, removable_device_t, blk_file, "sr7")
++ dev_filetrans($1, removable_device_t, blk_file, "sr8")
++ dev_filetrans($1, removable_device_t, blk_file, "sr9")
++ dev_filetrans($1, removable_device_t, blk_file, "sjcd")
++ dev_filetrans($1, removable_device_t, blk_file, "sonycd")
++ dev_filetrans($1, tape_device_t, chr_file, "tape0")
++ dev_filetrans($1, tape_device_t, chr_file, "tape1")
++ dev_filetrans($1, tape_device_t, chr_file, "tape2")
++ dev_filetrans($1, tape_device_t, chr_file, "tape3")
++ dev_filetrans($1, tape_device_t, chr_file, "tape4")
++ dev_filetrans($1, tape_device_t, chr_file, "tape5")
++ dev_filetrans($1, tape_device_t, chr_file, "tape6")
++ dev_filetrans($1, tape_device_t, chr_file, "tape7")
++ dev_filetrans($1, tape_device_t, chr_file, "tape8")
++ dev_filetrans($1, tape_device_t, chr_file, "tape9")
++ dev_filetrans($1, fuse_device_t, chr_file, "fuse")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
++ dev_filetrans($1, removable_device_t, chr_file, "rio500")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa10")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa11")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa12")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa13")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa14")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa15")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa16")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa17")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa18")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19")
++
++')
+diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
+index 156c333..02f5a3c 100644
+--- a/policy/modules/kernel/storage.te
++++ b/policy/modules/kernel/storage.te
+@@ -57,3 +57,9 @@ dev_node(tape_device_t)
+
+ allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
+ allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
++
++# Since block devices are some times used before being labeled correctly
++ifdef(`hide_broken_symptoms',`
++ dev_read_generic_blk_files(fixed_disk_raw_read)
++ dev_manage_generic_blk_files(fixed_disk_raw_write)
++')
+diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
+index 0ea25b6..01b968e 100644
+--- a/policy/modules/kernel/terminal.fc
++++ b/policy/modules/kernel/terminal.fc
+@@ -14,11 +14,12 @@
+ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+-/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+ /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/sclp_line[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
+ /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
+ /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
+ /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
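Review bot: Moving `/dev/ttyUSB[0-9]+` to `usbtty_device_t` silently removes USB serial adapters from the unallocated-tty type, so any domain that reached them through `term_use_unallocated_ttys` or the `ttynode`-based interfaces will start getting denials until it is switched to the new `term_use_usb_ttys`; that migration should be called out in the commit message. The new type also has to be declared in terminal.te with `dev_node()` so the node is accepted under /dev — that file is not in this chunk, so please confirm. Dropping the `/dev/pts/ptmx` entry is presumably fine because devpts is labeled through the filesystem rather than by file contexts, but a one-line comment next to the remaining `/dev/ptmx` entry (`# /dev/pts/ptmx is labeled by the devpts filesystem, not by file contexts`) would save the next reader the same question.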
+@@ -42,3 +43,7 @@ ifdef(`distro_gentoo',`
+ # used by init scripts to initally populate udev /dev
+ /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
+ ')
++
++/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
++
++/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
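Review bot: The two new `devpts_t` directory entries are added unconditionally right after the `distro_gentoo` block, whereas the existing `/lib/udev/devices/console` seed entry just above them is Gentoo-only; if the pts seed directory is meant for every distribution, a short comment saying so (`# udev seed directory for the devpts mount point; labeled devpts_t so devpts can be mounted on it`) makes the asymmetry look intentional rather than accidental. The `s0-mls_systemhigh` range also differs from the plain `s0` used by every other entry in this file, which deserves the same one-line justification.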
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index cbb729b..ef15aac 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -124,7 +124,7 @@ interface(`term_user_tty',`
+ type_change $1 ttynode:chr_file $2;
+ ')
+
+- tunable_policy(`console_login',`
++ tunable_policy(`login_console_enabled',`
+ # When user logs in from /dev/console, relabel it
+ # to user tty type as well.
+ type_change $1 console_device_t:chr_file $2;
+@@ -133,6 +133,25 @@ interface(`term_user_tty',`
+
+ ########################################
+ ##
++## Create the /dev/pts directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_create_pty_dir',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:dir create_dir_perms;
++ dev_filetrans($1, devpts_t, dir, "devpts")
++')
++
++########################################
++##
+ ## Create a pty in the /dev/pts directory.
+ ##
+ ##
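Review bot: `dev_filetrans($1, devpts_t, dir, "devpts")` keys the transition on a directory named "devpts", but the interface is documented as creating `/dev/pts`, so a mkdir of `pts` under /dev never hits this rule and the directory ends up with the default `device_t` label. Unless some caller really creates a directory called `devpts`, the name should be `dev_filetrans($1, devpts_t, dir, "pts")`; if both names are possible, add both transitions and say so in the summary.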
+@@ -208,6 +227,27 @@ interface(`term_use_all_terms',`
+
+ ########################################
+ ##
++## Read and write the inherited console, all inherited
++## ttys and ptys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_terms',`
++ gen_require(`
++ attribute ttynode, ptynode;
++ type console_device_t, devpts_t, tty_device_t;
++ ')
++
++ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
+ ## Write to the console.
+ ##
+ ##
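Review bot: `rw_inherited_term_perms` does not appear to be a permission set upstream refpolicy defines, so unless this patch also adds it to policy/support/obj_perm_sets.spt (not visible in this chunk) the build fails at macro expansion; please confirm where it is defined. The summary should also state what "inherited" means in practice — presumably that the set omits `open`, so a domain can use a terminal handed to it across exec but cannot open one by path — e.g. `## (no open permission: the descriptor must be inherited)`, since that distinction is the whole reason for the interface.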
+@@ -274,7 +314,6 @@ interface(`term_dontaudit_read_console',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`term_use_console',`
+ gen_require(`
+@@ -299,9 +338,12 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+ gen_require(`
+ type console_device_t;
++ type tty_device_t;
+ ')
+
+- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++ init_dontaudit_use_fds($1)
++ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
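Review bot: `init_dontaudit_use_fds($1)` makes the kernel-layer terminal module call into the system-layer init module, which inverts refpolicy's layering (kernel interfaces are meant to be usable without system modules) and ties every caller of `term_dontaudit_use_console` to init's fd type. If the goal is to silence leaked-fd noise, that belongs in the callers or in init.if, not here. The interface also now dontaudits `tty_device_t`, so its name and summary ("console") no longer describe what it covers; either leave unallocated ttys to the existing `term_dontaudit_use_unallocated_ttys` or update the summary to `## Do not audit attempts to read or write the console or unallocated ttys.`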
+@@ -384,6 +426,42 @@ interface(`term_getattr_pty_fs',`
+
+ ########################################
+ ##
++## Mount a pty filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_mount_pty_fs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:filesystem mount;
++')
++
++########################################
++##
++## Unmount a pty filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_unmount_pty_fs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:filesystem unmount;
++')
++
++########################################
++##
+ ## Relabel from and to pty filesystem.
+ ##
+ ##
+@@ -481,6 +559,24 @@ interface(`term_list_ptys',`
+
+ ########################################
+ ##
++## Relabel the /dev/pts directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_relabel_ptys_dirs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:dir relabel_dir_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read the
+ ## /dev/pts directory.
+ ##
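Review bot: `term_relabel_ptys_dirs` grants `relabel_dir_perms` on `devpts_t` but, unlike `term_relabel_all_ptys` in a later hunk of this file, does not call `dev_list_all_dev_nodes($1)`, so a caller with only this interface may not be able to search /dev to reach the directory it is allowed to relabel. Add `dev_list_all_dev_nodes($1)` before the allow rule, or document that callers must obtain /dev search access separately.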
+@@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',`
+
+ ########################################
+ ##
+-## Dot not audit attempts to read and
++## Do not audit attempts to read and
+ ## write the generic pty type. This is
+ ## generally only used in the targeted policy.
+ ##
+@@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+ type devpts_t;
+ ')
+
++ init_dontaudit_use_fds($1)
+ dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ ')
+
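Review bot: The added `init_dontaudit_use_fds($1)` is a kernel-layer interface calling a system-layer one, the same layering inversion introduced in `term_dontaudit_use_console`; terminal.if should not depend on init.if. If the leaked-fd noise is the real target, the existing `dontaudit $1 devpts_t:chr_file ...` already covers the pty side and the init fd part belongs with the callers.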
+@@ -879,6 +976,26 @@ interface(`term_use_all_ptys',`
+
+ ########################################
+ ##
++## Read and write all inherited ptys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_ptys',`
++ gen_require(`
++ attribute ptynode;
++ type devpts_t;
++ ')
++
++ allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
++')
++
++########################################
++##
+ ## Do not audit attempts to read or write any ptys.
+ ##
+ ##
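Review bot: `term_use_all_inherited_ptys` requires `type devpts_t` but never references it — the only rule is on `ptynode` — so the gen_require should be trimmed to `attribute ptynode;`. The permission set `{ rw_inherited_term_perms lock }` also differs from `term_use_all_inherited_ttys` later in this patch, which grants `rw_inherited_term_perms` without `lock`; if the asymmetry is intentional, a comment should say why.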
+@@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',`
+ attribute ptynode;
+ ')
+
+- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
++ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
+ ')
+
+ ########################################
+@@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- relabel_chr_files_pattern($1, devpts_t, ptynode)
++ relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } )
+ ')
+
+ ########################################
+@@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -1165,6 +1282,25 @@ interface(`term_relabel_unallocated_ttys',`
+
+ ########################################
+ ##
++## Mounton unallocated tty device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_mounton_unallocated_ttys',`
++ gen_require(`
++ type tty_device_t;
++ ')
++
++ allow $1 tty_device_t:chr_file mounton;
++')
++
++########################################
++##
+ ## Relabel from all user tty types to
+ ## the unallocated tty type.
+ ##
+@@ -1259,7 +1395,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+ type tty_device_t;
+ ')
+
+- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
++ init_dontaudit_use_fds($1)
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Read and write USB tty character
++## device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_use_usb_ttys',`
++ gen_require(`
++ type usbtty_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
++')
++
++#######################################
++##
++## Setattr on USB tty character
++## device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_setattr_usb_ttys',`
++ gen_require(`
++ type usbtty_device_t;
++ ')
++
++ allow $1 usbtty_device_t:chr_file setattr;
+ ')
+
+ ########################################
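Review bot: `term_use_usb_ttys` grants `rw_chr_file_perms` while this same patch changes `term_use_all_ttys` to `rw_term_perms`, so USB serial nodes get a wider set than every other tty type; for consistency it should be `allow $1 usbtty_device_t:chr_file rw_term_perms;`. `usbtty_device_t` must be declared in terminal.te with `dev_node()`, and if it is meant to be covered by the `ttynode` interfaces it also needs `term_tty()` — that file is outside this chunk, so please confirm, otherwise every gen_require here fails. The `init_dontaudit_use_fds($1)` added to `term_dontaudit_use_unallocated_ttys` at the top of the hunk has the same kernel-to-system layering problem as the console variant.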
+@@ -1275,11 +1451,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+ #
+ interface(`term_getattr_all_ttys',`
+ gen_require(`
++ type tty_device_t;
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file getattr;
++ allow $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1296,10 +1474,12 @@ interface(`term_getattr_all_ttys',`
+ interface(`term_dontaudit_getattr_all_ttys',`
+ gen_require(`
+ attribute ttynode;
++ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ dontaudit $1 ttynode:chr_file getattr;
++ dontaudit $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1377,7 +1557,27 @@ interface(`term_use_all_ttys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 ttynode:chr_file rw_chr_file_perms;
++ allow $1 ttynode:chr_file rw_term_perms;
++')
++
++########################################
++##
++## Read and write all inherited ttys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_ttys',`
++ gen_require(`
++ attribute ttynode;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 ttynode:chr_file rw_inherited_term_perms;
+ ')
+
+ ########################################
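Review bot: Changing `term_use_all_ttys` from `rw_chr_file_perms` to `rw_term_perms` narrows the grant (as far as I recall refpolicy's term set omits `lock`), which is an incompatible change for any caller that locks a tty; it should be called out in the commit message or `lock` added back as `{ rw_term_perms lock }`. The new `term_use_all_inherited_ttys` follows that narrowing but is inconsistent with `term_use_all_inherited_ptys` in this patch, which keeps `lock`; pick one convention for both and note it in the summaries.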
+@@ -1396,7 +1596,7 @@ interface(`term_dontaudit_use_all_ttys',`
+ attribute ttynode;
+ ')
+
+- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
++ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1504,7 +1704,7 @@ interface(`term_use_all_user_ttys',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -1513,21 +1713,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
+ term_dontaudit_use_all_ttys($1)
+ ')
+
++####################################
++##
++## Getattr on the virtio console.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_getattr_virtio_console',`
++ gen_require(`
++ type virtio_device_t;
++ ')
++
++ allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
++')
++
+ #####################################
+ ##
+-## Read from and write virtio console.
++## Read from and write to the virtio console.
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+ interface(`term_use_virtio_console',`
+- gen_require(`
+- type virtio_device_t;
+- ')
+-
+- dev_list_all_dev_nodes($1)
+- allow $1 virtio_device_t:chr_file rw_term_perms;
++ gen_require(`
++ type virtio_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
++')
++
++########################################
++##
++## Create all named term devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_filetrans_all_named_dev',`
++
++ gen_require(`
++ type tty_device_t;
++ type bsdpty_device_t;
++ type console_device_t;
++ type ptmx_t;
++ type devtty_t;
++ type virtio_device_t;
++ type devpts_t;
++ type usbtty_device_t;
++ ')
++
++ dev_filetrans($1, devtty_t, chr_file, "tty")
++ dev_filetrans($1, tty_device_t, chr_file, "tty0")
++ dev_filetrans($1, tty_device_t, chr_file, "tty1")
++ dev_filetrans($1, tty_device_t, chr_file, "tty2")
++ dev_filetrans($1, tty_device_t, chr_file, "tty3")
++ dev_filetrans($1, tty_device_t, chr_file, "tty4")
++ dev_filetrans($1, tty_device_t, chr_file, "tty5")
++ dev_filetrans($1, tty_device_t, chr_file, "tty6")
++ dev_filetrans($1, tty_device_t, chr_file, "tty7")
++ dev_filetrans($1, tty_device_t, chr_file, "tty8")
++ dev_filetrans($1, tty_device_t, chr_file, "tty9")
++ dev_filetrans($1, tty_device_t, chr_file, "tty10")
++ dev_filetrans($1, tty_device_t, chr_file, "tty11")
++ dev_filetrans($1, tty_device_t, chr_file, "tty12")
++ dev_filetrans($1, tty_device_t, chr_file, "tty13")
++ dev_filetrans($1, tty_device_t, chr_file, "tty14")
++ dev_filetrans($1, tty_device_t, chr_file, "tty15")
++ dev_filetrans($1, tty_device_t, chr_file, "tty16")
++ dev_filetrans($1, tty_device_t, chr_file, "tty17")
++ dev_filetrans($1, tty_device_t, chr_file, "tty18")
++ dev_filetrans($1, tty_device_t, chr_file, "tty19")
++ dev_filetrans($1, tty_device_t, chr_file, "tty20")
++ dev_filetrans($1, tty_device_t, chr_file, "tty21")
++ dev_filetrans($1, tty_device_t, chr_file, "tty22")
++ dev_filetrans($1, tty_device_t, chr_file, "tty23")
++ dev_filetrans($1, tty_device_t, chr_file, "tty24")
++ dev_filetrans($1, tty_device_t, chr_file, "tty25")
++ dev_filetrans($1, tty_device_t, chr_file, "tty26")
++ dev_filetrans($1, tty_device_t, chr_file, "tty27")
++ dev_filetrans($1, tty_device_t, chr_file, "tty28")
++ dev_filetrans($1, tty_device_t, chr_file, "tty29")
++ dev_filetrans($1, tty_device_t, chr_file, "tty30")
++ dev_filetrans($1, tty_device_t, chr_file, "tty31")
++ dev_filetrans($1, tty_device_t, chr_file, "tty32")
++ dev_filetrans($1, tty_device_t, chr_file, "tty33")
++ dev_filetrans($1, tty_device_t, chr_file, "tty34")
++ dev_filetrans($1, tty_device_t, chr_file, "tty35")
++ dev_filetrans($1, tty_device_t, chr_file, "tty36")
++ dev_filetrans($1, tty_device_t, chr_file, "tty37")
++ dev_filetrans($1, tty_device_t, chr_file, "tty38")
++ dev_filetrans($1, tty_device_t, chr_file, "tty39")
++ dev_filetrans($1, tty_device_t, chr_file, "tty40")
++ dev_filetrans($1, tty_device_t, chr_file, "tty41")
++ dev_filetrans($1, tty_device_t, chr_file, "tty42")
++ dev_filetrans($1, tty_device_t, chr_file, "tty43")
++ dev_filetrans($1, tty_device_t, chr_file, "tty44")
++ dev_filetrans($1, tty_device_t, chr_file, "tty45")
++ dev_filetrans($1, tty_device_t, chr_file, "tty46")
++ dev_filetrans($1, tty_device_t, chr_file, "tty47")
++ dev_filetrans($1, tty_device_t, chr_file, "tty48")
++ dev_filetrans($1, tty_device_t, chr_file, "tty49")
++ dev_filetrans($1, tty_device_t, chr_file, "tty50")
++ dev_filetrans($1, tty_device_t, chr_file, "tty51")
++ dev_filetrans($1, tty_device_t, chr_file, "tty52")
++ dev_filetrans($1, tty_device_t, chr_file, "tty53")
++ dev_filetrans($1, tty_device_t, chr_file, "tty54")
++ dev_filetrans($1, tty_device_t, chr_file, "tty55")
++ dev_filetrans($1, tty_device_t, chr_file, "tty56")
++ dev_filetrans($1, tty_device_t, chr_file, "tty57")
++ dev_filetrans($1, tty_device_t, chr_file, "tty58")
++ dev_filetrans($1, tty_device_t, chr_file, "tty59")
++ dev_filetrans($1, tty_device_t, chr_file, "tty60")
++ dev_filetrans($1, tty_device_t, chr_file, "tty61")
++ dev_filetrans($1, tty_device_t, chr_file, "tty62")
++ dev_filetrans($1, tty_device_t, chr_file, "tty63")
++ dev_filetrans($1, tty_device_t, chr_file, "tty64")
++ dev_filetrans($1, tty_device_t, chr_file, "tty65")
++ dev_filetrans($1, tty_device_t, chr_file, "tty66")
++ dev_filetrans($1, tty_device_t, chr_file, "tty67")
++ dev_filetrans($1, tty_device_t, chr_file, "tty68")
++ dev_filetrans($1, tty_device_t, chr_file, "tty69")
++ dev_filetrans($1, tty_device_t, chr_file, "tty70")
++ dev_filetrans($1, tty_device_t, chr_file, "tty71")
++ dev_filetrans($1, tty_device_t, chr_file, "tty72")
++ dev_filetrans($1, tty_device_t, chr_file, "tty73")
++ dev_filetrans($1, tty_device_t, chr_file, "tty74")
++ dev_filetrans($1, tty_device_t, chr_file, "tty75")
++ dev_filetrans($1, tty_device_t, chr_file, "tty76")
++ dev_filetrans($1, tty_device_t, chr_file, "tty77")
++ dev_filetrans($1, tty_device_t, chr_file, "tty78")
++ dev_filetrans($1, tty_device_t, chr_file, "tty79")
++ dev_filetrans($1, tty_device_t, chr_file, "tty80")
++ dev_filetrans($1, tty_device_t, chr_file, "tty81")
++ dev_filetrans($1, tty_device_t, chr_file, "tty82")
++ dev_filetrans($1, tty_device_t, chr_file, "tty83")
++ dev_filetrans($1, tty_device_t, chr_file, "tty84")
++ dev_filetrans($1, tty_device_t, chr_file, "tty85")
++ dev_filetrans($1, tty_device_t, chr_file, "tty86")
++ dev_filetrans($1, tty_device_t, chr_file, "tty87")
++ dev_filetrans($1, tty_device_t, chr_file, "tty88")
++ dev_filetrans($1, tty_device_t, chr_file, "tty89")
++ dev_filetrans($1, tty_device_t, chr_file, "tty90")
++ dev_filetrans($1, tty_device_t, chr_file, "tty91")
++ dev_filetrans($1, tty_device_t, chr_file, "tty92")
++ dev_filetrans($1, tty_device_t, chr_file, "tty93")
++ dev_filetrans($1, tty_device_t, chr_file, "tty94")
++ dev_filetrans($1, tty_device_t, chr_file, "tty95")
++ dev_filetrans($1, tty_device_t, chr_file, "tty96")
++ dev_filetrans($1, tty_device_t, chr_file, "tty97")
++ dev_filetrans($1, tty_device_t, chr_file, "tty98")
++ dev_filetrans($1, tty_device_t, chr_file, "tty99")
++ dev_filetrans($1, tty_device_t, chr_file, "pty")
++ dev_filetrans($1, tty_device_t, chr_file, "pty0")
++ dev_filetrans($1, tty_device_t, chr_file, "pty1")
++ dev_filetrans($1, tty_device_t, chr_file, "pty2")
++ dev_filetrans($1, tty_device_t, chr_file, "pty3")
++ dev_filetrans($1, tty_device_t, chr_file, "pty4")
++ dev_filetrans($1, tty_device_t, chr_file, "pty5")
++ dev_filetrans($1, tty_device_t, chr_file, "pty6")
++ dev_filetrans($1, tty_device_t, chr_file, "pty7")
++ dev_filetrans($1, tty_device_t, chr_file, "pty8")
++ dev_filetrans($1, tty_device_t, chr_file, "pty9")
++ dev_filetrans($1, tty_device_t, chr_file, "pty10")
++ dev_filetrans($1, tty_device_t, chr_file, "pty11")
++ dev_filetrans($1, tty_device_t, chr_file, "pty12")
++ dev_filetrans($1, tty_device_t, chr_file, "pty13")
++ dev_filetrans($1, tty_device_t, chr_file, "pty14")
++ dev_filetrans($1, tty_device_t, chr_file, "pty15")
++ dev_filetrans($1, tty_device_t, chr_file, "pty16")
++ dev_filetrans($1, tty_device_t, chr_file, "pty17")
++ dev_filetrans($1, tty_device_t, chr_file, "pty18")
++ dev_filetrans($1, tty_device_t, chr_file, "pty19")
++ dev_filetrans($1, tty_device_t, chr_file, "pty20")
++ dev_filetrans($1, tty_device_t, chr_file, "pty21")
++ dev_filetrans($1, tty_device_t, chr_file, "pty22")
++ dev_filetrans($1, tty_device_t, chr_file, "pty23")
++ dev_filetrans($1, tty_device_t, chr_file, "pty24")
++ dev_filetrans($1, tty_device_t, chr_file, "pty25")
++ dev_filetrans($1, tty_device_t, chr_file, "pty26")
++ dev_filetrans($1, tty_device_t, chr_file, "pty27")
++ dev_filetrans($1, tty_device_t, chr_file, "pty28")
++ dev_filetrans($1, tty_device_t, chr_file, "pty29")
++ dev_filetrans($1, tty_device_t, chr_file, "pty30")
++ dev_filetrans($1, tty_device_t, chr_file, "pty31")
++ dev_filetrans($1, tty_device_t, chr_file, "pty32")
++ dev_filetrans($1, tty_device_t, chr_file, "pty33")
++ dev_filetrans($1, tty_device_t, chr_file, "pty34")
++ dev_filetrans($1, tty_device_t, chr_file, "pty35")
++ dev_filetrans($1, tty_device_t, chr_file, "pty36")
++ dev_filetrans($1, tty_device_t, chr_file, "pty37")
++ dev_filetrans($1, tty_device_t, chr_file, "pty38")
++ dev_filetrans($1, tty_device_t, chr_file, "pty39")
++ dev_filetrans($1, tty_device_t, chr_file, "pty40")
++ dev_filetrans($1, tty_device_t, chr_file, "pty41")
++ dev_filetrans($1, tty_device_t, chr_file, "pty42")
++ dev_filetrans($1, tty_device_t, chr_file, "pty43")
++ dev_filetrans($1, tty_device_t, chr_file, "pty44")
++ dev_filetrans($1, tty_device_t, chr_file, "pty45")
++ dev_filetrans($1, tty_device_t, chr_file, "pty46")
++ dev_filetrans($1, tty_device_t, chr_file, "pty47")
++ dev_filetrans($1, tty_device_t, chr_file, "pty48")
++ dev_filetrans($1, tty_device_t, chr_file, "pty49")
++ dev_filetrans($1, tty_device_t, chr_file, "pty50")
++ dev_filetrans($1, tty_device_t, chr_file, "pty51")
++ dev_filetrans($1, tty_device_t, chr_file, "pty52")
++ dev_filetrans($1, tty_device_t, chr_file, "pty53")
++ dev_filetrans($1, tty_device_t, chr_file, "pty54")
++ dev_filetrans($1, tty_device_t, chr_file, "pty55")
++ dev_filetrans($1, tty_device_t, chr_file, "pty56")
++ dev_filetrans($1, tty_device_t, chr_file, "pty57")
++ dev_filetrans($1, tty_device_t, chr_file, "pty58")
++ dev_filetrans($1, tty_device_t, chr_file, "pty59")
++ dev_filetrans($1, tty_device_t, chr_file, "pty60")
++ dev_filetrans($1, tty_device_t, chr_file, "pty61")
++ dev_filetrans($1, tty_device_t, chr_file, "pty62")
++ dev_filetrans($1, tty_device_t, chr_file, "pty63")
++ dev_filetrans($1, tty_device_t, chr_file, "pty64")
++ dev_filetrans($1, tty_device_t, chr_file, "pty65")
++ dev_filetrans($1, tty_device_t, chr_file, "pty66")
++ dev_filetrans($1, tty_device_t, chr_file, "pty67")
++ dev_filetrans($1, tty_device_t, chr_file, "pty68")
++ dev_filetrans($1, tty_device_t, chr_file, "pty69")
++ dev_filetrans($1, tty_device_t, chr_file, "pty70")
++ dev_filetrans($1, tty_device_t, chr_file, "pty71")
++ dev_filetrans($1, tty_device_t, chr_file, "pty72")
++ dev_filetrans($1, tty_device_t, chr_file, "pty73")
++ dev_filetrans($1, tty_device_t, chr_file, "pty74")
++ dev_filetrans($1, tty_device_t, chr_file, "pty75")
++ dev_filetrans($1, tty_device_t, chr_file, "pty76")
++ dev_filetrans($1, tty_device_t, chr_file, "pty77")
++ dev_filetrans($1, tty_device_t, chr_file, "pty78")
++ dev_filetrans($1, tty_device_t, chr_file, "pty79")
++ dev_filetrans($1, tty_device_t, chr_file, "pty80")
++ dev_filetrans($1, tty_device_t, chr_file, "pty81")
++ dev_filetrans($1, tty_device_t, chr_file, "pty82")
++ dev_filetrans($1, tty_device_t, chr_file, "pty83")
++ dev_filetrans($1, tty_device_t, chr_file, "pty84")
++ dev_filetrans($1, tty_device_t, chr_file, "pty85")
++ dev_filetrans($1, tty_device_t, chr_file, "pty86")
++ dev_filetrans($1, tty_device_t, chr_file, "pty87")
++ dev_filetrans($1, tty_device_t, chr_file, "pty88")
++ dev_filetrans($1, tty_device_t, chr_file, "pty89")
++ dev_filetrans($1, tty_device_t, chr_file, "pty90")
++ dev_filetrans($1, tty_device_t, chr_file, "pty91")
++ dev_filetrans($1, tty_device_t, chr_file, "pty92")
++ dev_filetrans($1, tty_device_t, chr_file, "pty93")
++ dev_filetrans($1, tty_device_t, chr_file, "pty94")
++ dev_filetrans($1, tty_device_t, chr_file, "pty95")
++ dev_filetrans($1, tty_device_t, chr_file, "pty96")
++ dev_filetrans($1, tty_device_t, chr_file, "pty97")
++ dev_filetrans($1, tty_device_t, chr_file, "pty98")
++ dev_filetrans($1, tty_device_t, chr_file, "pty99")
++ dev_filetrans($1, tty_device_t, chr_file, "adb0")
++ dev_filetrans($1, tty_device_t, chr_file, "adb1")
++ dev_filetrans($1, tty_device_t, chr_file, "adb2")
++ dev_filetrans($1, tty_device_t, chr_file, "adb3")
++ dev_filetrans($1, tty_device_t, chr_file, "adb4")
++ dev_filetrans($1, tty_device_t, chr_file, "adb5")
++ dev_filetrans($1, tty_device_t, chr_file, "adb6")
++ dev_filetrans($1, tty_device_t, chr_file, "adb7")
++ dev_filetrans($1, tty_device_t, chr_file, "adb8")
++ dev_filetrans($1, tty_device_t, chr_file, "adb9")
++ dev_filetrans($1, tty_device_t, chr_file, "capi0")
++ dev_filetrans($1, tty_device_t, chr_file, "capi1")
++ dev_filetrans($1, tty_device_t, chr_file, "capi2")
++ dev_filetrans($1, tty_device_t, chr_file, "capi3")
++ dev_filetrans($1, tty_device_t, chr_file, "capi4")
++ dev_filetrans($1, tty_device_t, chr_file, "capi5")
++ dev_filetrans($1, tty_device_t, chr_file, "capi6")
++ dev_filetrans($1, tty_device_t, chr_file, "capi7")
++ dev_filetrans($1, tty_device_t, chr_file, "capi8")
++ dev_filetrans($1, tty_device_t, chr_file, "capi9")
++ dev_filetrans($1, console_device_t, chr_file, "console")
++ dev_filetrans($1, tty_device_t, chr_file, "cu0")
++ dev_filetrans($1, tty_device_t, chr_file, "cu1")
++ dev_filetrans($1, tty_device_t, chr_file, "cu2")
++ dev_filetrans($1, tty_device_t, chr_file, "cu3")
++ dev_filetrans($1, tty_device_t, chr_file, "cu4")
++ dev_filetrans($1, tty_device_t, chr_file, "cu5")
++ dev_filetrans($1, tty_device_t, chr_file, "cu6")
++ dev_filetrans($1, tty_device_t, chr_file, "cu7")
++ dev_filetrans($1, tty_device_t, chr_file, "cu8")
++ dev_filetrans($1, tty_device_t, chr_file, "cu9")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri0")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri1")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri2")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri3")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri4")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri5")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri6")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri7")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri8")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri9")
++ dev_filetrans($1, tty_device_t, chr_file, "vcsa")
++ dev_filetrans($1, tty_device_t, chr_file, "vcsb")
++ dev_filetrans($1, tty_device_t, chr_file, "vcsc")
++ dev_filetrans($1, tty_device_t, chr_file, "vcsd")
++ dev_filetrans($1, tty_device_t, chr_file, "vcse")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc0")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc1")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc2")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc3")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc4")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc5")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc6")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc7")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc8")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc9")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi0")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi1")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi2")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi3")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi4")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi5")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi6")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi7")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi8")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi9")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm0")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm1")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm2")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm3")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm4")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm5")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm6")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm7")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm8")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm9")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn0")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn1")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn2")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn3")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn4")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn5")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn6")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn7")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn8")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn9")
++ filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx")
++ dev_filetrans($1, ptmx_t, chr_file, "ptmx")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm0")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm1")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm2")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm3")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm4")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm5")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm6")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm7")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm8")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm9")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr0")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr1")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr2")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr3")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr4")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr5")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr6")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr7")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr8")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr9")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM0")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM1")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM2")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM3")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM4")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM5")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM6")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM7")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM8")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM9")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS0")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS1")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS2")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS3")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS4")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS5")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS6")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS7")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS8")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS9")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG0")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG1")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG2")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG3")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG4")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG5")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG6")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p3")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p4")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p5")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p6")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p7")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p8")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p9")
++ dev_filetrans($1, devpts_t, dir, "pts")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc0")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc1")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc2")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc3")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc4")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc5")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc6")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc7")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc8")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc9")
+ ')
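Review bot: `term_filetrans_all_named_dev` is documented as covering all named term devices, but name-based type transitions are exact-string matches, so a node outside the enumerated suffixes (tty100, ttyS10, ttyUSB10, hvc10, vport1p0) created by the caller receives the /dev directory default instead of a terminal type until a relabel runs; the header comment should state that, e.g. `## Only the enumerated names are covered; other nodes fall back to the default /dev label until relabeled.`. `bsdpty_device_t` is listed in `gen_require` but no transition in the body uses it, so either the `pty*` entries were meant to use it or the require line is dead. Separately, `term_use_virtio_console` moves from `rw_term_perms` to `rw_chr_file_perms` while the `term_use_all_ttys` hunk earlier in this file moves in the opposite direction; since the set definitions are outside this diff, whichever is the intended superset should be applied consistently and the reason noted.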
+diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
+index 66e116a..a0a5d90 100644
+--- a/policy/modules/kernel/terminal.te
++++ b/policy/modules/kernel/terminal.te
+@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
+ fs_associate_tmpfs(devpts_t)
+ fs_type(devpts_t)
+ fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
++dev_associate(devpts_t)
+
+ #
+ # devtty_t is the type of /dev/tty.
+@@ -57,5 +58,8 @@ dev_node(tty_device_t)
+ type usbtty_device_t, serial_device;
+ dev_node(usbtty_device_t)
+
++#
++# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
++#
+ type virtio_device_t, serial_device;
+ dev_node(virtio_device_t)
+diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
+new file mode 100644
+index 0000000..f310b9d
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.fc
+@@ -0,0 +1 @@
++# No unlabelednet file contexts.
+diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
+new file mode 100644
+index 0000000..0ce0470
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.if
+@@ -0,0 +1 @@
++## Policy for allowing confined domains to use unlabeled_t packets
+diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
+new file mode 100644
+index 0000000..48caabc
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.te
+@@ -0,0 +1,12 @@
++policy_module(unlabelednet, 1.0.0)
++
++corenet_enable_unlabeled_packets()
++
++gen_require(`
++ type unlabeled_t;
++ attribute domain;
++')
++
++# temporary hack until labeling on packets is supported
++allow domain unlabeled_t:packet { send recv };
++
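Review bot: `allow domain unlabeled_t:packet { send recv }` grants every process domain on the system both directions of unlabeled packet traffic, which removes packet labeling as an enforcement boundary for all confined domains for as long as this module is loaded; the one-line `.if` description should make that explicit, e.g. `## Loading this module lets every domain send and receive unlabeled packets; leave it out on hosts that rely on packet labeling.`. The `temporary hack` comment carries no tracking reference, so add a pointer to the kernel feature or issue it waits on so the rule can be retired. Pulling `attribute domain` in through a raw `gen_require` in a .te file is also unusual for this tree; if a kernel-module interface for unlabeled packets exists it should be preferred over the bare allow.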
+diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
+index 834a065..ff93697 100644
+--- a/policy/modules/roles/auditadm.te
++++ b/policy/modules/roles/auditadm.te
+@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0)
+
+ role auditadm_r;
+ role system_r;
+-userdom_unpriv_user_template(auditadm)
++userdom_confined_admin_template(auditadm)
+
+ ########################################
+ #
+@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t)
+
+ domain_kill_all_domains(auditadm_t)
+
++mls_file_read_all_levels(auditadm_t)
++
++selinux_read_policy(auditadm_t)
++
+ logging_send_syslog_msg(auditadm_t)
+ logging_read_generic_logs(auditadm_t)
+ logging_manage_audit_log(auditadm_t)
+ logging_manage_audit_config(auditadm_t)
+ logging_run_auditctl(auditadm_t, auditadm_r)
+ logging_run_auditd(auditadm_t, auditadm_r)
++logging_stream_connect_syslog(auditadm_t)
+
+ seutil_run_runinit(auditadm_t, auditadm_r)
+ seutil_read_bin_policy(auditadm_t)
+
++userdom_dontaudit_search_admin_dir(auditadm_t)
++
+ optional_policy(`
+ consoletype_exec(auditadm_t)
+ ')
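Review bot: `mls_file_read_all_levels(auditadm_t)` is an MLS read override added unconditionally and without a comment, while the rest of the role only touches audit logs and audit configuration; state why reading files at every level is required (presumably audit logs written at the highest level) and whether it should sit under `ifdef(`enable_mls',`...')` like other MLS-only grants. A comment such as `# audit logs are labeled at system high; allow the audit admin to read across levels` would be enough for a reviewer to judge the grant.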
+diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
+index 3a45a3e..7499f24 100644
+--- a/policy/modules/roles/logadm.te
++++ b/policy/modules/roles/logadm.te
+@@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0)
+
+ role logadm_r;
+
+-userdom_base_user_template(logadm)
++userdom_confined_admin_template(logadm)
+
+ ########################################
+ #
+ # logadmin local policy
+ #
+
+-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+-
++allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
+ logging_admin(logadm_t, logadm_r)
+diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
+index da11120..621ec5a 100644
+--- a/policy/modules/roles/secadm.te
++++ b/policy/modules/roles/secadm.te
+@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0)
+
+ role secadm_r;
+
+-userdom_unpriv_user_template(secadm)
+-userdom_security_admin_template(secadm_t, secadm_r)
++userdom_confined_admin_template(secadm)
++userdom_security_admin(secadm_t, secadm_r)
++userdom_inherit_append_admin_home_files(secadm_t)
++userdom_read_admin_home_files(secadm_t)
++userdom_manage_tmp_role(secadm_r, secadm_t)
+
+ ########################################
+ #
+@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r)
+
+ allow secadm_t self:capability { dac_read_search dac_override };
+
++kernel_read_system_state(secadm_t)
++
+ corecmd_exec_shell(secadm_t)
+
+ dev_relabel_all_dev_nodes(secadm_t)
++dev_read_urand(secadm_t)
+
+ domain_obj_id_change_exemption(secadm_t)
+
+@@ -30,8 +36,7 @@ mls_file_upgrade(secadm_t)
+ mls_file_downgrade(secadm_t)
+
+ auth_role(secadm_r, secadm_t)
+-files_relabel_non_auth_files(secadm_t)
+-auth_relabel_shadow(secadm_t)
++files_relabel_all_files(secadm_t)
+
+ init_exec(secadm_t)
+
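Review bot: Replacing `files_relabel_non_auth_files` plus `auth_relabel_shadow` with `files_relabel_all_files(secadm_t)` widens secadm_t from a named exception list to every file type if the interface is the refpolicy one, and together with `domain_obj_id_change_exemption(secadm_t)` in the hunk above it lets the role move any file into any type, which is a powerful primitive even for a security administrator. If the intent was only to cover shadow, the removed pair already did that, so the broader grant deserves a comment stating its reason, e.g. `# secadm must relabel any file, including auth and policy files, so use the unrestricted interface`. The interface bodies are outside this diff, so the exact scope of the widening cannot be confirmed here.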
+diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
+index 234a940..d340f20 100644
+--- a/policy/modules/roles/staff.if
++++ b/policy/modules/roles/staff.if
+@@ -1,4 +1,4 @@
+-## Administrator's unprivileged user role
++## Administrator's unprivileged user
+
+ ########################################
+ ##
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index 0fef1fc..75442d6 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
+ role staff_r;
+
+ userdom_unpriv_user_template(staff)
++fs_exec_noxattr(staff_t)
++
++##
++##
++## allow staff user to create and transition to svirt domains.
++##
++##
++gen_tunable(staff_use_svirt, false)
+
+ ########################################
+ #
+ # Local policy
+ #
+
++kernel_read_ring_buffer(staff_t)
++kernel_getattr_core_if(staff_t)
++kernel_getattr_message_if(staff_t)
++kernel_read_software_raid_state(staff_t)
++kernel_read_fs_sysctls(staff_t)
++kernel_read_numa_state(staff_t)
++kernel_write_numa_state(staff_t)
++
++fs_read_hugetlbfs_files(staff_t)
++files_dontaudit_read_all_symlinks(staff_t)
++
++dev_read_cpuid(staff_t)
++dev_read_kmsg(staff_t)
++
++domain_read_all_domains_state(staff_t)
++domain_getcap_all_domains(staff_t)
++domain_getsched_all_domains(staff_t)
++domain_getattr_all_domains(staff_t)
++domain_obj_id_change_exemption(staff_t)
++
++files_read_kernel_modules(staff_t)
++
++seutil_read_module_store(staff_t)
++seutil_run_newrole(staff_t, staff_r)
++seutil_dbus_chat_semanage(staff_t)
++seutil_read_login_config(staff_t)
++
++storage_read_scsi_generic(staff_t)
++storage_write_scsi_generic(staff_t)
++
++term_use_unallocated_ttys(staff_t)
++
++auth_domtrans_pam_console(staff_t)
++
++init_dbus_chat(staff_t)
++init_dbus_chat_script(staff_t)
++init_status(staff_t)
++
++miscfiles_read_hwdata(staff_t)
++
++ifndef(`enable_mls',`
++ selinux_read_policy(staff_t)
++')
++
++optional_policy(`
++ abrt_read_cache(staff_t)
++')
++
++optional_policy(`
++ accountsd_read_lib_files(staff_t)
++')
++
+ optional_policy(`
+ apache_role(staff_r, staff_t)
+ ')
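Review bot: Several grants in this hunk are out of proportion for a domain the file still describes as an unprivileged user: `domain_obj_id_change_exemption(staff_t)` exempts staff from the constraint on changing the SELinux user and role of objects, `storage_write_scsi_generic(staff_t)` allows writes to raw SCSI generic nodes, and `fs_exec_noxattr(staff_t)` allows executing binaries from unlabeled filesystems. DAC still applies, but each of these removes SELinux as an independent check, so they should be gated behind a boolean the way `staff_use_svirt` gates KVM access in this same module, or at least carry a comment naming the use case; `kernel_write_numa_state(staff_t)` also needs a justification. The interface definitions are outside this diff, so the exact permissions granted cannot be confirmed here.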
+@@ -23,11 +83,115 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ blueman_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ kdumpgui_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ bluetooth_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ chrome_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ colord_dbus_chat(staff_t)
++')
++
++optional_policy(`
+ dbadm_role_change(staff_r)
+ ')
+
+ optional_policy(`
+- git_role(staff_r, staff_t)
++ docker_stream_connect(staff_t)
++ docker_exec(staff_t)
++')
++
++optional_policy(`
++ dnsmasq_read_pid_files(staff_t)
++')
++
++optional_policy(`
++ dmesg_exec(staff_t)
++')
++
++optional_policy(`
++ firewalld_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ firewallgui_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ freqset_run(staff_t, staff_r)
++')
++
++optional_policy(`
++ irc_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ journalctl_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ kerneloops_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ logadm_role_change(staff_r)
++')
++
++optional_policy(`
++ lpd_list_spool(staff_t)
++')
++
++optional_policy(`
++ mock_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ mozilla_run_plugin(staff_t, staff_r)
++')
++
++optional_policy(`
++ modutils_read_module_config(staff_t)
++ modutils_read_module_deps(staff_t)
++')
++
++optional_policy(`
++ netutils_run_ping(staff_t, staff_r)
++ netutils_run_traceroute(staff_t, staff_r)
++ netutils_signal_ping(staff_t)
++ netutils_kill_ping(staff_t)
++')
++
++optional_policy(`
++ oident_manage_user_content(staff_t)
++ oident_relabel_user_content(staff_t)
++')
++
++optional_policy(`
++ mta_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ mysql_exec(staff_t)
++')
++
++optional_policy(`
++ polipo_role(staff_r, staff_t)
++ polipo_named_filetrans_cache_home_dirs(staff_t)
++ polipo_named_filetrans_config_home_files(staff_t)
++')
++
++optional_policy(`
++ openvpn_exec(staff_t)
+ ')
+
+ optional_policy(`
+@@ -35,15 +199,31 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rtkit_scheduled(staff_t)
++')
++
++optional_policy(`
++ rpm_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ rwho_read_spool_files(staff_t)
++')
++
++optional_policy(`
+ secadm_role_change(staff_r)
+ ')
+
+ optional_policy(`
+- ssh_role_template(staff, staff_r, staff_t)
++ sandbox_transition(staff_t, staff_r)
+ ')
+
+ optional_policy(`
+- sudo_role_template(staff, staff_r, staff_t)
++ sandbox_x_transition(staff_t, staff_r)
++')
++
++optional_policy(`
++ screen_role_template(staff, staff_r, staff_t)
+ ')
+
+ optional_policy(`
+@@ -52,11 +232,60 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_read_unit_files(staff_t)
++ systemd_exec_systemctl(staff_t)
++')
++
++optional_policy(`
++ setroubleshoot_stream_connect(staff_t)
++ setroubleshoot_dbus_chat(staff_t)
++ setroubleshoot_dbus_chat_fixit(staff_t)
++')
++
++optional_policy(`
++ ssh_role_template(staff, staff_r, staff_t)
++')
++
++optional_policy(`
++ sudo_role_template(staff, staff_r, staff_t)
++')
++
++optional_policy(`
++ userhelper_console_role_template(staff, staff_r, staff_t)
++')
++
++optional_policy(`
++ unconfined_role_change(staff_r)
++')
++
++optional_policy(`
++ usbmuxd_stream_connect(staff_t)
++')
++
++optional_policy(`
++ virt_getattr_exec(staff_t)
++ virt_search_images(staff_t)
++ virt_stream_connect(staff_t)
++')
++
++optional_policy(`
+ vlock_run(staff_t, staff_r)
+ ')
+
+ optional_policy(`
+- xserver_role(staff_r, staff_t)
++ vmtools_run_helper(staff_t, staff_r)
++')
++
++optional_policy(`
++ vnstatd_read_lib_files(staff_t)
++')
++
++optional_policy(`
++ webadm_role_change(staff_r)
++')
++
++optional_policy(`
++ xserver_read_log(staff_t)
+ ')
+
+ ifndef(`distro_redhat',`
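Review bot: `unconfined_role_change(staff_r)` lets a staff session change into the unconfined role whenever the unconfined module is loaded, and with `seutil_run_newrole(staff_t, staff_r)` added earlier in this file that creates a path from a confined user to an unconfined one that only PAM authentication gates; this should be stated next to the grant, e.g. `# staff may newrole to unconfined_r; drop this on hosts where staff must stay confined`. `virt_stream_connect(staff_t)` raises the same concern as the docker socket grant in the previous hunk, since the libvirt control socket can define guests with arbitrary host disk access, so it should be documented or gated the same way.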
+@@ -65,10 +294,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- bluetooth_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ cdrecord_role(staff_r, staff_t)
+ ')
+
+@@ -78,10 +303,6 @@ ifndef(`distro_redhat',`
+
+ optional_policy(`
+ dbus_role_template(staff, staff_r, staff_t)
+-
+- optional_policy(`
+- gnome_role_template(staff, staff_r, staff_t)
+- ')
+ ')
+
+ optional_policy(`
+@@ -101,10 +322,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- irc_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ java_role(staff_r, staff_t)
+ ')
+
+@@ -125,10 +342,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- mta_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ pyzor_role(staff_r, staff_t)
+ ')
+
+@@ -141,10 +354,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- screen_role_template(staff, staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ spamassassin_role(staff_r, staff_t)
+ ')
+
+@@ -176,3 +385,22 @@ ifndef(`distro_redhat',`
+ wireshark_role(staff_r, staff_t)
+ ')
+ ')
++
++tunable_policy(`selinuxuser_execmod',`
++ userdom_execmod_user_home_files(staff_t)
++')
++
++optional_policy(`
++ virt_transition_svirt(staff_t, staff_r)
++ virt_filetrans_home_content(staff_t)
++')
++
++optional_policy(`
++ tunable_policy(`staff_use_svirt',`
++ allow staff_t self:fifo_file relabelfrom;
++ dev_rw_kvm(staff_t)
++ virt_manage_images(staff_t)
++ virt_stream_connect_svirt(staff_t)
++ virt_exec(staff_t)
++ ')
++')
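Review bot: `tunable_policy(`staff_use_svirt'` in the last block relies on a boolean whose `gen_tunable` declaration and description are not in this hunk; if it is not declared in an earlier part of staff.te or in global_tunables the module will not build, and either way its default decides whether staff_t gets `dev_rw_kvm` and `virt_manage_images` out of the box, so the declaration belongs in this module's Declarations section with a description. The raw `allow staff_t self:fifo_file relabelfrom;` inside the tunable is undocumented; a one-line comment naming the svirt operation that needs it (`# needed for <operation> when launching svirt guests — TODO confirm`) would help the next reviewer. `virt_transition_svirt(staff_t, staff_r)` sits outside the tunable, so the transition itself is always allowed while only the image and kvm access is gated; worth a comment if that split is intentional.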
+diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
+index ff92430..36740ea 100644
+--- a/policy/modules/roles/sysadm.if
++++ b/policy/modules/roles/sysadm.if
+@@ -70,6 +70,23 @@ interface(`sysadm_shell_domtrans',`
+ allow sysadm_t $1:process sigchld;
+ ')
+
++#######################################
++##
++## sysadm stub interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sysadm_stub',`
++ gen_require(`
++ type sysadm_t;
++ role sysadm_r;
++ ')
++')
++
+ ########################################
+ ##
+ ## Execute a generic bin program in the sysadm domain.
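Review bot: The parameter block of `sysadm_stub` documents `$1` as "Domain allowed access", but the interface body only requires `sysadm_t` and `sysadm_r` and never references `$1`, so the documentation promises a parameter the interface ignores. Either drop the param block so it matches how stubs are used elsewhere in this patch (`ntp_stub()` is called with no argument in sysadm.te), or change the description to `## Unused; present for interface-signature compatibility.`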
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 2522ca6..3651c0c 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
+ # Declarations
+ #
+
+-##
+-##
+-## Allow sysadm to debug or ptrace all processes.
+-##
+-##
+-gen_tunable(allow_ptrace, false)
+-
+ role sysadm_r;
+
+ userdom_admin_user_template(sysadm)
++allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+
+-ifndef(`enable_mls',`
+- userdom_security_admin_template(sysadm_t, sysadm_r)
+-')
+
+ ########################################
+ #
+ # Local policy
+ #
++kernel_read_fs_sysctls(sysadm_t)
++kernel_read_all_proc(sysadm_t)
+
+ corecmd_exec_shell(sysadm_t)
+
++dev_filetrans_all_named_dev(sysadm_t)
++
++domain_dontaudit_read_all_domains_state(sysadm_t)
++
++files_read_kernel_modules(sysadm_t)
++files_filetrans_named_content(sysadm_t)
++files_status_etc(sysadm_t)
++
++fs_mount_fusefs(sysadm_t)
++
++storage_filetrans_all_named_dev(sysadm_t)
++
++term_filetrans_all_named_dev(sysadm_t)
++
+ mls_process_read_up(sysadm_t)
++mls_file_read_all_levels(sysadm_t)
++mls_file_write_all_levels(sysadm_t)
++mls_file_read_to_clearance(sysadm_t)
++mls_process_write_to_clearance(sysadm_t)
++
++storage_setattr_fixed_disk_dev(sysadm_t)
+
+ ubac_process_exempt(sysadm_t)
+ ubac_file_exempt(sysadm_t)
+ ubac_fd_exempt(sysadm_t)
+
++application_exec(sysadm_t)
++
++init_filetrans_named_content(sysadm_t)
++init_disable_services(sysadm_t)
++init_enable_services(sysadm_t)
++init_reload_services(sysadm_t)
+ init_exec(sysadm_t)
++init_exec_script_files(sysadm_t)
++init_dbus_chat(sysadm_t)
++init_script_role_transition(sysadm_r)
++init_status(sysadm_t)
++init_reboot(sysadm_t)
++init_halt(sysadm_t)
++init_undefined(sysadm_t)
++
++logging_filetrans_named_content(sysadm_t)
++
++miscfiles_filetrans_named_content(sysadm_t)
++miscfiles_read_hwdata(sysadm_t)
++
++sysnet_filetrans_named_content(sysadm_t)
+
+ # Add/remove user home directories
++userdom_manage_user_tmp_chr_files(sysadm_t)
+ userdom_manage_user_home_dirs(sysadm_t)
+ userdom_home_filetrans_user_home_dir(sysadm_t)
++userdom_manage_tmp_role(sysadm_r, sysadm_t)
++userdom_exec_admin_home_files(sysadm_t)
++
++optional_policy(`
++ abrt_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ alsa_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ ssh_filetrans_admin_home_content(sysadm_t)
++ ssh_filetrans_keys(sysadm_t)
++')
+
+ ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
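Review bot: `mls_file_write_all_levels(sysadm_t)` in the MLS group of this hunk is now unconditional in the base sysadm module and is repeated verbatim in the new sysadm_secadm.te module added later in this patch, so the split that moves `userdom_security_admin_template` and the audit-log interfaces into an optional secadm module does not actually make the MLS write override optional. Keeping the rule only in sysadm_secadm.te would make that module the single place that grants it; if sysadm_t genuinely needs it regardless, the duplicate in sysadm_secadm.te should go and a comment should say why the base role carries it. Separately, `allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;` is placed in the Declarations section above the "Local policy" header, where the file otherwise only declares the role and the user template; it belongs with the other local rules.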
+@@ -55,13 +104,7 @@ ifdef(`distro_gentoo',`
+ init_exec_rc(sysadm_t)
+ ')
+
+-ifndef(`enable_mls',`
+- logging_manage_audit_log(sysadm_t)
+- logging_manage_audit_config(sysadm_t)
+- logging_run_auditctl(sysadm_t, sysadm_r)
+-')
+-
+-tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(sysadm_t)
+ ')
+
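Review bot: Replacing `tunable_policy(`allow_ptrace'` with `tunable_policy(`deny_ptrace',`',`` inverts the default posture: `domain_ptrace_all_domains(sysadm_t)` was granted only when an opt-in boolean was set and is now granted unless an opt-out boolean is set, while the `gen_tunable(allow_ptrace, false)` declaration is deleted in the first hunk of this file. Whether the new default is restrictive depends entirely on the default of `deny_ptrace`, which is declared somewhere outside the hunks visible here, and any deployment that relied on `allow_ptrace` staying off silently loses that setting. A comment above the block, e.g. `# ptrace of all domains is allowed unless deny_ptrace is set (declared outside this module); replaces the opt-in allow_ptrace`, would record the inversion for auditors.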
+@@ -71,9 +114,9 @@ optional_policy(`
+
+ optional_policy(`
+ apache_run_helper(sysadm_t, sysadm_r)
++ apache_filetrans_named_content(sysadm_t)
+ #apache_run_all_scripts(sysadm_t, sysadm_r)
+ #apache_domtrans_sys_script(sysadm_t)
+- apache_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -87,6 +130,7 @@ optional_policy(`
+
+ optional_policy(`
+ asterisk_stream_connect(sysadm_t)
++ asterisk_exec(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -110,11 +154,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ certmonger_dbus_chat(sysadm_t)
++')
++
++optional_policy(`
+ certwatch_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+ clock_run(sysadm_t, sysadm_r)
++ clock_manage_adjtime(sysadm_t)
++ clock_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -122,11 +172,27 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- consoletype_run(sysadm_t, sysadm_r)
++ cron_admin_role(sysadm_r, sysadm_t)
++')
++
++optional_policy(`
++ consoletype_exec(sysadm_t)
+ ')
+
+ optional_policy(`
+- cvs_exec(sysadm_t)
++ daemonstools_run_start(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
++ dbus_role_template(sysadm, sysadm_r, sysadm_t)
++
++ dontaudit sysadm_dbusd_t self:capability net_admin;
++
++ optional_policy(`
++ systemd_dbus_chat_timedated(sysadm_t)
++ systemd_dbus_chat_hostnamed(sysadm_t)
++ systemd_dbus_chat_localed(sysadm_t)
++ ')
+ ')
+
+ optional_policy(`
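Review bot: The new `cron_admin_role(sysadm_r, sysadm_t)` block is inserted before `consoletype_exec(sysadm_t)`, which breaks the alphabetical ordering this file keeps for `optional_policy` blocks; swap the two blocks. Within the `dbus_role_template` block, `dontaudit sysadm_dbusd_t self:capability net_admin;` is a raw rule with no comment on why the sysadm dbus helper attempts `net_admin`; a short `# <reason> — TODO confirm` would keep a later reader from mistaking it for a needed allow.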
+@@ -140,6 +206,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ devicekit_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
+ dmesg_exec(sysadm_t)
+ ')
+
+@@ -156,6 +226,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ firewalld_dbus_chat(sysadm_t)
++')
++
++optional_policy(`
+ fstools_run(sysadm_t, sysadm_r)
+ ')
+
+@@ -175,6 +249,13 @@ optional_policy(`
+ ipsec_stream_connect(sysadm_t)
+ # for lsof
+ ipsec_getattr_key_sockets(sysadm_t)
++ ipsec_run_setkey(sysadm_t, sysadm_r)
++ ipsec_run_racoon(sysadm_t, sysadm_r)
++ ipsec_stream_connect_racoon(sysadm_t)
++
++ optional_policy(`
++ ipsec_mgmt_dbus_chat(sysadm_t)
++ ')
+ ')
+
+ optional_policy(`
+@@ -182,15 +263,20 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- kudzu_run(sysadm_t, sysadm_r)
++ irc_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+- libs_run_ldconfig(sysadm_t, sysadm_r)
++ kerberos_exec_kadmind(sysadm_t)
++ kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ kudzu_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- lockdev_role(sysadm_r, sysadm_t)
++ libs_run_ldconfig(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -210,22 +296,20 @@ optional_policy(`
+ modutils_run_depmod(sysadm_t, sysadm_r)
+ modutils_run_insmod(sysadm_t, sysadm_r)
+ modutils_run_update_mods(sysadm_t, sysadm_r)
++ modutils_read_module_deps(sysadm_t)
++ modules_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+ mount_run(sysadm_t, sysadm_r)
+-')
+-
+-optional_policy(`
+- mozilla_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+- mplayer_role(sysadm_r, sysadm_t)
++ mount_run_showmount(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+ mta_role(sysadm_r, sysadm_t)
++ # this is defined in userdom_common_user_template
++ #mta_filetrans_home_content(sysadm_t)
++ mta_filetrans_admin_home_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -237,14 +321,28 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ncftool_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ netutils_run(sysadm_t, sysadm_r)
+ netutils_run_ping(sysadm_t, sysadm_r)
+ netutils_run_traceroute(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
++ networkmanager_filetrans_named_content(sysadm_t)
++ networkmanager_stream_connect(sysadm_t)
++')
++
++optional_policy(`
+ ntp_stub()
+ corenet_udp_bind_ntp_port(sysadm_t)
++ ntp_admin(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
++ nx_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -252,10 +350,20 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ openvpn_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ pcmcia_run_cardctl(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
++ polipo_role(sysadm_r, sysadm_t)
++ polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
++ polipo_named_filetrans_admin_config_home_files(sysadm_t)
++')
++
++optional_policy(`
+ portage_run(sysadm_t, sysadm_r)
+ portage_run_fetch(sysadm_t, sysadm_r)
+ portage_run_gcc_config(sysadm_t, sysadm_r)
+@@ -266,35 +374,41 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- pyzor_role(sysadm_r, sysadm_t)
++ postfix_admin(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- quota_run(sysadm_t, sysadm_r)
++ postgresql_admin(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- raid_run_mdadm(sysadm_r, sysadm_t)
++ prelink_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- razor_role(sysadm_r, sysadm_t)
++ puppet_run_puppetca(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- rpc_domtrans_nfsd(sysadm_t)
++ quota_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+- rpm_run(sysadm_t, sysadm_r)
++ raid_domtrans_mdadm(sysadm_t)
+ ')
+
+ optional_policy(`
+- rssh_role(sysadm_r, sysadm_t)
++ rpc_domtrans_nfsd(sysadm_t)
++')
++
++optional_policy(`
++ rpm_run(sysadm_t, sysadm_r)
++ rpm_dbus_chat(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+ rsync_exec(sysadm_t)
++ rsync_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
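Review bot: `raid_run_mdadm(sysadm_r, sysadm_t)` is replaced by `raid_domtrans_mdadm(sysadm_t)` in the middle of this hunk, and a `_domtrans` interface in refpolicy conventionally grants only the domain transition, not the `role sysadm_r types mdadm_t` association that a `_run` interface carries. Unless the mdadm domain is authorized for sysadm_r elsewhere, the transition will be refused at the role check even though the type-enforcement rules allow it. If that authorization does exist, a comment such as `# role association for mdadm_t is granted in <module placeholder>` next to the call would make the change reviewable.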
+@@ -308,6 +422,7 @@ optional_policy(`
+
+ optional_policy(`
+ screen_role_template(sysadm, sysadm_r, sysadm_t)
++ allow sysadm_screen_t self:capability dac_override;
+ ')
+
+ optional_policy(`
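Review bot: `allow sysadm_screen_t self:capability dac_override;` is a raw allow of a broad capability written directly in the role module right after `screen_role_template`, with no comment on what screen needs it for. dac_override lets the screen domain bypass discretionary file permission checks, so the reason should be recorded, e.g. `# screen needs dac_override for <operation> — TODO confirm`, and the rule would be better placed in an interface in the screen module so every role template receives the same reviewed rule rather than an ad-hoc allow here.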
+@@ -315,12 +430,20 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ setroubleshoot_stream_connect(sysadm_t)
++ setroubleshoot_dbus_chat(sysadm_t)
++ setroubleshoot_dbus_chat_fixit(sysadm_t)
++')
++
++optional_policy(`
+ seutil_run_setfiles(sysadm_t, sysadm_r)
+ seutil_run_runinit(sysadm_t, sysadm_r)
++ seutil_dbus_chat_semanage(sysadm_t)
++ seutil_read_login_config(sysadm_t)
+ ')
+
+ optional_policy(`
+- spamassassin_role(sysadm_r, sysadm_t)
++ shutdown_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -345,7 +468,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- thunderbird_role(sysadm_r, sysadm_t)
++ systemd_passwd_agent_run(sysadm_t, sysadm_r)
++ systemd_config_all_services(sysadm_t)
++ systemd_manage_all_unit_files(sysadm_t)
++ systemd_manage_all_unit_lnk_files(sysadm_t)
++ systemd_login_status(sysadm_t)
++ systemd_login_reboot(sysadm_t)
++ systemd_login_halt(sysadm_t)
++ systemd_login_undefined(sysadm_t)
++')
++
++optional_policy(`
++ tftp_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -356,19 +490,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- tvtime_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ tzdata_domtrans(sysadm_t)
+ ')
+
+ optional_policy(`
+- uml_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+- unconfined_domtrans(sysadm_t)
++ udev_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -380,10 +506,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ usermanage_run_admin_passwd(sysadm_t, sysadm_r)
+ usermanage_run_groupadd(sysadm_t, sysadm_r)
+ usermanage_run_useradd(sysadm_t, sysadm_r)
+@@ -391,6 +513,9 @@ optional_policy(`
+
+ optional_policy(`
+ virt_stream_connect(sysadm_t)
++ virt_filetrans_home_content(sysadm_t)
++ virt_manage_pid_dirs(sysadm_t)
++ virt_transition_svirt_sandbox(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -398,31 +523,34 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- vpn_run(sysadm_t, sysadm_r)
++ vlock_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- webalizer_run(sysadm_t, sysadm_r)
++ vpn_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- wireshark_role(sysadm_r, sysadm_t)
++ webalizer_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- vlock_run(sysadm_t, sysadm_r)
++ xserver_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+- xserver_role(sysadm_r, sysadm_t)
++ yam_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- yam_run(sysadm_t, sysadm_r)
++ zebra_stream_connect(sysadm_t)
+ ')
+
+ ifndef(`distro_redhat',`
+ optional_policy(`
++ apache_role(sysadm_r, sysadm_t)
++ ')
++ optional_policy(`
+ auth_role(sysadm_r, sysadm_t)
+ ')
+
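Review bot: The new `apache_role(sysadm_r, sysadm_t)` block at the end of this hunk is joined to the following `auth_role` block without the blank line every other `optional_policy` pair in this `ifndef(`distro_redhat'` section uses; add the separator after its `')`. Moving `apache_role` out of the unconditional section (removed earlier in this file) means Red Hat builds keep only `apache_run_helper` and `apache_filetrans_named_content` for sysadm; a one-line comment recording that intent would save the next reader from cross-checking both hunks.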
+@@ -435,10 +563,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- cron_admin_role(sysadm_r, sysadm_t)
+- ')
+-
+- optional_policy(`
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
+
+ optional_policy(`
+@@ -459,15 +583,79 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- gpg_role(sysadm_r, sysadm_t)
++ gnome_role_template(sysadm, sysadm_r, sysadm_t)
++ gnome_filetrans_admin_home_content(sysadm_t)
+ ')
+
+ optional_policy(`
+- irc_role(sysadm_r, sysadm_t)
++ gpg_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ java_role(sysadm_r, sysadm_t)
+ ')
+-')
+
++ optional_policy(`
++ lockdev_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ mock_admin(sysadm_t)
++ ')
++
++ optional_policy(`
++ mozilla_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ mplayer_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ pyzor_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ razor_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ rssh_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ spamassassin_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ thunderbird_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ tvtime_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ uml_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ vmtools_run_helper(sysadm_t, sysadm_r)
++ ')
++
++ optional_policy(`
++ vmware_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ wireshark_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ xserver_role(sysadm_r, sysadm_t)
++ ')
++')
+diff --git a/policy/modules/roles/sysadm_secadm.fc b/policy/modules/roles/sysadm_secadm.fc
+new file mode 100644
+index 0000000..ae3b6db
+--- /dev/null
++++ b/policy/modules/roles/sysadm_secadm.fc
+@@ -0,0 +1 @@
++# No context
+diff --git a/policy/modules/roles/sysadm_secadm.if b/policy/modules/roles/sysadm_secadm.if
+new file mode 100644
+index 0000000..bd83148
+--- /dev/null
++++ b/policy/modules/roles/sysadm_secadm.if
+@@ -0,0 +1 @@
++## No Interfaces
+diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te
+new file mode 100644
+index 0000000..63bc797
+--- /dev/null
++++ b/policy/modules/roles/sysadm_secadm.te
+@@ -0,0 +1,25 @@
++policy_module(sysadm_secadm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++gen_require(`
++ type sysadm_t;
++ role sysadm_r;
++')
++
++userdom_security_admin_template(sysadm_t, sysadm_r)
++
++#######################################
++#
++# Local policy
++#
++
++mls_file_write_all_levels(sysadm_t)
++
++logging_manage_audit_log(sysadm_t)
++logging_manage_audit_config(sysadm_t)
++logging_run_auditctl(sysadm_t, sysadm_r)
++logging_stream_connect_syslog(sysadm_t)
+diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
+new file mode 100644
+index 0000000..b680867
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.fc
+@@ -0,0 +1,8 @@
++# Add programs here which should not be confined by SELinux
++# e.g.:
++# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
++#/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++
++/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
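Review bot: The two live entries label `/usr/sbin/xrdp` and `/usr/sbin/xrdp-sesman` as `unconfined_exec_t`, while the only explanatory comment in the file talks about initrc needing to transition to unconfined and immediately precedes a commented-out vncserver entry, so nothing records why a remote-desktop daemon ships unconfined. Since these are the programs SELinux will deliberately not confine, each entry should carry its own justification and a pointer to tracking work, e.g. `# xrdp/xrdp-sesman: no dedicated policy yet, runs unconfined (tracked in <issue placeholder>)` above the two lines. The vncserver note could then be reworded to say it applies to the commented-out entry only.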
+diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
+new file mode 100644
+index 0000000..60a9dbd
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.if
+@@ -0,0 +1,671 @@
++## Unconfined user role
++
++########################################
++##
++## Change from the unconfineduser role.
++##
++##
++##
++## Change from the unconfineduser role to
++## the specified role.
++##
++##
++## This is an interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`unconfined_role_change_to',`
++ gen_require(`
++ role unconfined_r;
++ ')
++
++ allow unconfined_r $1;
++')
++
++########################################
++##
++## Transition to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_domtrans',`
++ gen_require(`
++ type unconfined_t, unconfined_exec_t;
++ ')
++
++ domtrans_pattern($1,unconfined_exec_t,unconfined_t)
++')
++
++########################################
++##
++## Execute specified programs in the unconfined domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++##
++##
++## The role to allow the unconfined domain.
++##
++##
++#
++interface(`unconfined_run',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ unconfined_domtrans($1)
++ role $2 types unconfined_t;
++')
++
++########################################
++##
++## Transition to the unconfined domain by executing a shell.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_shell_domtrans',`
++ gen_require(`
++ attribute unconfined_login_domain;
++ ')
++ typeattribute $1 unconfined_login_domain;
++')
++
++########################################
++##
++## Allow unconfined to execute the specified program in
++## the specified domain.
++##
++##
++##
++## Allow unconfined to execute the specified program in
++## the specified domain.
++##
++##
++## This is a interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Domain to execute in.
++##
++##
++##
++##
++## Domain entry point file.
++##
++##
++#
++interface(`unconfined_domtrans_to',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ domtrans_pattern(unconfined_t,$2,$1)
++')
++
++########################################
++##
++## Allow unconfined to execute the specified program in
++## the specified domain. Allow the specified domain the
++## unconfined role and use of unconfined user terminals.
++##
++##
++##
++## Allow unconfined to execute the specified program in
++## the specified domain. Allow the specified domain the
++## unconfined role and use of unconfined user terminals.
++##
++##
++## This is a interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Domain to execute in.
++##
++##
++##
++##
++## Domain entry point file.
++##
++##
++#
++interface(`unconfined_run_to',`
++ gen_require(`
++ type unconfined_t;
++ role unconfined_r;
++ ')
++
++ domtrans_pattern(unconfined_t,$2,$1)
++ role unconfined_r types $1;
++ userdom_use_user_terminals($1)
++')
++
++######################################
++##
++## Stub unconfined role.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_stub_role',`
++ gen_require(`
++ role unconfined_r;
++ ')
++')
++
++########################################
++##
++## Inherit file descriptors from the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_use_fds',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fd use;
++')
++
++########################################
++##
++## Send a SIGCHLD signal to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_sigchld',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process sigchld;
++')
++
++########################################
++##
++## Send a SIGNULL signal to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_signull',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process signull;
++')
++
++########################################
++##
++## Send generic signals to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_signal',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process signal;
++')
++
++########################################
++##
++## Send generic signals to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_setsched',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process setsched;
++')
++
++########################################
++##
++## Read unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_read_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dontaudit_read_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:fifo_file read;
++')
++
++########################################
++##
++## Read and write unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_rw_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## unconfined domain unnamed pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## unconfined domain stream.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_stream',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
++')
++
++########################################
++##
++## Connect to the unconfined domain using
++## a unix domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_stream_connect',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:unix_stream_socket connectto;
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## unconfined domain tcp sockets.
++##
++##
++##
++## Do not audit attempts to read or write
++## unconfined domain tcp sockets.
++##
++##
++## This interface was added due to a broken
++## symptom in ldconfig.
++##
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_tcp_sockets',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:tcp_socket { read write };
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## unconfined domain packet sockets.
++##
++##
++##
++## Do not audit attempts to read or write
++## unconfined domain packet sockets.
++##
++##
++## This interface was added due to a broken
++## symptom.
++##
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_packet_sockets',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:packet_socket { read write };
++')
++
++########################################
++##
++## Create keys for the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_create_keys',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:key create;
++')
++
++########################################
++##
++## Write keys for the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_write_keys',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:key write;
++')
++
++########################################
++##
++## Send messages to the unconfined domain over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_send',`
++ gen_require(`
++ type unconfined_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 unconfined_t:dbus send_msg;
++')
++
++########################################
++##
++## Send and receive messages from
++## unconfined_t over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_chat',`
++ gen_require(`
++ type unconfined_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 unconfined_t:dbus send_msg;
++ allow unconfined_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Connect to the the unconfined DBUS
++## for service (acquire_svc).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_connect',`
++ gen_require(`
++ type unconfined_t;
++ class dbus acquire_svc;
++ ')
++
++ allow $1 unconfined_t:dbus acquire_svc;
++')
++
++########################################
++##
++## Allow ptrace of unconfined domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_ptrace',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process ptrace;
++')
++
++########################################
++##
++## Read and write to unconfined shared memory.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`unconfined_rw_shm',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:shm rw_shm_perms;
++')
++
++########################################
++##
++## Allow apps to set rlimits on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_set_rlimitnh',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process rlimitinh;
++')
++
++########################################
++##
++## Get the process group of unconfined.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_getpgid',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process getpgid;
++')
++
++########################################
++##
++## Change to the unconfined role.
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`unconfined_role_change',`
++ gen_require(`
++ role unconfined_r;
++ ')
++
++ allow $1 unconfined_r;
++')
++
++########################################
++##
++## Allow domain to attach to TUN devices created by unconfined_t users.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_attach_tun_iface',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:tun_socket relabelfrom;
++ allow $1 self:tun_socket relabelto;
++')
++
++########################################
++##
++## Allow domain to transition to unconfined_t user
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_transition',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ domtrans_pattern($1,$2,unconfined_t)
++ allow unconfined_t $2:file entrypoint;
++ allow $1 unconfined_t:process signal_perms;
++')
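Review bot: In `unconfined_transition`, the second parameter is documented as "Domain allowed access" although the body uses `$2` as the entry-point file type in `domtrans_pattern($1,$2,unconfined_t)` and `allow unconfined_t $2:file entrypoint;`; the description should read `## Domain entry point file type.` as it does for `unconfined_domtrans_to`. That explicit entrypoint allow also looks redundant, since refpolicy's `domtrans_pattern` already grants `$3 $2:file entrypoint` as part of the auto-transition pattern — worth confirming and dropping if so. Two smaller slips elsewhere in the hunk: the summary of `unconfined_setsched` is a copy of the `unconfined_signal` summary ("Send generic signals ...") and should say it allows setting the scheduler of the unconfined domain, and `unconfined_dontaudit_rw_pipes` uses `rw_file_perms` on `fifo_file` whereas the matching `unconfined_rw_pipes` uses `rw_fifo_file_perms`.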
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+new file mode 100644
+index 0000000..45aab67
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.te
+@@ -0,0 +1,339 @@
++policy_module(unconfineduser, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++attribute unconfined_login_domain;
++
++##
++##
++## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
++##
++##
++gen_tunable(unconfined_chrome_sandbox_transition, false)
++
++##
++##
++## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
++##
++##
++gen_tunable(unconfined_mozilla_plugin_transition, false)
++
++##
++##
++## Allow a user to login as an unconfined domain
++##
++##
++gen_tunable(unconfined_login, true)
++
++# usage in this module of types created by these
++# calls is not correct, however we dont currently
++# have another method to add access to these types
++userdom_base_user_template(unconfined)
++userdom_manage_home_role(unconfined_r, unconfined_t)
++userdom_manage_tmp_role(unconfined_r, unconfined_t)
++userdom_unpriv_type(unconfined_t)
++
++type unconfined_exec_t;
++application_domain(unconfined_t, unconfined_exec_t)
++role unconfined_r types unconfined_t;
++role_transition system_r unconfined_exec_t unconfined_r;
++allow system_r unconfined_r;
++
++domain_user_exemption_target(unconfined_t)
++allow system_r unconfined_r;
++allow unconfined_r system_r;
++init_script_role_transition(unconfined_r)
++role system_r types unconfined_t;
++typealias unconfined_t alias unconfined_crontab_t;
++
++########################################
++#
++# Local policy
++#
++
++dontaudit unconfined_t self:dir write;
++dontaudit unconfined_t self:file setattr;
++
++allow unconfined_t self:system syslog_read;
++dontaudit unconfined_t self:capability sys_module;
++
++kernel_rw_unlabeled_socket(unconfined_t)
++kernel_rw_unlabeled_rawip_socket(unconfined_t)
++
++files_create_boot_flag(unconfined_t)
++files_create_default_dir(unconfined_t)
++files_root_filetrans_default(unconfined_t, dir)
++
++init_domtrans_script(unconfined_t)
++init_telinit(unconfined_t)
++
++logging_send_syslog_msg(unconfined_t)
++
++systemd_config_all_services(unconfined_t)
++
++unconfined_domain_noaudit(unconfined_t)
++domain_named_filetrans(unconfined_t)
++domain_transition_all(unconfined_t)
++
++usermanage_run_passwd(unconfined_t, unconfined_r)
++
++tunable_policy(`deny_execmem',`',`
++ allow unconfined_t self:process execmem;
++')
++
++tunable_policy(`selinuxuser_execstack',`
++ allow unconfined_t self:process execstack;
++')
++
++tunable_policy(`selinuxuser_execmod',`
++ userdom_execmod_user_home_files(unconfined_t)
++')
++
++tunable_policy(`unconfined_login',`
++ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
++ allow unconfined_t unconfined_login_domain:fd use;
++ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
++ allow unconfined_t unconfined_login_domain:process sigchld;
++')
++
++optional_policy(`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ optional_policy(`
++ abrt_dbus_chat(unconfined_t)
++ abrt_run_helper(unconfined_t, unconfined_r)
++ ')
++
++ optional_policy(`
++ avahi_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ blueman_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ certmonger_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat(unconfined_t)
++ devicekit_dbus_chat_disk(unconfined_t)
++ devicekit_dbus_chat_power(unconfined_t)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ rtkit_scheduled(unconfined_t)
++ ')
++
++ # Might remove later if this proves to be problematic, but would like to gather AVCs
++ optional_policy(`
++ thumb_role(unconfined_r, unconfined_t)
++ ')
++
++ optional_policy(`
++ setroubleshoot_dbus_chat(unconfined_t)
++ setroubleshoot_dbus_chat_fixit(unconfined_t)
++ ')
++
++ optional_policy(`
++ sandbox_transition(unconfined_t, unconfined_r)
++ ')
++
++ optional_policy(`
++ sandbox_x_transition(unconfined_t, unconfined_r)
++ ')
++
++ optional_policy(`
++ vmtools_run_helper(unconfined_t, unconfined_r)
++ ')
++
++ optional_policy(`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ xserver_rw_session(unconfined_t, user_tmpfs_t)
++ xserver_dbus_chat_xdm(unconfined_t)
++ ')
++')
++
++ifdef(`distro_gentoo',`
++ seutil_run_runinit(unconfined_t, unconfined_r)
++ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ accountsd_dbus_chat(unconfined_t)
++')
++
++optional_policy(`
++ cron_unconfined_role(unconfined_r, unconfined_t)
++')
++
++optional_policy(`
++ chrome_role_notrans(unconfined_r, unconfined_t)
++
++ tunable_policy(`unconfined_chrome_sandbox_transition',`
++ chrome_domtrans_sandbox(unconfined_t)
++ ')
++')
++
++optional_policy(`
++ dbus_role_template(unconfined, unconfined_r, unconfined_t)
++ role system_r types unconfined_dbusd_t;
++
++ optional_policy(`
++ unconfined_domain_noaudit(unconfined_dbusd_t)
++
++ optional_policy(`
++ xserver_rw_shm(unconfined_dbusd_t)
++ ')
++ ')
++
++ init_dbus_chat(unconfined_t)
++ init_dbus_chat_script(unconfined_t)
++
++ dbus_stub(unconfined_t)
++
++ optional_policy(`
++ bluetooth_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ consolekit_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ cups_dbus_chat_config(unconfined_t)
++ ')
++
++ optional_policy(`
++ fprintd_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ systemd_dbus_chat_timedated(unconfined_t)
++ gnome_dbus_chat_gconfdefault(unconfined_t)
++ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
++ ')
++
++ optional_policy(`
++ ipsec_mgmt_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ kerneloops_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
++ ')
++
++ optional_policy(`
++ oddjob_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ vpn_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ firewalld_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ firewallgui_dbus_chat(unconfined_t)
++ ')
++')
++
++optional_policy(`
++ firstboot_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ fsadm_manage_pid(unconfined_t)
++')
++
++optional_policy(`
++ gpsd_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ anaconda_run_install(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ java_run_unconfined(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ livecd_run(unconfined_t, unconfined_r)
++')
++
++#optional_policy(`
++# mock_role(unconfined_r, unconfined_t)
++#')
++
++optional_policy(`
++ mozilla_role_plugin(unconfined_r)
++
++ tunable_policy(`unconfined_mozilla_plugin_transition', `
++ mozilla_domtrans_plugin(unconfined_t)
++ ')
++')
++
++optional_policy(`
++ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ # Allow SELinux aware applications to request rpm_script execution
++ rpm_transition_script(unconfined_t, unconfined_r)
++ rpm_dbus_chat(unconfined_t)
++')
++
++optional_policy(`
++ optional_policy(`
++ samba_run_unconfined_net(unconfined_t, unconfined_r)
++ ')
++
++ samba_role_notrans(unconfined_r)
++ samba_run_smbcontrol(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ sysnet_run_dhcpc(unconfined_t, unconfined_r)
++ sysnet_dbus_chat_dhcpc(unconfined_t)
++ sysnet_role_transition_dhcpc(unconfined_r)
++')
++
++optional_policy(`
++ openshift_run(unconfined_usertype, unconfined_r)
++')
++
++optional_policy(`
++ virt_transition_svirt(unconfined_t, unconfined_r)
++ virt_transition_svirt_sandbox(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ xserver_run(unconfined_t, unconfined_r)
++ xserver_manage_home_fonts(unconfined_t)
++ xserver_xsession_entry_type(unconfined_t)
++')
++
++gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++
+diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
+index 3835596..fbca2be 100644
+--- a/policy/modules/roles/unprivuser.if
++++ b/policy/modules/roles/unprivuser.if
+@@ -1,4 +1,4 @@
+-## Generic unprivileged user role
++## Generic unprivileged user
+
+ ########################################
+ ##
+diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
+index 6d77e81..79ee03d 100644
+--- a/policy/modules/roles/unprivuser.te
++++ b/policy/modules/roles/unprivuser.te
+@@ -1,5 +1,12 @@
+ policy_module(unprivuser, 2.4.0)
+
++##
++##
++## Allow unprivileged user to create and transition to svirt domains.
++##
++##
++gen_tunable(unprivuser_use_svirt, false)
++
+ # this module should be named user, but that is
+ # a compile error since user is a keyword.
+
+@@ -12,12 +19,98 @@ role user_r;
+
+ userdom_unpriv_user_template(user)
+
++kernel_read_numa_state(user_t)
++kernel_write_numa_state(user_t)
++
++fs_exec_noxattr(user_t)
++fs_read_hugetlbfs_files(user_t)
++
++storage_read_scsi_generic(user_t)
++storage_write_scsi_generic(user_t)
++
++seutil_read_module_store(user_t)
++
++init_dbus_chat(user_t)
++init_status(user_t)
++
++tunable_policy(`selinuxuser_execmod',`
++ userdom_execmod_user_home_files(user_t)
++')
++
++optional_policy(`
++ abrt_read_cache(user_t)
++')
++
+ optional_policy(`
+ apache_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+- git_role(user_r, user_t)
++ blueman_dbus_chat(user_t)
++')
++
++optional_policy(`
++ bluetooth_role(user_r, user_t)
++')
++
++optional_policy(`
++ colord_dbus_chat(user_t)
++')
++
++optional_policy(`
++ chrome_role(user_r, user_t)
++')
++
++optional_policy(`
++ journalctl_role(user_r, user_t)
++')
++
++optional_policy(`
++ irc_role(user_r, user_t)
++')
++
++optional_policy(`
++ oident_manage_user_content(user_t)
++ oident_relabel_user_content(user_t)
++')
++
++optional_policy(`
++ mozilla_run_plugin(user_t, user_r)
++')
++
++optional_policy(`
++ mta_role(user_r, user_t)
++')
++
++optional_policy(`
++ netutils_run_ping_cond(user_t, user_r)
++ netutils_run_traceroute_cond(user_t, user_r)
++')
++
++optional_policy(`
++ polipo_role(user_r, user_t)
++ polipo_named_filetrans_cache_home_dirs(user_t)
++ polipo_named_filetrans_config_home_files(user_t)
++')
++
++optional_policy(`
++ rpm_dontaudit_dbus_chat(user_t)
++')
++
++optional_policy(`
++ rtkit_scheduled(user_t)
++')
++
++optional_policy(`
++ sandbox_transition(user_t, user_r)
++')
++
++optional_policy(`
++ sandbox_x_transition(user_t, user_r)
++')
++
++optional_policy(`
++ ssh_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
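Review bot: `storage_write_scsi_generic(user_t)` near the top of this hunk, together with the read counterpart on the line above it, lets every unprivileged user domain issue raw commands to the generic SCSI device nodes (presumably /dev/sg*), with only DAC on the node left to stop it; that is a far wider grant than anything else in the hunk and nothing gates it. I would put the pair behind a boolean the way `unprivuser_use_svirt` gates `virt_manage_images` later in this file, so a default build does not hand pass-through device control to user_t. Separately, `ssh_role_template(user, user_r, user_t)` is added unconditionally at the end of this hunk while the context of the later `@@ -128` hunk shows the same call still inside the `ifndef(`distro_redhat'` block; if that is what the patched file contains, a non-Red Hat build expands the template twice for the `user` prefix and redeclares `user_ssh_t`, so one of the two calls should go.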
+@@ -25,11 +118,19 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- vlock_run(user_t, user_r)
++ setroubleshoot_dontaudit_stream_connect(user_t)
++')
++
++#optional_policy(`
++# telepathy_dbus_session_role(user_r, user_t)
++#')
++
++optional_policy(`
++ usbmuxd_stream_connect(user_t)
+ ')
+
+ optional_policy(`
+- xserver_role(user_r, user_t)
++ vlock_run(user_t, user_r)
+ ')
+
+ ifndef(`distro_redhat',`
+@@ -102,10 +203,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- mta_role(user_r, user_t)
+- ')
+-
+- optional_policy(`
+ postgresql_role(user_r, user_t)
+ ')
+
+@@ -128,7 +225,6 @@ ifndef(`distro_redhat',`
+ optional_policy(`
+ ssh_role_template(user, user_r, user_t)
+ ')
+-
+ optional_policy(`
+ su_role_template(user, user_r, user_t)
+ ')
+@@ -161,3 +257,19 @@ ifndef(`distro_redhat',`
+ wireshark_role(user_r, user_t)
+ ')
+ ')
++
++optional_policy(`
++ vmtools_run_helper(user_t, user_r)
++')
++
++
++optional_policy(`
++ virt_transition_svirt(user_t, user_r)
++ virt_filetrans_home_content(user_t)
++')
++
++optional_policy(`
++ tunable_policy(`unprivuser_use_svirt',`
++ virt_manage_images(user_t)
++ ')
++')
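Review bot: `virt_transition_svirt(user_t, user_r)` is granted unconditionally in this hunk, yet the `unprivuser_use_svirt` boolean declared at the top of this file is described as allowing the user to "create and transition to svirt domains" and here only guards `virt_manage_images(user_t)`. Either move the transition under the same `tunable_policy(`unprivuser_use_svirt',` block, or narrow the tunable's description to what it actually controls (write access to virt image files); as written, an administrator who turns the boolean off will believe the transition is closed when it is not. The doubled blank line before the `virt_transition_svirt` block is a style nit.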
+diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
+index a26f84f..947af6c 100644
+--- a/policy/modules/services/postgresql.fc
++++ b/policy/modules/services/postgresql.fc
+@@ -10,6 +10,7 @@
+ #
+ /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+ /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+@@ -28,9 +29,10 @@ ifdef(`distro_redhat', `
+ #
+ /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+
+-/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
++/var/lib/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+-/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+
+ /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
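Review bot: Widening `/var/lib/pgsql/data(/.*)?` to `/var/lib/pgsql(/.*)?` labels the whole postgres account home — shell dotfiles, `.psql_history`, anything the account creates — as postgresql_db_t, so every domain given `postgresql_manage_db`, which this same commit upgrades from read/write to full create/delete, can now tamper with that account's login environment rather than just the cluster directory. If the intent is only to catch versioned data directories, a narrower pattern such as `/var/lib/pgsql(/[^/]+)?/data(/.*)?` keeps the dotfiles out; the `\.ssh` entry added to ssh.fc in this commit is more specific and still wins for that subtree. The new `/var/lib/pgsql/.*\.log` entry also has no file-type qualifier, unlike the `/var/lib/sepgsql/pgstartup\.log --` line below it; adding ` -- ` keeps a directory or socket with a `.log` suffix from becoming postgresql_log_t.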
+@@ -45,4 +47,4 @@ ifdef(`distro_redhat', `
+
+ /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+-/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
++#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
+index 9d2f311..9e87525 100644
+--- a/policy/modules/services/postgresql.if
++++ b/policy/modules/services/postgresql.if
+@@ -10,90 +10,21 @@
+ ##
+ ##
+ ##
+-##
++##
+ ## The type of the user domain.
+ ##
+ ##
+ #
+ interface(`postgresql_role',`
+ gen_require(`
+- class db_database all_db_database_perms;
+- class db_schema all_db_schema_perms;
+- class db_table all_db_table_perms;
+- class db_sequence all_db_sequence_perms;
+- class db_view all_db_view_perms;
+- class db_procedure all_db_procedure_perms;
+- class db_language all_db_language_perms;
+- class db_column all_db_column_perms;
+- class db_tuple all_db_tuple_perms;
+- class db_blob all_db_blob_perms;
+-
+- attribute sepgsql_client_type, sepgsql_database_type;
+- attribute sepgsql_schema_type, sepgsql_sysobj_table_type;
+-
+- type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
+- type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t;
+- type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
+- type user_sepgsql_schema_t, user_sepgsql_seq_t;
+- type user_sepgsql_sysobj_t, user_sepgsql_table_t;
+- type user_sepgsql_view_t;
+- type sepgsql_temp_object_t;
++ attribute sepgsql_client_type;
++ type sepgsql_trusted_proc_t;
++ type sepgsql_ranged_proc_t;
+ ')
+
+- ########################################
+- #
+- # Declarations
+- #
+-
+ typeattribute $2 sepgsql_client_type;
+ role $1 types sepgsql_trusted_proc_t;
+ role $1 types sepgsql_ranged_proc_t;
+-
+- ##############################
+- #
+- # Client local policy
+- #
+-
+- tunable_policy(`sepgsql_enable_users_ddl',`
+- allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
+- allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+- allow $2 user_sepgsql_table_t:db_column { create drop setattr };
+- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+- allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
+- allow $2 user_sepgsql_view_t:db_view { create drop setattr };
+- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+- ')
+-
+- allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
+- type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
+- type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
+-
+- allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock };
+- allow $2 user_sepgsql_table_t:db_column { getattr select update insert };
+- allow $2 user_sepgsql_table_t:db_tuple { select update insert delete };
+- type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t;
+-
+- allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
+- type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
+-
+- allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
+- type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
+-
+- allow $2 user_sepgsql_view_t:db_view { getattr expand };
+- type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t;
+-
+- allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
+- type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
+-
+- allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+- type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
+-
+- allow $2 sepgsql_ranged_proc_t:process transition;
+- type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
+- allow sepgsql_ranged_proc_t $2:process dyntransition;
+-
+- allow $2 sepgsql_trusted_proc_t:process transition;
+- type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+ ')
+
+ ########################################
+@@ -312,7 +243,7 @@ interface(`postgresql_search_db',`
+ type postgresql_db_t;
+ ')
+
+- allow $1 postgresql_db_t:dir search;
++ allow $1 postgresql_db_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -324,14 +255,16 @@ interface(`postgresql_search_db',`
+ ## Domain allowed access.
+ ##
+ ##
++#
+ interface(`postgresql_manage_db',`
+ gen_require(`
+ type postgresql_db_t;
+ ')
+
+- allow $1 postgresql_db_t:dir rw_dir_perms;
+- allow $1 postgresql_db_t:file rw_file_perms;
+- allow $1 postgresql_db_t:lnk_file { getattr read };
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t)
++ manage_files_pattern($1, postgresql_db_t, postgresql_db_t)
++ manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t)
+ ')
+
+ ########################################
+@@ -354,6 +287,24 @@ interface(`postgresql_domtrans',`
+
+ ######################################
+ ##
++## Execute Postgresql in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postgresql_exec',`
++ gen_require(`
++ type postgresql_exec_t;
++ ')
++
++ can_exec($1, postgresql_exec_t)
++')
++
++######################################
++##
+ ## Allow domain to signal postgresql
+ ##
+ ##
+@@ -421,7 +372,6 @@ interface(`postgresql_tcp_connect',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`postgresql_stream_connect',`
+ gen_require(`
+@@ -432,6 +382,7 @@ interface(`postgresql_stream_connect',`
+
+ files_search_pids($1)
+ files_search_tmp($1)
++ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
+ ')
+
+ ########################################
+@@ -447,83 +398,10 @@ interface(`postgresql_stream_connect',`
+ #
+ interface(`postgresql_unpriv_client',`
+ gen_require(`
+- class db_database all_db_database_perms;
+- class db_schema all_db_schema_perms;
+- class db_table all_db_table_perms;
+- class db_sequence all_db_sequence_perms;
+- class db_view all_db_view_perms;
+- class db_procedure all_db_procedure_perms;
+- class db_language all_db_language_perms;
+- class db_column all_db_column_perms;
+- class db_tuple all_db_tuple_perms;
+- class db_blob all_db_blob_perms;
+-
+ attribute sepgsql_client_type;
+- attribute sepgsql_database_type, sepgsql_schema_type;
+- attribute sepgsql_sysobj_table_type;
+-
+- type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t;
+- type sepgsql_temp_object_t;
+- type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
+- type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
+- type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;
+- type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
+- type unpriv_sepgsql_view_t;
+ ')
+
+- ########################################
+- #
+- # Declarations
+- #
+-
+ typeattribute $1 sepgsql_client_type;
+-
+- ########################################
+- #
+- # Client local policy
+- #
+-
+- type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
+- allow $1 sepgsql_ranged_proc_t:process transition;
+- allow sepgsql_ranged_proc_t $1:process dyntransition;
+-
+- type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+- allow $1 sepgsql_trusted_proc_t:process transition;
+-
+- allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+- type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
+-
+- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
+- type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;
+-
+- allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
+- type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
+- type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
+-
+- allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock };
+- allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert };
+- allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete };
+- type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t;
+-
+- allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };
+- type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t;
+-
+- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
+- type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
+-
+- allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
+- type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
+-
+-
+- tunable_policy(`sepgsql_enable_users_ddl',`
+- allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
+- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+- allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+- allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr };
+- allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
+- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+- ')
+ ')
+
+ ########################################
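Review bot: After this hunk `postgresql_unpriv_client` does nothing but `typeattribute $1 sepgsql_client_type;`, which is exactly what `postgresql_role` is reduced to in the first hunk of this file, so the two interfaces are now indistinguishable and the `unpriv_sepgsql_*` object types (blob, schema, table, sequence, view, procedure, sysobj) that were the type_transition targets for unprivileged clients are no longer assigned by anything visible here. Unless those types are wired up elsewhere in the commit, unprivileged network clients now create and use `user_sepgsql_*` objects alongside interactive role users, collapsing the separation the old per-caller rules provided. If that is intended, state it in the interface header, e.g. `## Equivalent to postgresql_role(); unprivileged clients share the user_sepgsql_* object types.`, and consider deprecating one of the two; otherwise the client rules moved into postgresql.te need a second attribute for the unprivileged variant.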
+@@ -547,6 +425,29 @@ interface(`postgresql_unconfined',`
+
+ ########################################
+ ##
++## Transition to postgresql named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postgresql_filetrans_named_content',`
++ gen_require(`
++ type postgresql_db_t;
++ type postgresql_log_t;
++ ')
++
++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql")
++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres")
++ files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql")
++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile")
++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log")
++')
++
++########################################
++##
+ ## All of the rules required to administrate an postgresql environment
+ ##
+ ##
+@@ -563,35 +464,41 @@ interface(`postgresql_unconfined',`
+ #
+ interface(`postgresql_admin',`
+ gen_require(`
+- attribute sepgsql_admin_type;
+- attribute sepgsql_client_type;
+-
+- type postgresql_t, postgresql_var_run_t;
+- type postgresql_tmp_t, postgresql_db_t;
+- type postgresql_etc_t, postgresql_log_t;
+- type postgresql_initrc_exec_t;
++ attribute sepgsql_admin_type, sepgsql_client_type;
++ type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
++ type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
++ type postgresql_etc_t;
+ ')
+
+ typeattribute $1 sepgsql_admin_type;
+
+- allow $1 postgresql_t:process { ptrace signal_perms };
++ allow $1 postgresql_t:process signal_perms;
+ ps_process_pattern($1, postgresql_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postgresql_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_list_pids($1)
+ admin_pattern($1, postgresql_var_run_t)
+
++ files_list_var_lib($1)
+ admin_pattern($1, postgresql_db_t)
+
++ files_list_etc($1)
+ admin_pattern($1, postgresql_etc_t)
+
++ logging_list_logs($1)
+ admin_pattern($1, postgresql_log_t)
+
++ files_list_tmp($1)
+ admin_pattern($1, postgresql_tmp_t)
+
+ postgresql_tcp_connect($1)
+ postgresql_stream_connect($1)
++ postgresql_filetrans_named_content($1)
+ ')
+diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
+index 0306134..ae0d841 100644
+--- a/policy/modules/services/postgresql.te
++++ b/policy/modules/services/postgresql.te
+@@ -19,25 +19,32 @@ gen_require(`
+ #
+
+ ##
+-##
+-## Allow unprived users to execute DDL statement
+-##
++##
++## Allow postgresql to use ssh and rsync for point-in-time recovery
++##
++##
++gen_tunable(postgresql_can_rsync, false)
++
++##
++##
++## Allow unprivileged users to execute DDL statement
++##
+ ##
+-gen_tunable(sepgsql_enable_users_ddl, false)
++gen_tunable(postgresql_selinux_users_ddl, true)
+
+ ##
+ ##
+ ## Allow transmit client label to foreign database
+ ##
+ ##
+-gen_tunable(sepgsql_transmit_client_label, false)
++gen_tunable(postgresql_selinux_transmit_client_label, false)
+
+ ##
+ ##
+ ## Allow database admins to execute DML statement
+ ##
+ ##
+-gen_tunable(sepgsql_unconfined_dbadm, false)
++gen_tunable(postgresql_selinux_unconfined_dbadm, true)
+
+ type postgresql_t;
+ type postgresql_exec_t;
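Review bot: The two renamed booleans in this hunk flip their defaults from false to true: `gen_tunable(postgresql_selinux_users_ddl, true)` now lets ordinary clients create and drop schemas, tables, sequences, views and procedures by default, and `gen_tunable(postgresql_selinux_unconfined_dbadm, true)` gives every sepgsql_admin_type the unrestricted `*` access on database and schema objects that the `@@ -536` hunk shows the start of. A renamed tunable does not inherit the value an administrator set for `sepgsql_enable_users_ddl` or `sepgsql_unconfined_dbadm`, so a site that left the old booleans at their locked-down defaults silently becomes more permissive on upgrade. If the looser defaults are deliberate, at least keep `false` for `postgresql_selinux_unconfined_dbadm`, or say so in its description, e.g. `## Allow database admins to execute DML statement (on by default; set to false to enforce per-object checks)`.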
+@@ -236,7 +243,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+ allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow postgresql_t self:netlink_selinux_socket create_socket_perms;
+-tunable_policy(`sepgsql_transmit_client_label',`
++
++tunable_policy(`postgresql_selinux_transmit_client_label',`
+ allow postgresql_t self:process { setsockcreate };
+ ')
+
+@@ -270,18 +278,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+-files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
++postgresql_filetrans_named_content(postgresql_t)
+
+ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
+ read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
+ read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
+
+-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
++allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
+ can_exec(postgresql_t, postgresql_exec_t )
+
+ allow postgresql_t postgresql_lock_t:file manage_file_perms;
+ files_lock_filetrans(postgresql_t, postgresql_lock_t, file)
+
++manage_dirs_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
+ manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
+ logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
+
+@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
+ files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
+
+ kernel_read_kernel_sysctls(postgresql_t)
++kernel_read_network_state(postgresql_t)
+ kernel_read_system_state(postgresql_t)
+ kernel_list_proc(postgresql_t)
+ kernel_read_all_sysctls(postgresql_t)
+ kernel_read_proc_symlinks(postgresql_t)
+
+-corenet_all_recvfrom_unlabeled(postgresql_t)
+ corenet_all_recvfrom_netlabel(postgresql_t)
+ corenet_tcp_sendrecv_generic_if(postgresql_t)
+ corenet_udp_sendrecv_generic_if(postgresql_t)
+@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+ domain_use_interactive_fds(postgresql_t)
+
+ files_dontaudit_search_home(postgresql_t)
+-files_manage_etc_files(postgresql_t)
+-files_search_etc(postgresql_t)
++files_read_etc_files(postgresql_t)
+ files_read_etc_runtime_files(postgresql_t)
+ files_read_usr_files(postgresql_t)
+
+@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t)
+ logging_send_syslog_msg(postgresql_t)
+ logging_send_audit_msgs(postgresql_t)
+
+-miscfiles_read_localization(postgresql_t)
+-
+ seutil_libselinux_linked(postgresql_t)
+ seutil_read_default_contexts(postgresql_t)
+
++sysnet_use_ldap(postgresql_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+ userdom_dontaudit_search_user_home_dirs(postgresql_t)
+ userdom_dontaudit_use_user_terminals(postgresql_t)
+
+ optional_policy(`
++ ccs_read_config(postgresql_t)
++')
++
++optional_policy(`
+ mta_getattr_spool(postgresql_t)
+ ')
+
+-tunable_policy(`allow_execmem',`
++optional_policy(`
++ rhcs_manage_cluster_pid_files(postgresql_t)
++')
++
++tunable_policy(`deny_execmem',`',`
+ allow postgresql_t self:process execmem;
+ ')
+
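Review bot: Replacing `tunable_policy(`allow_execmem'` with `tunable_policy(`deny_execmem',`',`` inverts the default: postgresql_t now gets `process execmem` unless an administrator opts out with `deny_execmem`, whereas before it had to be opted in. A database server reachable over TCP is a reasonable place to keep writable-and-executable anonymous memory off by default, so unless some component in this build needs it (the hunk does not say), I would keep the opt-in form, or at minimum add a comment above the block naming what requires execmem. The same hunk drops `miscfiles_read_localization(postgresql_t)`; if that moved into a base interface elsewhere in the series, a one-line comment saying so would save the next reader a search.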
+@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
+ # It is always allowed to operate temporary objects for any database client.
+ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
+
+-# Note that permission of creation/deletion are eventually controlled by
+-# create or drop permission of individual objects within shared schemas.
+-# So, it just allows to create/drop user specific types.
+-tunable_policy(`sepgsql_enable_users_ddl',`
++##############################
++#
++# Client local policy
++#
++allow sepgsql_client_type user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
++type_transition sepgsql_client_type sepgsql_database_type:db_schema user_sepgsql_schema_t;
++type_transition sepgsql_client_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
++
++allow sepgsql_client_type user_sepgsql_table_t:db_table { getattr select update insert delete lock };
++allow sepgsql_client_type user_sepgsql_table_t:db_column { getattr select update insert };
++allow sepgsql_client_type user_sepgsql_table_t:db_tuple { select update insert delete };
++type_transition sepgsql_client_type sepgsql_schema_type:db_table user_sepgsql_table_t;
++
++allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { use select };
++type_transition sepgsql_client_type sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
++
++allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
++type_transition sepgsql_client_type sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
++
++allow sepgsql_client_type user_sepgsql_view_t:db_view { getattr expand };
++type_transition sepgsql_client_type sepgsql_schema_type:db_view user_sepgsql_view_t;
++
++allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { getattr execute };
++type_transition sepgsql_client_type sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
++
++allow sepgsql_client_type user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
++type_transition sepgsql_client_type sepgsql_database_type:db_blob user_sepgsql_blob_t;
++
++allow sepgsql_client_type sepgsql_ranged_proc_t:process transition;
++type_transition sepgsql_client_type sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
++allow sepgsql_ranged_proc_t sepgsql_client_type:process dyntransition;
++
++allow sepgsql_client_type sepgsql_trusted_proc_t:process transition;
++type_transition sepgsql_client_type sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
++
++tunable_policy(`postgresql_selinux_users_ddl',`
++ allow sepgsql_client_type user_sepgsql_schema_t:db_schema { create drop setattr };
++ allow sepgsql_client_type user_sepgsql_table_t:db_table { create drop setattr };
++ allow sepgsql_client_type user_sepgsql_table_t:db_column { create drop setattr };
++ allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { update insert delete };
++ allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
++ allow sepgsql_client_type user_sepgsql_view_t:db_view { create drop setattr };
++ allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
++ # Note that permission of creation/deletion are eventually controlled by
++ # create or drop permission of individual objects within shared schemas.
++ # So, it just allows to create/drop user specific types.
+ allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
+ ')
+
+@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+
+ kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
+
+-tunable_policy(`sepgsql_unconfined_dbadm',`
++tunable_policy(`postgresql_selinux_unconfined_dbadm',`
+ allow sepgsql_admin_type sepgsql_database_type:db_database *;
+
+ allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
+@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+ allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
+
+ kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
++
++optional_policy(`
++ tunable_policy(`postgresql_can_rsync',`
++ rsync_exec(postgresql_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`postgresql_can_rsync',`
++ ssh_exec(postgresql_t)
++ ssh_read_user_home_files(postgresql_t)
++ corenet_tcp_connect_ssh_port(postgresql_t)
++ ')
++')
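Review bot: Under `postgresql_can_rsync`, `ssh_read_user_home_files(postgresql_t)` grants the database daemon read access to `ssh_home_t` wherever it appears, which after this commit's ssh.fc changes covers every user's and every service account's `~/.ssh` (private keys included), not only `/var/lib/pgsql/.ssh`, with just DAC in the way. Since the tunable description talks about point-in-time recovery from the postgres account, an interface scoped to the daemon's own home, or a dedicated type for that one `.ssh` directory, would be the least-privilege fit; at minimum the description should warn that enabling it exposes all ssh_home_t keys, e.g. `## Allow postgresql to use ssh and rsync for point-in-time recovery (reads all ssh_home_t key material)`. Note also that `ssh_exec`, by analogy with the `postgresql_exec` interface added in this commit, presumably runs the ssh client inside postgresql_t rather than transitioning to a confined ssh domain, so the client inherits the daemon's access to database files and ports — if that is intended, a comment on the block would help.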
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 76d9f66..5c271ce 100644
+--- a/policy/modules/services/ssh.fc
++++ b/policy/modules/services/ssh.fc
+@@ -1,16 +1,41 @@
+ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0)
++HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
+
+-/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
+-/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
++/var/lib/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/gitolite3/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/one/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/openshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/openshift/gear/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/pgsql/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++
++/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
++
++/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
++/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
++/etc/ssh/ssh_host.*_key\.pub -- gen_context(system_u:object_r:sshd_key_t,s0)
+
+ /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+ /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+
+ /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
++/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0)
++/usr/lib/systemd/system/sshd-keygen.* -- gen_context(system_u:object_r:sshd_keygen_unit_file_t,s0)
+
++/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+
+ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
++/usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0)
++/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+
+ /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
++/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
++
++/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
+diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
+index fe0c682..3ad1b1f 100644
+--- a/policy/modules/services/ssh.if
++++ b/policy/modules/services/ssh.if
+@@ -32,10 +32,11 @@
+ ##
+ #
+ template(`ssh_basic_client_template',`
+-
+ gen_require(`
+ attribute ssh_server;
+ type ssh_exec_t, sshd_key_t, sshd_tmp_t;
++ type ssh_keysign_exec_t, ssh_keysign_t;
++ type ssh_home_t;
+ ')
+
+ ##############################
+@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',`
+ application_domain($1_ssh_t, ssh_exec_t)
+ role $3 types $1_ssh_t;
+
+- type $1_ssh_home_t;
+- files_type($1_ssh_home_t)
+- typealias $1_ssh_home_t alias $1_home_ssh_t;
+-
+ ##############################
+ #
+ # Client local policy
+@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',`
+ # or "regular" (not special like sshd_extern_t) servers
+ allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
+
++ # derived domain can execute ssh-keysign
++ domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
++ role $3 types ssh_keysign_t;
++
+ # allow ps to show ssh
+ ps_process_pattern($2, $1_ssh_t)
+
+ # user can manage the keys and config
+- manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+- manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+- manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
++ manage_files_pattern($2, ssh_home_t, ssh_home_t)
++ manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
++ manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)
+
+ # ssh client can manage the keys and config
+- manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
+- read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
++ manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
++ read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
+
+ # ssh servers can read the user keys and config
+- allow ssh_server $1_ssh_home_t:dir list_dir_perms;
+- read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
+- read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
++ allow ssh_server ssh_home_t:dir list_dir_perms;
++ read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
++ read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+
+ kernel_read_kernel_sysctls($1_ssh_t)
+ kernel_read_system_state($1_ssh_t)
+
+- corenet_all_recvfrom_unlabeled($1_ssh_t)
+ corenet_all_recvfrom_netlabel($1_ssh_t)
+ corenet_tcp_sendrecv_generic_if($1_ssh_t)
+ corenet_tcp_sendrecv_generic_node($1_ssh_t)
+ corenet_tcp_sendrecv_all_ports($1_ssh_t)
+ corenet_tcp_connect_ssh_port($1_ssh_t)
+ corenet_sendrecv_ssh_client_packets($1_ssh_t)
++ corenet_tcp_bind_generic_node($1_ssh_t)
++ corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
+
+ dev_read_urand($1_ssh_t)
+
+@@ -139,7 +141,6 @@ template(`ssh_basic_client_template',`
+ logging_send_syslog_msg($1_ssh_t)
+ logging_read_generic_logs($1_ssh_t)
+
+- miscfiles_read_localization($1_ssh_t)
+
+ seutil_read_config($1_ssh_t)
+
+@@ -148,6 +149,29 @@ template(`ssh_basic_client_template',`
+ ')
+ ')
+
++######################################
++##
++## The template to define a domain to which sshd dyntransition.
++##
++##
++##
++## The prefix of the dyntransition domain
++##
++##
++#
++template(`ssh_dyntransition_domain_template',`
++ gen_require(`
++ attribute ssh_dyntransition_domain;
++ ')
++
++ type $1, ssh_dyntransition_domain;
++ domain_type($1)
++ role system_r types $1;
++
++ optional_policy(`
++ ssh_dyntransition_to($1)
++ ')
++')
+ #######################################
+ ##
+ ## The template to define a ssh server.
+@@ -168,7 +192,7 @@ template(`ssh_basic_client_template',`
+ ##
+ ##
+ #
+-template(`ssh_server_template', `
++template(`ssh_server_template',`
+ type $1_t, ssh_server;
+ auth_login_pgm_domain($1_t)
+
+@@ -181,20 +205,23 @@ template(`ssh_server_template', `
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
++ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
++ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
++ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
++ allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+ # ssh agent connections:
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:shm create_shm_perms;
+
+- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
+ term_create_pty($1_t, $1_devpts_t)
+
+- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
++ #manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
++ #fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
++ userdom_manage_tmp_role(system_r, sshd_t)
+
+ allow $1_t $1_var_run_t:file manage_file_perms;
+ files_pid_filetrans($1_t, $1_var_run_t, file)
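Review bot: L21547 and L21548 are the same `allow $1_t self:process { ... }` rule with the permissions reordered, so one of the two lines should be dropped. `userdom_manage_tmp_role(system_r, sshd_t)` hard-codes `sshd_t` inside a template parameterised by `$1`, so any other server built from `ssh_server_template` would silently grant the tmp access to sshd_t instead of itself; `userdom_manage_tmp_role(system_r, $1_t)` is presumably what was meant. The `sys_admin` capability added to the self:capability rule has no rationale — the `# tunnel feature and -w (net_admin capability also)` comment in a later hunk only justifies `net_admin` — and a capability this broad on a network-facing daemon deserves one. The two commented-out tmpfs rules should be deleted or annotated with why they are kept. The template body continues outside this hunk.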
+@@ -206,6 +233,7 @@ template(`ssh_server_template', `
+
+ kernel_read_kernel_sysctls($1_t)
+ kernel_read_network_state($1_t)
++ kernel_request_load_module($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
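Review bot: `kernel_request_load_module($1_t)` lets every ssh_server domain trigger kernel module autoloading, which is a notable privilege for a login daemon; a short comment naming the module it is needed for (presumably tun, given the tunnel rules added to this template) would let a reviewer judge whether it belongs in the baseline or under a tunable. The template body continues outside this hunk.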
+@@ -220,10 +248,13 @@ template(`ssh_server_template', `
+ corenet_tcp_bind_generic_node($1_t)
+ corenet_udp_bind_generic_node($1_t)
+ corenet_tcp_bind_ssh_port($1_t)
+- corenet_tcp_connect_all_ports($1_t)
+ corenet_sendrecv_ssh_server_packets($1_t)
++ # -R qualifier
++ corenet_sendrecv_ssh_server_packets($1_t)
++ # tunnel feature and -w (net_admin capability also)
++ corenet_rw_tun_tap_dev($1_t)
+
+- fs_dontaudit_getattr_all_fs($1_t)
++ fs_getattr_all_fs($1_t)
+
+ auth_rw_login_records($1_t)
+ auth_rw_faillog($1_t)
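Review bot: `corenet_sendrecv_ssh_server_packets($1_t)` now appears twice, on L21581 as context and on L21583 under the new `# -R qualifier` comment, so the added line is a no-op; the comment presumably meant to introduce a bind rule for remote port forwarding, and that rule is missing (the removed `corenet_tcp_connect_all_ports` did not cover -R either). Replacing `fs_dontaudit_getattr_all_fs` with `fs_getattr_all_fs` turns a silenced denial into an allow, which is fine but worth a sentence in the commit message. The template body continues outside this hunk.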
+@@ -234,6 +265,7 @@ template(`ssh_server_template', `
+ corecmd_getattr_bin_files($1_t)
+
+ domain_interactive_fd($1_t)
++ domain_dyntrans_type($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+@@ -241,35 +273,33 @@ template(`ssh_server_template', `
+
+ logging_search_logs($1_t)
+
+- miscfiles_read_localization($1_t)
+-
+- userdom_create_all_users_keys($1_t)
+ userdom_dontaudit_relabelfrom_user_ptys($1_t)
+- userdom_search_user_home_dirs($1_t)
++ userdom_read_user_home_content_files($1_t)
+
+ # Allow checking users mail at login
+ optional_policy(`
+ mta_getattr_spool($1_t)
+ ')
+
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files($1_t)
+- fs_read_nfs_symlinks($1_t)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files($1_t)
+- ')
++ userdom_home_manager($1_t)
+
+ optional_policy(`
+ kerberos_use($1_t)
+- kerberos_manage_host_rcache($1_t)
++ #kerberos_manage_host_rcache($1_t)
+ ')
+
+ optional_policy(`
+ files_read_var_lib_symlinks($1_t)
+ nx_spec_domtrans_server($1_t)
+ ')
++
++ optional_policy(`
++ rlogin_read_home_content($1_t)
++ ')
++
++ optional_policy(`
++ shutdown_getattr_exec_files($1_t)
++ ')
+ ')
+
+ ########################################
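Review bot: `userdom_read_user_home_content_files($1_t)` replaces `userdom_search_user_home_dirs($1_t)`, widening every ssh_server domain from searching home directories to reading all user home content rather than just ssh_home_t; if this is for `.shosts`/`.rhosts`-style files a comment should say so, otherwise the narrower search rule plus the existing ssh_home_t read rules suffice. The removed `userdom_create_all_users_keys($1_t)` has no visible replacement, so key creation during login may now be denied and is worth checking against audit logs. `#kerberos_manage_host_rcache($1_t)` should be deleted rather than left commented out, or annotated with why it is disabled. The template body starts outside this hunk.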
+@@ -292,14 +322,15 @@ template(`ssh_server_template', `
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ template(`ssh_role_template',`
+ gen_require(`
+ attribute ssh_server, ssh_agent_type;
+-
+ type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
+ type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
+ type ssh_agent_tmp_t;
++ type cache_home_t;
+ ')
+
+ ##############################
+@@ -328,103 +359,56 @@ template(`ssh_role_template',`
+
+ # allow ps to show ssh
+ ps_process_pattern($3, ssh_t)
+- allow $3 ssh_t:process signal;
++ allow $3 ssh_t:process signal_perms;
+
+ # for rsync
+ allow ssh_t $3:unix_stream_socket rw_socket_perms;
+ allow ssh_t $3:unix_stream_socket connectto;
++ allow ssh_t $3:key manage_key_perms;
++ allow $3 ssh_t:key { write search read view };
+
+ # user can manage the keys and config
+ manage_files_pattern($3, ssh_home_t, ssh_home_t)
+ manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
+ manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
+ userdom_search_user_home_dirs($1_t)
++ userdom_manage_tmp_role($2, ssh_t)
+
+ ##############################
+ #
+ # SSH agent local policy
+ #
+
+- allow $1_ssh_agent_t self:process setrlimit;
+- allow $1_ssh_agent_t self:capability setgid;
+-
+ allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
+
+ allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+- manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+- manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+- files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })
+-
+ # for ssh-add
+ stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
++ stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)
+
+ # Allow the user shell to signal the ssh program.
+- allow $3 $1_ssh_agent_t:process signal;
++ allow $3 $1_ssh_agent_t:process signal_perms;
+
+ # allow ps to show ssh
+ ps_process_pattern($3, $1_ssh_agent_t)
+
+ domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)
+
+- kernel_read_kernel_sysctls($1_ssh_agent_t)
+-
+- dev_read_urand($1_ssh_agent_t)
+- dev_read_rand($1_ssh_agent_t)
+-
+- fs_search_auto_mountpoints($1_ssh_agent_t)
++ kernel_read_system_state($1_ssh_agent_t)
+
+ # transition back to normal privs upon exec
+ corecmd_shell_domtrans($1_ssh_agent_t, $3)
+ corecmd_bin_domtrans($1_ssh_agent_t, $3)
+
+- domain_use_interactive_fds($1_ssh_agent_t)
+-
+- files_read_etc_files($1_ssh_agent_t)
+- files_read_etc_runtime_files($1_ssh_agent_t)
+- files_search_home($1_ssh_agent_t)
+-
+- libs_read_lib_files($1_ssh_agent_t)
++ auth_use_nsswitch($1_ssh_agent_t)
+
+ logging_send_syslog_msg($1_ssh_agent_t)
+
+- miscfiles_read_localization($1_ssh_agent_t)
+- miscfiles_read_generic_certs($1_ssh_agent_t)
+-
+- seutil_dontaudit_read_config($1_ssh_agent_t)
+-
+- # Write to the user domain tty.
+- userdom_use_user_terminals($1_ssh_agent_t)
+-
+- # for the transition back to normal privs upon exec
+- userdom_search_user_home_content($1_ssh_agent_t)
+ userdom_user_home_domtrans($1_ssh_agent_t, $3)
+- allow $3 $1_ssh_agent_t:fd use;
+- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
+- allow $3 $1_ssh_agent_t:process sigchld;
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files($1_ssh_agent_t)
+-
+- # transition back to normal privs upon exec
+- fs_nfs_domtrans($1_ssh_agent_t, $3)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files($1_ssh_agent_t)
+-
+- # transition back to normal privs upon exec
+- fs_cifs_domtrans($1_ssh_agent_t, $3)
+- ')
+-
+- optional_policy(`
+- nis_use_ypbind($1_ssh_agent_t)
+- ')
++ userdom_home_manager($1_ssh_agent_t)
+
+- optional_policy(`
+- xserver_use_xdm_fds($1_ssh_agent_t)
+- xserver_rw_xdm_pipes($1_ssh_agent_t)
+- ')
++ ssh_exec_keygen($3)
+ ')
+
+ ########################################
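Review bot: The agent's `manage_dirs_pattern`/`manage_sock_files_pattern` on ssh_agent_tmp_t and its `files_tmp_filetrans` are removed, but `stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)` stays; unless those creation rules moved to a shared ssh_agent_type block elsewhere, the agent can no longer create the socket the user is allowed to connect to. `dev_read_rand`/`dev_read_urand` for `$1_ssh_agent_t` are dropped with no replacement visible here, and ssh-agent does consume randomness, so this may surface as a denial. `ssh_exec_keygen($3)` is a user-domain rule placed at the end of the agent section; it reads better next to the other `$3` rules above `SSH agent local policy`. The template body starts outside this hunk.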
+@@ -496,8 +480,27 @@ interface(`ssh_read_pipes',`
+ type sshd_t;
+ ')
+
+- allow $1 sshd_t:fifo_file { getattr read };
++ allow $1 sshd_t:fifo_file read_fifo_file_perms;
+ ')
++
++######################################
++##
++## Read and write ssh server unix dgram sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_rw_dgram_sockets',`
++ gen_require(`
++ type sshd_t;
++ ')
++
++ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
++')
++
+ ########################################
+ ##
+ ## Read and write a ssh server unnamed pipe.
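Review bot: `ssh_rw_dgram_sockets` applies `rw_stream_socket_perms` to `unix_dgram_socket`; the permission set is named for stream sockets and, even if the two macros expand identically, the mismatch reads like a copy-paste slip. `rw_socket_perms`, used on L21672, is the generic set: `allow $1 sshd_t:unix_dgram_socket rw_socket_perms;`.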
+@@ -513,7 +516,7 @@ interface(`ssh_rw_pipes',`
+ type sshd_t;
+ ')
+
+- allow $1 sshd_t:fifo_file { write read getattr ioctl };
++ allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -605,6 +608,24 @@ interface(`ssh_domtrans',`
+
+ ########################################
+ ##
++## Execute sshd server in the sshd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_initrc_domtrans',`
++ gen_require(`
++ type sshd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, sshd_initrc_exec_t)
++')
++
++########################################
++##
+ ## Execute the ssh client in the caller domain.
+ ##
+ ##
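Review bot: The summary of `ssh_initrc_domtrans` says `Execute sshd server in the sshd domain`, but the interface transitions through the init script via `init_labeled_script_domtrans`, not into sshd_t; `## Execute the sshd init script in the initrc domain.` matches what it does. The same summary is pasted onto `ssh_systemctl` at L22103, where it is equally wrong.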
+@@ -637,7 +658,7 @@ interface(`ssh_setattr_key_files',`
+ type sshd_key_t;
+ ')
+
+- allow $1 sshd_key_t:file setattr;
++ allow $1 sshd_key_t:file setattr_file_perms;
+ files_search_pids($1)
+ ')
+
+@@ -662,6 +683,42 @@ interface(`ssh_agent_exec',`
+
+ ########################################
+ ##
++## Getattr ssh home directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_getattr_user_home_dir',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ allow $1 ssh_home_t:dir getattr;
++')
++
++########################################
++##
++## Dontaudit search ssh home directory
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`ssh_dontaudit_search_user_home_dir',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ dontaudit $1 ssh_home_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Read ssh home directory content
+ ##
+ ##
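Review bot: `ssh_getattr_user_home_dir` grants `getattr` on ssh_home_t directories but, unlike `ssh_append_home_files` further down (L21968), does not add `userdom_search_user_home_dirs($1)`, so a caller that cannot already search the home directory gets nothing usable from it. Either add the search call for consistency with the other home-content interfaces or state in the summary that the caller must supply it.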
+@@ -701,6 +758,50 @@ interface(`ssh_domtrans_keygen',`
+
+ ########################################
+ ##
++## Execute the ssh key generator in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ssh_exec_keygen',`
++ gen_require(`
++ type ssh_keygen_exec_t;
++ ')
++
++ can_exec($1, ssh_keygen_exec_t)
++')
++
++#######################################
++##
++## Execute ssh-keygen in the iptables domain, and
++## allow the specified role the ssh-keygen domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ssh_run_keygen',`
++ gen_require(`
++ type ssh_keygen_t;
++ ')
++
++ role $2 types ssh_keygen_t;
++ ssh_domtrans_keygen($1)
++')
++
++########################################
++##
+ ## Read ssh server keys
+ ##
+ ##
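Review bot: The summary of `ssh_run_keygen` says `Execute ssh-keygen in the iptables domain`, a copy-paste leftover; it should read `## Execute ssh-keygen in the ssh-keygen domain, and`. The parameter doc of `ssh_exec_keygen` says `Domain allowed to transition`, but `can_exec` runs ssh-keygen in the caller's own domain, so `## Domain allowed access.` is the accurate description.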
+@@ -714,7 +815,26 @@ interface(`ssh_dontaudit_read_server_keys',`
+ type sshd_key_t;
+ ')
+
+- dontaudit $1 sshd_key_t:file { getattr read };
++ dontaudit $1 sshd_key_t:file read_file_perms;
++')
++
++######################################
++##
++## Append ssh home directory content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_append_home_files',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ append_files_pattern($1, ssh_home_t, ssh_home_t)
++ userdom_search_user_home_dirs($1)
+ ')
+
+ ######################################
+@@ -754,3 +874,151 @@ interface(`ssh_delete_tmp',`
+ files_search_tmp($1)
+ delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
+ ')
++
++#####################################
++##
++## Allow domain dyntransition to chroot_user_t domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_dyntransition_to',`
++ gen_require(`
++ type sshd_t;
++ ')
++
++ allow sshd_t $1:process dyntransition;
++ allow $1 sshd_t:process sigchld;
++ allow sshd_t $1:process { getattr sigkill sigstop signull signal };
++')
++
++########################################
++##
++## Create .ssh directory in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_filetrans_admin_home_content',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
++ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
++')
++
++########################################
++##
++## Create .ssh directory in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_filetrans_home_content',`
++
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
++ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
++ files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh")
++')
++
++########################################
++##
++## Create .ssh directory in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_filetrans_keys',`
++
++ gen_require(`
++ type sshd_key_t;
++ ')
++
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key")
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key")
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key")
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key.pub")
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key.pub")
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key.pub")
++')
++
++########################################
++##
++## Do not audit attempts to read and
++## write the sshd pty type.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`ssh_dontaudit_use_ptys',`
++ gen_require(`
++ type sshd_devpts_t;
++ ')
++
++ dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl };
++')
++
++########################################
++##
++## Read and write inherited sshd pty type.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`ssh_use_ptys',`
++ gen_require(`
++ type sshd_devpts_t;
++ ')
++
++ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Execute sshd server in the sshd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ssh_systemctl',`
++ gen_require(`
++ type sshd_t;
++ type sshd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 sshd_unit_file_t:file manage_file_perms;
++ allow $1 sshd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, sshd_t)
++')
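Review bot: `ssh_filetrans_admin_home_content` and `ssh_filetrans_home_content` register `.shosts` with object class `dir`, but `.shosts` is a regular file in OpenSSH host-based authentication, so the named transition never fires; it should be `userdom_admin_home_dir_filetrans($1, ssh_home_t, file, ".shosts")` and likewise for the user variant. The summary of `ssh_dyntransition_to` names chroot_user_t, yet the interface is generic and ssh.te applies it to sshd_sandbox_t and sshd_net_t as well, so `## Allow sshd_t to dyntransition to the specified domain.` is more accurate. `ssh_filetrans_keys` reuses the `.ssh directory in the user home directory` summary, `ssh_use_ptys` documents its parameter as `Domain to not audit` for an allow rule, and `ssh_systemctl` repeats the `Execute sshd server` summary; each needs its own wording. `ssh_systemctl` also grants `manage_file_perms` on sshd_unit_file_t, which lets the caller rewrite the unit file itself rather than only control the service; if only start/stop/reload is intended, the `manage_service_perms` rule suffices.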
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index cc877c7..2ef9dc6 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2)
+ #
+
+ ##
+-##
+-## allow host key based authentication
+-##
++##
++## allow host key based authentication
++##
++##
++gen_tunable(ssh_keysign, false)
++
++##
++##
++## Allow ssh logins as sysadm_r:sysadm_t
++##
+ ##
+-gen_tunable(allow_ssh_keysign, false)
++gen_tunable(ssh_sysadm_login, false)
+
+ ##
+ ##
+-## Allow ssh logins as sysadm_r:sysadm_t
++## Allow ssh with chroot env to read and write files
++## in the user home directories
+ ##
+ ##
+-gen_tunable(ssh_sysadm_login, false)
++gen_tunable(ssh_chroot_rw_homedirs, false)
+
++attribute ssh_dyntransition_domain;
+ attribute ssh_server;
+ attribute ssh_agent_type;
+
++ssh_dyntransition_domain_template(chroot_user_t)
++ssh_dyntransition_domain_template(sshd_sandbox_t)
++ssh_dyntransition_domain_template(sshd_net_t)
++
+ type ssh_keygen_t;
+ type ssh_keygen_exec_t;
+ init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
+-role system_r types ssh_keygen_t;
++
++type ssh_keygen_tmp_t;
++files_tmp_file(ssh_keygen_tmp_t)
++
++type sshd_keygen_t;
++type sshd_keygen_exec_t;
++init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t)
++
++type sshd_keygen_unit_file_t;
++systemd_unit_file(sshd_keygen_unit_file_t)
+
+ type sshd_exec_t;
+ corecmd_executable_file(sshd_exec_t)
+
+ ssh_server_template(sshd)
+ init_daemon_domain(sshd_t, sshd_exec_t)
++mls_trusted_object(sshd_t)
++mls_process_write_all_levels(sshd_t)
++
++type sshd_initrc_exec_t;
++init_script_file(sshd_initrc_exec_t)
++
++type sshd_unit_file_t;
++systemd_unit_file(sshd_unit_file_t)
+
+ type sshd_key_t;
+ files_type(sshd_key_t)
+
+-type sshd_tmp_t;
+-files_tmp_file(sshd_tmp_t)
+-files_poly_parent(sshd_tmp_t)
+-
+-ifdef(`enable_mcs',`
+- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+-')
++type sshd_keytab_t;
++files_type(sshd_keytab_t)
+
+ type ssh_t;
+ type ssh_exec_t;
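Review bot: `type sshd_tmp_t;` and `files_tmp_file(sshd_tmp_t)` are removed here, but the type is still listed in the gen_require of `ssh_basic_client_template` (L21427) and used by `ssh_delete_tmp` (L21974), so unless it is redeclared elsewhere the module no longer builds; either keep the declaration or drop those references in the same commit. Renaming the boolean `allow_ssh_keysign` to `ssh_keysign` invalidates existing `setsebool` settings and booleans cannot be aliased, so the rename should be called out for administrators. `ssh_chroot_rw_homedirs` is declared but no rule in the visible hunks consults it; if a later hunk uses it, fine, otherwise it is a dead tunable. `mls_trusted_object(sshd_t)` and `mls_process_write_all_levels(sshd_t)` hand sshd broad MLS override; a comment tying them to the ranged-login behaviour would help the next reviewer.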
+@@ -67,15 +92,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+ type ssh_tmpfs_t;
+ typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
+ typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
+-userdom_user_tmpfs_file(ssh_tmpfs_t)
++userdom_user_tmp_file(ssh_tmpfs_t)
+
+ type ssh_home_t;
+ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
+ typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
+ userdom_user_home_content(ssh_home_t)
++files_poly_parent(ssh_home_t)
+
+-type sshd_keytab_t;
+-files_type(sshd_keytab_t)
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
++')
+
+ ##############################
+ #
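Review bot: `ssh_tmpfs_t` is now declared with `userdom_user_tmp_file` while its name and aliases still say tmpfs and the matching `fs_tmpfs_filetrans` is commented out in a later hunk (L22259); either rename the type (keeping the old name as a typealias) or add a comment explaining why a tmpfs-named type is labelled as a tmp file. `files_poly_parent(ssh_home_t)` deserves a one-line note on which directory is meant to be polyinstantiated.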
+@@ -86,6 +113,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+ allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow ssh_t self:fd use;
+ allow ssh_t self:fifo_file rw_fifo_file_perms;
++allow ssh_t self:key manage_key_perms;
+ allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow ssh_t self:shm create_shm_perms;
+@@ -93,50 +121,55 @@ allow ssh_t self:sem create_sem_perms;
+ allow ssh_t self:msgq create_msgq_perms;
+ allow ssh_t self:msg { send receive };
+ allow ssh_t self:tcp_socket create_stream_socket_perms;
++can_exec(ssh_t, ssh_exec_t)
+
+ # Read the ssh key file.
+ allow ssh_t sshd_key_t:file read_file_perms;
+
+-# Access the ssh temporary files.
+-allow ssh_t sshd_tmp_t:dir manage_dir_perms;
+-allow ssh_t sshd_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
+-
+ manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+-fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+-userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file)
++userdom_user_home_content_filetrans(ssh_t, ssh_home_t, sock_file)
++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh")
++userdom_read_all_users_keys(ssh_t)
++userdom_stream_connect(ssh_t)
++userdom_search_admin_dir(sshd_t)
+
+ # Allow the ssh program to communicate with ssh-agent.
+ stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
+
+ allow ssh_t sshd_t:unix_stream_socket connectto;
++allow ssh_t sshd_t:peer recv;
+
+ # ssh client can manage the keys and config
+ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+
+ # ssh servers can read the user keys and config
+-allow ssh_server ssh_home_t:dir list_dir_perms;
+-read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+-read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
++manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+
+ kernel_read_kernel_sysctls(ssh_t)
+ kernel_read_system_state(ssh_t)
+
+-corenet_all_recvfrom_unlabeled(ssh_t)
+ corenet_all_recvfrom_netlabel(ssh_t)
+ corenet_tcp_sendrecv_generic_if(ssh_t)
+ corenet_tcp_sendrecv_generic_node(ssh_t)
+ corenet_tcp_sendrecv_all_ports(ssh_t)
+ corenet_tcp_connect_ssh_port(ssh_t)
++corenet_tcp_connect_all_unreserved_ports(ssh_t)
+ corenet_sendrecv_ssh_client_packets(ssh_t)
++corenet_tcp_bind_generic_node(ssh_t)
++#corenet_tcp_bind_all_unreserved_ports(ssh_t)
++corenet_rw_tun_tap_dev(ssh_t)
+
++dev_read_rand(ssh_t)
+ dev_read_urand(ssh_t)
+
+ fs_getattr_all_fs(ssh_t)
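Review bot: `manage_dirs_pattern`/`manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)` replace the read-only rules, so every ssh_server domain can now create, modify and delete users' `authorized_keys` and client config, while the comment on L22281 still says `ssh servers can read the user keys and config` and the template keeps the read-only form (L21473-L21475). If only sshd_t needs write access for a specific feature, grant it there and leave the attribute read-only; otherwise update the comment and the template together. `userdom_search_admin_dir(sshd_t)` on L22269 is an sshd rule placed in the ssh_t client section, and `userdom_search_admin_dir(ssh_t)` already appears on L22322. `#corenet_tcp_bind_all_unreserved_ports(ssh_t)` should be removed or annotated rather than left commented out.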
+@@ -157,40 +190,46 @@ files_read_var_files(ssh_t)
+ logging_send_syslog_msg(ssh_t)
+ logging_read_generic_logs(ssh_t)
+
++term_use_ptmx(ssh_t)
++
+ auth_use_nsswitch(ssh_t)
+
+-miscfiles_read_localization(ssh_t)
++miscfiles_read_generic_certs(ssh_t)
+
+ seutil_read_config(ssh_t)
+
+ userdom_dontaudit_list_user_home_dirs(ssh_t)
+ userdom_search_user_home_dirs(ssh_t)
++userdom_search_admin_dir(ssh_t)
+ # Write to the user domain tty.
+-userdom_use_user_terminals(ssh_t)
+-# needs to read krb tgt
++userdom_use_inherited_user_terminals(ssh_t)
++# needs to read krb/write tgt
+ userdom_read_user_tmp_files(ssh_t)
+-
+-tunable_policy(`allow_ssh_keysign',`
+- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+- allow ssh_keysign_t ssh_t:fd use;
+- allow ssh_keysign_t ssh_t:process sigchld;
+- allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
++userdom_write_user_tmp_files(ssh_t)
++userdom_read_user_home_content_symlinks(ssh_t)
++userdom_rw_inherited_user_home_content_files(ssh_t)
++userdom_read_home_certs(ssh_t)
++userdom_home_manager(ssh_t)
++
++tunable_policy(`ssh_keysign',`
++ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(ssh_t)
+- fs_manage_nfs_files(ssh_t)
++# for port forwarding
++tunable_policy(`selinuxuser_tcp_server',`
++ corenet_tcp_bind_ssh_port(ssh_t)
++ corenet_tcp_bind_generic_node(ssh_t)
++ corenet_tcp_bind_all_unreserved_ports(ssh_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(ssh_t)
+- fs_manage_cifs_files(ssh_t)
++ifdef(`enable_mcs',`
++ optional_policy(`
++ condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, mcs_systemlow - mcs_systemhigh)
++ ')
+ ')
+
+-# for port forwarding
+-tunable_policy(`user_tcp_server',`
+- corenet_tcp_bind_ssh_port(ssh_t)
+- corenet_tcp_bind_generic_node(ssh_t)
++optional_policy(`
++ gnome_stream_connect_gkeyringd(ssh_t)
+ ')
+
+ optional_policy(`
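Review bot: `condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, ...)` is an sshd_t rule placed in the ssh_t client section; the other condor rules for sshd_t live in the server section (L22453-L22456) and this block belongs with them. `userdom_home_manager(ssh_t)` replaces the `use_nfs_home_dirs`/`use_samba_home_dirs` conditional rules; presumably that interface wraps the same tunables, which is worth stating in a comment since it reads as an unconditional grant.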
+@@ -198,6 +237,7 @@ optional_policy(`
+ xserver_domtrans_xauth(ssh_t)
+ ')
+
++
+ ##############################
+ #
+ # ssh_keysign_t local policy
+@@ -209,6 +249,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+ allow ssh_keysign_t sshd_key_t:file { getattr read };
+
+ dev_read_urand(ssh_keysign_t)
++dev_read_rand(ssh_keysign_t)
+
+ files_read_etc_files(ssh_keysign_t)
+
+@@ -226,39 +267,58 @@ optional_policy(`
+ # so a tunnel can point to another ssh tunnel
+ allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow sshd_t self:key { search link write };
++allow sshd_t self:process setcurrent;
+
+ allow sshd_t sshd_keytab_t:file read_file_perms;
+
+-manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+-
+ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
++kernel_read_net_sysctls(sshd_t)
++
++files_search_all(sshd_t)
++
++fs_search_cgroup_dirs(sshd_t)
++fs_rw_cgroup_files(sshd_t)
+
+ term_use_all_ptys(sshd_t)
+ term_setattr_all_ptys(sshd_t)
++term_setattr_all_ttys(sshd_t)
+ term_relabelto_all_ptys(sshd_t)
++term_use_ptmx(sshd_t)
+
+ # for X forwarding
+ corenet_tcp_bind_xserver_port(sshd_t)
++corenet_tcp_bind_vnc_port(sshd_t)
+ corenet_sendrecv_xserver_server_packets(sshd_t)
+
+-ifdef(`distro_debian',`
+- allow sshd_t self:process { getcap setcap };
+-')
++auth_exec_login_program(sshd_t)
++auth_signal_chk_passwd(sshd_t)
++
++userdom_read_user_home_content_files(sshd_t)
++userdom_read_user_home_content_symlinks(sshd_t)
++#userdom_manage_tmp_role(system_r, sshd_t)
++userdom_spec_domtrans_unpriv_users(sshd_t)
++userdom_signal_unpriv_users(sshd_t)
++userdom_dyntransition_unpriv_users(sshd_t)
+
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+- userdom_spec_domtrans_all_users(sshd_t)
+ userdom_signal_all_users(sshd_t)
+-',`
+- userdom_spec_domtrans_unpriv_users(sshd_t)
+- userdom_signal_unpriv_users(sshd_t)
++ userdom_spec_domtrans_all_users(sshd_t)
++ userdom_dyntransition_admin_users(sshd_t)
++')
++
++optional_policy(`
++ amanda_search_var_lib(sshd_t)
++')
++
++optional_policy(`
++ condor_rw_lib_files(sshd_t)
++ condor_rw_tcp_sockets_startd(sshd_t)
++ condor_rw_tcp_sockets_schedd(sshd_t)
+ ')
+
+ optional_policy(`
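Review bot: The comment block on L22436-L22439 describes pty relabeling, but the `ssh_sysadm_login` body now contains only signal, domtrans and dyntransition rules; the comment should describe those or be removed, especially as the same text is copied again inside the `ifdef(`TODO'` block later in the file. `#userdom_manage_tmp_role(system_r, sshd_t)` is left commented out; if the call made by `ssh_server_template` (L21564) is the intended one, delete this copy. `allow sshd_t self:process setcurrent;` plus the now-unconditional `userdom_dyntransition_unpriv_users(sshd_t)` make dynamic transitions part of sshd's baseline rather than a tunable-gated extra; a one-line comment naming the sshd feature that needs them would document the exposure. `fs_rw_cgroup_files(sshd_t)` likewise needs a why-comment.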
+@@ -266,6 +326,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ftp_dyntrans_sftpd(sshd_t)
++ ftp_dyntrans_anon_sftpd(sshd_t)
++')
++
++optional_policy(`
++ gitosis_manage_lib_files(sshd_t)
++')
++
++optional_policy(`
+ inetd_tcp_service_domain(sshd_t, sshd_exec_t)
+ ')
+
+@@ -275,6 +344,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ lvm_domtrans(sshd_t)
++')
++
++optional_policy(`
++ munin_read_var_lib_files(sshd_t)
++')
++
++optional_policy(`
++ nx_read_home_files(sshd_t)
++')
++
++optional_policy(`
+ oddjob_domtrans_mkhomedir(sshd_t)
+ ')
+
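Review bot: `lvm_domtrans(sshd_t)` lets the ssh daemon itself run LVM tools in lvm_t, which is unusual for a login daemon; if this is for a forced command or a specific product, a comment naming it (or gating under a tunable) would keep the server's exec surface explicit. The `munin_read_var_lib_files` and `nx_read_home_files` additions presumably back the `/var/lib/.../.ssh` fc entries added earlier and could say so.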
+@@ -289,13 +370,93 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rsync_read_data(sshd_t)
++')
++
++optional_policy(`
++ systemd_exec_systemctl(sshd_t)
++')
++
++optional_policy(`
++ usermanage_domtrans_passwd(sshd_t)
++ usermanage_read_crack_db(sshd_t)
++')
++
++optional_policy(`
++ openshift_dyntransition(sshd_t)
++ openshift_transition(sshd_t)
++ openshift_manage_tmp_files(sshd_t)
++ openshift_manage_tmp_sockets(sshd_t)
++ openshift_mounton_tmp(sshd_t)
++ openshift_read_lib_files(sshd_t)
++')
++
++optional_policy(`
++ postgresql_search_db(sshd_t)
++')
++
++optional_policy(`
+ unconfined_shell_domtrans(sshd_t)
+ ')
+
+ optional_policy(`
++ kernel_write_proc_files(sshd_t)
++ virt_transition_svirt_sandbox(sshd_t, system_r)
++ virt_stream_connect_sandbox(sshd_t)
++ virt_stream_connect(sshd_t)
++')
++
++optional_policy(`
+ xserver_domtrans_xauth(sshd_t)
+ ')
+
++ifdef(`TODO',`
++ tunable_policy(`ssh_sysadm_login',`
++ # Relabel and access ptys created by sshd
++ # ioctl is necessary for logout() processing for utmp entry and for w to
++ # display the tty.
++ # some versions of sshd on the new SE Linux require setattr
++ allow sshd_t ptyfile:chr_file relabelto;
++
++ optional_policy(`
++ domain_trans(sshd_t, xauth_exec_t, userdomain)
++ ')
++ ',`
++ optional_policy(`
++ domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
++ ')
++ # Relabel and access ptys created by sshd
++ # ioctl is necessary for logout() processing for utmp entry and for w to
++ # display the tty.
++ # some versions of sshd on the new SE Linux require setattr
++ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
++ ')
++') dnl endif TODO
++
++########################################
++#
++# sshd-keygen local policy
++#
++
++allow sshd_keygen_t self:capability { chown fsetid };
++allow sshd_keygen_t self:fifo_file rw_fifo_file_perms;
++allow sshd_keygen_t self:unix_stream_socket create_stream_socket_perms;
++
++allow sshd_keygen_t sshd_key_t:file manage_file_perms;
++
++kernel_read_system_state(sshd_keygen_t)
++
++corecmd_exec_bin(sshd_keygen_t)
++
++auth_read_passwd(sshd_keygen_t)
++
++files_rw_etc_dirs(sshd_keygen_t)
++
++#run restorecon
++seutil_domtrans_setfiles(sshd_keygen_t)
++
++ssh_domtrans_keygen(sshd_keygen_t)
++
+ ########################################
+ #
+ # ssh_keygen local policy
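Review bot: The `ifdef(`TODO',` block is roughly twenty lines of policy that is never compiled, including a second copy of the pty relabel comment; it should be removed or reduced to a one-line TODO pointing at a tracker entry, since dead allow rules mentioning `ptyfile` and `userpty_type` will confuse the next reader. `kernel_write_proc_files(sshd_t)` is a kernel interface placed inside the virt `optional_policy` block, so sshd gains write access to proc files only when the virt module is present and the grant is easy to miss; if `virt_transition_svirt_sandbox` needs it, a comment should say so, otherwise move it next to the other kernel rules. `usermanage_read_crack_db(sshd_t)` also lacks a rationale and should get one. In the sshd-keygen section, `allow sshd_keygen_t sshd_key_t:file manage_file_perms;` has no matching `files_etc_filetrans`, so the design relies on the `#run restorecon` transition to fix labels; expanding that comment to say the keys are generated by ssh_keygen_t via `ssh_domtrans_keygen` and relabeled afterwards would make the flow clear.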
+@@ -304,19 +465,33 @@ optional_policy(`
+ # ssh_keygen_t is the type of the ssh-keygen program when run at install time
+ # and by sysadm_t
+
++allow ssh_keygen_t self:capability dac_override;
+ dontaudit ssh_keygen_t self:capability sys_tty_config;
+ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+-
+ allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
+ files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+
++manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++
++manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
++manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
++files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir })
++
++kernel_read_system_state(ssh_keygen_t)
+ kernel_read_kernel_sysctls(ssh_keygen_t)
+
++corecmd_exec_shell(ssh_keygen_t)
++corecmd_exec_bin(ssh_keygen_t)
++
+ fs_search_auto_mountpoints(ssh_keygen_t)
+
+ dev_read_sysfs(ssh_keygen_t)
++dev_read_rand(ssh_keygen_t)
+ dev_read_urand(ssh_keygen_t)
+
+ term_dontaudit_use_console(ssh_keygen_t)
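Review bot: `allow ssh_keygen_t self:capability dac_override;` on the first added line is granted with no comment on which file access needs it; dac_override bypasses DAC on every object the domain can reach, so the usual refpolicy practice is to try `dac_read_search` first or to record the path that fails without it. The same hunk lets ssh_keygen_t create and manage `ssh_home_t` in both admin and user home directories and execute shell and bin programs; a one-line comment stating the use case (presumably host-key generation at first boot) would let a later reviewer judge whether the home-directory rules are still needed. The ssh_keygen_t section begins before this hunk.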
+@@ -332,7 +507,9 @@ auth_use_nsswitch(ssh_keygen_t)
+
+ logging_send_syslog_msg(ssh_keygen_t)
+
++userdom_home_manager(ssh_keygen_t)
+ userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
++userdom_use_user_terminals(ssh_keygen_t)
+
+ optional_policy(`
+ seutil_sigchld_newrole(ssh_keygen_t)
+@@ -341,3 +518,148 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(ssh_keygen_t)
+ ')
++
++####################################
++#
++# ssh_dyntransition domain local policy
++#
++
++allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
++allow ssh_dyntransition_domain self:unix_dgram_socket create_socket_perms;
++
++allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
++allow ssh_dyntransition_domain sshd_t:fd use;
++
++optional_policy(`
++ ssh_rw_stream_sockets(ssh_dyntransition_domain)
++ ssh_rw_tcp_sockets(ssh_dyntransition_domain)
++')
++
++#####################################
++#
++# ssh_sandbox local policy
++#
++
++allow sshd_t sshd_sandbox_t:process signal;
++
++init_ioctl_stream_sockets(sshd_sandbox_t)
++
++logging_send_audit_msgs(sshd_sandbox_t)
++
++#####################################
++#
++# sshd [net] child local policy
++#
++
++allow sshd_t sshd_net_t:process signal;
++
++allow sshd_net_t self:process setrlimit;
++
++init_ioctl_stream_sockets(sshd_net_t)
++init_rw_tcp_sockets(sshd_net_t)
++
++logging_send_audit_msgs(sshd_net_t)
++
++
++######################################
++#
++# chroot_user_t local policy
++#
++allow chroot_user_t self:fifo_file rw_fifo_file_perms;
++allow chroot_user_t self:unix_dgram_socket create_socket_perms;
++
++corecmd_exec_shell(chroot_user_t)
++
++domain_subj_id_change_exemption(chroot_user_t)
++domain_role_change_exemption(chroot_user_t)
++
++term_search_ptys(chroot_user_t)
++term_use_ptmx(chroot_user_t)
++
++fs_getattr_all_fs(chroot_user_t)
++
++userdom_read_user_home_content_files(chroot_user_t)
++userdom_read_inherited_user_home_content_files(chroot_user_t)
++userdom_read_user_home_content_symlinks(chroot_user_t)
++userdom_exec_user_home_content_files(chroot_user_t)
++userdom_use_inherited_user_ptys(chroot_user_t)
++
++tunable_policy(`ssh_chroot_rw_homedirs',`
++ files_list_home(chroot_user_t)
++ userdom_manage_user_home_content_files(chroot_user_t)
++ userdom_manage_user_home_content_symlinks(chroot_user_t)
++ userdom_manage_user_home_content_pipes(chroot_user_t)
++ userdom_manage_user_home_content_sockets(chroot_user_t)
++ userdom_manage_user_home_content_dirs(chroot_user_t)
++')
++
++tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(chroot_user_t)
++ fs_manage_nfs_files(chroot_user_t)
++ fs_manage_nfs_symlinks(chroot_user_t)
++')
++
++tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
++ fs_manage_cifs_dirs(chroot_user_t)
++ fs_manage_cifs_files(chroot_user_t)
++ fs_manage_cifs_symlinks(chroot_user_t)
++')
++
++tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs(chroot_user_t)
++ fs_manage_fusefs_files(chroot_user_t)
++ fs_manage_fusefs_symlinks(chroot_user_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(chroot_user_t)
++ fs_read_cifs_symlinks(chroot_user_t)
++')
++
++userdom_home_manager(chroot_user_t)
++
++optional_policy(`
++ ssh_rw_dgram_sockets(chroot_user_t)
++')
++
++optional_policy(`
++ unconfined_shell_domtrans(chroot_user_t)
++')
++
++######################################
++#
++# ssh_agent_type common policy local policy
++#
++allow ssh_agent_type self:process setrlimit;
++allow ssh_agent_type self:capability setgid;
++
++manage_dirs_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
++manage_sock_files_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
++files_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, { dir sock_file })
++
++kernel_read_kernel_sysctls(ssh_agent_type)
++
++dev_read_urand(ssh_agent_type)
++dev_read_rand(ssh_agent_type)
++
++fs_search_auto_mountpoints(ssh_agent_type)
++
++domain_use_interactive_fds(ssh_agent_type)
++
++files_read_etc_files(ssh_agent_type)
++files_read_etc_runtime_files(ssh_agent_type)
++
++libs_read_lib_files(ssh_agent_type)
++
++miscfiles_read_generic_certs(ssh_agent_type)
++
++# Write to the user domain tty.
++userdom_use_inherited_user_terminals(ssh_agent_type)
++
++# for the transition back to normal privs upon exec
++userdom_search_user_home_content(ssh_agent_type)
++
++optional_policy(`
++ xserver_use_xdm_fds(ssh_agent_type)
++ xserver_rw_xdm_pipes(ssh_agent_type)
++')
+diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
+index 8274418..2873da0 100644
+--- a/policy/modules/services/xserver.fc
++++ b/policy/modules/services/xserver.fc
+@@ -2,13 +2,36 @@
+ # HOME_DIR
+ #
+ HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
++HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
+ HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
++HOME_DIR/\.local/share/fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
++HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+ HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+ HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
++HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+ HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++
++/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
++/root/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
++/root/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
++/root/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
++/root/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
++/root/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
++/root/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
++/root/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
++/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+
+ #
+ # /dev
+@@ -22,13 +45,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+
++/etc/X11/xorg\.conf\.d(/.*)? gen_context(system_u:object_r:xserver_etc_t,s0)
++/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
++/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/[mg]dm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/[mg]dm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++
+ /etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+-/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/etc/opt/VirtualGL(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+
++/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
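Review bot: The new `/etc/[mg]dm/PreSession(/.*)?` spec (xdm_unconfined_exec_t) overlaps the existing `/etc/gdm(3)?/PreSession/.*` spec (xsession_exec_t) a few lines above, and `/etc/[mg]dm(/.*)?` likewise overlaps `/etc/gdm(3)?/Xsession`. Both patterns share the literal stem `/etc`, so which label a file such as `/etc/gdm/PreSession/Default` receives depends on the matcher's ordering rule rather than on an explicit choice; as far as I recall the later spec wins for equal stems, which would silently move these hooks from xsession_exec_t to xdm_unconfined_exec_t. Either drop the superseded `gdm(3)?` lines or make the patterns disjoint, and state in a comment which label the session hooks are meant to carry, since xdm_unconfined_exec_t content runs unconfined.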
+@@ -46,26 +77,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ # /tmp
+ #
+
+-/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.ICE-unix/.* -s <>
+-/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
+-/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.X11-unix/.* -s <>
++/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+
+ #
+ # /usr
+ #
+
++/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/s?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/s?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++
++/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
++/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
+ /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
+ /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
+ /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
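Review bot: `/usr/s?bin/lightdm*` on the added line is a regex, not a glob: the trailing `*` applies only to the final `m`, so it matches `lightd`, `lightdm`, `lightdmm`, ... and nothing like `lightdm-session`. If only the daemon binary is meant, write `/usr/s?bin/lightdm --`; if helper binaries are meant too, `/usr/s?bin/lightdm.* --` (the `razor-lightdm-.*` line further down already uses the `.*` form). The same hunk drops the `/tmp/\.X11-unix` and `/tmp/\.ICE-unix` specs without a replacement in this file; if those sockets are now expected to take a user tmp label, a comment at the removal site would save the next reader a search.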
+@@ -92,18 +128,32 @@ ifndef(`distro_debian',`
+
+ /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/lightdm-data(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
++/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
++
++/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+
+-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/mdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+ /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++
++/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+
+ /var/run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+@@ -111,7 +161,18 @@ ifndef(`distro_debian',`
+ /var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++
++/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
++/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
++/var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+ ifdef(`distro_suse',`
+ /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ ')
++
++/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++
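Review bot: `/var/lib/pqsql/\.xauth.*` and `/var/lib/pqsql/\.Xauthority.*` look like a typo for `pgsql`, the usual PostgreSQL home directory; unless a `pqsql` directory really exists, these two specs never match anything and the intended files keep their parent label. Also `/var/run/video.rom` has an unescaped `.` while every other spec in this file escapes literal dots (`/var/run/xdm\.pid`); `video\.rom` would be consistent. The trailing blank line added at the end of the file is a nit.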
+diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
+index 6bf0ecc..b036584 100644
+--- a/policy/modules/services/xserver.if
++++ b/policy/modules/services/xserver.if
+@@ -18,100 +18,36 @@
+ #
+ interface(`xserver_restricted_role',`
+ gen_require(`
+- type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
+- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+- type iceauth_t, iceauth_exec_t, iceauth_home_t;
+- type xauth_t, xauth_exec_t, xauth_home_t;
++ type xauth_t, iceauth_t;
++ attribute dridomain, x_userdomain;
+ ')
+
+- role $1 types { xserver_t xauth_t iceauth_t };
+-
+- # Xserver read/write client shm
+- allow xserver_t $2:fd use;
+- allow xserver_t $2:shm rw_shm_perms;
+-
+- allow xserver_t $2:process signal;
+-
+- allow xserver_t $2:shm rw_shm_perms;
+-
+- allow $2 user_fonts_t:dir list_dir_perms;
+- allow $2 user_fonts_t:file read_file_perms;
+-
+- allow $2 user_fonts_config_t:dir list_dir_perms;
+- allow $2 user_fonts_config_t:file read_file_perms;
+-
+- manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+-
+- stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+- files_search_tmp($2)
+-
+- # Communicate via System V shared memory.
+- allow $2 xserver_t:shm r_shm_perms;
+- allow $2 xserver_tmpfs_t:file read_file_perms;
+-
+- # allow ps to show iceauth
+- ps_process_pattern($2, iceauth_t)
+-
+- domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+-
+- allow $2 iceauth_home_t:file read_file_perms;
+-
+- domtrans_pattern($2, xauth_exec_t, xauth_t)
+-
+- allow $2 xauth_t:process signal;
+-
+- # allow ps to show xauth
+- ps_process_pattern($2, xauth_t)
+- allow $2 xserver_t:process signal;
+-
+- allow $2 xauth_home_t:file read_file_perms;
+-
+- # for when /tmp/.X11-unix is created by the system
+- allow $2 xdm_t:fd use;
+- allow $2 xdm_t:fifo_file { getattr read write ioctl };
+- allow $2 xdm_tmp_t:dir search;
+- allow $2 xdm_tmp_t:sock_file { read write };
+- dontaudit $2 xdm_t:tcp_socket { read write };
+-
+- # Client read xserver shm
+- allow $2 xserver_t:fd use;
+- allow $2 xserver_tmpfs_t:file read_file_perms;
+-
+- # Read /tmp/.X0-lock
+- allow $2 xserver_tmp_t:file { getattr read };
+-
+- dev_rw_xserver_misc($2)
+- dev_rw_power_management($2)
+- dev_read_input($2)
+- dev_read_misc($2)
+- dev_write_misc($2)
+- # open office is looking for the following
+- dev_getattr_agp_dev($2)
+- dev_dontaudit_rw_dri($2)
+- # GNOME checks for usb and other devices:
+- dev_rw_usbfs($2)
+-
+- miscfiles_read_fonts($2)
++ role $1 types { xauth_t iceauth_t };
++ typeattribute $2 x_userdomain, dridomain;
+
+- xserver_common_x_domain_template(user, $2)
+- xserver_domtrans($2)
+- xserver_unconfined($2)
+- xserver_xsession_entry_type($2)
+- xserver_dontaudit_write_log($2)
++ xserver_common_x_domain_template(user,$2)
+ xserver_stream_connect_xdm($2)
+- # certain apps want to read xdm.pid file
+- xserver_read_xdm_pid($2)
+- # gnome-session creates socket under /tmp/.ICE-unix/
+- xserver_create_xdm_tmp_sockets($2)
+- # Needed for escd, remove if we get escd policy
+- xserver_manage_xdm_tmp_files($2)
++ xserver_xdm_append_log($2)
+
+- # Client write xserver shm
+- tunable_policy(`allow_write_xshm',`
+- allow $2 xserver_t:shm rw_shm_perms;
+- allow $2 xserver_tmpfs_t:file rw_file_perms;
++ xserver_dri_domain($2)
++')
++
++########################################
++##
++## Domain wants to use direct io devices
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_dri_domain',`
++ gen_require(`
++ attribute dridomain;
+ ')
++
++ typeattribute $1 dridomain;
+ ')
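Review bot: `typeattribute $2 x_userdomain, dridomain;` already puts $2 in dridomain, so the later `xserver_dri_domain($2)` call in the same interface is redundant; keep one (the interface call if the intent is to go through the public API, in which case `dridomain` can also leave the gen_require). The new `xserver_dri_domain` summary reads "Domain wants to use direct io devices"; given the attribute name, "direct rendering (DRI) devices" is presumably what is meant. Note too that `xserver_restricted_role` no longer puts xserver_t in the role's type set, so a caller that used to start an X server through this interface loses that; if intended, a sentence in the interface description would help.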
+
+ ########################################
+@@ -143,13 +79,15 @@ interface(`xserver_role',`
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+
+ allow $2 iceauth_home_t:file manage_file_perms;
+- allow $2 iceauth_home_t:file { relabelfrom relabelto };
++ allow $2 iceauth_home_t:file relabel_file_perms;
+
+ allow $2 xauth_home_t:file manage_file_perms;
+- allow $2 xauth_home_t:file { relabelfrom relabelto };
++ allow $2 xauth_home_t:file relabel_file_perms;
+
++ mls_xwin_read_to_clearance($2)
+ manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
+ manage_files_pattern($2, user_fonts_t, user_fonts_t)
++ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
+ relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
+ relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+
+@@ -162,7 +100,6 @@ interface(`xserver_role',`
+ manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+-
+ ')
+
+ #######################################
+@@ -197,7 +134,7 @@ interface(`xserver_ro_session',`
+ allow $1 xserver_t:process signal;
+
+ # Read /tmp/.X0-lock
+- allow $1 xserver_tmp_t:file { getattr read };
++ allow $1 xserver_tmp_t:file read_file_perms;
+
+ # Client read xserver shm
+ allow $1 xserver_t:fd use;
+@@ -227,7 +164,7 @@ interface(`xserver_rw_session',`
+ type xserver_t, xserver_tmpfs_t;
+ ')
+
+- xserver_ro_session($1,$2)
++ xserver_ro_session($1, $2)
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
+ ')
+@@ -255,7 +192,7 @@ interface(`xserver_non_drawing_client',`
+
+ allow $1 self:x_gc { create setattr };
+
+- allow $1 xdm_var_run_t:dir search;
++ allow $1 xdm_var_run_t:dir search_dir_perms;
+ allow $1 xserver_t:unix_stream_socket connectto;
+
+ allow $1 xextension_t:x_extension { query use };
+@@ -282,7 +219,7 @@ interface(`xserver_non_drawing_client',`
+ interface(`xserver_user_client',`
+ refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
++ type xdm_t;
+ type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ ')
+
+@@ -291,14 +228,14 @@ interface(`xserver_user_client',`
+ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
+
+ # Read .Xauthority file
+- allow $1 xauth_home_t:file { getattr read };
+- allow $1 iceauth_home_t:file { getattr read };
++ allow $1 xauth_home_t:file read_file_perms;
++ allow $1 iceauth_home_t:file read_file_perms;
+
+ # for when /tmp/.X11-unix is created by the system
+ allow $1 xdm_t:fd use;
+- allow $1 xdm_t:fifo_file { getattr read write ioctl };
+- allow $1 xdm_tmp_t:dir search;
+- allow $1 xdm_tmp_t:sock_file { read write };
++ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
++ userdom_search_user_tmp_dirs($1)
++ userdom_rw_user_tmp_sock_files($1)
+ dontaudit $1 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
+@@ -316,7 +253,7 @@ interface(`xserver_user_client',`
+ xserver_read_xdm_tmp_files($1)
+
+ # Client write xserver shm
+- tunable_policy(`allow_write_xshm',`
++ tunable_policy(`xserver_clients_write_xshm',`
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
+ ')
+@@ -342,19 +279,23 @@ interface(`xserver_user_client',`
+ #
+ template(`xserver_common_x_domain_template',`
+ gen_require(`
+- type root_xdrawable_t;
++ type root_xdrawable_t, xdm_t, xserver_t;
+ type xproperty_t, $1_xproperty_t;
+ type xevent_t, client_xevent_t;
+ type input_xevent_t, $1_input_xevent_t;
+
+- attribute x_domain;
++ attribute x_domain, input_xevent_type;
+ attribute xdrawable_type, xcolormap_type;
+- attribute input_xevent_type;
+
+ class x_drawable all_x_drawable_perms;
+ class x_property all_x_property_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
++ class x_client destroy;
++ class x_server manage;
++ class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor };
++ class x_pointer { get_property set_property manage };
++ class x_keyboard { read manage freeze };
+ ')
+
+ ##############################
+@@ -383,9 +324,18 @@ template(`xserver_common_x_domain_template',`
+ allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
+ # can receive default events
+ allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
+- allow $2 xevent_t:{ x_event x_synthetic_event } receive;
++ allow $2 xevent_t:{ x_event x_synthetic_event } { send receive };
+ # dont audit send failures
+ dontaudit $2 input_xevent_type:x_event send;
++
++ allow $2 xdm_t:x_drawable { hide read add_child manage };
++ allow $2 xdm_t:x_client destroy;
++
++ allow $2 root_xdrawable_t:x_drawable write;
++ allow $2 xserver_t:x_server manage;
++ allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show };
++ allow $2 xserver_t:x_pointer { get_property set_property manage };
++ allow $2 xserver_t:x_keyboard { read manage freeze };
+ ')
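Review bot: The added `allow $2 xserver_t:x_keyboard { read manage freeze };`, `x_pointer { get_property set_property manage }`, `x_server manage` and `xdm_t:x_client destroy` lines grant every domain instantiated through `xserver_common_x_domain_template` the ability to read keyboard input, manage input devices and destroy the display manager's client, which is most of what the XACE object classes exist to restrict. If this is needed for ordinary desktop sessions, it should at least be commented with the denials it resolves, and ideally sit behind a tunable so locked-down systems can keep the previous posture. `allow $2 root_xdrawable_t:x_drawable write;` is similarly broad for all clients. The template begins before this hunk.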
+
+ #######################################
+@@ -444,8 +394,9 @@ template(`xserver_object_types_template',`
+ #
+ template(`xserver_user_x_domain_template',`
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
+- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
++ type xdm_t, xserver_tmpfs_t;
++ type xdm_home_t;
++ type xauth_home_t, iceauth_home_t, xserver_t;
+ ')
+
+ allow $2 self:shm create_shm_perms;
+@@ -456,11 +407,13 @@ template(`xserver_user_x_domain_template',`
+ allow $2 xauth_home_t:file read_file_perms;
+ allow $2 iceauth_home_t:file read_file_perms;
+
++ xserver_filetrans_home_content($2)
++
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+- allow $2 xdm_t:fifo_file { getattr read write ioctl };
+- allow $2 xdm_tmp_t:dir search_dir_perms;
+- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
++ userdom_search_user_tmp_dirs($2)
++ userdom_rw_user_tmp_sock_files($2)
+ dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
+@@ -472,20 +425,26 @@ template(`xserver_user_x_domain_template',`
+ # for .xsession-errors
+ userdom_dontaudit_write_user_home_content_files($2)
+
+- xserver_ro_session($2,$3)
++ xserver_ro_session($2, $3)
+ xserver_use_user_fonts($2)
+
+- xserver_read_xdm_tmp_files($2)
++ userdom_read_user_tmp_files($2)
++ xserver_read_xdm_pid($2)
++ xserver_xdm_append_log($2)
+
+ # X object manager
+ xserver_object_types_template($1)
+- xserver_common_x_domain_template($1,$2)
++ xserver_common_x_domain_template($1, $2)
+
+ # Client write xserver shm
+- tunable_policy(`allow_write_xshm',`
++ tunable_policy(`xserver_clients_write_xshm',`
+ allow $2 xserver_t:shm rw_shm_perms;
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+ ')
++
++ tunable_policy(`selinuxuser_direct_dri_enabled',`
++ dev_rw_dri($2)
++ ')
+ ')
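Review bot: Renaming the tunable from `allow_write_xshm` to `xserver_clients_write_xshm` (here and in the `xserver_user_client` hunk above) drops the old name with no compatibility mapping, so existing `setsebool allow_write_xshm` settings and local modules that reference the old boolean stop working on upgrade. If the distribution's libselinux supports `booleans.subs_dist`, add an entry mapping the old name to the new one, and mention the rename in the changelog. The new `selinuxuser_direct_dri_enabled` block would benefit from a one-line comment on why direct `/dev/dri` access is made tunable here. The template begins before this hunk.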
+
+ ########################################
+@@ -517,6 +476,7 @@ interface(`xserver_use_user_fonts',`
+ # Read per user fonts
+ allow $1 user_fonts_t:dir list_dir_perms;
+ allow $1 user_fonts_t:file read_file_perms;
++ allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
+
+ # Manipulate the global font cache
+ manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+@@ -547,6 +507,42 @@ interface(`xserver_domtrans_xauth',`
+ domtrans_pattern($1, xauth_exec_t, xauth_t)
+ ')
+
++######################################
++##
++## Allow exec of Xauthority program..
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`xserver_exec_xauth',`
++ gen_require(`
++ type xauth_t, xauth_exec_t;
++ ')
++
++ can_exec($1, xauth_exec_t)
++')
++
++########################################
++##
++## Dontaudit exec of Xauthority program.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_exec_xauth',`
++ gen_require(`
++ type xauth_exec_t;
++ ')
++
++ dontaudit $1 xauth_exec_t:file execute;
++')
++
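Review bot: `xserver_exec_xauth` requires `type xauth_t, xauth_exec_t;` but its body only uses xauth_exec_t, so `xauth_t` should be dropped from the gen_require (an unused require still makes the interface fail to load if the type disappears, and the refpolicy lint flags it). The summary "Allow exec of Xauthority program.." has a doubled period and names the file rather than the program; `## Execute the xauth program in the caller's domain.` describes what `can_exec` does. The sibling `xserver_dontaudit_exec_xauth` is fine.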
+ ########################################
+ ##
+ ## Create a Xauthority file in the user home directory.
+@@ -567,6 +563,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
+
+ ########################################
+ ##
++## Create a Xauthority file in the admin home directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_admin_home_dir_filetrans_xauth',`
++ gen_require(`
++ type xauth_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file)
++')
++
++########################################
++##
+ ## Read all users fonts, user font configurations,
+ ## and manage all users font caches.
+ ##
+@@ -598,6 +612,25 @@ interface(`xserver_read_user_xauth',`
+
+ allow $1 xauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
++ xserver_read_xdm_pid($1)
++')
++
++########################################
++##
++## Manage all users .Xauthority.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_manage_user_xauth',`
++ gen_require(`
++ type xauth_home_t;
++ ')
++
++ allow $1 xauth_home_t:file manage_file_perms;
+ ')
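Review bot: `xserver_read_user_xauth` now also calls `xserver_read_xdm_pid($1)`, so a caller asking only to read `.Xauthority` files silently gains read access to xdm_var_run_t, which is outside what the interface name and its description promise. Either move the call to the callers that need it or document it in the interface summary. The new `xserver_manage_user_xauth` grants manage on xauth_home_t without the `userdom_search_user_home_dirs($1)` that the read interface has, which looks asymmetric unless callers are expected to provide the search themselves. The `xserver_read_user_xauth` definition begins before this hunk.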
+
+ ########################################
+@@ -615,7 +648,7 @@ interface(`xserver_setattr_console_pipes',`
+ type xconsole_device_t;
+ ')
+
+- allow $1 xconsole_device_t:fifo_file setattr;
++ allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -638,6 +671,25 @@ interface(`xserver_rw_console',`
+
+ ########################################
+ ##
++## Read XDM state files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_state_xdm',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, xdm_t)
++')
++
++########################################
++##
+ ## Use file descriptors for xdm.
+ ##
+ ##
+@@ -651,7 +703,7 @@ interface(`xserver_use_xdm_fds',`
+ type xdm_t;
+ ')
+
+- allow $1 xdm_t:fd use;
++ allow $1 xdm_t:fd use;
+ ')
+
+ ########################################
+@@ -670,7 +722,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+ type xdm_t;
+ ')
+
+- dontaudit $1 xdm_t:fd use;
++ dontaudit $1 xdm_t:fd use;
+ ')
+
+ ########################################
+@@ -688,7 +740,7 @@ interface(`xserver_rw_xdm_pipes',`
+ type xdm_t;
+ ')
+
+- allow $1 xdm_t:fifo_file { getattr read write };
++ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -703,12 +755,11 @@ interface(`xserver_rw_xdm_pipes',`
+ ##
+ #
+ interface(`xserver_dontaudit_rw_xdm_pipes',`
+-
+ gen_require(`
+ type xdm_t;
+ ')
+
+- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -765,11 +816,92 @@ interface(`xserver_manage_xdm_spool_files',`
+ #
+ interface(`xserver_stream_connect_xdm',`
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
++ type xdm_t, xdm_var_run_t;
+ ')
+
+ files_search_tmp($1)
+- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
++ files_search_pids($1)
++ stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)
++ userdom_stream_connect($1)
++')
++
++########################################
++##
++## Allow domain to append XDM unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++
++interface(`xserver_append_xdm_stream_socket',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ allow $1 xdm_t:unix_stream_socket append;
++')
++
++########################################
++##
++## Read XDM files in user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_xdm_home_files',`
++ gen_require(`
++ type xdm_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 xdm_home_t:file read_file_perms;
++')
++
++########################################
++##
++## Read xserver configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_config',`
++ gen_require(`
++ type xserver_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, xserver_etc_t, xserver_etc_t)
++ read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
++')
++
++########################################
++##
++## Manage xserver configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_manage_config',`
++ gen_require(`
++ type xserver_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern($1, xserver_etc_t, xserver_etc_t)
++ manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
+ ')
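Review bot: `stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)` wraps a single type in braces on both arguments, which is legal but unlike the rest of this file; `stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)` reads the same. In `xserver_append_xdm_stream_socket` there is a blank line between the trailing `#` of the doc comment and `interface(`, unlike every other interface in the hunk; drop it so the documentation block sits directly on the interface as elsewhere. `xserver_stream_connect_xdm` also now calls `userdom_stream_connect($1)`, which is broader than the interface name suggests and deserves a comment. The `xserver_stream_connect_xdm` definition begins before this hunk.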
+
+ ########################################
+@@ -793,6 +925,21 @@ interface(`xserver_read_xdm_rw_config',`
+
+ ########################################
+ ##
++## Search XDM temporary directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_search_xdm_tmp_dirs',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.')
++ userdom_search_user_tmp_dirs($1)
++')
++
++########################################
++##
+ ## Set the attributes of XDM temporary directories.
+ ##
+ ##
+@@ -802,11 +949,23 @@ interface(`xserver_read_xdm_rw_config',`
+ ##
+ #
+ interface(`xserver_setattr_xdm_tmp_dirs',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
++ userdom_dontaudit_setattr_user_tmp($1)
++')
+
+- allow $1 xdm_tmp_t:dir setattr;
++########################################
++##
++## Dont audit attempts to set the attributes of XDM temporary directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_xdm_tmp_dirs',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
++ userdom_dontaudit_setattr_user_tmp($1)
+ ')
+
+ ########################################
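Review bot: The deprecation shim in `xserver_setattr_xdm_tmp_dirs` silently turns an allow into a dontaudit: the removed body granted `allow $1 xdm_tmp_t:dir setattr;`, the new body calls `userdom_dontaudit_setattr_user_tmp($1)`, so existing callers lose the setattr permission and the resulting denials are hidden from the audit log at the same time. If setattr is meant to be dropped, the refpolicywarn text should say so instead of pointing callers at a dontaudit replacement; if it is still needed, forward to the userdom allow interface for setattr on user tmp dirs (name to be confirmed against userdomain.if). The new `xserver_dontaudit_xdm_tmp_dirs` directly below has a byte-identical body, so one of the two is redundant and the surviving one's description should name what it silences.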
+@@ -821,13 +980,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+ ##
+ #
+ interface(`xserver_create_xdm_tmp_sockets',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- files_search_tmp($1)
+- allow $1 xdm_tmp_t:dir list_dir_perms;
+- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.')
++ userdom_create_user_tmp_sockets($1)
+ ')
+
+ ########################################
+@@ -846,7 +1000,26 @@ interface(`xserver_read_xdm_pid',`
+ ')
+
+ files_search_pids($1)
+- allow $1 xdm_var_run_t:file read_file_perms;
++ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
++')
++
++######################################
++##
++## Dontaudit Read XDM pid files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_read_xdm_pid',`
++ gen_require(`
++ type xdm_var_run_t;
++ ')
++
++ dontaudit $1 xdm_var_run_t:dir search_dir_perms;
++ dontaudit $1 xdm_var_run_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -864,7 +1037,26 @@ interface(`xserver_read_xdm_lib_files',`
+ type xdm_var_lib_t;
+ ')
+
+- allow $1 xdm_var_lib_t:file read_file_perms;
++ read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
++ read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
++')
++
++########################################
++##
++## Read inherited XDM var lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_inherited_xdm_lib_files',`
++ gen_require(`
++ type xdm_var_lib_t;
++ ')
++
++ allow $1 xdm_var_lib_t:file read_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -938,17 +1130,36 @@ interface(`xserver_getattr_log',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 xserver_log_t:file getattr;
++ allow $1 xserver_log_t:file getattr_file_perms;
+ ')
+
+-########################################
++#######################################
+ ##
+-## Do not audit attempts to write the X server
+-## log files.
++## Allow domain to read X server logs.
+ ##
+ ##
+-##
+-## Domain to not audit.
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_log',`
++ gen_require(`
++ type xserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 xserver_log_t:file read_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to write the X server
++## log files.
++##
++##
++##
++## Domain to not audit.
+ ##
+ ##
+ #
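Review bot: The separator inserted above `xserver_read_log` is one `#` shorter than the 40-character rule used by every other interface header in this file; the same shortened separator appears before `xserver_dontaudit_stream_connect`, `xserver_xdm_search_spool`, `xserver_xdm_read_spool` and `xserver_filetrans_fonts_cache_home_content` in the later hunks. Restoring the full-width separator keeps the headers greppable and consistent. The `getattr` to `getattr_file_perms` change in `xserver_getattr_log` is fine.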
+@@ -957,7 +1168,7 @@ interface(`xserver_dontaudit_write_log',`
+ type xserver_log_t;
+ ')
+
+- dontaudit $1 xserver_log_t:file { append write };
++ dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
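Review bot: `dontaudit $1 xserver_log_t:file rw_inherited_file_perms;` in `xserver_dontaudit_write_log` now also suppresses read denials, which neither the interface name nor its description ("attempts to write the X server log files") covers, so a caller that only wants write noise silenced also loses audit visibility of reads of the X server log. If the wider set is intended, update the description to say read and write; otherwise keep the write side only, presumably `dontaudit $1 xserver_log_t:file { getattr ioctl lock append write };`.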
+@@ -1004,7 +1215,7 @@ interface(`xserver_read_xkb_libs',`
+
+ ########################################
+ ##
+-## Read xdm temporary files.
++## Manage X keyboard extension libraries.
+ ##
+ ##
+ ##
+@@ -1012,51 +1223,117 @@ interface(`xserver_read_xkb_libs',`
+ ##
+ ##
+ #
+-interface(`xserver_read_xdm_tmp_files',`
++interface(`xserver_manage_xkb_libs',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xkb_var_lib_t;
+ ')
+
+- files_search_tmp($1)
+- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ files_search_var_lib($1)
++ allow $1 xkb_var_lib_t:dir list_dir_perms;
++ manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read xdm temporary files.
++## dontaudit access checks X keyboard extension libraries.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`xserver_dontaudit_read_xdm_tmp_files',`
++interface(`xserver_dontaudit_xkb_libs_access',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xkb_var_lib_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+- dontaudit $1 xdm_tmp_t:file read_file_perms;
++ dontaudit $1 xkb_var_lib_t:dir audit_access;
++ dontaudit $1 xkb_var_lib_t:file audit_access;
+ ')
+
+ ########################################
+ ##
+-## Read write xdm temporary files.
++## Read xdm config files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit
+ ##
+ ##
+ #
+-interface(`xserver_rw_xdm_tmp_files',`
++interface(`xserver_read_xdm_etc_files',`
++ gen_require(`
++ type xdm_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
++ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
++')
++
++########################################
++##
++## Manage xdm config files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_manage_xdm_etc_files',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xdm_etc_t;
+ ')
+
+- allow $1 xdm_tmp_t:dir search_dir_perms;
+- allow $1 xdm_tmp_t:file rw_file_perms;
++ files_search_etc($1)
++ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
++')
++
++########################################
++##
++## Read xdm temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_xdm_tmp_files',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.')
++ userdom_read_user_tmpfs_files($1)
++')
++
++########################################
++##
++## Do not audit attempts to read xdm temporary files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_read_xdm_tmp_files',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.')
++ userdom_dontaudit_read_user_tmp_files($1)
++')
++
++########################################
++##
++## Read write xdm temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_rw_xdm_tmp_files',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.')
++ userdom_rw_user_tmpfs_files($1)
+ ')
+
+ ########################################
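Review bot: The deprecation shims for the removed xdm_tmp_t interfaces forward to different replacement types: `xserver_read_xdm_tmp_files` and `xserver_rw_xdm_tmp_files` call the tmpfs variants (`userdom_read_user_tmpfs_files`, `userdom_rw_user_tmpfs_files`) while `xserver_dontaudit_read_xdm_tmp_files` calls `userdom_dontaudit_read_user_tmp_files`, so the allow and its dontaudit counterpart no longer cover the same objects. The old rules were on xdm_tmp_t, a files_tmp_file type, so the tmp variants look like the matching replacement; confirm against userdomain.if and align the three. Separately, the parameter descriptions are swapped in this hunk: `xserver_dontaudit_xkb_libs_access` says "Domain allowed access" while the allow interfaces `xserver_read_xdm_etc_files` and `xserver_manage_xdm_etc_files` say "Domain to not audit".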
+@@ -1070,11 +1347,38 @@ interface(`xserver_rw_xdm_tmp_files',`
+ ##
+ #
+ interface(`xserver_manage_xdm_tmp_files',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
++ refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.')
++ userdom_manage_user_tmp_files($1)
++')
++
++########################################
++##
++## Create, read, write, and delete xdm temporary dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_relabel_xdm_tmp_dirs',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.')
++ userdom_relabel_user_tmp_dirs($1)
++')
+
+- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++########################################
++##
++## Create, read, write, and delete xdm temporary dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_manage_xdm_tmp_dirs',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.')
++ userdom_manage_user_tmp_dirs($1)
+ ')
+
+ ########################################
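Review bot: The description of `xserver_relabel_xdm_tmp_dirs` reads "Create, read, write, and delete xdm temporary dirs", which is the text of `xserver_manage_xdm_tmp_dirs` directly below it; it should describe what the shim forwards to, e.g. `## Relabel xdm temporary dirs.` Both are deprecated forwarders, so the description is the only thing that tells a reader of the generated interface documentation what each one grants.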
+@@ -1089,11 +1393,8 @@ interface(`xserver_manage_xdm_tmp_files',`
+ ##
+ #
+ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- dontaudit $1 xdm_tmp_t:sock_file getattr;
++ refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.')
++ usedom_dontaudit_user_getattr_tmp_sockets($1)
+ ')
+
+ ########################################
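Review bot: `usedom_dontaudit_user_getattr_tmp_sockets($1)` in `xserver_dontaudit_getattr_xdm_tmp_sockets` is misspelled: every other forwarder in this file uses the `userdom_` prefix, and an undefined macro name is passed through m4 unexpanded, which breaks the policy build for any module that calls this interface. The refpolicywarn string on the line above carries the same typo. Presumably both should read `userdom_dontaudit_user_getattr_tmp_sockets` (confirm that interface exists in userdomain.if).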
+@@ -1111,8 +1412,10 @@ interface(`xserver_domtrans',`
+ type xserver_t, xserver_exec_t;
+ ')
+
+- allow $1 xserver_t:process siginh;
++ allow $1 xserver_t:process siginh;
+ domtrans_pattern($1, xserver_exec_t, xserver_t)
++
++ allow xserver_t $1:process getpgid;
+ ')
+
+ ########################################
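Review bot: `allow xserver_t $1:process getpgid;` grants the X server a permission on the calling domain, which callers of `xserver_domtrans` would not expect from an interface whose contract is a domain transition into xserver_t; a one-line comment such as `# xserver_t reads the caller's process group id (reason to be confirmed)` would record why it is here, and the interface header (outside the hunk) should mention the reverse rule. The replaced `siginh` line differs only in whitespace and could be left out of the change.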
+@@ -1210,6 +1513,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+
+ ########################################
+ ##
++## Do not audit attempts to read and write xdm
++## unix domain stream sockets.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_xdm_rw_stream_sockets',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write };
++')
++
++########################################
++##
+ ## Connect to the X server over a unix domain
+ ## stream socket.
+ ##
+@@ -1226,6 +1548,26 @@ interface(`xserver_stream_connect',`
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
++ allow xserver_t $1:shm rw_shm_perms;
++')
++
++######################################
++##
++## Dontaudit attempts to connect to xserver
++## over a unix stream socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_stream_connect',`
++ gen_require(`
++ type xserver_t, xserver_tmp_t;
++ ')
++
++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ ')
+
+ ########################################
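Review bot: `xserver_dontaudit_stream_connect` does not dontaudit anything: `stream_connect_pattern` expands to allow rules, so a caller that only wants the connect denials silenced is instead granted the connection to the X server socket. The body should be the dontaudit form of the pattern: `dontaudit $1 xserver_tmp_t:dir search_dir_perms;`, `dontaudit $1 xserver_tmp_t:sock_file write_sock_file_perms;`, `dontaudit $1 xserver_t:unix_stream_socket connectto;`. In `xserver_stream_connect`, the added `allow xserver_t $1:shm rw_shm_perms;` gives the server read/write on every connecting client's SysV shared memory unconditionally, which goes beyond the interface's name and is not gated by the `xserver_clients_write_xshm` tunable introduced in xserver.te, so the interface header (outside the hunk) should state it. Both interfaces also require `xserver_tmp_t`, whose `type xserver_tmp_t;` declaration the xserver.te hunk at `@@ -194,15 +252,13 @@` removes; unless it is redeclared elsewhere in the commit, these gen_require blocks will fail at build time.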
+@@ -1251,7 +1593,7 @@ interface(`xserver_read_tmp_files',`
+ ##
+ ## Interface to provide X object permissions on a given X server to
+ ## an X client domain. Gives the domain permission to read the
+-## virtual core keyboard and virtual core pointer devices.
++## virtual core keyboard and virtual core pointer devices.
+ ##
+ ##
+ ##
+@@ -1261,13 +1603,27 @@ interface(`xserver_read_tmp_files',`
+ #
+ interface(`xserver_manage_core_devices',`
+ gen_require(`
+- type xserver_t;
++ type xserver_t, root_xdrawable_t, xevent_t;
+ class x_device all_x_device_perms;
+ class x_pointer all_x_pointer_perms;
+ class x_keyboard all_x_keyboard_perms;
++ class x_screen all_x_screen_perms;
++ class x_drawable { manage };
++ attribute x_domain;
++ class x_drawable all_x_drawable_perms;
++ class x_resource all_x_resource_perms;
++ class x_synthetic_event all_x_synthetic_event_perms;
++ class x_cursor all_x_cursor_perms;
+ ')
+
+ allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
++ allow $1 xserver_t:{ x_screen } setattr;
++
++ allow $1 x_domain:x_cursor all_x_cursor_perms;
++ allow $1 x_domain:x_drawable all_x_drawable_perms;
++ allow $1 x_domain:x_resource all_x_resource_perms;
++ allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms;
++ allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms;
+ ')
+
+ ########################################
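Review bot: `xserver_manage_core_devices` now grants far more than its description ("read the virtual core keyboard and virtual core pointer devices", in the preceding whitespace-only hunk): `all_x_drawable_perms`, `all_x_resource_perms` and `all_x_cursor_perms` on every `x_domain` client, the same on `root_xdrawable_t`, and `all_x_synthetic_event_perms` on `xevent_t`, which together let the caller manipulate other clients' windows and synthesize input events across the whole session. The interface header should spell that scope out so that callers understand what they are requesting. The gen_require lists `class x_drawable` twice (`{ manage }` and `all_x_drawable_perms`), the first of which is redundant, and `allow $1 xserver_t:{ x_screen } setattr;` can drop the braces for consistency with the rules below it.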
+@@ -1284,10 +1640,660 @@ interface(`xserver_manage_core_devices',`
+ #
+ interface(`xserver_unconfined',`
+ gen_require(`
+- attribute x_domain;
+- attribute xserver_unconfined_type;
++ attribute x_domain, xserver_unconfined_type;
+ ')
+
+ typeattribute $1 x_domain;
+ typeattribute $1 xserver_unconfined_type;
+ ')
++
++########################################
++##
++## Dontaudit append to .xsession-errors file
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_dontaudit_append_xdm_home_files',`
++ gen_require(`
++ type xdm_home_t;
++ ')
++
++ dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_dontaudit_rw_nfs_files($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_dontaudit_rw_cifs_files($1)
++ ')
++')
++
++########################################
++##
++## append to .xsession-errors file
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_append_xdm_home_files',`
++ gen_require(`
++ type xdm_home_t, xserver_tmp_t;
++ ')
++
++ allow $1 xdm_home_t:file append_file_perms;
++ allow $1 xserver_tmp_t:file append_file_perms;
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_append_nfs_files($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_append_cifs_files($1)
++ ')
++')
++
++#######################################
++##
++## Allow search the xdm_spool files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_xdm_search_spool',`
++ gen_require(`
++ type xdm_spool_t;
++ ')
++
++ files_search_spool($1)
++ search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
++')
++
++######################################
++##
++## Allow read the xdm_spool files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_xdm_read_spool',`
++ gen_require(`
++ type xdm_spool_t;
++ ')
++
++ files_search_spool($1)
++ read_files_pattern($1, xdm_spool_t, xdm_spool_t)
++')
++
++########################################
++##
++## Manage the xdm_spool files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_xdm_manage_spool',`
++ gen_require(`
++ type xdm_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
++')
++
++########################################
++##
++## Send and receive messages from
++## xdm over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_dbus_chat_xdm',`
++ gen_require(`
++ type xdm_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 xdm_t:dbus send_msg;
++ allow xdm_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Send and receive messages from
++## xdm over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_dbus_chat',`
++ gen_require(`
++ type xserver_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 xserver_t:dbus send_msg;
++ allow xserver_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Read xserver files created in /var/run
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_pid',`
++ gen_require(`
++ type xserver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
++')
++
++########################################
++##
++## Execute xserver files created in /var/run
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_exec_pid',`
++ gen_require(`
++ type xserver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
++')
++
++########################################
++##
++## Write xserver files created in /var/run
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_write_pid',`
++ gen_require(`
++ type xserver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
++')
++
++########################################
++##
++## Allow append the xdm
++## log files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_xdm_append_log',`
++ gen_require(`
++ type xdm_log_t;
++ attribute xdmhomewriter;
++ ')
++
++ typeattribute $1 xdmhomewriter;
++ allow $1 xdm_log_t:file append_inherited_file_perms;
++')
++
++########################################
++##
++## Allow ioctl the xdm log files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_xdm_ioctl_log',`
++ gen_require(`
++ type xdm_log_t;
++ ')
++
++ allow $1 xdm_log_t:file ioctl;
++')
++
++########################################
++##
++## Allow append the xdm
++## tmp files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_append_xdm_tmp_files',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.')
++ userdom_append_user_tmp_files($1)
++')
++
++########################################
++##
++## Read a user Iceauthority domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_user_iceauth',`
++ gen_require(`
++ type iceauth_home_t;
++ ')
++
++ # Read .Iceauthority file
++ allow $1 iceauth_home_t:file read_file_perms;
++')
++
++########################################
++##
++## Read/write inherited user homedir fonts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_rw_inherited_user_fonts',`
++ gen_require(`
++ type user_fonts_t, user_fonts_config_t;
++ ')
++
++ allow $1 user_fonts_t:file rw_inherited_file_perms;
++ allow $1 user_fonts_t:file read_lnk_file_perms;
++
++ allow $1 user_fonts_config_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Search XDM var lib dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_search_xdm_lib',`
++ gen_require(`
++ type xdm_var_lib_t;
++ ')
++
++ allow $1 xdm_var_lib_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Make an X executable an entrypoint for the specified domain.
++##
++##
++##
++## The domain for which the shell is an entrypoint.
++##
++##
++#
++interface(`xserver_entry_type',`
++ gen_require(`
++ type xserver_exec_t;
++ ')
++
++ domain_entry_file($1, xserver_exec_t)
++')
++
++########################################
++##
++## Execute xsever in the xserver domain, and
++## allow the specified role the xserver domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the xserver domain.
++##
++##
++##
++#
++interface(`xserver_run',`
++ gen_require(`
++ type xserver_t;
++ ')
++
++ xserver_domtrans($1)
++ role $2 types xserver_t;
++')
++
++########################################
++##
++## Execute xsever in the xserver domain, and
++## allow the specified role the xserver domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the xserver domain.
++##
++##
++##
++#
++interface(`xserver_run_xauth',`
++ gen_require(`
++ type xauth_t;
++ ')
++
++ xserver_domtrans_xauth($1)
++ role $2 types xauth_t;
++')
++
++########################################
++##
++## Read user homedir fonts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`xserver_read_home_fonts',`
++ gen_require(`
++ type user_fonts_t, user_fonts_config_t;
++ ')
++
++ list_dirs_pattern($1, user_fonts_t, user_fonts_t)
++ read_files_pattern($1, user_fonts_t, user_fonts_t)
++ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
++
++ read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
++')
++
++########################################
++##
++## Manage user fonts dir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`xserver_manage_user_fonts_dir',`
++ gen_require(`
++ type user_fonts_t;
++ ')
++
++ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
++ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
++')
++
++########################################
++##
++## Manage user homedir fonts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`xserver_manage_home_fonts',`
++ gen_require(`
++ type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
++ ')
++
++ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
++ manage_files_pattern($1, user_fonts_t, user_fonts_t)
++ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
++
++ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
++
++# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d")
++# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
++# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++')
++
++#######################################
++##
++## Transition to xserver .fontconfig named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_filetrans_fonts_cache_home_content',`
++ gen_require(`
++ type user_fonts_cache_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++')
++
++########################################
++##
++## Transition to xserver named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_filetrans_home_content',`
++ gen_require(`
++ type xdm_home_t, xauth_home_t, iceauth_home_t;
++ type user_home_t, user_fonts_t, user_fonts_cache_t;
++ type user_fonts_config_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
++ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
++ optional_policy(`
++ gnome_data_filetrans($1, user_fonts_t, dir, "fonts")
++ ')
++ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++ filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
++ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
++')
++
++########################################
++##
++## Create xserver content in admin home
++## directory with a named file transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_filetrans_admin_home_content',`
++ gen_require(`
++ type xdm_home_t, xauth_home_t, iceauth_home_t;
++ type user_home_t, user_fonts_t, user_fonts_cache_t;
++ type user_fonts_config_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old")
++ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
++ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
++ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
++ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
++ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
++ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++
++ optional_policy(`
++ gnome_cache_filetrans($1, xdm_home_t, dir, "xdm")
++ ')
++')
++
++########################################
++##
++## Create objects in a xdm temporary directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`xserver_xdm_tmp_filetrans',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.')
++ userdom_user_tmp_filetrans($1,$2, $3, $4)
++')
++
++########################################
++##
++## Dontaudit search ssh home directory
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_search_log',`
++ gen_require(`
++ type xserver_log_t;
++ ')
++
++ dontaudit $1 xserver_log_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Manage keys for xdm.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_rw_xdm_keys',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ allow $1 xdm_t:key { read write setattr };
++')
++
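Review bot: `xserver_exec_pid` grants execute on `xserver_var_run_t`, a `files_pid_file` type that `xserver_write_pid` in the same hunk grants write on, so a domain given both interfaces can write and then execute content under /var/run; the header should name the consumer that needs execute there, and the interface should be reconsidered if none does. Several descriptions are copy-paste leftovers: `xserver_dontaudit_search_log` says "Dontaudit search ssh home directory", `xserver_dbus_chat` repeats the xdm text, `xserver_entry_type` refers to "the shell", and the allow interfaces `xserver_append_xdm_home_files`, `xserver_xdm_append_log`, `xserver_xdm_ioctl_log` and `xserver_append_xdm_tmp_files` describe their parameter as "Domain to not audit". `xserver_xdm_append_log` also adds the caller to the `xdmhomewriter` attribute, a side effect its description should mention. The three commented-out filetrans lines in `xserver_manage_home_fonts` should be removed rather than left as dead code, and `xserver_filetrans_home_content` / `xserver_filetrans_admin_home_content` require `user_home_t` without using it.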
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index 8b40377..635442b 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -26,28 +26,59 @@ gen_require(`
+ #
+
+ ##
+-##
+-## Allows clients to write to the X server shared
+-## memory segments.
+-##
++##
++## Allows clients to write to the X server shared
++## memory segments.
++##
++##
++gen_tunable(xserver_clients_write_xshm, false)
++
++##
++##
++## Allows XServer to execute writable memory
++##
+ ##
+-gen_tunable(allow_write_xshm, false)
++gen_tunable(xserver_execmem, false)
+
+ ##
+ ##
+-## Allow xdm logins as sysadm
++## Allow the graphical login program to execute bootloader
+ ##
+ ##
++gen_tunable(xdm_exec_bootloader, false)
++
++##
++##
++## Allow the graphical login program to login directly as sysadm_r:sysadm_t
++##
++##
+ gen_tunable(xdm_sysadm_login, false)
+
+ ##
+-##
+-## Support X userspace object manager
+-##
++##
++## Allow the graphical login program to create files in HOME dirs as xdm_home_t.
++##
++##
++gen_tunable(xdm_write_home, false)
++
++##
++##
++## Support X userspace object manager
++##
+ ##
+ gen_tunable(xserver_object_manager, false)
+
++##
++##
++## Allow regular users direct dri device access
++##
++##
++gen_tunable(selinuxuser_direct_dri_enabled, false)
++
++attribute xdmhomewriter;
++attribute x_userdomain;
+ attribute x_domain;
++attribute dridomain;
+
+ # X Events
+ attribute xevent_type;
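Review bot: Renaming `allow_write_xshm` to `xserver_clients_write_xshm` drops the old boolean name with no compatibility mapping visible in the commit, so any local policy module or `setsebool` configuration that references `allow_write_xshm` stops loading or applying; if the distribution ships a booleans.subs_dist file, the rename belongs there too. The `xserver_execmem` description should state what the relaxation costs (the X server may map memory both writable and executable), and `xdm_exec_bootloader` deserves a sentence on why a login manager needs to run the bootloader, since both are off-by-default hardening escapes that an administrator flipping them should be able to weigh. The three new attributes `xdmhomewriter`, `x_userdomain` and `dridomain` carry no comment on what membership means.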
+@@ -107,44 +138,54 @@ xserver_object_types_template(remote)
+ xserver_common_x_domain_template(remote, remote_t)
+
+ type user_fonts_t;
+-typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
++typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xfs_fonts_t };
+ typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
++typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
++typealias user_fonts_t alias xfs_tmp_t;
+ userdom_user_home_content(user_fonts_t)
++files_tmp_file(user_fonts_t)
+
+ type user_fonts_cache_t;
+ typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
+ typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
++typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };
+ userdom_user_home_content(user_fonts_cache_t)
+
+ type user_fonts_config_t;
+ typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
+ typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
++typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t };
+ userdom_user_home_content(user_fonts_config_t)
+
+ type iceauth_t;
+ type iceauth_exec_t;
+ typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
++typealias iceauth_t alias { xguest_iceauth_t };
+ typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
+ userdom_user_application_domain(iceauth_t, iceauth_exec_t)
+
+ type iceauth_home_t;
+ typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
+ typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
++typealias iceauth_home_t alias { xguest_iceauth_home_t };
+ userdom_user_home_content(iceauth_home_t)
+
+ type xauth_t;
+ type xauth_exec_t;
+ typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
+ typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
++typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t };
+ userdom_user_application_domain(xauth_t, xauth_exec_t)
+
+ type xauth_home_t;
+ typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
+ typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
++typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
+ userdom_user_home_content(xauth_home_t)
+
+ type xauth_tmp_t;
+ typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
++typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t };
+ typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
+ userdom_user_tmp_file(xauth_tmp_t)
+
+@@ -155,19 +196,28 @@ dev_associate(xconsole_device_t)
+ fs_associate_tmpfs(xconsole_device_t)
+ files_associate_tmp(xconsole_device_t)
+
+-type xdm_t;
++type xdm_unconfined_exec_t;
++application_executable_file(xdm_unconfined_exec_t)
++
++type xdm_t alias xdm_dbusd_t;
+ type xdm_exec_t;
+ auth_login_pgm_domain(xdm_t)
+ init_domain(xdm_t, xdm_exec_t)
+-init_daemon_domain(xdm_t, xdm_exec_t)
++init_system_domain(xdm_t, xdm_exec_t)
+ xserver_object_types_template(xdm)
+ xserver_common_x_domain_template(xdm, xdm_t)
+
+ type xdm_lock_t;
+ files_lock_file(xdm_lock_t)
+
++type xdm_etc_t;
++files_config_file(xdm_etc_t)
++
+ type xdm_rw_etc_t;
+-files_type(xdm_rw_etc_t)
++files_config_file(xdm_rw_etc_t)
++
++type xdm_spool_t;
++files_spool_file(xdm_spool_t)
+
+ type xdm_var_lib_t;
+ files_type(xdm_var_lib_t)
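Review bot: `type xdm_unconfined_exec_t;` is declared with only `application_executable_file()` and no comment; the name implies an entrypoint from the login manager into an unconfined domain, the most security-sensitive transition this module can carry, so the declaration should note which files are expected to carry the label and where the transition rule lives (both outside this hunk). The switch from `init_daemon_domain` to `init_system_domain` for `xdm_t` changes which init-side rules xdm receives and is not explained anywhere in the change; a one-line comment on the reason would help. `xdm_rw_etc_t` moving from `files_type` to `files_config_file` presumably makes it reachable by the generic config-file interfaces, which is fine if intended but worth the same note.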
+@@ -175,13 +225,21 @@ files_type(xdm_var_lib_t)
+ type xdm_var_run_t;
+ files_pid_file(xdm_var_run_t)
+
+-type xdm_tmp_t;
+-files_tmp_file(xdm_tmp_t)
+-typealias xdm_tmp_t alias ice_tmp_t;
++type xserver_var_lib_t;
++files_type(xserver_var_lib_t)
++
++type xserver_var_run_t;
++files_pid_file(xserver_var_run_t)
+
+ type xdm_tmpfs_t;
+ files_tmpfs_file(xdm_tmpfs_t)
+
++type xdm_home_t;
++userdom_user_home_content(xdm_home_t)
++
++type xdm_log_t;
++logging_log_file(xdm_log_t)
++
+ # type for /var/lib/xkb
+ type xkb_var_lib_t;
+ files_type(xkb_var_lib_t)
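Review bot: Deleting `type xdm_tmp_t;` together with its `typealias xdm_tmp_t alias ice_tmp_t;` (L24846–L24848) removes two type names without aliasing them to a successor, so file contexts on disk and any module still naming xdm_tmp_t or ice_tmp_t stop resolving — including the `xserver_rw_xdm_tmp_files(xauth_t)` call that survives at L25003, whose interface presumably still references xdm_tmp_t unless the .if file is patched outside this view. If xdm's tmp content now lives on the generic user tmp type, a `typealias user_tmp_t alias { xdm_tmp_t ice_tmp_t };` (or whichever type actually takes over) keeps existing labels and callers valid; otherwise the surviving interface call should be removed in the same change.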
+@@ -194,15 +252,13 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+ init_system_domain(xserver_t, xserver_exec_t)
+ ubac_constrained(xserver_t)
+
+-type xserver_tmp_t;
+-typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
+-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+-userdom_user_tmp_file(xserver_tmp_t)
++type xserver_etc_t;
++files_config_file(xserver_etc_t)
+
+ type xserver_tmpfs_t;
+-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
+-typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+-userdom_user_tmpfs_file(xserver_tmpfs_t)
++typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
++typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
++userdom_user_tmp_file(xserver_tmpfs_t)
+
+ type xsession_exec_t;
+ corecmd_executable_file(xsession_exec_t)
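Review bot: `type xserver_tmp_t;` and its aliases are deleted at L24871–L24874, yet xserver_tmp_t remains the target of rules added or kept later in this patch (`stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)` at L24958, the xdm_t rules at L25135–L25137 and L25150–L25153, the xserver_t rules at L25700–L25705). Unless the declaration was moved into a hunk outside this view, the module will fail on an undeclared type; if it was moved, a one-line comment near the first use would save the next reader the search. Separately, L24884 changes `userdom_user_tmpfs_file(xserver_tmpfs_t)` to `userdom_user_tmp_file(xserver_tmpfs_t)`, registering a tmpfs type as a tmp file type, which looks like a slip rather than an intended relabel.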
+@@ -226,21 +282,35 @@ optional_policy(`
+ #
+
+ allow iceauth_t iceauth_home_t:file manage_file_perms;
+-userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+
+ allow xdm_t iceauth_home_t:file read_file_perms;
+
++dev_read_rand(iceauth_t)
++
+ fs_search_auto_mountpoints(iceauth_t)
+
+-userdom_use_user_terminals(iceauth_t)
++userdom_use_inherited_user_terminals(iceauth_t)
+ userdom_read_user_tmp_files(iceauth_t)
++userdom_read_all_users_state(iceauth_t)
++userdom_home_manager(iceauth_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files(iceauth_t)
+-')
++xserver_filetrans_home_content(iceauth_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files(iceauth_t)
++ifdef(`hide_broken_symptoms',`
++ dev_dontaudit_read_urand(iceauth_t)
++ dev_dontaudit_rw_dri(iceauth_t)
++ dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
++ fs_dontaudit_list_inotifyfs(iceauth_t)
++ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
++ term_dontaudit_use_unallocated_ttys(iceauth_t)
++
++ userdom_dontaudit_read_user_home_content_files(iceauth_t)
++ userdom_dontaudit_write_user_home_content_files(iceauth_t)
++ userdom_dontaudit_write_user_tmp_files(iceauth_t)
++
++ optional_policy(`
++ mozilla_dontaudit_rw_user_home_files(iceauth_t)
++ ')
+ ')
+
+ ########################################
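Review bot: `userdom_home_manager(iceauth_t)` at L24904 replaces the two narrow, tunable-gated `fs_manage_nfs_files`/`fs_manage_cifs_files` grants with a blanket home-manager grant for a small cookie helper whose own needs are the `iceauth_home_t` file rules above it; presumably that interface reaches all user home content, which is a much larger footprint. If the intent is only to keep following the use_*_home_dirs tunables for ~/.ICEauthority, say so with a comment, e.g. `# home_manager: follow use_*_home_dirs tunables for the .ICEauthority file`, or keep the tunable blocks instead. The hide_broken_symptoms block at L24913–L24928 is fine as written since it holds only dontaudit rules.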
+@@ -248,48 +318,91 @@ tunable_policy(`use_samba_home_dirs',`
+ # Xauth local policy
+ #
+
++allow xauth_t self:capability dac_override;
+ allow xauth_t self:process signal;
++allow xauth_t self:shm create_shm_perms;
+ allow xauth_t self:unix_stream_socket create_stream_socket_perms;
++allow xauth_t self:unix_dgram_socket create_socket_perms;
++
++allow xauth_t xdm_t:process sigchld;
++allow xauth_t xserver_t:unix_stream_socket connectto;
++
++corenet_tcp_connect_xserver_port(xauth_t)
+
+ allow xauth_t xauth_home_t:file manage_file_perms;
+-userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
++
++manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
++manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
+
+ manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
+
+-allow xdm_t xauth_home_t:file manage_file_perms;
+-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
++stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+
++kernel_read_network_state(xauth_t)
++kernel_read_system_state(xauth_t)
+ kernel_request_load_module(xauth_t)
+
++dev_read_rand(xauth_t)
++dev_read_urand(xauth_t)
++
+ domain_use_interactive_fds(xauth_t)
++domain_dontaudit_leaks(xauth_t)
+
+ files_read_etc_files(xauth_t)
++files_read_usr_files(xauth_t)
+ files_search_pids(xauth_t)
++files_dontaudit_getattr_all_dirs(xauth_t)
++files_dontaudit_leaks(xauth_t)
++files_var_lib_filetrans(xauth_t, xauth_home_t, file)
+
+-fs_getattr_xattr_fs(xauth_t)
++fs_dontaudit_leaks(xauth_t)
++fs_getattr_all_fs(xauth_t)
+ fs_search_auto_mountpoints(xauth_t)
+
+-# cjp: why?
+-term_use_ptmx(xauth_t)
++# Probably a leak
++term_dontaudit_use_ptmx(xauth_t)
++term_dontaudit_use_console(xauth_t)
+
+ auth_use_nsswitch(xauth_t)
+
+-userdom_use_user_terminals(xauth_t)
++userdom_use_inherited_user_terminals(xauth_t)
+ userdom_read_user_tmp_files(xauth_t)
++userdom_read_all_users_state(xauth_t)
++userdom_search_user_home_dirs(xauth_t)
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth")
+
+ xserver_rw_xdm_tmp_files(xauth_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files(xauth_t)
++ifdef(`hide_broken_symptoms',`
++ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
++ fs_dontaudit_list_inotifyfs(xauth_t)
++ userdom_manage_user_home_content_files(xauth_t)
++ userdom_manage_user_tmp_files(xauth_t)
++ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
++ miscfiles_read_fonts(xauth_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files(xauth_t)
++userdom_home_manager(xauth_t)
++
++ifdef(`hide_broken_symptoms',`
++ term_dontaudit_use_unallocated_ttys(xauth_t)
++ dev_dontaudit_rw_dri(xauth_t)
++')
++
++optional_policy(`
++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
+ ')
+
+ optional_policy(`
++ ssh_use_ptys(xauth_t)
+ ssh_sigchld(xauth_t)
+ ssh_read_pipes(xauth_t)
+ ssh_dontaudit_rw_tcp_sockets(xauth_t)
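Review bot: The ifdef(hide_broken_symptoms) block at L25007–L25014 mixes allow rules with dontaudits: `userdom_manage_user_home_content_files(xauth_t)`, `userdom_manage_user_tmp_files(xauth_t)` and `miscfiles_read_fonts(xauth_t)` grant access, but hide_broken_symptoms is a build-time switch for silencing noise, so these grants appear or vanish depending on how the policy is built. Move the three grants out of the ifdef (next to `userdom_home_manager(xauth_t)` at L25018), or drop them if the home-manager grant already covers them, and fold the second ifdef(hide_broken_symptoms) block at L25020–L25023 into the first. `allow xauth_t self:capability dac_override;` at L24935 also deserves a one-line why-comment, since it lets the helper bypass DAC on any file it can otherwise reach (root-owned cookie files under xdm's run directory would be the usual reason, if that is it).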
+@@ -300,64 +413,103 @@ optional_policy(`
+ # XDM Local policy
+ #
+
+-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
++allow xdm_t self:capability2 { block_suspend };
++dontaudit xdm_t self:capability sys_admin;
++tunable_policy(`deny_ptrace',`',`
++ allow xdm_t self:process ptrace;
++')
++
++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate transition };
+ allow xdm_t self:fifo_file rw_fifo_file_perms;
+ allow xdm_t self:shm create_shm_perms;
+ allow xdm_t self:sem create_sem_perms;
+ allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+-allow xdm_t self:unix_dgram_socket create_socket_perms;
++allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow xdm_t self:tcp_socket create_stream_socket_perms;
+ allow xdm_t self:udp_socket create_socket_perms;
++allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow xdm_t self:netlink_selinux_socket create_socket_perms;
+ allow xdm_t self:socket create_socket_perms;
+ allow xdm_t self:appletalk_socket create_socket_perms;
+ allow xdm_t self:key { search link write };
++allow xdm_t self:dbus { send_msg acquire_svc };
++
++allow xdm_t xauth_home_t:file manage_file_perms;
++
++allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
++manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
++manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
++manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
++xserver_filetrans_home_content(xdm_t)
++xserver_filetrans_admin_home_content(xdm_t)
++
++#Handle mislabeled files in homedir
++userdom_delete_user_home_content_files(xdm_t)
++userdom_signull_unpriv_users(xdm_t)
++userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
+
+ # Allow gdm to run gdm-binary
+ can_exec(xdm_t, xdm_exec_t)
++can_exec(xdm_t, xsession_exec_t)
+
+ allow xdm_t xdm_lock_t:file manage_file_perms;
+ files_lock_filetrans(xdm_t, xdm_lock_t, file)
+
++read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
++read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
+ # wdm has its own config dir /etc/X11/wdm
+ # this is ugly, daemons should not create files under /etc!
+ manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
+
+-manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
++userdom_manage_all_user_tmp_content(xdm_t)
++userdom_exec_user_tmp_files(xdm_t)
+
+ manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++
++manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
++
++files_search_spool(xdm_t)
++manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
++manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
++files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
+
+ manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+ manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
++manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
++manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
++files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
++# Read machine-id
++files_read_var_lib_files(xdm_t)
+
+ manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+ manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
++manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+ manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+-files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
++manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
++files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
+
+-allow xdm_t xserver_t:process signal;
++allow xdm_t xserver_t:process { signal signull };
+ allow xdm_t xserver_t:unix_stream_socket connectto;
+
+ allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
+-allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
++allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
+
+ # transition to the xdm xserver
+ domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
++
++ps_process_pattern(xserver_t, xdm_t)
+ allow xserver_t xdm_t:process signal;
+ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+
+ allow xdm_t xserver_t:shm rw_shm_perms;
++read_files_pattern(xdm_t, xserver_t, xserver_t)
+
+ # connect to xdm xserver over stream socket
+ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
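Review bot: `userdom_exec_user_tmp_files(xdm_t)` at L25098 lets the display manager — which holds setuid, setgid and dac_override per L25040 — execute files in user-writable tmp locations, and `userdom_manage_all_user_tmp_content(xdm_t)` at L25097 widens the old xdm_tmp_t-only rules to every user's tmp content. Both need a why-comment naming the consumer, e.g. `# exec user tmp: TODO name the helper that needs this`, and the exec grant is a candidate for a tunable rather than an unconditional allow. The `sys_ptrace` and `net_admin` capabilities added at L25040 and the deny_ptrace-gated `self:process ptrace` at L25043–L25045 should likewise say what needs them, and `userdom_delete_user_home_content_files(xdm_t)` at L25076 is broad for "mislabeled files" — if it is a workaround, name the file it deletes.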
+@@ -366,20 +518,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+ delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+
++manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_lnk_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
++
+ manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
+ manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
++manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
+ manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
+-logging_log_filetrans(xdm_t, xserver_log_t, file)
++files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")
+
+ kernel_read_system_state(xdm_t)
++kernel_read_device_sysctls(xdm_t)
+ kernel_read_kernel_sysctls(xdm_t)
+ kernel_read_net_sysctls(xdm_t)
+ kernel_read_network_state(xdm_t)
++kernel_request_load_module(xdm_t)
++kernel_stream_connect(xdm_t)
+
+ corecmd_exec_shell(xdm_t)
+ corecmd_exec_bin(xdm_t)
++corecmd_dontaudit_access_all_executables(xdm_t)
+
+-corenet_all_recvfrom_unlabeled(xdm_t)
+ corenet_all_recvfrom_netlabel(xdm_t)
+ corenet_tcp_sendrecv_generic_if(xdm_t)
+ corenet_udp_sendrecv_generic_if(xdm_t)
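Review bot: `files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")` at L25166 replaces a transition under the log directory with a named transition directly under /var, so a `gdm` directory xdm creates anywhere var_t is labelled xserver_log_t, while files it creates in the log directory now fall to xdm_log_t via L25159. If /var/log/gdm is the intended target, `logging_log_filetrans(xdm_t, xserver_log_t, dir, "gdm")` is the narrower rule (assuming that interface takes the filename argument the way the userdom ones at L24996–L25001 do); otherwise add a comment naming the path this labels.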
+@@ -389,38 +551,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+ corenet_udp_sendrecv_all_ports(xdm_t)
+ corenet_tcp_bind_generic_node(xdm_t)
+ corenet_udp_bind_generic_node(xdm_t)
++corenet_udp_bind_ipp_port(xdm_t)
++corenet_udp_bind_xdmcp_port(xdm_t)
+ corenet_tcp_connect_all_ports(xdm_t)
+ corenet_sendrecv_all_client_packets(xdm_t)
+ # xdm tries to bind to biff_port_t
+ corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+
++dev_rwx_zero(xdm_t)
+ dev_read_rand(xdm_t)
+-dev_read_sysfs(xdm_t)
++dev_rw_sysfs(xdm_t)
+ dev_getattr_framebuffer_dev(xdm_t)
+ dev_setattr_framebuffer_dev(xdm_t)
+ dev_getattr_mouse_dev(xdm_t)
+ dev_setattr_mouse_dev(xdm_t)
+ dev_rw_apm_bios(xdm_t)
++dev_rw_input_dev(xdm_t)
+ dev_setattr_apm_bios_dev(xdm_t)
+ dev_rw_dri(xdm_t)
+ dev_rw_agp(xdm_t)
++dev_rw_wireless(xdm_t)
+ dev_getattr_xserver_misc_dev(xdm_t)
+ dev_setattr_xserver_misc_dev(xdm_t)
++dev_rw_xserver_misc(xdm_t)
+ dev_getattr_misc_dev(xdm_t)
+ dev_setattr_misc_dev(xdm_t)
+ dev_dontaudit_rw_misc(xdm_t)
+-dev_getattr_video_dev(xdm_t)
++dev_read_video_dev(xdm_t)
++dev_write_video_dev(xdm_t)
+ dev_setattr_video_dev(xdm_t)
+ dev_getattr_scanner_dev(xdm_t)
+ dev_setattr_scanner_dev(xdm_t)
+-dev_getattr_sound_dev(xdm_t)
+-dev_setattr_sound_dev(xdm_t)
++dev_read_sound(xdm_t)
++dev_write_sound(xdm_t)
+ dev_getattr_power_mgmt_dev(xdm_t)
+ dev_setattr_power_mgmt_dev(xdm_t)
++dev_getattr_null_dev(xdm_t)
++dev_setattr_null_dev(xdm_t)
+
+ domain_use_interactive_fds(xdm_t)
+ # Do not audit denied probes of /proc.
+ domain_dontaudit_read_all_domains_state(xdm_t)
++domain_dontaudit_signal_all_domains(xdm_t)
++domain_dontaudit_getattr_all_entry_files(xdm_t)
+
+ files_read_etc_files(xdm_t)
+ files_read_var_files(xdm_t)
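Review bot: `dev_rw_sysfs(xdm_t)` at L25198 upgrades read-only sysfs access to read/write, which reaches many kernel tunables, and `dev_rw_wireless(xdm_t)` at L25208 and `dev_rwx_zero(xdm_t)` at L25195 are similarly broad for a display manager. None of the three carries a comment; a one-line reason per grant, e.g. `# dev_rw_sysfs: TODO name the sysfs attribute xdm writes (backlight?)`, would let a later audit separate need from residue.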
+@@ -431,9 +604,28 @@ files_list_mnt(xdm_t)
+ files_read_usr_files(xdm_t)
+ # Poweroff wants to create the /poweroff file when run from xdm
+ files_create_boot_flag(xdm_t)
++files_dontaudit_getattr_boot_dirs(xdm_t)
++files_dontaudit_write_usr_files(xdm_t)
++files_dontaudit_access_check_etc(xdm_t)
++files_dontaudit_getattr_all_dirs(xdm_t)
++files_dontaudit_getattr_all_symlinks(xdm_t)
++files_dontaudit_getattr_all_tmp_sockets(xdm_t)
++files_dontaudit_all_access_check(xdm_t)
++files_dontaudit_list_non_security(xdm_t)
+
+ fs_getattr_all_fs(xdm_t)
+ fs_search_auto_mountpoints(xdm_t)
++fs_search_all(xdm_t)
++fs_rw_anon_inodefs_files(xdm_t)
++fs_mount_tmpfs(xdm_t)
++fs_list_inotifyfs(xdm_t)
++fs_dontaudit_list_noxattr_fs(xdm_t)
++fs_dontaudit_read_noxattr_fs_files(xdm_t)
++fs_manage_cgroup_dirs(xdm_t)
++fs_manage_cgroup_files(xdm_t)
++
++mls_socket_write_to_clearance(xdm_t)
++mls_trusted_object(xdm_t)
+
+ storage_dontaudit_read_fixed_disk(xdm_t)
+ storage_dontaudit_write_fixed_disk(xdm_t)
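Review bot: `fs_mount_tmpfs(xdm_t)` at L25255 and the `fs_manage_cgroup_dirs`/`fs_manage_cgroup_files` pair at L25259–L25260 give the display manager mount and cgroup-tree write rights the old rules did not have, and L25262–L25263 add two MLS exemptions (`mls_socket_write_to_clearance`, `mls_trusted_object`). None carries a comment; a short note per grant, such as `# cgroups: TODO which session manager creates scopes here`, keeps the trusted-object status and the mount right reviewable.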
+@@ -442,28 +634,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+ storage_dontaudit_raw_write_removable_device(xdm_t)
+ storage_dontaudit_setattr_removable_dev(xdm_t)
+ storage_dontaudit_rw_scsi_generic(xdm_t)
++storage_dontaudit_rw_fuse(xdm_t)
+
+ term_setattr_console(xdm_t)
++term_use_console(xdm_t)
++term_use_virtio_console(xdm_t)
+ term_use_unallocated_ttys(xdm_t)
+ term_setattr_unallocated_ttys(xdm_t)
++term_relabel_all_ttys(xdm_t)
++term_relabel_unallocated_ttys(xdm_t)
+
+ auth_domtrans_pam_console(xdm_t)
+-auth_manage_pam_pid(xdm_t)
++#auth_manage_pam_pid(xdm_t)
+ auth_manage_pam_console_data(xdm_t)
++auth_signal_pam(xdm_t)
+ auth_rw_faillog(xdm_t)
+ auth_write_login_records(xdm_t)
+
+ # Run telinit->init to shutdown.
+ init_telinit(xdm_t)
++init_dbus_chat(xdm_t)
++init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
++init_status(xdm_t)
++
++application_exec(xdm_t)
+
+ libs_exec_lib_files(xdm_t)
++libs_exec_ldconfig(xdm_t)
+
+ logging_read_generic_logs(xdm_t)
+
+-miscfiles_read_localization(xdm_t)
++miscfiles_search_man_pages(xdm_t)
+ miscfiles_read_fonts(xdm_t)
++miscfiles_manage_fonts_cache(xdm_t)
++miscfiles_manage_localization(xdm_t)
++miscfiles_read_hwdata(xdm_t)
+
+-sysnet_read_config(xdm_t)
++systemd_write_inhibit_pipes(xdm_t)
++systemd_dbus_chat_localed(xdm_t)
++systemd_start_power_services(xdm_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(xdm_t)
+ userdom_create_all_users_keys(xdm_t)
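Review bot: `#auth_manage_pam_pid(xdm_t)` at L25283 leaves commented-out policy where the rule was removed; delete it or replace it with a comment saying why the pam pid-file access is no longer needed. `term_relabel_all_ttys(xdm_t)` at L25278 presumably subsumes `term_relabel_unallocated_ttys(xdm_t)` on the next line, so one of the two is redundant and the remaining one needs a why-comment. `miscfiles_manage_localization(xdm_t)` at L25306 also replaces a read grant with manage over locale data, which should be justified or narrowed.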
+@@ -472,24 +681,155 @@ userdom_read_user_home_content_files(xdm_t)
+ # Search /proc for any user domain processes.
+ userdom_read_all_users_state(xdm_t)
+ userdom_signal_all_users(xdm_t)
++userdom_stream_connect(xdm_t)
++userdom_manage_user_tmp_dirs(xdm_t)
++userdom_manage_user_tmp_files(xdm_t)
++userdom_manage_user_tmp_sockets(xdm_t)
++userdom_manage_tmp_role(system_r, xdm_t)
++
++#userdom_home_manager(xdm_t)
++tunable_policy(`xdm_write_home',`
++ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
++ userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
++',`
++ userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(xdm_t)
++ fs_manage_nfs_dirs(xdm_t)
++ fs_manage_nfs_files(xdm_t)
++ fs_manage_nfs_symlinks(xdm_t)
++ fs_append_nfs_files(xdm_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(xdm_t)
++ fs_manage_cifs_files(xdm_t)
++ fs_manage_cifs_symlinks(xdm_t)
++ fs_append_cifs_files(xdm_t)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs(xdm_t)
++ fs_manage_fusefs_files(xdm_t)
++ fs_manage_fusefs_symlinks(xdm_t)
++')
++
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_manage_ecryptfs_dirs(xdm_t)
++ fs_manage_ecryptfs_files(xdm_t)
++')
++
++### filename transitions ###
++userdom_filetrans_generic_home_content(xdm_t)
++
++optional_policy(`
++ gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates")
++')
++
++optional_policy(`
++ apache_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ auth_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ geoclue_dbus_chat(xdm_t)
++')
++
++optional_policy(`
++ gnome_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ gpg_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ irc_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ kerberos_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ mozilla_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ mta_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ pulseaudio_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ remotelogin_signull(xdm_t)
++')
++
++optional_policy(`
++ spamassassin_filetrans_home_content(xdm_t)
++ spamassassin_filetrans_admin_home_content(xdm_t)
++')
++
++optional_policy(`
++ ssh_filetrans_admin_home_content(xdm_t)
++ ssh_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ telepathy_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ thumb_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ tvtime_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ virt_filetrans_home_content(xdm_t)
++')
++
++### end of filename transitions ###
++
++application_signal(xdm_t)
+
+ xserver_rw_session(xdm_t, xdm_tmpfs_t)
+ xserver_unconfined(xdm_t)
++xserver_domtrans_xauth(xdm_t)
++
++ifndef(`distro_redhat',`
++ allow xdm_t self:process { execheap execmem };
++')
++
++ifdef(`distro_rhel4',`
++ allow xdm_t self:process { execheap execmem };
++')
+
+ tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(xdm_t)
+- fs_manage_nfs_files(xdm_t)
+- fs_manage_nfs_symlinks(xdm_t)
+ fs_exec_nfs_files(xdm_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(xdm_t)
+- fs_manage_cifs_files(xdm_t)
+- fs_manage_cifs_symlinks(xdm_t)
+ fs_exec_cifs_files(xdm_t)
+ ')
+
++optional_policy(`
++ tunable_policy(`xdm_exec_bootloader',`
++ bootloader_exec(xdm_t)
++ files_read_boot_files(xdm_t)
++ files_read_boot_symlinks(xdm_t)
++ ')
++')
++
+ tunable_policy(`xdm_sysadm_login',`
+ userdom_xsession_spec_domtrans_all_users(xdm_t)
+ # FIXME:
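Review bot: The ifndef(distro_redhat)/ifdef(distro_rhel4) execheap/execmem grants at L25445–L25451 were previously nested inside the unconfined optional_policy block (removed at L25627–L25636 in a later hunk) and are now unconditional, so non-Red Hat builds without the unconfined module gain execmem/execheap for xdm_t; confirm that widening is intended and add a comment. The use_nfs_home_dirs and use_samba_home_dirs tunables are now split into two blocks each (L25334–L25347 and L25453–L25465); merging the `fs_exec_nfs_files`/`fs_exec_cifs_files` lines into the new blocks removes the duplication. `#userdom_home_manager(xdm_t)` at L25326 is commented-out code and should go, and the new `xdm_write_home` tunable would benefit from a comment saying what the else branch at L25331 labels instead.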
+@@ -503,11 +843,26 @@ tunable_policy(`xdm_sysadm_login',`
+ ')
+
+ optional_policy(`
++ accountsd_read_lib_files(xdm_t)
++ accountsd_dbus_chat(xdm_t)
++')
++
++optional_policy(`
++ acct_dontaudit_list_data(xdm_t)
++')
++
++optional_policy(`
++ boinc_dontaudit_getattr_lib(xdm_t)
++')
++
++optional_policy(`
+ alsa_domtrans(xdm_t)
++ alsa_read_rw_config(xdm_t)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(xdm_t)
++ consolekit_read_log(xdm_t)
+ ')
+
+ optional_policy(`
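Review bot: `accountsd_dbus_chat(xdm_t)` is added twice — here at L25483 in a top-level optional_policy and again at L25511 inside the dbus optional_policy block of the next hunk. Keep the nested one, which already depends on the dbus module the interface needs, and drop the line at L25483 (or the reverse); the duplicate is otherwise merged silently and misleads the next reader about where the dependency lives.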
+@@ -517,9 +872,34 @@ optional_policy(`
+ optional_policy(`
+ dbus_system_bus_client(xdm_t)
+ dbus_connect_system_bus(xdm_t)
++
++ optional_policy(`
++ accountsd_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ bluetooth_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ cpufreqselector_dbus_chat(xdm_t)
++ ')
+
+ optional_policy(`
+- accountsd_dbus_chat(xdm_t)
++ devicekit_dbus_chat_disk(xdm_t)
++ devicekit_dbus_chat_power(xdm_t)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ gnomeclock_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(xdm_t)
+ ')
+ ')
+
+@@ -530,6 +910,20 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_stream_connect_gkeyringd(xdm_t)
++ gnome_exec_gstreamer_home_files(xdm_t)
++ gnome_exec_keyringd(xdm_t)
++ gnome_delete_gkeyringd_tmp_content(xdm_t)
++ gnome_manage_config(xdm_t)
++ gnome_manage_gconf_home_files(xdm_t)
++ gnome_read_config(xdm_t)
++ gnome_read_usr_config(xdm_t)
++ gnome_read_gconf_config(xdm_t)
++ gnome_transition_gkeyringd(xdm_t)
++ gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")
++')
++
++optional_policy(`
+ hostname_exec(xdm_t)
+ ')
+
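Review bot: `gnome_exec_gstreamer_home_files(xdm_t)` at L25546 lets the root display manager execute content under user home directories; if that content is user-writable, this is the same class of risk as the user-tmp exec grant elsewhere in the patch and should be gated or justified with a comment naming the helper that needs it. `gnome_manage_gconf_home_files(xdm_t)` and `gnome_manage_config(xdm_t)` at L25549–L25550 likewise grant manage where the neighbouring rules only read; a one-line reason per grant would make this block auditable.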
+@@ -547,28 +941,78 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ policykit_dbus_chat(xdm_t)
++ policykit_domtrans_auth(xdm_t)
++ policykit_read_lib(xdm_t)
++ policykit_read_reload(xdm_t)
++ policykit_signal_auth(xdm_t)
++')
++
++optional_policy(`
++ pcscd_stream_connect(xdm_t)
++')
++
++optional_policy(`
++ plymouthd_search_spool(xdm_t)
++ plymouthd_exec_plymouth(xdm_t)
++ plymouthd_stream_connect(xdm_t)
++ plymouthd_read_log(xdm_t)
++')
++
++optional_policy(`
++ pulseaudio_exec(xdm_t)
++ pulseaudio_dbus_chat(xdm_t)
++ pulseaudio_stream_connect(xdm_t)
++ pulseaudio_read_state(xserver_t)
++')
++
++optional_policy(`
+ resmgr_stream_connect(xdm_t)
+ ')
+
+ optional_policy(`
++ rhev_stream_connect_agentd(xdm_t)
++ rhev_read_pid_files_agentd(xdm_t)
++')
++
++# On crash gdm execs gdb to dump stack
++optional_policy(`
++ rpm_exec(xdm_t)
++ rpm_read_db(xdm_t)
++ rpm_dontaudit_manage_db(xdm_t)
++ rpm_dontaudit_dbus_chat(xdm_t)
++')
++
++optional_policy(`
++ rtkit_scheduled(xdm_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(xdm_t)
+ ')
+
+ optional_policy(`
+- udev_read_db(xdm_t)
++ ssh_signull(xdm_t)
+ ')
+
+ optional_policy(`
+- unconfined_domain(xdm_t)
+- unconfined_domtrans(xdm_t)
++ shutdown_domtrans(xdm_t)
++')
+
+- ifndef(`distro_redhat',`
+- allow xdm_t self:process { execheap execmem };
+- ')
++optional_policy(`
++ telepathy_exec(xdm_t)
++')
+
+- ifdef(`distro_rhel4',`
+- allow xdm_t self:process { execheap execmem };
+- ')
++optional_policy(`
++ udev_read_db(xdm_t)
++')
++
++optional_policy(`
++ unconfined_signal(xdm_t)
++')
++
++optional_policy(`
++ usbmuxd_stream_connect(xdm_t)
+ ')
+
+ optional_policy(`
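Review bot: `pulseaudio_read_state(xserver_t)` at L25588 is the only xserver_t rule inside a block of xdm_t grants under the "XDM Local policy" section; it belongs with the xserver_t optional_policy blocks later in the file (around L25831–L25882), or at least needs a comment, otherwise it will be missed when xserver_t's audio access is reviewed. The comment `# On crash gdm execs gdb to dump stack` at L25600 sits above rpm_* rules and reads as if it describes the wrong block; if gdb's debuginfo lookup through rpm is the reason, say so, e.g. `# On crash gdm execs gdb, which calls rpm to look up debuginfo packages`.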
+@@ -580,6 +1024,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ vdagent_stream_connect(xdm_t)
++')
++
++optional_policy(`
++ wm_exec(xdm_t)
++')
++
++optional_policy(`
+ xfs_stream_connect(xdm_t)
+ ')
+
+@@ -594,7 +1046,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+ type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
+
+ allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
+-allow xserver_t input_xevent_t:x_event send;
++allow xserver_t xevent_type:x_event send;
+
+ # setuid/setgid for the wrapper program to change UID
+ # sys_rawio is for iopl access - should not be needed for frame-buffer
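Review bot: `allow xserver_t xevent_type:x_event send;` at L25670 widens the send right from input_xevent_t to the whole xevent_type attribute, and a later hunk (L25694) then re-adds `allow xserver_t { input_xevent_t input_xevent_type }:x_event send;`; if input_xevent_type is a subset of xevent_type, the second rule is redundant and one of the two should go. A short comment on the widening — which non-input event types the server must be able to send — would also help.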
+@@ -604,8 +1056,11 @@ allow xserver_t input_xevent_t:x_event send;
+ # execheap needed until the X module loader is fixed.
+ # NVIDIA Needs execstack
+
+-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++
+ dontaudit xserver_t self:capability chown;
++allow xserver_t self:capability2 compromise_kernel;
++
+ allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow xserver_t self:fd use;
+ allow xserver_t self:fifo_file rw_fifo_file_perms;
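Review bot: `allow xserver_t self:capability2 compromise_kernel;` at L25682 grants a capability that, as its name states, permits compromising kernel integrity, with no comment on which driver path needs it; at minimum it should carry something like `# compromise_kernel: TODO name the raw-memory/ioport path that trips this`, and ideally sit under a tunable so hardened installs can drop it. `sys_ptrace` is also added to the capability set at L25679 while `self:process` at L25684 still excludes `ptrace`; if the intent is only to read other processes' /proc state, say so, since the capability reaches more than that.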
+@@ -618,8 +1073,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow xserver_t self:tcp_socket create_stream_socket_perms;
+ allow xserver_t self:udp_socket create_socket_perms;
++allow xserver_t self:netlink_selinux_socket create_socket_perms;
+ allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
+
++allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
++
++domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
++
++allow xserver_t xauth_home_t:file read_file_perms;
++
+ manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+ manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+@@ -627,6 +1089,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+
+ filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
+
++allow xserver_t xserver_etc_t:dir list_dir_perms;
++read_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
++read_lnk_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
++
+ manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+@@ -638,25 +1104,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+ files_search_var_lib(xserver_t)
+
+-domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
+-allow xserver_t xauth_home_t:file read_file_perms;
++manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
++manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
++files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
++
++manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
++manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
++manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
++files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
+
+ # Create files in /var/log with the xserver_log_t type.
+ manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
+ logging_log_filetrans(xserver_t, xserver_log_t, file)
++manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
+
+ kernel_read_system_state(xserver_t)
+ kernel_read_device_sysctls(xserver_t)
+-kernel_read_modprobe_sysctls(xserver_t)
++kernel_read_usermodehelper_state(xserver_t)
+ # Xorg wants to check if kernel is tainted
+ kernel_read_kernel_sysctls(xserver_t)
+ kernel_write_proc_files(xserver_t)
++kernel_request_load_module(xserver_t)
+
+ # Run helper programs in xserver_t.
+ corecmd_exec_bin(xserver_t)
+ corecmd_exec_shell(xserver_t)
+
+-corenet_all_recvfrom_unlabeled(xserver_t)
+ corenet_all_recvfrom_netlabel(xserver_t)
+ corenet_tcp_sendrecv_generic_if(xserver_t)
+ corenet_udp_sendrecv_generic_if(xserver_t)
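Review bot: `manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)` at L25726 sits inside a group of rules that otherwise target the new xserver_var_run_t (L25724–L25727), and the `files_pid_filetrans` on the next line only covers `{ file dir }`, so sockets the server creates there would not land on xserver_var_run_t anyway. This looks like a copy-paste slip for `manage_sock_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)` plus `sock_file` in the filetrans; if xdm's run directory really is the target, move the line next to the other xdm_var_run_t rules and comment it.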
+@@ -677,23 +1150,28 @@ dev_rw_apm_bios(xserver_t)
+ dev_rw_agp(xserver_t)
+ dev_rw_framebuffer(xserver_t)
+ dev_manage_dri_dev(xserver_t)
+-dev_filetrans_dri(xserver_t)
+ dev_create_generic_dirs(xserver_t)
+ dev_setattr_generic_dirs(xserver_t)
+ # raw memory access is needed if not using the frame buffer
+ dev_read_raw_memory(xserver_t)
+ dev_wx_raw_memory(xserver_t)
++dev_read_urand(xserver_t)
+ # for other device nodes such as the NVidia binary-only driver
+-dev_rw_xserver_misc(xserver_t)
++dev_manage_xserver_misc(xserver_t)
++dev_filetrans_xserver_misc(xserver_t)
++
+ # read events - the synaptics touchpad driver reads raw events
+ dev_rw_input_dev(xserver_t)
++dev_write_raw_memory(xserver_t)
+ dev_rwx_zero(xserver_t)
+
+-domain_dontaudit_search_all_domains_state(xserver_t)
++domain_dontaudit_read_all_domains_state(xserver_t)
++domain_signal_all_domains(xserver_t)
+
+ files_read_etc_files(xserver_t)
+ files_read_etc_runtime_files(xserver_t)
+ files_read_usr_files(xserver_t)
++files_rw_tmpfs_files(xserver_t)
+
+ # brought on by rhgb
+ files_search_mnt(xserver_t)
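Review bot: `dev_write_raw_memory(xserver_t)` at L25769 appears redundant with `dev_wx_raw_memory(xserver_t)` kept at L25760, which presumably already includes write on the raw memory device; keep one. `domain_signal_all_domains(xserver_t)` at L25774 is a broad new grant replacing what was only a dontaudit on state lookups — name the case it serves (`# signal all domains: TODO which client/helper`) so it can be narrowed later.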
+@@ -705,6 +1183,14 @@ fs_search_nfs(xserver_t)
+ fs_search_auto_mountpoints(xserver_t)
+ fs_search_ramfs(xserver_t)
+
++mls_file_read_to_clearance(xserver_t)
++mls_file_write_all_levels(xserver_t)
++mls_file_upgrade(xserver_t)
++mls_process_write_to_clearance(xserver_t)
++mls_socket_read_to_clearance(xserver_t)
++mls_sysvipc_read_to_clearance(xserver_t)
++mls_sysvipc_write_to_clearance(xserver_t)
++mls_trusted_object(xserver_t)
+ mls_xwin_read_to_clearance(xserver_t)
+
+ selinux_validate_context(xserver_t)
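Review bot: The new MLS grants at L25787–L25794 — in particular `mls_file_write_all_levels(xserver_t)` and `mls_file_upgrade(xserver_t)` — exempt the X server from MLS file write constraints, which goes well beyond the xwin/socket/IPC clearance rules a multi-level display server would need. Each override should carry a one-line justification, and the two file-level ones look like candidates to drop or put behind a tunable; as written the block has no comment at all.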
+@@ -718,20 +1204,18 @@ init_getpgid(xserver_t)
+ term_setattr_unallocated_ttys(xserver_t)
+ term_use_unallocated_ttys(xserver_t)
+
+-getty_use_fds(xserver_t)
+-
+ locallogin_use_fds(xserver_t)
+
+ logging_send_syslog_msg(xserver_t)
+ logging_send_audit_msgs(xserver_t)
+
+-miscfiles_read_localization(xserver_t)
+ miscfiles_read_fonts(xserver_t)
+-
+-modutils_domtrans_insmod(xserver_t)
++miscfiles_read_hwdata(xserver_t)
+
+ # read x_contexts
+ seutil_read_default_contexts(xserver_t)
++seutil_read_config(xserver_t)
++seutil_read_file_contexts(xserver_t)
+
+ userdom_search_user_home_dirs(xserver_t)
+ userdom_use_user_ttys(xserver_t)
+@@ -739,8 +1223,6 @@ userdom_setattr_user_ttys(xserver_t)
+ userdom_read_user_tmp_files(xserver_t)
+ userdom_rw_user_tmpfs_files(xserver_t)
+
+-xserver_use_user_fonts(xserver_t)
+-
+ ifndef(`distro_redhat',`
+ allow xserver_t self:process { execmem execheap execstack };
+ domain_mmap_low_uncond(xserver_t)
+@@ -785,17 +1267,50 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consolekit_read_state(xserver_t)
++')
++
++optional_policy(`
++ devicekit_signal_power(xserver_t)
++')
++
++optional_policy(`
++ getty_use_fds(xserver_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(xserver_t)
++')
++
++optional_policy(`
+ rhgb_getpgid(xserver_t)
+ rhgb_signal(xserver_t)
+ ')
+
+ optional_policy(`
++ setrans_translate_context(xserver_t)
++')
++
++optional_policy(`
++ sandbox_rw_xserver_tmpfs_files(xserver_t)
++')
++
++optional_policy(`
++ tcpd_wrapped_domain(xserver_t, xserver_exec_t)
++')
++
++optional_policy(`
++ mozilla_plugin_read_state(xserver_t)
++ mozilla_plugin_rw_tmp_files(xserver_t)
++ mozilla_plugin_rw_tmpfs_files(xserver_t)
++')
++
++optional_policy(`
+ udev_read_db(xserver_t)
+ ')
+
+ optional_policy(`
+- unconfined_domain_noaudit(xserver_t)
+- unconfined_domtrans(xserver_t)
++ unconfined_domain(xserver_t)
+ ')
+
+ optional_policy(`
+@@ -803,6 +1318,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ wine_rw_shm(xserver_t)
++')
++
++optional_policy(`
+ xfs_stream_connect(xserver_t)
+ ')
+
+@@ -818,18 +1337,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+
+ # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
+ # handle of a file inside the dir!!!
+-allow xserver_t xdm_var_lib_t:file { getattr read };
+-dontaudit xserver_t xdm_var_lib_t:dir search;
++allow xserver_t xdm_var_lib_t:file read_file_perms;
++dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
+
+-allow xserver_t xdm_var_run_t:file read_file_perms;
++read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
+
+ # Label pid and temporary files with derived types.
+-manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
++userdom_manage_user_tmp_files(xserver_t)
++userdom_manage_user_tmp_sockets(xserver_t)
+
+ # Run xkbcomp.
+-allow xserver_t xkb_var_lib_t:lnk_file read;
++allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
+ can_exec(xserver_t, xkb_var_lib_t)
+
+ # VNC v4 module in X server
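Review bot: The comment `# Label pid and temporary files with derived types.` is now stale: the xdm_tmp_t manage patterns it described are removed and the replacement `userdom_manage_user_tmp_files(xserver_t)` / `userdom_manage_user_tmp_sockets(xserver_t)` use the generic user tmp type with no derived-type labeling. Suggest `# Lock and socket files live in the generic user tmp type.` in its place, or drop the comment. The surrounding xserver_t rule block continues outside this hunk.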
+@@ -842,26 +1360,21 @@ init_use_fds(xserver_t)
+ # to read ROLE_home_t - examine this in more detail
+ # (xauth?)
+ userdom_read_user_home_content_files(xserver_t)
++userdom_read_all_users_state(xserver_t)
++userdom_home_manager(xserver_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(xserver_t)
+- fs_manage_nfs_files(xserver_t)
+- fs_manage_nfs_symlinks(xserver_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(xserver_t)
+- fs_manage_cifs_files(xserver_t)
+- fs_manage_cifs_symlinks(xserver_t)
+-')
++xserver_use_user_fonts(xserver_t)
+
+ optional_policy(`
+ dbus_system_bus_client(xserver_t)
+- hal_dbus_chat(xserver_t)
++
++ optional_policy(`
++ hal_dbus_chat(xserver_t)
++ ')
+ ')
+
+ optional_policy(`
+- resmgr_stream_connect(xdm_t)
++ mono_rw_shm(xserver_t)
+ ')
+
+ optional_policy(`
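Review bot: `userdom_home_manager(xserver_t)` is a much broader grant than the tunable-gated NFS/CIFS blocks it replaces, yet the comment immediately above it (`# to read ROLE_home_t - examine this in more detail`, `# (xauth?)`) still talks about a read-only need; it should be updated to say why the X server needs to manage home content. In the last optional block `resmgr_stream_connect(xdm_t)` is swapped for the unrelated `mono_rw_shm(xserver_t)`; if the resmgr connect for xdm_t is still required it presumably lives elsewhere, but that is not visible in this hunk.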
+@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+ allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
+ # operations allowed on my windows
+ allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
+-allow x_domain self:x_drawable { blend };
++allow x_domain self:x_drawable blend;
+ # operations allowed on all windows
+ allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
+
+@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write };
+ # can mess with the screensaver
+ allow x_domain xserver_t:x_screen { getattr saver_getattr };
+
++# Device rules
++allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
++allow x_domain xserver_t:x_screen getattr;
++
+ ########################################
+ #
+ # Rules for unconfined access to this module
+ #
+
++allow xserver_unconfined_type xserver_t:x_server *;
++allow xserver_unconfined_type xdrawable_type:x_drawable *;
++allow xserver_unconfined_type xserver_t:x_screen *;
++allow xserver_unconfined_type x_domain:x_gc *;
++allow xserver_unconfined_type xcolormap_type:x_colormap *;
++allow xserver_unconfined_type xproperty_type:x_property *;
++allow xserver_unconfined_type xselection_type:x_selection *;
++allow xserver_unconfined_type x_domain:x_cursor *;
++allow xserver_unconfined_type x_domain:x_client *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
++allow xserver_unconfined_type xextension_type:x_extension *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
++allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
++
+ tunable_policy(`! xserver_object_manager',`
+ # should be xserver_unconfined(x_domain),
+ # but typeattribute doesnt work in conditionals
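Review bot: `allow x_domain xserver_t:x_screen getattr;` is redundant: three lines earlier the existing context line already grants `x_screen { getattr saver_getattr }` to x_domain. The new `x_device { read getattr use setattr setfocus grab bell }` rule gives every X client the ability to grab and refocus the server's input devices, which is the kind of cross-client separation the object-manager rules in this file exist to enforce; a comment stating why all clients need `grab`/`setfocus` (rather than only specific domains) would help future reviewers. The moved `xserver_unconfined_type` block itself is fine.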
+@@ -992,18 +1525,148 @@ tunable_policy(`! xserver_object_manager',`
+ allow x_domain xevent_type:{ x_event x_synthetic_event } *;
+ ')
+
+-allow xserver_unconfined_type xserver_t:x_server *;
+-allow xserver_unconfined_type xdrawable_type:x_drawable *;
+-allow xserver_unconfined_type xserver_t:x_screen *;
+-allow xserver_unconfined_type x_domain:x_gc *;
+-allow xserver_unconfined_type xcolormap_type:x_colormap *;
+-allow xserver_unconfined_type xproperty_type:x_property *;
+-allow xserver_unconfined_type xselection_type:x_selection *;
+-allow xserver_unconfined_type x_domain:x_cursor *;
+-allow xserver_unconfined_type x_domain:x_client *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+-allow xserver_unconfined_type xextension_type:x_extension *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
+-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
++tunable_policy(`xserver_execmem',`
++ allow xserver_t self:process { execheap execmem execstack };
++')
++
++# Hack to handle the problem of using the nvidia blobs
++tunable_policy(`deny_execmem',`',`
++ allow xdm_t self:process execmem;
++')
++
++tunable_policy(`selinuxuser_execstack',`
++ allow xdm_t self:process { execstack execmem };
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_append_nfs_files(xdmhomewriter)
++')
++
++optional_policy(`
++ unconfined_rw_shm(xserver_t)
++
++ # xserver signals unconfined user on startx
++ unconfined_signal(xserver_t)
++ unconfined_getpgid(xserver_t)
++')
++
++allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms;
++can_exec(xdm_t, xdm_unconfined_exec_t)
++
++optional_policy(`
++ type xdm_unconfined_t;
++ domain_type(xdm_unconfined_t)
++ domain_entry_file(xdm_unconfined_t, xdm_unconfined_exec_t)
++ role system_r types xdm_unconfined_t;
++
++ domtrans_pattern(xdm_t, xdm_unconfined_exec_t, xdm_unconfined_t)
++ unconfined_domain(xdm_unconfined_t)
++')
++
++# X Userdomain
++# Xserver read/write client shm
++allow xserver_t x_userdomain:fd use;
++allow xserver_t x_userdomain:shm rw_shm_perms;
++
++allow xserver_t x_userdomain:process { getpgid signal };
++
++allow xserver_t x_userdomain:shm rw_shm_perms;
++
++allow x_userdomain user_fonts_t:dir list_dir_perms;
++allow x_userdomain user_fonts_t:file read_file_perms;
++allow x_userdomain user_fonts_t:lnk_file read_lnk_file_perms;
++
++allow x_userdomain user_fonts_config_t:dir list_dir_perms;
++allow x_userdomain user_fonts_config_t:file read_file_perms;
++
++manage_dirs_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
++manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
++
++stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t)
++allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms;
++files_search_tmp(x_userdomain)
++
++# Communicate via System V shared memory.
++allow x_userdomain xserver_t:shm r_shm_perms;
++allow x_userdomain xserver_tmpfs_t:file read_file_perms;
++
++# allow ps to show iceauth
++ps_process_pattern(x_userdomain, iceauth_t)
++
++domtrans_pattern(x_userdomain, iceauth_exec_t, iceauth_t)
++
++allow x_userdomain iceauth_home_t:file read_file_perms;
++
++domtrans_pattern(x_userdomain, xauth_exec_t, xauth_t)
++
++allow x_userdomain xauth_t:process signal;
++
++# allow ps to show xauth
++ps_process_pattern(x_userdomain, xauth_t)
++allow x_userdomain xserver_t:process signal;
++
++allow x_userdomain xauth_home_t:file read_file_perms;
++
++# for when /tmp/.X11-unix is created by the system
++allow x_userdomain xdm_t:fd use;
++allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms;
++userdom_search_user_tmp_dirs(x_userdomain)
++userdom_rw_user_tmp_sock_files(x_userdomain)
++dontaudit x_userdomain xdm_t:tcp_socket { read write };
++
++allow x_userdomain xdm_t:dbus send_msg;
++allow xdm_t x_userdomain:dbus send_msg;
++
++# Client read xserver shm
++allow x_userdomain xserver_t:fd use;
++allow x_userdomain xserver_tmpfs_t:file read_file_perms;
++
++# Read /tmp/.X0-lock
++allow x_userdomain xserver_tmp_t:file read_inherited_file_perms;
++
++dev_rw_xserver_misc(x_userdomain)
++dev_rw_power_management(x_userdomain)
++dev_read_input(x_userdomain)
++dev_read_misc(x_userdomain)
++dev_write_misc(x_userdomain)
++# open office is looking for the following
++dev_getattr_agp_dev(x_userdomain)
++
++# GNOME checks for usb and other devices:
++dev_rw_usbfs(x_userdomain)
++
++miscfiles_read_fonts(x_userdomain)
++miscfiles_setattr_fonts_cache_dirs(x_userdomain)
++miscfiles_read_hwdata(x_userdomain)
++
++#xserver_common_x_domain_template(user, x_userdomain)
++#xserver_domtrans(x_userdomain)
++#xserver_unconfined(x_userdomain)
++#xserver_xsession_entry_type(x_userdomain)
++xserver_dontaudit_write_log(x_userdomain)
++#xserver_stream_connect_xdm(x_userdomain)
++# certain apps want to read xdm.pid file
++xserver_read_xdm_pid(x_userdomain)
++# gnome-session creates socket under /tmp/.ICE-unix/
++xserver_create_xdm_tmp_sockets(x_userdomain)
++# Needed for escd, remove if we get escd policy
++xserver_manage_xdm_tmp_files(x_userdomain)
++xserver_read_xdm_etc_files(x_userdomain)
++#xserver_xdm_append_log(x_userdomain)
++
++term_use_virtio_console(x_userdomain)
++# Client write xserver shm
++tunable_policy(`xserver_clients_write_xshm',`
++ allow x_userdomain xserver_t:shm rw_shm_perms;
++ allow x_userdomain xserver_tmpfs_t:file rw_file_perms;
++')
++
++optional_policy(`
++ gnome_read_gconf_config(x_userdomain)
++')
++
++tunable_policy(`selinuxuser_direct_dri_enabled',`
++ dev_rw_dri(dridomain)
++',`
++ dev_dontaudit_rw_dri(dridomain)
++')
+diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
+index 1b6619e..be02b96 100644
+--- a/policy/modules/system/application.if
++++ b/policy/modules/system/application.if
+@@ -43,6 +43,27 @@ interface(`application_executable_file',`
+ corecmd_executable_file($1)
+ ')
+
++#######################################
++##
++## Make the specified type usable for files
++## that are exectuables, such as binary programs.
++## This does not include shared libraries.
++##
++##
++##
++## Type to be used for files.
++##
++##
++#
++interface(`application_executable_ioctl',`
++ gen_require(`
++ attribute application_exec_type;
++ ')
++
++ allow $1 application_exec_type:file ioctl;
++
++')
++
+ ########################################
+ ##
+ ## Execute application executables in the caller domain.
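Review bot: The documentation block for `application_executable_ioctl` is copied from `application_executable_file` and does not describe the new interface: it says "Make the specified type usable for files that are exectuables" (sic) and documents the parameter as "Type to be used for files", whereas the body grants `$1` (a domain) `ioctl` on `application_exec_type` files. Suggest `## Allow the specified domain to ioctl all application executable files.` and `## Domain allowed access.` for the parameter. The stray blank line before the closing `')` should also go.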
+@@ -76,13 +97,30 @@ interface(`application_exec_all',`
+ corecmd_dontaudit_exec_all_executables($1)
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+- corecmd_exec_chroot($1)
+
+ application_exec($1)
+ ')
+
+ ########################################
+ ##
++## Dontaudit execute all executable files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`application_dontaudit_exec',`
++ gen_require(`
++ attribute application_exec_type;
++ ')
++
++ dontaudit $1 application_exec_type:file execute;
++')
++
++########################################
++##
+ ## Create a domain for applications.
+ ##
+ ##
+@@ -189,6 +227,24 @@ interface(`application_dontaudit_signal',`
+
+ ########################################
+ ##
++## Send kill signals to all application domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`application_sigkill',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ allow $1 application_domain_type:process sigkill;
++')
++
++########################################
++##
+ ## Do not audit attempts to send kill signals
+ ## to all application domains.
+ ##
+@@ -205,3 +261,21 @@ interface(`application_dontaudit_sigkill',`
+
+ dontaudit $1 application_domain_type:process sigkill;
+ ')
++
++#######################################
++##
++## Getattr all application sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`application_getattr_socket',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ allow $1 application_domain_type:socket_class_set getattr;
++')
+diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
+index c6fdab7..af71c62 100644
+--- a/policy/modules/system/application.te
++++ b/policy/modules/system/application.te
+@@ -6,15 +6,40 @@ attribute application_domain_type;
+ # Executables to be run by user
+ attribute application_exec_type;
+
++domain_use_interactive_fds(application_domain_type)
++
++userdom_inherit_append_user_home_content_files(application_domain_type)
++userdom_inherit_append_admin_home_files(application_domain_type)
++userdom_inherit_append_user_tmp_files(application_domain_type)
++userdom_rw_inherited_user_tmp_files(application_domain_type)
++userdom_rw_inherited_user_pipes(application_domain_type)
++logging_inherit_append_all_logs(application_domain_type)
++
++files_dontaudit_search_non_security_dirs(application_domain_type)
++
++auth_login_pgm_sigchld(application_domain_type)
++
++optional_policy(`
++ afs_rw_udp_sockets(application_domain_type)
++')
++
+ optional_policy(`
++ cfengine_append_inherited_log(application_domain_type)
++')
++
++optional_policy(`
++ cron_rw_inherited_user_spool_files(application_domain_type)
+ cron_sigchld(application_domain_type)
+ ')
+
+ optional_policy(`
+- ssh_sigchld(application_domain_type)
+ ssh_rw_stream_sockets(application_domain_type)
+ ')
+
+ optional_policy(`
++ screen_sigchld(application_domain_type)
++')
++
++optional_policy(`
+ sudo_sigchld(application_domain_type)
+ ')
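Review bot: The new rules at the top of this hunk attach fairly broad permissions to every application domain (`userdom_inherit_append_admin_home_files`, `logging_inherit_append_all_logs`, `auth_login_pgm_sigchld`, `files_dontaudit_search_non_security_dirs`) without a single comment explaining the need. Presumably these cover output redirected by the launching shell into home or log files, but that is an inference; a short why-comment per group, e.g. `# stdout/stderr of applications is commonly redirected to user/admin files or logs by the parent shell`, would make the scope defensible. The file starts before this hunk, so the attribute declarations are only partly visible.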
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 2479587..890e1e2 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -1,14 +1,28 @@
++HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
+
+ /bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
+
+-/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
+ /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+-/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/nshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/passwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/\.pwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/group[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
+
+ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+-/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
++/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
+ /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+ /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
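Review bot: `/etc/\.pwd\.lock`, `/etc/passwd\.lock` and `/etc/group\.lock` move from shadow_t to passwd_file_t with no comment on the intent. `.pwd.lock` is the file glibc's lckpwdf() uses to serialize writers of both passwd and shadow, so after this change a domain that may write passwd_file_t but not shadow_t can hold the lock that shadow writers wait on; if that is acceptable a one-line comment next to the entry would save the next reviewer the same question. The ordering of the passwd_file_t entries is also arbitrary; grouping them after the shadow_t lines as a block would read better.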
+@@ -16,13 +30,25 @@ ifdef(`distro_suse', `
+ /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ')
+
++/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
++
+ /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
+
+-/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
+-/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
++/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
++/usr/sbin/pwhistory_helper -- gen_context(system_u:object_r:updpwd_exec_t,s0)
++/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
++/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ifdef(`distro_gentoo', `
+ /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ')
++/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
++/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++
++/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++
++/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
+ /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
+
+@@ -30,21 +56,25 @@ ifdef(`distro_gentoo', `
+
+ /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/lib/google-authenticator(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
+ /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
+-/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
+-/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0)
++/var/log/faillog.* -- gen_context(system_u:object_r:faillog_t,s0)
++/var/log/lastlog.* -- gen_context(system_u:object_r:lastlog_t,s0)
+ /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
+-/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
++/var/log/tallylog.* -- gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
+
++/var/lib/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++
+ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
+ /var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
+ /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index 3efd5b6..9e85ea0 100644
+--- a/policy/modules/system/authlogin.if
++++ b/policy/modules/system/authlogin.if
+@@ -23,11 +23,17 @@ interface(`auth_role',`
+ role $1 types chkpwd_t;
+
+ # Transition from the user domain to this domain.
+- domtrans_pattern($2, chkpwd_exec_t, chkpwd_t)
++ auth_domtrans_chkpwd($2)
+
+ ps_process_pattern($2, chkpwd_t)
+
+ dontaudit $2 shadow_t:file read_file_perms;
++
++ logging_send_syslog_msg($2)
++ logging_send_audit_msgs($2)
++
++ usermanage_read_crack_db($2)
++
+ ')
+
+ ########################################
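Review bot: `usermanage_read_crack_db($2)` is called directly in `auth_role`, while every other cross-module interface added to this file (e.g. `nis_authenticate`, the `systemd_*` calls further down) is wrapped in `optional_policy`. If usermanage is a loadable module rather than part of base, a build without it will fail on the unresolved interface; wrap it as `optional_policy(\` usermanage_read_crack_db($2) ')`. The blank line before the closing `')` should be removed, and granting `logging_send_audit_msgs($2)` to every role's user domain deserves a why-comment.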
+@@ -53,13 +59,18 @@ interface(`auth_use_pam',`
+ auth_read_login_records($1)
+ auth_append_login_records($1)
+ auth_rw_lastlog($1)
+- auth_rw_faillog($1)
++ auth_create_lastlog($1)
++ auth_manage_faillog($1)
+ auth_exec_pam($1)
+ auth_use_nsswitch($1)
+
++ init_rw_stream_sockets($1)
++
+ logging_send_audit_msgs($1)
+ logging_send_syslog_msg($1)
+
++ userdom_search_user_tmp_dirs($1)
++
+ optional_policy(`
+ dbus_system_bus_client($1)
+
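Review bot: Replacing `auth_rw_faillog($1)` with `auth_manage_faillog($1)` gives every `auth_use_pam` caller manage permissions on faillog_t, which per the new interface body later in this diff includes dir manage and file create/unlink, so any PAM-using domain can remove tallylog/faillog/btmp records rather than only append to them. The named filetrans rules suggest creation is the actual need; a create-only interface in the style of the new `auth_create_lastlog` would be the narrower grant. `init_rw_stream_sockets($1)` and `userdom_search_user_tmp_dirs($1)` are also added unconditionally and could use a one-line why-comment. `auth_use_pam` continues in the next hunk.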
+@@ -78,8 +89,19 @@ interface(`auth_use_pam',`
+ ')
+
+ optional_policy(`
++ locallogin_getattr_home_content($1)
++ ')
++
++ optional_policy(`
+ nis_authenticate($1)
+ ')
++
++ optional_policy(`
++ systemd_dbus_chat_logind($1)
++ systemd_use_fds_logind($1)
++ systemd_write_inherited_logind_sessions_pipes($1)
++ systemd_read_logind_sessions_files($1)
++ ')
+ ')
+
+ ########################################
+@@ -95,69 +117,67 @@ interface(`auth_use_pam',`
+ interface(`auth_login_pgm_domain',`
+ gen_require(`
+ type var_auth_t, auth_cache_t;
++ attribute polydomain;
++ attribute login_pgm;
+ ')
+
+ domain_type($1)
++ typeattribute $1 polydomain;
++ typeattribute $1 login_pgm;
++
+ domain_subj_id_change_exemption($1)
+ domain_role_change_exemption($1)
+ domain_obj_id_change_exemption($1)
+ role system_r types $1;
+
+- # Needed for pam_selinux_permit to cleanup properly
+- domain_read_all_domains_state($1)
+- domain_kill_all_domains($1)
+-
+- # pam_keyring
+- allow $1 self:capability ipc_lock;
+- allow $1 self:process setkeycreate;
+- allow $1 self:key manage_key_perms;
+-
+- files_list_var_lib($1)
+- manage_files_pattern($1, var_auth_t, var_auth_t)
+-
+- manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+- manage_files_pattern($1, auth_cache_t, auth_cache_t)
+- manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
+- files_var_filetrans($1, auth_cache_t, dir)
+-
+- # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+- kernel_rw_afs_state($1)
+-
+- # for fingerprint readers
+- dev_rw_input_dev($1)
+- dev_rw_generic_usb_dev($1)
+-
+- files_read_etc_files($1)
+-
+- fs_list_auto_mountpoints($1)
+-
+ selinux_get_fs_mount($1)
+- selinux_validate_context($1)
+- selinux_compute_access_vector($1)
+- selinux_compute_create_context($1)
+- selinux_compute_relabel_context($1)
+- selinux_compute_user_contexts($1)
+
+ mls_file_read_all_levels($1)
+ mls_file_write_all_levels($1)
+ mls_file_upgrade($1)
+ mls_file_downgrade($1)
+ mls_process_set_level($1)
++ mls_process_write_to_clearance($1)
+ mls_fd_share_all_levels($1)
+
+ auth_use_pam($1)
++')
+
+- init_rw_utmp($1)
+-
+- logging_set_loginuid($1)
+- logging_set_tty_audit($1)
++########################################
++##
++## Read authlogin state files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authlogin_read_state',`
++ gen_require(`
++ attribute polydomain;
++ ')
+
+- seutil_read_config($1)
+- seutil_read_default_contexts($1)
++ kernel_search_proc($1)
++ ps_process_pattern($1, polydomain)
++')
+
+- tunable_policy(`allow_polyinstantiation',`
+- files_polyinstantiate_all($1)
++########################################
++##
++## Read and write a authlogin unnamed pipe.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authlogin_rw_pipes',`
++ gen_require(`
++ attribute polydomain;
+ ')
++
++ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
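Review bot: The two new interfaces are named `authlogin_read_state` and `authlogin_rw_pipes`, but every other interface in authlogin.if uses the `auth_` prefix (`auth_use_pam`, `auth_login_pgm_domain`, the `auth_*` interfaces added elsewhere in this diff); a consistent `auth_read_login_pgm_state` / `auth_rw_login_pgm_pipes` would match the module convention and the `login_pgm` attribute the hunk introduces. `auth_login_pgm_domain` loses its pam_keyring, var_auth_t, auth_cache_t and selinux_compute_* rules here; if its description block (above this hunk) still mentions any of that, it should be brought in line. The `polydomain` and `login_pgm` attributes must be declared in authlogin.te, which is outside this view.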
+@@ -231,6 +251,25 @@ interface(`auth_domtrans_login_program',`
+
+ ########################################
+ ##
++## Execute a login_program in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`auth_exec_login_program',`
++ gen_require(`
++ type login_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, login_exec_t)
++')
++
++########################################
++##
+ ## Execute a login_program in the target domain,
+ ## with a range transition.
+ ##
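Review bot: `auth_exec_login_program` executes login_exec_t in the caller domain, so the parameter description "Domain allowed to transition." is wrong; it should read `## Domain allowed access.` The same copy-paste parameter text appears in the new `auth_exec_chkpwd` hunk further down and should be fixed there too.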
+@@ -322,6 +361,24 @@ interface(`auth_rw_cache',`
+
+ ########################################
+ ##
++## Create authentication cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_create_cache',`
++ gen_require(`
++ type auth_cache_t;
++ ')
++
++ create_files_pattern($1, auth_cache_t, auth_cache_t)
++')
++
++########################################
++##
+ ## Manage authentication cache
+ ##
+ ##
+@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',`
+ optional_policy(`
+ samba_stream_connect_winbind($1)
+ ')
++
++ auth_domtrans_upd_passwd($1)
+ ')
+
+ ########################################
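Review bot: `auth_domtrans_chk_passwd` now unconditionally calls `auth_domtrans_upd_passwd($1)`, so every caller that only needed to verify passwords also gains a transition into the updpwd_t domain, and `auth_run_chk_passwd` adds the matching `auth_run_upd_passwd` in a later hunk. If this is because unix_chkpwd and unix_update are always used together by PAM, say so in a comment, e.g. `# pam_unix runs unix_update alongside unix_chkpwd`; otherwise callers that do not change passwords should request the upd_passwd transition explicitly.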
+@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',`
+
+ ########################################
+ ##
++## Execute chkpwd in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`auth_exec_chkpwd',`
++ gen_require(`
++ type chkpwd_exec_t;
++ ')
++
++ allow $1 chkpwd_exec_t:file execute;
++')
++
++########################################
++##
+ ## Execute chkpwd programs in the chkpwd domain.
+ ##
+ ##
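Review bot: `auth_exec_chkpwd` is documented as "Execute chkpwd in the caller domain", but `allow $1 chkpwd_exec_t:file execute;` grants only `execute`, not `execute_no_trans`/`read`/`open`, so on its own it cannot run the binary without a transition; the usual idiom for this description is `can_exec($1, chkpwd_exec_t)`. If the narrow `execute` grant is deliberate (e.g. to pair with a domtrans defined elsewhere), the summary should say that instead. The parameter text "Domain allowed to transition." is also inaccurate for an in-domain exec.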
+@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',`
+
+ auth_domtrans_chk_passwd($1)
+ role $2 types chkpwd_t;
++ auth_run_upd_passwd($1, $2)
++')
++
++########################################
++##
++## Send generic signals to chkpwd processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_signal_chk_passwd',`
++ gen_require(`
++ type chkpwd_t;
++ ')
++
++ allow $1 chkpwd_t:process signal;
+ ')
+
+ ########################################
+@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',`
+
+ domtrans_pattern($1, updpwd_exec_t, updpwd_t)
+ auth_dontaudit_read_shadow($1)
+-
+ ')
+
+ ########################################
+@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',`
+
+ allow $1 shadow_t:file manage_file_perms;
+ typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
++ files_var_filetrans($1, shadow_t, file, "shadow")
++ files_var_filetrans($1, shadow_t, file, "shadow-")
++ files_etc_filetrans($1, shadow_t, file, "gshadow")
++ files_etc_filetrans($1, shadow_t, file, "nshadow")
+ ')
+
+ #######################################
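Review bot: The first two filetrans rules added to `auth_manage_shadow` use `files_var_filetrans` for "shadow" and "shadow-", but the shadow file lives in /etc — this same patch's authlogin.fc labels `/etc/shadow.*` as shadow_t, and the neighbouring "gshadow"/"nshadow" rules correctly use `files_etc_filetrans`. As written, a shadow writer creating a fresh /etc/shadow gets the default etc label rather than shadow_t, while a file named "shadow" created under /var would be labeled shadow_t. Change both lines to `files_etc_filetrans($1, shadow_t, file, "shadow")` and `files_etc_filetrans($1, shadow_t, file, "shadow-")`.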
+@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 faillog_t:file rw_file_perms;
++ rw_files_pattern($1, faillog_t, faillog_t)
++')
++
++########################################
++##
++## Relabel the login failure log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_relabel_faillog',`
++ gen_require(`
++ type faillog_t;
++ ')
++
++ allow $1 faillog_t:dir relabel_dir_perms;
++ allow $1 faillog_t:file relabel_file_perms;
++')
++
++########################################
++##
++## Manage the login failure log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_manage_faillog',`
++ gen_require(`
++ type faillog_t;
++ ')
++
++ logging_search_logs($1)
++ files_search_pids($1)
++ allow $1 faillog_t:dir manage_dir_perms;
++ allow $1 faillog_t:file manage_file_perms;
++ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
++ logging_log_named_filetrans($1, faillog_t, file, "faillog")
++ logging_log_named_filetrans($1, faillog_t, file, "btmp")
+ ')
+
+ #######################################
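Review bot: `auth_manage_faillog` adds `files_search_pids($1)`, presumably for `/var/run/faillock(/.*)?` which this patch's authlogin.fc labels faillog_t, but the only named filetrans rules are for files under the log directory. A caller that creates the `faillock` directory under /var/run at runtime would therefore not get faillog_t unless something else labels it; if that case matters, add `files_pid_filetrans($1, faillog_t, dir, "faillock")` alongside the other filetrans rules. Note also that `manage_file_perms` on faillog_t includes deletion of the lockout records, so the summary could say "Create, read, write and delete" rather than the bare "Manage".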
+@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',`
+ allow $1 lastlog_t:file { rw_file_perms lock setattr };
+ ')
+
++#######################################
++##
++## Manage create logins log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_create_lastlog',`
++ gen_require(`
++ type lastlog_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 lastlog_t:file create;
++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
++')
++
+ ########################################
+ ##
+-## Execute pam programs in the pam domain.
++## Execute pam timestamp programs in the pam timestamp domain.
+ ##
+ ##
+ ##
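Review bot: The summary for `auth_create_lastlog` reads "Manage create logins log.", which is not a sentence and overstates what the body does (`create` on lastlog_t files plus a named filetrans). Suggest `## Create the logins log file (/var/log/lastlog).` The divider above it also uses 39 `#` characters while the rest of the file uses 40.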
+@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',`
+ ##
+ ##
+ #
+-interface(`auth_domtrans_pam',`
++interface(`auth_domtrans_pam_timestamp',`
+ gen_require(`
+- type pam_t, pam_exec_t;
++ type pam_timestamp_t, pam_timestamp_exec_t;
+ ')
+
+- domtrans_pattern($1, pam_exec_t, pam_t)
++ domtrans_pattern($1, pam_timestamp_exec_t, pam_timestamp_t)
++')
++
++########################################
++##
++## Execute pam timestamp programs in the pam timestamp domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`auth_domtrans_pam',`
++ auth_domtrans_pam_timestamp($1)
++ refpolicywarn(`$0() has been deprecated, please use auth_domtrans_pam_timestamp() instead.')
+ ')
+
+ ########################################
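Review bot: The deprecated wrapper `auth_domtrans_pam` keeps a description identical to the new `auth_domtrans_pam_timestamp` ("Execute pam timestamp programs in the pam timestamp domain.") instead of telling readers it is deprecated; suggest `## Deprecated; use auth_domtrans_pam_timestamp() instead.` The same applies to `auth_run_pam` in the later hunk of this file, whose `refpolicywarn` text (`please use auth_run_pam_timestamp.`) is also inconsistent with the `auth_domtrans_pam_timestamp() instead.` wording used here; align both messages on the form with parentheses and "instead".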
+@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',`
+ #
+ interface(`auth_signal_pam',`
+ gen_require(`
+- type pam_t;
++ type pam_timestamp_t;
+ ')
+
+- allow $1 pam_t:process signal;
++ allow $1 pam_timestamp_t:process signal;
+ ')
+
+ ########################################
+ ##
+-## Execute pam programs in the PAM domain.
++## Execute pam_timestamp programs in the PAM timestamp domain.
+ ##
+ ##
+ ##
+@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',`
+ ##
+ ##
+ #
+-interface(`auth_run_pam',`
++interface(`auth_run_pam_timestamp',`
+ gen_require(`
+- type pam_t;
++ type pam_timestamp_t;
+ ')
+
+- auth_domtrans_pam($1)
+- role $2 types pam_t;
++ auth_domtrans_pam_timestamp($1)
++ role $2 types pam_timestamp_t;
++')
++
++########################################
++##
++## Execute pam_timestamp programs in the PAM timestamp domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The role to allow the PAM domain.
++##
++##
++#
++interface(`auth_run_pam',`
++ auth_run_pam_timestamp($1, $2)
++ refpolicywarn(`$0() has been deprecated, please use auth_run_pam_timestamp.')
+ ')
+
+ ########################################
+@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',`
+ ')
+
+ files_search_var($1)
+- allow $1 var_auth_t:dir manage_dir_perms;
+- allow $1 var_auth_t:file rw_file_perms;
+- allow $1 var_auth_t:lnk_file rw_lnk_file_perms;
++
++ manage_dirs_pattern($1, var_auth_t, var_auth_t)
++ manage_files_pattern($1, var_auth_t, var_auth_t)
++ manage_lnk_files_pattern($1, var_auth_t, var_auth_t)
++')
++
++########################################
++##
++## Relabel all var auth files. Used by various other applications
++## and pam applets etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_relabel_var_auth_dirs',`
++ gen_require(`
++ type var_auth_t;
++ ')
++
++ files_search_var($1)
++ relabel_dirs_pattern($1, var_auth_t, var_auth_t)
+ ')
+
+ ########################################
+@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',`
+ files_search_pids($1)
+ allow $1 pam_var_run_t:dir manage_dir_perms;
+ allow $1 pam_var_run_t:file manage_file_perms;
++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
++ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
++ files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
+ ')
+
+ ########################################
+@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',`
+ files_search_pids($1)
+ manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
+ manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
++ files_pid_filetrans($1, pam_var_console_t, dir, "console")
+ ')
+
+ #######################################
+@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',`
+
+ ########################################
+ ##
++## Relabel login record files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_relabel_login_records',`
++ gen_require(`
++ type wtmp_t;
++ ')
++
++ allow $1 wtmp_t:file relabel_file_perms;
++')
++
++
++########################################
++##
+ ## Read login records files (/var/log/wtmp).
+ ##
+ ##
+@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',`
+
+ logging_rw_generic_log_dirs($1)
+ allow $1 wtmp_t:file manage_file_perms;
+-')
+-
+-########################################
+-##
+-## Relabel login record files.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`auth_relabel_login_records',`
+- gen_require(`
+- type wtmp_t;
+- ')
+-
+- allow $1 wtmp_t:file relabel_file_perms;
++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
+ ')
+
+ ########################################
+@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',`
+ ##
+ #
+ interface(`auth_use_nsswitch',`
+- gen_require(`
+- attribute nsswitch_domain;
+- ')
++ gen_require(`
++ attribute nsswitch_domain;
++ ')
+
+ typeattribute $1 nsswitch_domain;
++
++ corenet_all_recvfrom_netlabel($1)
+ ')
+
+ ########################################
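Review bot: `corenet_all_recvfrom_netlabel($1)` is added unconditionally to auth_use_nsswitch, which every domain that does name lookups calls, while the rest of the network access for nsswitch_domain in authlogin.te is kept behind the authlogin_nsswitch_use_ldap tunable. If the labeled-networking receive is only needed for the LDAP path it belongs under the same tunable; if every caller needs it, a one-line comment such as `# labeled networking: accept packets from any netlabel peer` should say so. The re-indentation of the gen_require block changes no policy and only adds noise to the diff.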
+@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',`
+ typeattribute $1 can_write_shadow_passwords;
+ typeattribute $1 can_relabelto_shadow_passwords;
+ ')
++
++########################################
++##
++## Transition to authlogin named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_filetrans_named_content',`
++ gen_require(`
++ type shadow_t;
++ type passwd_file_t;
++ type faillog_t;
++ type lastlog_t;
++ type wtmp_t;
++ type pam_var_console_t;
++ type pam_var_run_t;
++ type auth_cache_t;
++ ')
++
++ files_etc_filetrans($1, passwd_file_t, file, "group")
++ files_etc_filetrans($1, passwd_file_t, file, "group-")
++ #files_etc_filetrans($1, passwd_file_t, file, "group+")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++ #files_etc_filetrans($1, passwd_file_t, file, "passwd+")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "group.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.adjunct")
++ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
++ files_etc_filetrans($1, shadow_t, file, "shadow")
++ files_etc_filetrans($1, shadow_t, file, "shadow-")
++ files_etc_filetrans($1, shadow_t, file, "gshadow")
++ files_etc_filetrans($1, shadow_t, file, "opasswd")
++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
++ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
++ logging_log_named_filetrans($1, faillog_t, file, "faillog")
++ logging_log_named_filetrans($1, faillog_t, file, "btmp")
++ files_pid_filetrans($1, faillog_t, file, "faillog")
++ files_pid_filetrans($1, faillog_t, dir, "faillock")
++ files_pid_filetrans($1, pam_var_console_t, dir, "console")
++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
++ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
++ files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
++ files_var_filetrans($1, auth_cache_t, dir, "coolkey")
++')
++
++########################################
++##
++## Get the attributes of the passwd passwords file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_getattr_passwd',`
++ gen_require(`
++ type passwd_file_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 passwd_file_t:file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of the passwd passwords file.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`auth_dontaudit_getattr_passwd',`
++ gen_require(`
++ type passwd_file_t;
++ ')
++
++ dontaudit $1 passwd_file_t:file getattr;
++')
++
++########################################
++##
++## Read the passwd passwords file (/etc/passwd)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_read_passwd',`
++ gen_require(`
++ type passwd_file_t;
++ ')
++
++ allow $1 passwd_file_t:file read_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read the passwd
++## password file (/etc/passwd).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`auth_dontaudit_read_passwd',`
++ gen_require(`
++ type passwd_file_t;
++ ')
++
++ dontaudit $1 passwd_file_t:file read_file_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete the passwd
++## password file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_manage_passwd',`
++ gen_require(`
++ type passwd_file_t;
++ ')
++
++ files_rw_etc_dirs($1)
++ allow $1 passwd_file_t:file manage_file_perms;
++ files_etc_filetrans($1, passwd_file_t, file, "passwd")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
++ files_etc_filetrans($1, passwd_file_t, file, "group")
++ files_etc_filetrans($1, passwd_file_t, file, "group-")
++ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "group.lock")
++')
++
++########################################
++##
++## Create auth directory in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_filetrans_admin_home_content',`
++ gen_require(`
++ type auth_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
++ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
++ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
++')
++
++
++########################################
++##
++## Read the authorization data in the user home directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_read_home_content',`
++
++ gen_require(`
++ type auth_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, auth_home_t, auth_home_t)
++')
++
++########################################
++##
++## Read the authorization data in the user home directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_manage_home_content',`
++
++ gen_require(`
++ type auth_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, auth_home_t, auth_home_t)
++ manage_dirs_pattern($1, auth_home_t, auth_home_t)
++')
++
++########################################
++##
++## Create auth directory in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_filetrans_home_content',`
++
++ gen_require(`
++ type auth_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
++ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
++ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
++')
++
++########################################
++##
++## Send a SIGCHLD signal to login programs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_login_pgm_sigchld',`
++ gen_require(`
++ attribute login_pgm;
++ ')
++
++ allow $1 login_pgm:process sigchld;
++')
++
++########################################
++##
++## Manage the keyrings of all login programs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_login_manage_key',`
++ gen_require(`
++ attribute login_pgm;
++ ')
++
++ allow $1 login_pgm:key manage_key_perms;
++')
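Review bot: The summary of auth_manage_home_content ("Read the authorization data in the user home directory") is a copy of auth_read_home_content's although the interface grants manage_files_pattern and manage_dirs_pattern; it should read `## Create, read, write, and delete the authorization data in the user home directory`. The /etc transition list in auth_manage_passwd omits "passwd.OLD" and "passwd.adjunct", which auth_filetrans_named_content does carry, so the two lists already disagree. The shadow_t transitions in auth_filetrans_named_content only take effect for callers that separately hold create on shadow_t:file, which the neverallow rules in authlogin.te reserve to can_write_shadow_passwords, and the interface description should say so. The two "with an correct label" summaries should read "with the correct label".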
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 09b791d..03657db 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
+ # Declarations
+ #
+
++##
++##
++## Allow users to login using a radius server
++##
++##
++gen_tunable(authlogin_radius, false)
++
++##
++##
++## Allow users to login using a yubikey OTP server or challenge response mode
++##
++##
++gen_tunable(authlogin_yubikey, false)
+
+ ##
+ ##
+@@ -16,20 +29,26 @@ gen_tunable(authlogin_nsswitch_use_ldap, false)
+ attribute can_read_shadow_passwords;
+ attribute can_write_shadow_passwords;
+ attribute can_relabelto_shadow_passwords;
++attribute polydomain;
+ attribute nsswitch_domain;
++attribute login_pgm;
+
+ type auth_cache_t;
+ logging_log_file(auth_cache_t)
+
++type auth_home_t;
++userdom_user_home_content(auth_home_t)
++
+ type chkpwd_t, can_read_shadow_passwords;
+ type chkpwd_exec_t;
+ typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
+-typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
++typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t };
+ application_domain(chkpwd_t, chkpwd_exec_t)
+ role system_r types chkpwd_t;
+
+ type faillog_t;
+ logging_log_file(faillog_t)
++mls_trusted_object(faillog_t)
+
+ type lastlog_t;
+ logging_log_file(lastlog_t)
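Review bot: `mls_trusted_object(faillog_t)` exempts the faillog from MLS read/write constraints without a comment saying why, while the neighbouring lastlog_t is not marked trusted; if the reason is that login programs at every sensitivity level must update it, a line such as `# written by login programs at all levels` makes the exemption reviewable. The new polydomain and login_pgm attributes are declared here but nothing in this patch visibly assigns a type to either one; if the assignments live in other modules, the commit message should say where.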
+@@ -42,15 +61,15 @@ type pam_console_exec_t;
+ init_system_domain(pam_console_t, pam_console_exec_t)
+ role system_r types pam_console_t;
+
+-type pam_t;
+-domain_type(pam_t)
+-role system_r types pam_t;
++type pam_timestamp_t alias pam_t;
++domain_type(pam_timestamp_t)
++role system_r types pam_timestamp_t;
+
+-type pam_exec_t;
+-domain_entry_file(pam_t, pam_exec_t)
++type pam_timestamp_exec_t alias pam_exec_t;
++domain_entry_file(pam_timestamp_t, pam_timestamp_exec_t)
+
+-type pam_tmp_t;
+-files_tmp_file(pam_tmp_t)
++type pam_timestamp_tmp_t;
++files_tmp_file(pam_timestamp_tmp_t)
+
+ type pam_var_console_t;
+ files_pid_file(pam_var_console_t)
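Review bot: pam_t and pam_exec_t keep their old names as aliases of the renamed types, but pam_tmp_t is renamed to pam_timestamp_tmp_t with no alias, so any other module or file context that still references pam_tmp_t will fail to link. For consistency with the two lines above it, declare `type pam_timestamp_tmp_t alias pam_tmp_t;`.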
+@@ -64,6 +83,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
+ neverallow ~can_write_shadow_passwords shadow_t:file { create write };
+ neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
+
++type passwd_file_t;
++files_type(passwd_file_t)
++
+ type updpwd_t;
+ type updpwd_exec_t;
+ domain_type(updpwd_t)
+@@ -109,6 +131,8 @@ dev_read_urand(chkpwd_t)
+ files_read_etc_files(chkpwd_t)
+ # for nscd
+ files_dontaudit_search_var(chkpwd_t)
++files_read_usr_symlinks(chkpwd_t)
++files_list_tmp(chkpwd_t)
+
+ fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+
+@@ -122,12 +146,11 @@ auth_use_nsswitch(chkpwd_t)
+ logging_send_audit_msgs(chkpwd_t)
+ logging_send_syslog_msg(chkpwd_t)
+
+-miscfiles_read_localization(chkpwd_t)
+
+ seutil_read_config(chkpwd_t)
+ seutil_dontaudit_use_newrole_fds(chkpwd_t)
+
+-userdom_use_user_terminals(chkpwd_t)
++userdom_dontaudit_use_user_ttys(chkpwd_t)
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+@@ -153,53 +176,52 @@ optional_policy(`
+ # PAM local policy
+ #
+
+-allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-dontaudit pam_t self:capability sys_tty_config;
++allow pam_timestamp_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++dontaudit pam_timestamp_t self:capability sys_tty_config;
+
+-allow pam_t self:fd use;
+-allow pam_t self:fifo_file rw_file_perms;
+-allow pam_t self:unix_dgram_socket create_socket_perms;
+-allow pam_t self:unix_stream_socket rw_stream_socket_perms;
+-allow pam_t self:unix_dgram_socket sendto;
+-allow pam_t self:unix_stream_socket connectto;
+-allow pam_t self:shm create_shm_perms;
+-allow pam_t self:sem create_sem_perms;
+-allow pam_t self:msgq create_msgq_perms;
+-allow pam_t self:msg { send receive };
++allow pam_timestamp_t self:fd use;
++allow pam_timestamp_t self:fifo_file rw_file_perms;
++allow pam_timestamp_t self:unix_dgram_socket create_socket_perms;
++allow pam_timestamp_t self:unix_stream_socket rw_stream_socket_perms;
++allow pam_timestamp_t self:unix_dgram_socket sendto;
++allow pam_timestamp_t self:unix_stream_socket connectto;
++allow pam_timestamp_t self:shm create_shm_perms;
++allow pam_timestamp_t self:sem create_sem_perms;
++allow pam_timestamp_t self:msgq create_msgq_perms;
++allow pam_timestamp_t self:msg { send receive };
+
+-delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
+-read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
+-files_list_pids(pam_t)
++delete_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t)
++read_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t)
++files_list_pids(pam_timestamp_t)
+
+-allow pam_t pam_tmp_t:dir manage_dir_perms;
+-allow pam_t pam_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
++allow pam_timestamp_t pam_timestamp_tmp_t:dir manage_dir_perms;
++allow pam_timestamp_t pam_timestamp_tmp_t:file manage_file_perms;
++files_tmp_filetrans(pam_timestamp_t, pam_timestamp_tmp_t, { file dir })
+
+-auth_use_nsswitch(pam_t)
++auth_use_nsswitch(pam_timestamp_t)
+
+-kernel_read_system_state(pam_t)
++kernel_read_system_state(pam_timestamp_t)
+
+-files_read_etc_files(pam_t)
++files_read_etc_files(pam_timestamp_t)
+
+-fs_search_auto_mountpoints(pam_t)
++fs_search_auto_mountpoints(pam_timestamp_t)
+
+-miscfiles_read_localization(pam_t)
+
+-term_use_all_ttys(pam_t)
+-term_use_all_ptys(pam_t)
++term_use_all_ttys(pam_timestamp_t)
++term_use_all_ptys(pam_timestamp_t)
+
+-init_dontaudit_rw_utmp(pam_t)
++init_dontaudit_rw_utmp(pam_timestamp_t)
+
+-logging_send_syslog_msg(pam_t)
++logging_send_syslog_msg(pam_timestamp_t)
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+- unconfined_domain(pam_t)
++ unconfined_domain(pam_timestamp_t)
+ ')
+ ')
+
+ optional_policy(`
+- locallogin_use_fds(pam_t)
++ locallogin_use_fds(pam_timestamp_t)
+ ')
+
+ ########################################
+@@ -289,7 +311,6 @@ init_use_script_ptys(pam_console_t)
+
+ logging_send_syslog_msg(pam_console_t)
+
+-miscfiles_read_localization(pam_console_t)
+ miscfiles_read_generic_certs(pam_console_t)
+
+ seutil_read_file_contexts(pam_console_t)
+@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t)
+ dev_read_urand(updpwd_t)
+
+ files_manage_etc_files(updpwd_t)
++auth_manage_passwd(updpwd_t)
++
++mls_file_read_all_levels(updpwd_t)
++mls_file_write_all_levels(updpwd_t)
++mls_file_downgrade(updpwd_t)
+
+ term_dontaudit_use_console(updpwd_t)
+ term_dontaudit_use_unallocated_ttys(updpwd_t)
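Review bot: The three mls_file_* calls give updpwd_t read and write across all MLS levels plus the ability to downgrade file levels, with no comment explaining why a password-update helper needs that; a line such as `# /etc/passwd and /etc/shadow are updated from sessions at any level` (if that is the reason) would make the grant reviewable. Since `files_manage_etc_files(updpwd_t)` on the line above already covers everything auth_manage_passwd allows, the new call only contributes the named transitions; if passwd/group are the only /etc files updpwd writes, the broader generic-etc access could be dropped in its favour.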
+@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t)
+
+ logging_send_syslog_msg(updpwd_t)
+
+-miscfiles_read_localization(updpwd_t)
+-
+-userdom_use_user_terminals(updpwd_t)
++userdom_use_inherited_user_terminals(updpwd_t)
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+ term_dontaudit_use_all_ptys(utempter_t)
+ term_dontaudit_use_ptmx(utempter_t)
+
++auth_use_nsswitch(utempter_t)
++
+ init_rw_utmp(utempter_t)
+
+ domain_use_interactive_fds(utempter_t)
+
+ logging_search_logs(utempter_t)
+
+-userdom_use_user_terminals(utempter_t)
++userdom_use_inherited_user_terminals(utempter_t)
+ # Allow utemper to write to /tmp/.xses-*
+ userdom_write_user_tmp_files(utempter_t)
+
+@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',`
+ ')
+
+ optional_policy(`
+- nscd_use(utempter_t)
++ xserver_use_xdm_fds(utempter_t)
++ xserver_rw_xdm_pipes(utempter_t)
++')
++
++tunable_policy(`polyinstantiation_enabled',`
++ files_polyinstantiate_all(polydomain)
+ ')
+
+ optional_policy(`
+- xserver_use_xdm_fds(utempter_t)
+- xserver_rw_xdm_pipes(utempter_t)
++ tunable_policy(`polyinstantiation_enabled',`
++ namespace_init_domtrans(polydomain)
++ ')
+ ')
+
+-#######################################
++######################################
+ #
+ # nsswitch_domain local policy
+ #
+
++allow nsswitch_domain self:key manage_key_perms;
++
++auth_read_passwd(nsswitch_domain)
++
+ files_list_var_lib(nsswitch_domain)
+
+ # read /etc/nsswitch.conf
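Review bot: The nsswitch_domain section separator is shortened from 39 to 38 `#` characters, which changes nothing and just adds a changed line pair to the diff; keep the original width. The polyinstantiation tunable_policy blocks apply to the polydomain attribute, but nothing visible in the patch adds types to it, so they are inert unless another module does, which is worth a comment at the declaration. `allow nsswitch_domain self:key manage_key_perms;` has no comment on which lookup backend needs keyring access.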
+@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain)
+
+ sysnet_dns_name_resolve(nsswitch_domain)
+
++systemd_hostnamed_read_config(nsswitch_domain)
++
++
++tunable_policy(`authlogin_nsswitch_use_ldap',`
++ allow nsswitch_domain self:tcp_socket create_socket_perms;
++')
++
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+- files_list_var_lib(nsswitch_domain)
++ corenet_tcp_sendrecv_generic_if(nsswitch_domain)
++ corenet_tcp_sendrecv_generic_node(nsswitch_domain)
++ corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
++ corenet_tcp_connect_ldap_port(nsswitch_domain)
++ corenet_sendrecv_ldap_client_packets(nsswitch_domain)
++')
++
++tunable_policy(`authlogin_nsswitch_use_ldap',`
++ # Support for LDAPS
++ dev_read_rand(nsswitch_domain)
++ # LDAP Configuration using encrypted requires
++ dev_read_urand(nsswitch_domain)
++ sysnet_read_config(nsswitch_domain)
++')
+
++tunable_policy(`authlogin_nsswitch_use_ldap',`
+ miscfiles_read_generic_certs(nsswitch_domain)
+- sysnet_use_ldap(nsswitch_domain)
+ ')
+
+ optional_policy(`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
++ dirsrv_stream_connect(nsswitch_domain)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`authlogin_nsswitch_use_ldap',`
++ ldap_read_certs(nsswitch_domain)
+ ldap_stream_connect(nsswitch_domain)
+ ')
+ ')
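Review bot: Four consecutive `tunable_policy(`authlogin_nsswitch_use_ldap',` blocks are opened for the same tunable between `systemd_hostnamed_read_config` and the optional_policy blocks; they can be one block, which also makes it obvious that the tcp_socket, corenet, dev_read_*rand and cert rules belong together. The comment `# LDAP Configuration using encrypted requires` is an unfinished sentence; something like `# TLS for LDAPS needs random data and the network configuration` reads as intended. `systemd_hostnamed_read_config(nsswitch_domain)` sits outside any optional_policy, which only builds if the systemd module is in the base policy; presumably true for this tree, but worth confirming.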
+@@ -438,6 +501,7 @@ optional_policy(`
+ likewise_stream_connect_lsassd(nsswitch_domain)
+ ')
+
++# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
+ optional_policy(`
+ kerberos_use(nsswitch_domain)
+ ')
+@@ -456,10 +520,155 @@ optional_policy(`
+
+ optional_policy(`
+ sssd_stream_connect(nsswitch_domain)
++ sssd_read_public_files(nsswitch_domain)
++ sssd_read_lib_files(nsswitch_domain)
++')
++
++#1134389
++userdom_manage_all_users_keys(nsswitch_domain)
++optional_policy(`
++ sssd_manage_keys(nsswitch_domain)
++')
++
++optional_policy(`
++ rolekit_manage_keys(nsswitch_domain)
+ ')
+
+ optional_policy(`
+ samba_stream_connect_winbind(nsswitch_domain)
++ samba_stream_connect_nmbd(nsswitch_domain)
+ samba_read_var_files(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++#######################################
++#
++# Login Program local policy
++#
++
++domain_read_all_domains_state(login_pgm)
++corecmd_getattr_all_executables(login_pgm)
++domain_kill_all_domains(login_pgm)
++
++allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
++allow login_pgm self:capability ipc_lock;
++dontaudit login_pgm self:capability net_admin;
++allow login_pgm self:process setkeycreate;
++allow login_pgm self:key manage_key_perms;
++userdom_manage_all_users_keys(login_pgm)
++
++files_list_var_lib(login_pgm)
++manage_dirs_pattern(login_pgm, var_auth_t, var_auth_t)
++manage_files_pattern(login_pgm, var_auth_t, var_auth_t)
++manage_sock_files_pattern(login_pgm, var_auth_t, var_auth_t)
++
++manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t)
++manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
++manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
++files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey")
++
++manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
++manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
++auth_filetrans_admin_home_content(login_pgm)
++auth_filetrans_home_content(login_pgm)
++
++# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
++kernel_search_network_sysctl(login_pgm)
++kernel_rw_afs_state(login_pgm)
++
++tunable_policy(`authlogin_radius',`
++ corenet_udp_bind_all_unreserved_ports(login_pgm)
++')
++
++tunable_policy(`authlogin_yubikey',`
++ corenet_tcp_connect_http_port(login_pgm)
++')
++
++corenet_tcp_connect_pki_ca_port(login_pgm)
++
++# for fingerprint readers
++dev_rw_input_dev(login_pgm)
++dev_rw_generic_usb_dev(login_pgm)
++
++files_read_config_files(login_pgm)
++
++fs_list_auto_mountpoints(login_pgm)
++fs_manage_cgroup_dirs(login_pgm)
++fs_manage_cgroup_files(login_pgm)
++fs_read_ecryptfs_symlinks(login_pgm)
++fs_read_ecryptfs_files(login_pgm)
++
++selinux_validate_context(login_pgm)
++selinux_compute_access_vector(login_pgm)
++selinux_compute_create_context(login_pgm)
++selinux_compute_relabel_context(login_pgm)
++selinux_compute_user_contexts(login_pgm)
++
++auth_manage_faillog(login_pgm)
++auth_manage_pam_pid(login_pgm)
++
++init_rw_utmp(login_pgm)
++
++logging_set_loginuid(login_pgm)
++logging_set_tty_audit(login_pgm)
++
++miscfiles_dontaudit_write_generic_cert_files(login_pgm)
++miscfiles_filetrans_named_content(login_pgm)
++
++seutil_read_config(login_pgm)
++seutil_read_login_config(login_pgm)
++seutil_read_default_contexts(login_pgm)
++systemd_login_read_pid_files(login_pgm)
++
++userdom_set_rlimitnh(login_pgm)
++userdom_read_user_home_content_symlinks(login_pgm)
++userdom_delete_user_tmp_files(login_pgm)
++userdom_search_admin_dir(login_pgm)
++userdom_stream_connect(login_pgm)
++userdom_manage_user_tmp_dirs(login_pgm)
++userdom_manage_user_tmp_files(login_pgm)
++
++optional_policy(`
++ afs_read_config(login_pgm)
++ afs_rw_udp_sockets(login_pgm)
++')
++
++optional_policy(`
++ kerberos_read_config(login_pgm)
++')
++
++optional_policy(`
++ oddjob_dbus_chat(login_pgm)
++ oddjob_domtrans_mkhomedir(login_pgm)
++')
++
++optional_policy(`
++ openct_stream_connect(login_pgm)
++ openct_signull(login_pgm)
++ openct_read_pid_files(login_pgm)
++')
++
++optional_policy(`
++ corecmd_exec_bin(login_pgm)
++ storage_getattr_fixed_disk_dev(login_pgm)
++ mount_domtrans(login_pgm)
++ mount_domtrans_ecryptmount(login_pgm)
++')
++
++optional_policy(`
++ fprintd_dbus_chat(login_pgm)
++')
++
++optional_policy(`
++ realmd_dbus_chat(login_pgm)
++')
++
++optional_policy(`
++ # allow execute tmux
++ screen_exec(login_pgm)
++')
++
++optional_policy(`
++ ssh_agent_exec(login_pgm)
++ ssh_read_user_home_files(login_pgm)
++')
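Review bot: `userdom_manage_all_users_keys(nsswitch_domain)` lets every domain that calls auth_use_nsswitch, which is most of the policy, read and write the kernel keyrings of all users, and the only justification is the bare comment `#1134389`; the comment should name the tracker (the other reference in this file spells out bugzilla.redhat.com) and which component needs it, and if the consumer is a login program the grant already exists for login_pgm a few lines below. In the optional_policy block that contains `mount_domtrans(login_pgm)`, `corecmd_exec_bin` and `storage_getattr_fixed_disk_dev` come from base modules and will silently disappear when the mount module is not loaded; move them out of the optional block. `domain_kill_all_domains(login_pgm)` and `domain_read_all_domains_state(login_pgm)` are broad grants that would benefit from a why-comment like the afs one further down.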
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index c5e05ca..c9ddbee 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -3,3 +3,5 @@
+
+ /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
++/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++
+diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
+index d475c2d..55305d5 100644
+--- a/policy/modules/system/clock.if
++++ b/policy/modules/system/clock.if
+@@ -117,3 +117,40 @@ interface(`clock_rw_adjtime',`
+ allow $1 adjtime_t:file rw_file_perms;
+ files_list_etc($1)
+ ')
++
++########################################
++##
++## Manage clock drift adjustments.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clock_manage_adjtime',`
++ gen_require(`
++ type adjtime_t;
++ ')
++
++ allow $1 adjtime_t:file manage_file_perms;
++ files_list_etc($1)
++')
++
++########################################
++##
++## Transition to systemd clock content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clock_filetrans_named_content',`
++ gen_require(`
++ type adjtime_t;
++ ')
++
++ files_etc_filetrans($1, adjtime_t, file, "adjtime" )
++')
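Review bot: clock_filetrans_named_content is summarised as "Transition to systemd clock content", but adjtime_t and /etc/adjtime are not systemd-specific and the interface only handles that one file; `## Create /etc/adjtime with the adjtime_t label.` describes it accurately. The stray space in `"adjtime" )` should be removed to match the rest of the file.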
+diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
+index edece47..cb014fd 100644
+--- a/policy/modules/system/clock.te
++++ b/policy/modules/system/clock.te
+@@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t)
+
+ term_dontaudit_use_console(hwclock_t)
+ term_use_unallocated_ttys(hwclock_t)
+-term_use_all_ttys(hwclock_t)
+-term_use_all_ptys(hwclock_t)
++term_use_all_inherited_ttys(hwclock_t)
++term_use_all_inherited_ptys(hwclock_t)
+
+ domain_use_interactive_fds(hwclock_t)
+
++auth_use_nsswitch(hwclock_t)
++
+ init_use_fds(hwclock_t)
+ init_use_script_ptys(hwclock_t)
+
+ logging_send_audit_msgs(hwclock_t)
+ logging_send_syslog_msg(hwclock_t)
+
+-miscfiles_read_localization(hwclock_t)
+
+ optional_policy(`
+ apm_append_log(hwclock_t)
+@@ -65,10 +66,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_use(hwclock_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(hwclock_t)
+ ')
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index 948ce2a..8cab8ae 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -1,4 +1,3 @@
+-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -23,7 +22,6 @@
+ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+-/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -36,14 +34,55 @@
+ /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+ /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
++/usr/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++
++/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+ /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
++
++/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_var_run_t,s0)
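Review bot: The two earlier fstools.fc hunks drop `/sbin/badblocks` and `/sbin/mkswap`, yet the new /usr/sbin list here mirrors every other /sbin entry and adds no replacement for those two, so unless another module now labels them they fall back to the generic bin label and no longer run as fsadm_t. If they were deliberately moved to another module, the commit message should say which one; otherwise add the `/usr/sbin/badblocks` and `/usr/sbin/mkswap` entries.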
+diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
+index 016a770..1effeb4 100644
+--- a/policy/modules/system/fstools.if
++++ b/policy/modules/system/fstools.if
+@@ -154,3 +154,24 @@ interface(`fstools_getattr_swap_files',`
+
+ allow $1 swapfile_t:file getattr;
+ ')
++
++########################################
++##
++## Create, read, write, and delete the FSADM pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fsadm_manage_pid',`
++ gen_require(`
++ type fsadm_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_dirs_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
++ manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
++ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
++')
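Review bot: The new interface is named `fsadm_manage_pid` while every other interface in fstools.if carries the module prefix (`fstools_getattr_swap_files` in the hunk header), which is how callers and the documentation tooling find it; a name such as `fstools_manage_pid_files` keeps the convention. The summary's "FSADM" should be lower-case `fsadm`, matching the type name it describes.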
+diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
+index 3f48d30..1fb0cde 100644
+--- a/policy/modules/system/fstools.te
++++ b/policy/modules/system/fstools.te
+@@ -13,9 +13,15 @@ role system_r types fsadm_t;
+ type fsadm_log_t;
+ logging_log_file(fsadm_log_t)
+
++type fsadm_var_run_t;
++files_pid_file(fsadm_var_run_t)
++
+ type fsadm_tmp_t;
+ files_tmp_file(fsadm_tmp_t)
+
++type fsadm_tmpfs_t;
++files_tmpfs_file(fsadm_tmpfs_t)
++
+ type swapfile_t; # customizable
+ files_type(swapfile_t)
+
+@@ -26,6 +32,7 @@ files_type(swapfile_t)
+
+ # ipc_lock is for losetup
+ allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
++dontaudit fsadm_t self:capability net_admin;
+ allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
+ allow fsadm_t self:fd use;
+ allow fsadm_t self:fifo_file rw_fifo_file_perms;
+@@ -41,10 +48,21 @@ allow fsadm_t self:msg { send receive };
+
+ can_exec(fsadm_t, fsadm_exec_t)
+
+-allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
+-allow fsadm_t fsadm_tmp_t:file manage_file_perms;
++manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
++manage_files_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
++files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file })
++
++manage_dirs_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
++manage_files_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
+ files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
+
++manage_dirs_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
++manage_files_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
++fs_tmpfs_filetrans(fsadm_t, fsadm_tmpfs_t, { file dir })
++
++files_create_boot_flag(fsadm_t)
++files_setattr_root_dirs(fsadm_t)
++
+ # log files
+ allow fsadm_t fsadm_log_t:dir setattr;
+ manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
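Review bot: `files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file })` is an unnamed transition for everything fsadm_t creates under /var/run, whereas the file context added in fstools.fc and the named transition in fstools.if only cover `blkid`; any other directory the tools create there gets fsadm_var_run_t with no matching fc entry and will be relabelled by restorecon. The brace spacing also differs from the `{ file dir }` form used on the neighbouring lines. `files_create_boot_flag` and `files_setattr_root_dirs` are new grants on the root directory that have no comment saying which tool needs them.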
+@@ -53,6 +71,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+ # Enable swapping to files
+ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
+
++kernel_get_sysvipc_info(fsadm_t)
+ kernel_read_system_state(fsadm_t)
+ kernel_read_kernel_sysctls(fsadm_t)
+ kernel_request_load_module(fsadm_t)
+@@ -101,6 +120,8 @@ files_read_usr_files(fsadm_t)
+ files_read_etc_files(fsadm_t)
+ files_manage_lost_found(fsadm_t)
+ files_manage_isid_type_dirs(fsadm_t)
++# /etc/mtab is a link
++files_read_etc_runtime_files(fsadm_t)
+ # Write to /etc/mtab.
+ files_manage_etc_runtime_files(fsadm_t)
+ files_etc_filetrans_etc_runtime(fsadm_t, file)
+@@ -112,7 +133,6 @@ files_read_isid_type_files(fsadm_t)
+ fs_search_auto_mountpoints(fsadm_t)
+ fs_getattr_xattr_fs(fsadm_t)
+ fs_rw_ramfs_pipes(fsadm_t)
+-fs_rw_tmpfs_files(fsadm_t)
+ # remount file system to apply changes
+ fs_remount_xattr_fs(fsadm_t)
+ # for /dev/shm
+@@ -120,6 +140,9 @@ fs_list_auto_mountpoints(fsadm_t)
+ fs_search_tmpfs(fsadm_t)
+ fs_getattr_tmpfs_dirs(fsadm_t)
+ fs_read_tmpfs_symlinks(fsadm_t)
++fs_manage_nfs_files(fsadm_t)
++fs_manage_cifs_files(fsadm_t)
++fs_rw_hugetlbfs_files(fsadm_t)
+ # Recreate /mnt/cdrom.
+ files_manage_mnt_dirs(fsadm_t)
+ # for tune2fs
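Review bot: `fs_manage_nfs_files(fsadm_t)` and `fs_manage_cifs_files(fsadm_t)` grant unconditional write access to network file systems, where elsewhere in refpolicy such access is usually placed behind a tunable or explained; a comment naming the tool that needs it, or a tunable_policy wrapper, would make the grant reviewable. `fs_rw_hugetlbfs_files` likewise lacks a why-comment.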
+@@ -133,21 +156,27 @@ storage_raw_write_fixed_disk(fsadm_t)
+ storage_raw_read_removable_device(fsadm_t)
+ storage_raw_write_removable_device(fsadm_t)
+ storage_read_scsi_generic(fsadm_t)
++storage_rw_fuse(fsadm_t)
+ storage_swapon_fixed_disk(fsadm_t)
+
+ term_use_console(fsadm_t)
+
++auth_read_passwd(fsadm_t)
++
++init_read_state(fsadm_t)
+ init_use_fds(fsadm_t)
+ init_use_script_ptys(fsadm_t)
+ init_dontaudit_getattr_initctl(fsadm_t)
++init_stream_connect(fsadm_t)
+
+ logging_send_syslog_msg(fsadm_t)
++logging_send_audit_msgs(fsadm_t)
++logging_stream_connect_syslog(fsadm_t)
+
+-miscfiles_read_localization(fsadm_t)
+
+ seutil_read_config(fsadm_t)
+
+-userdom_use_user_terminals(fsadm_t)
++term_use_all_inherited_terms(fsadm_t)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
+@@ -166,6 +195,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ devicekit_dontaudit_read_pid_files(fsadm_t)
++ devicekit_dontaudit_rw_log(fsadm_t)
++')
++
++optional_policy(`
+ hal_dontaudit_write_log(fsadm_t)
+ ')
+
+@@ -179,6 +213,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mount_read_pid_files(fsadm_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(fsadm_t)
+ ')
+
+@@ -192,6 +230,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ virt_read_blk_images(fsadm_t)
++')
++
++optional_policy(`
+ xen_append_log(fsadm_t)
+ xen_rw_image_files(fsadm_t)
+ ')
+diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
+index e1a1848..4927638 100644
+--- a/policy/modules/system/getty.fc
++++ b/policy/modules/system/getty.fc
+@@ -3,8 +3,12 @@
+
+ /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
+
+-/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
+-/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
++/usr/lib/systemd/system/[^/]*getty.* -- gen_context(system_u:object_r:getty_unit_file_t,s0)
++
++/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
++
++/var/log/mgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
++/var/log/vgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
+
+ /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
+
+diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
+index e4376aa..2c98c56 100644
+--- a/policy/modules/system/getty.if
++++ b/policy/modules/system/getty.if
+@@ -96,3 +96,45 @@ interface(`getty_rw_config',`
+ files_search_etc($1)
+ allow $1 getty_etc_t:file rw_file_perms;
+ ')
++
++########################################
++##
++## Execute getty server in the getty domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`getty_systemctl',`
++ gen_require(`
++ type getty_unit_file_t;
++ type getty_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 getty_unit_file_t:file read_file_perms;
++ allow $1 getty_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, getty_t)
++')
++
++########################################
++##
++## Start getty unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`getty_start_services',`
++ gen_require(`
++ type getty_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 getty_unit_file_t:service start;
++')
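Review bot: The summary of `getty_systemctl` reads "Execute getty server in the getty domain", but the body grants `systemd_exec_systemctl`, read of getty_unit_file_t and `manage_service_perms` on the getty service plus `ps_process_pattern($1, getty_t)`; no domain transition into getty_t is set up. Change the summary to `## Execute systemctl to manage the getty service units and read getty process state.` and the parameter text to `## Domain allowed access.`, matching `getty_start_services` below. This interface hands out full service management, so the doc should not lead a reader to expect the narrower domtrans semantics.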
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index f6743ea..09fbb87 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t)
+ type getty_var_run_t;
+ files_pid_file(getty_var_run_t)
+
++type getty_unit_file_t;
++systemd_unit_file(getty_unit_file_t)
++
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(getty_t, getty_exec_t, s0 - mcs_systemhigh)
++')
++
++ifdef(`enable_mls',`
++ init_ranged_daemon_domain(getty_t, getty_exec_t, s0 - mls_systemhigh)
++')
++
+ ########################################
+ #
+ # Getty local policy
+@@ -83,8 +94,11 @@ term_use_unallocated_ttys(getty_t)
+ term_setattr_all_ttys(getty_t)
+ term_setattr_unallocated_ttys(getty_t)
+ term_setattr_console(getty_t)
++term_setattr_usb_ttys(getty_t)
++term_use_console(getty_t)
+
+ auth_rw_login_records(getty_t)
++auth_use_nsswitch(getty_t)
+
+ init_rw_utmp(getty_t)
+ init_use_script_ptys(getty_t)
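Review bot: `term_use_console(getty_t)` is added unconditionally here, which makes the true branch of `tunable_policy(`login_console_enabled',` in the hunk at `@@ -113,7 +126,7 @@` grant nothing new: the same `term_use_console(getty_t)` is now always allowed, so toggling the boolean can no longer withhold console access from getty_t. Either drop the unconditional line and keep the access behind the tunable, or remove the tunable's true branch and document that console use is always permitted. If the boolean's false branch (outside the hunk) carries a dontaudit, it becomes dead as well.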
+@@ -94,7 +108,6 @@ locallogin_domtrans(getty_t)
+
+ logging_send_syslog_msg(getty_t)
+
+-miscfiles_read_localization(getty_t)
+
+ ifdef(`distro_gentoo',`
+ # Gentoo default /etc/issue makes agetty
+@@ -113,7 +126,7 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
+-tunable_policy(`console_login',`
++tunable_policy(`login_console_enabled',`
+ # Support logging in from /dev/console
+ term_use_console(getty_t)
+ ',`
+@@ -121,11 +134,19 @@ tunable_policy(`console_login',`
+ ')
+
+ optional_policy(`
++ hostname_exec(getty_t)
++')
++
++optional_policy(`
++ lockdev_manage_files(getty_t)
++')
++
++optional_policy(`
+ mta_send_mail(getty_t)
+ ')
+
+ optional_policy(`
+- nscd_use(getty_t)
++ plymouthd_exec_plymouth(getty_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 9dfecf7..6d00f5c 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1,2 +1,4 @@
+
+ /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
++/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
+diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
+index 187f04f..cf0af09 100644
+--- a/policy/modules/system/hostname.if
++++ b/policy/modules/system/hostname.if
+@@ -53,7 +53,6 @@ interface(`hostname_run',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`hostname_exec',`
+ gen_require(`
+diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
+index 24a7889..d97f6d5 100644
+--- a/policy/modules/system/hostname.te
++++ b/policy/modules/system/hostname.te
+@@ -23,33 +23,36 @@ dontaudit hostname_t self:capability sys_tty_config;
+
+ kernel_list_proc(hostname_t)
+ kernel_read_proc_symlinks(hostname_t)
++kernel_read_network_state(hostname_t)
+
+ dev_read_sysfs(hostname_t)
+ # Early devtmpfs, before udev relabel
+ dev_dontaudit_rw_generic_chr_files(hostname_t)
+
++domain_dontaudit_leaks(hostname_t)
+ domain_use_interactive_fds(hostname_t)
+
+ files_read_etc_files(hostname_t)
++files_dontaudit_leaks(hostname_t)
+ files_dontaudit_search_var(hostname_t)
+ # for when /usr is not mounted:
+ files_dontaudit_search_isid_type_dirs(hostname_t)
+
+ fs_getattr_xattr_fs(hostname_t)
+ fs_search_auto_mountpoints(hostname_t)
++fs_dontaudit_leaks(hostname_t)
+ fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
+
+ term_dontaudit_use_console(hostname_t)
+-term_use_all_ttys(hostname_t)
+-term_use_all_ptys(hostname_t)
++term_use_all_inherited_terms(hostname_t)
+
+ init_use_fds(hostname_t)
+ init_use_script_fds(hostname_t)
+ init_use_script_ptys(hostname_t)
++init_rw_inherited_script_tmp_files(hostname_t)
+
+ logging_send_syslog_msg(hostname_t)
+
+-miscfiles_read_localization(hostname_t)
+
+ sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
+ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
+@@ -57,6 +60,10 @@ sysnet_read_config(hostname_t)
+ sysnet_dns_name_resolve(hostname_t)
+
+ optional_policy(`
++ mock_dontaudit_write_lib_chr_files(hostname_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(hostname_t)
+ ')
+
+diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc
+index caf736b..91c4c6f 100644
+--- a/policy/modules/system/hotplug.fc
++++ b/policy/modules/system/hotplug.fc
+@@ -7,5 +7,8 @@
+ /sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0)
+ /sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
+
++/usr/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0)
++/usr/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
++
+ /var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+ /var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
+index 40eb10c..2a0a32c 100644
+--- a/policy/modules/system/hotplug.if
++++ b/policy/modules/system/hotplug.if
+@@ -34,7 +34,7 @@ interface(`hotplug_domtrans',`
+ #
+ interface(`hotplug_exec',`
+ gen_require(`
+- type hotplug_t;
++ type hotplug_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
+index b2097e7..0a49e14 100644
+--- a/policy/modules/system/hotplug.te
++++ b/policy/modules/system/hotplug.te
+@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
+ #
+
+ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
+-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
++dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit hotplug_t self:capability { dac_override dac_read_search };
+ allow hotplug_t self:process { setpgid getsession getattr signal_perms };
+@@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t)
+
+ files_read_kernel_modules(hotplug_t)
+
+-corenet_all_recvfrom_unlabeled(hotplug_t)
+ corenet_all_recvfrom_netlabel(hotplug_t)
+ corenet_tcp_sendrecv_generic_if(hotplug_t)
+ corenet_udp_sendrecv_generic_if(hotplug_t)
+@@ -96,6 +95,8 @@ init_domtrans_script(hotplug_t)
+ # kernel threads inherit from shared descriptor table used by init
+ init_dontaudit_rw_initctl(hotplug_t)
+
++auth_use_nsswitch(hotplug_t)
++
+ logging_send_syslog_msg(hotplug_t)
+ logging_search_logs(hotplug_t)
+
+@@ -103,9 +104,6 @@ logging_search_logs(hotplug_t)
+ libs_read_lib_files(hotplug_t)
+
+ miscfiles_read_hwdata(hotplug_t)
+-miscfiles_read_localization(hotplug_t)
+-
+-seutil_dontaudit_search_config(hotplug_t)
+
+ sysnet_read_config(hotplug_t)
+
+@@ -164,14 +162,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(hotplug_t)
+-')
+-
+-optional_policy(`
+- nscd_use(hotplug_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(hotplug_t)
+ ')
+
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index bc0ffc8..7198bd9 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -1,6 +1,9 @@
+ #
+ # /etc
+ #
++/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/etc/machine-id -- gen_context(system_u:object_r:machineid_t,s0)
++
+ /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+@@ -29,6 +32,11 @@ ifdef(`distro_gentoo', `
+ #
+ # /sbin
+ #
++/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
++
++#
++# /sbin
++#
+ /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
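Review bot: The new `/bin/systemd` entry is placed under the existing `# /sbin` header and then a second `# /sbin` header is added above `/sbin/init(ng)?`, so the file now has two identical section headers and the systemd entry sits in the wrong section. Change the first header to `# /bin` (or move the entry next to the `/usr/bin/systemd` line added later in the file) so the section comments match the paths they introduce.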
+@@ -42,20 +50,35 @@ ifdef(`distro_gentoo', `
+ #
+ /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
++/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
++# because nowadays, /sbin/init is often a symlink to /sbin/upstart
++/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
++
++/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
++/usr/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
++
+ /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
++
++/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ #
+ # /var
+ #
++/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0)
+ /var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0)
++/var/run/systemd/initctl/fifo -p gen_context(system_u:object_r:initctl_t,s0)
+ /var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
++/var/run/systemd/machine-id -- gen_context(system_u:object_r:machineid_t,s0)
+
+ ifdef(`distro_debian',`
+ /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
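Review bot: `/usr/lib/systemd/[^/]*` labels every regular file directly under /usr/lib/systemd as init_exec_t, so any helper in that directory without a more specific file context elsewhere in the policy becomes an entrypoint into init_t when executed by init. Unless that blanket labelling is intended, narrow the pattern to the systemd binary itself and the helpers that genuinely must run as init_t, and add a comment explaining why the generators matched by `/usr/lib/systemd/system-generators/[^/]*` should run in init_t rather than a dedicated domain. `/usr/sbin/startx` labelled initrc_exec_t also deserves a comment, since a user-started X session script is not obviously an init script.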
+@@ -74,3 +97,4 @@ ifdef(`distro_suse', `
+ /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
+ ')
++/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index 79a45f6..b88e8a2 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -1,5 +1,21 @@
+ ## System initialization programs (init and init scripts).
+
++######################################
++##
++## initrc stub interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`init_stub_initrc',`
++ gen_require(`
++ type initrc_t;
++ ')
++')
++
+ ########################################
+ ##
+ ## Create a file type used for init scripts.
+@@ -106,6 +122,8 @@ interface(`init_domain',`
+ role system_r types $1;
+
+ domtrans_pattern(init_t, $2, $1)
++ allow init_t $1:unix_stream_socket create_stream_socket_perms;
++ allow $1 init_t:unix_dgram_socket sendto;
+
+ ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
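Review bot: `allow init_t $1:unix_stream_socket create_stream_socket_perms;` lets init_t create, bind, listen on and accept sockets labelled with the child domain's type, which is wider than the usual pattern of init merely holding inherited descriptors to a child's socket; if the need is reading and writing sockets the child hands back, `rw_socket_perms` or the specific permissions seen in audit logs would be tighter. Please add a comment above the two new lines naming the systemd mechanism they support (notification socket, socket activation) so the grant can be revisited. init_domain's body continues outside the hunk.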
+@@ -192,50 +210,43 @@ interface(`init_ranged_domain',`
+ interface(`init_daemon_domain',`
+ gen_require(`
+ attribute direct_run_init, direct_init, direct_init_entry;
+- type initrc_t;
++ type init_t;
+ role system_r;
+ attribute daemon;
++ attribute initrc_transition_domain;
++ attribute initrc_domain;
+ ')
+
+ typeattribute $1 daemon;
++ typeattribute $2 direct_init_entry;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+- role system_r types $1;
+-
+- domtrans_pattern(initrc_t, $2, $1)
+-
+- # daemons started from init will
+- # inherit fds from init for the console
+- init_dontaudit_use_fds($1)
+- term_dontaudit_use_console($1)
+-
+- # init script ptys are the stdin/out/err
+- # when using run_init
+- init_use_script_ptys($1)
++ type_transition initrc_domain $2:process $1;
+
+ ifdef(`direct_sysadm_daemon',`
+- domtrans_pattern(direct_run_init, $2, $1)
+- allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+-
++ type_transition direct_run_init $2:process $1;
+ typeattribute $1 direct_init;
+- typeattribute $2 direct_init_entry;
+-
+- userdom_dontaudit_use_user_terminals($1)
+ ')
++')
+
+- ifdef(`hide_broken_symptoms',`
+- # RHEL4 systems seem to have a stray
+- # fds open from the initrd
+- ifdef(`distro_rhel4',`
+- kernel_dontaudit_use_fds($1)
+- ')
+- ')
++#######################################
++##
++## Create initrc domain.
++##
++##
++##
++## Type to be used as a initrc daemon domain.
++##
++##
++#
++interface(`init_initrc_domain',`
++ gen_require(`
++ attribute initrc_domain;
++ ')
+
+- optional_policy(`
+- nscd_use($1)
+- ')
++ typeattribute $1 initrc_domain;
+ ')
+
+ ########################################
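Review bot: `init_daemon_domain` now requires `type init_t;` and `attribute initrc_transition_domain;` but uses neither in its body, and the same unused pair appears in the rewritten `init_system_domain` in the hunk at `@@ -336,23 +350,19 @@`; drop the unused `gen_require` entries so a reader does not look for a dependency that is not there. More importantly, `role system_r types $1;` is removed here, so this interface no longer authorizes the daemon domain for system_r; that is fine only if init.te now grants the role through the `daemon` attribute, which is not visible in this diff, so the interface summary should state where role authorization and the former console/fd dontaudit rules now come from. The new `type_transition initrc_domain $2:process $1;` likewise relies on allow rules for the `initrc_domain` attribute living elsewhere; a comment such as `# allow rules for initrc_domain transitions live in init.te` would make that explicit.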
+@@ -283,17 +294,20 @@ interface(`init_daemon_domain',`
+ interface(`init_ranged_daemon_domain',`
+ gen_require(`
+ type initrc_t;
++ type init_t;
+ ')
+
+- init_daemon_domain($1, $2)
++# init_daemon_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
++ range_transition init_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
++ range_transition init_t $2:process $3;
+ ')
+ ')
+
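Review bot: `# init_daemon_domain($1, $2)` leaves commented-out code inside `init_ranged_daemon_domain`; delete the line rather than disabling it. Because this interface previously created the daemon domain, any existing caller that did not also call `init_daemon_domain` separately now ends up with range transitions to a domain type nobody defines, so the interface summary should say that callers must invoke `init_daemon_domain` themselves (the getty.te hunk at `@@ -27,6 +27,17 @@` presumably relies on an existing `init_daemon_domain` call outside the hunk). The `type initrc_t;` require is still used by the initrc_t range_transition lines and should stay.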
+@@ -336,23 +350,19 @@ interface(`init_ranged_daemon_domain',`
+ #
+ interface(`init_system_domain',`
+ gen_require(`
+- type initrc_t;
++ type init_t;
+ role system_r;
++ attribute initrc_transition_domain;
++ attribute systemprocess, systemprocess_entry;
++ attribute initrc_domain;
+ ')
+
++ typeattribute $1 systemprocess;
+ application_domain($1, $2)
+-
+ role system_r types $1;
++ typeattribute $2 systemprocess_entry;
+
+- domtrans_pattern(initrc_t, $2, $1)
+-
+- ifdef(`hide_broken_symptoms',`
+- # RHEL4 systems seem to have a stray
+- # fds open from the initrd
+- ifdef(`distro_rhel4',`
+- kernel_dontaudit_use_fds($1)
+- ')
+- ')
++ type_transition initrc_domain $2:process $1;
+ ')
+
+ ########################################
+@@ -401,20 +411,41 @@ interface(`init_system_domain',`
+ interface(`init_ranged_system_domain',`
+ gen_require(`
+ type initrc_t;
++ type init_t;
+ ')
+
+ init_system_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
++ range_transition init_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
++ range_transition init_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+ ')
+
++######################################
++##
++## Allow domain dyntransition to init_t domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`init_dyntrans',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dyntrans_pattern($1, init_t)
++')
++
+ ########################################
+ ##
+ ## Mark the file type as a daemon run dir, allowing initrc_t
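Review bot: `init_dyntrans` lets the caller perform a dynamic transition (setcon) into init_t, i.e. take on PID 1's domain without executing an entrypoint; that is among the most powerful grants in the policy and the summary "Allow domain dyntransition to init_t domain" should say so. Suggest `## Allow the domain to dynamically transition to init_t. This confers the full privileges of init; intended only for trusted systemd components.` The `init_ranged_system_domain` change above is consistent with the `init_ranged_daemon_domain` rewrite and raises no separate point.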
+@@ -469,7 +500,6 @@ interface(`init_domtrans',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`init_exec',`
+ gen_require(`
+@@ -478,6 +508,48 @@ interface(`init_exec',`
+
+ corecmd_search_bin($1)
+ can_exec($1, init_exec_t)
++
++ optional_policy(`
++ systemd_exec_systemctl($1)
++ ')
++')
++
++#######################################
++##
++## Check access to the init/systemd executable.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_access_check',`
++ gen_require(`
++ type init_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 init_exec_t:file { getattr_file_perms execute };
++')
++
++#######################################
++##
++## Dontaudit getattr on the init program.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`init_dontaudit_getattr_exec',`
++ gen_require(`
++ type init_exec_t;
++ ')
++
++ dontaudit $1 init_exec_t:file getattr;
+ ')
+
+ ########################################
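Review bot: `init_exec` now pulls in `systemd_exec_systemctl($1)` for every existing caller, silently widening what "execute init" means; the interface summary (above the hunk) should mention it, e.g. `## Execute init, and systemctl when systemd policy is present, in the caller domain.` `init_access_check` grants `execute` on the init_exec_t file, which is the permission an access(2) X_OK probe needs, so the name fits, but a comment `# access(X_OK) on the init binary` above the allow would save the next reader the lookup.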
+@@ -566,6 +638,58 @@ interface(`init_sigchld',`
+
+ ########################################
+ ##
++## Send generic signals to init.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_signal',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:process signal;
++')
++
++########################################
++##
++## Create objects in the init_var_lib_t directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`init_var_lib_filetrans',`
++ gen_require(`
++ type init_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
++')
++
++########################################
++##
+ ## Connect to init with a unix socket.
+ ##
+ ##
+@@ -576,10 +700,66 @@ interface(`init_sigchld',`
+ #
+ interface(`init_stream_connect',`
+ gen_require(`
+- type init_t;
++ type init_t, init_var_run_t;
+ ')
+
+- allow $1 init_t:unix_stream_socket connectto;
++ files_search_pids($1)
++ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
++ allow $1 init_t:unix_stream_socket getattr;
++')
++
++#######################################
++##
++## Dontaudit Connect to init with a unix socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_stream_connect',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dontaudit $1 init_t:unix_stream_socket connectto;
++')
++
++######################################
++##
++## Dontaudit getattr to init with a unix socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_getattr_stream_socket',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dontaudit $1 init_t:unix_stream_socket getattr;
++')
++
++######################################
++##
++## Dontaudit read and write to init with a unix socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_rw_stream_socket',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl };
+ ')
+
+ ########################################
+@@ -743,22 +923,24 @@ interface(`init_write_initctl',`
+ interface(`init_telinit',`
+ gen_require(`
+ type initctl_t;
++ type init_t;
+ ')
+
++ corecmd_exec_bin($1)
++
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+
+ init_exec($1)
+
+- tunable_policy(`init_upstart',`
+- gen_require(`
+- type init_t;
+- ')
+-
+- # upstart uses a datagram socket instead of initctl pipe
+- allow $1 self:unix_dgram_socket create_socket_perms;
+- allow $1 init_t:unix_dgram_socket sendto;
+- ')
++ ps_process_pattern($1, init_t)
++ allow $1 init_t:process signal;
++ dontaudit $1 self:capability net_admin;
++ # upstart uses a datagram socket instead of initctl pipe
++ allow $1 self:unix_dgram_socket create_socket_perms;
++ allow $1 init_t:unix_dgram_socket sendto;
++ #576913
++ allow $1 init_t:unix_stream_socket connectto;
+ ')
+
+ ########################################
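Review bot: `corecmd_exec_bin($1)` in `init_telinit` lets every caller of this interface execute all bin_t programs, far more than telinit needs; if it is for a specific wrapper, name it in a comment or target that labelled file instead. `#576913` is an opaque tracker number; replace it with a sentence stating what `allow $1 init_t:unix_stream_socket connectto;` is for, or call `init_stream_connect($1)`, which this diff rewrites to cover the private socket directory as well. `dontaudit $1 self:capability net_admin;` also deserves a why-comment, since nothing in the visible rules explains why telinit callers would attempt net_admin.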
+@@ -787,7 +969,7 @@ interface(`init_rw_initctl',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -830,11 +1012,12 @@ interface(`init_script_file_entry_type',`
+ #
+ interface(`init_spec_domtrans_script',`
+ gen_require(`
+- type initrc_t, initrc_exec_t;
++ type initrc_t;
++ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
++ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+@@ -845,11 +1028,11 @@ interface(`init_spec_domtrans_script',`
+ ')
+
+ ifdef(`enable_mcs',`
+- range_transition $1 initrc_exec_t:process s0;
++ range_transition $1 init_script_file_type:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+ ')
+ ')
+
+@@ -865,19 +1048,41 @@ interface(`init_spec_domtrans_script',`
+ #
+ interface(`init_domtrans_script',`
+ gen_require(`
+- type initrc_t, initrc_exec_t;
++ type initrc_t;
++ attribute init_script_file_type;
++ attribute initrc_transition_domain;
+ ')
++ typeattribute $1 initrc_transition_domain;
+
+ files_list_etc($1)
+- domtrans_pattern($1, initrc_exec_t, initrc_t)
++ domtrans_pattern($1, init_script_file_type, initrc_t)
+
+ ifdef(`enable_mcs',`
+- range_transition $1 initrc_exec_t:process s0;
++ range_transition $1 init_script_file_type:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
++ ')
++')
++
++########################################
++##
++## Execute a file in a bin directory
++## in the initrc_t domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_bin_domtrans_spec',`
++ gen_require(`
++ type initrc_t;
+ ')
++
++ corecmd_bin_domtrans($1, initrc_t)
+ ')
+
+ ########################################
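Review bot: `init_bin_domtrans_spec` calls `corecmd_bin_domtrans($1, initrc_t)`, which is an automatic `domtrans_pattern` on bin_t: every bin_t program the caller executes would transition into initrc_t, while the `_spec` in the name suggests a caller-chosen transition was intended. Use `corecmd_bin_spec_domtrans($1, initrc_t)` if callers set the context explicitly, or rename the interface to `init_bin_domtrans` and state in the summary that the transition is automatic. Either way the summary `## Execute a file in a bin directory in the initrc_t domain` should make clear it applies to all bin_t files, a much broader grant than the script-type interfaces around it.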
+@@ -933,9 +1138,14 @@ interface(`init_script_file_domtrans',`
+ interface(`init_labeled_script_domtrans',`
+ gen_require(`
+ type initrc_t;
++ attribute initrc_transition_domain;
+ ')
+
++ typeattribute $1 initrc_transition_domain;
++ # service script searches all filesystems via mountpoint
++ fs_search_all($1)
+ domtrans_pattern($1, $2, initrc_t)
++ allow $1 $2:file ioctl;
+ files_search_etc($1)
+ ')
+
+@@ -1012,6 +1222,62 @@ interface(`init_read_state',`
+
+ ########################################
+ ##
++## Dontaudit read the process state (/proc/pid) of init.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_dontaudit_read_state',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dontaudit $1 init_t:dir search_dir_perms;
++ dontaudit $1 init_t:file read_file_perms;
++ dontaudit $1 init_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
++## Read the process keyring of init.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_read_key',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:key read;
++')
++
++########################################
++##
++## Write the process keyring of init.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_write_key',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:key read;
++')
++
++########################################
++##
+ ## Ptrace init
+ ##
+ ##
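Review bot: `init_write_key` grants `allow $1 init_t:key read;`, the same permission as `init_read_key` directly above it, so the interface does not do what its name and summary promise; change the rule to `allow $1 init_t:key write;`. `init_dontaudit_read_state` uses the parameter text "Domain allowed access." where the other dontaudit interfaces in this file say "Domain to not audit."; align it.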
+@@ -1026,7 +1292,9 @@ interface(`init_ptrace',`
+ type init_t;
+ ')
+
+- allow $1 init_t:process ptrace;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 init_t:process ptrace;
++ ')
+ ')
+
+ ########################################
+@@ -1125,7 +1393,8 @@ interface(`init_getattr_all_script_files',`
+
+ ########################################
+ ##
+-## Read all init script files.
++## Allow the specified domain to modify the systemd configuration of
++## all init scripts.
+ ##
+ ##
+ ##
+@@ -1133,59 +1402,95 @@ interface(`init_getattr_all_script_files',`
+ ##
+ ##
+ #
+-interface(`init_read_all_script_files',`
++interface(`init_config_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+- files_search_etc($1)
+- allow $1 init_script_file_type:file read_file_perms;
++ allow $1 init_script_file_type:service all_service_perms;
+ ')
+
+-#######################################
++########################################
+ ##
+-## Dontaudit read all init script files.
++## Read all init script files.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`init_dontaudit_read_all_script_files',`
++interface(`init_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+- dontaudit $1 init_script_file_type:file read_file_perms;
++ files_search_etc($1)
++ allow $1 init_script_file_type:file read_file_perms;
+ ')
+
+-########################################
++#######################################
+ ##
+-## Execute all init scripts in the caller domain.
++## Dontaudit getattr all init script files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`init_exec_all_script_files',`
++interface(`init_dontaudit_getattr_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+- files_list_etc($1)
+- can_exec($1, init_script_file_type)
++ dontaudit $1 init_script_file_type:file getattr;
+ ')
+
+-########################################
++#######################################
+ ##
+-## Read the process state (/proc/pid) of the init scripts.
++## Dontaudit read all init script files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_read_all_script_files',`
++ gen_require(`
++ attribute init_script_file_type;
++ ')
++
++ dontaudit $1 init_script_file_type:file read_file_perms;
++')
++
++########################################
++##
++## Execute all init scripts in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_exec_all_script_files',`
++ gen_require(`
++ attribute init_script_file_type;
++ ')
++
++ files_list_etc($1)
++ can_exec($1, init_script_file_type)
++')
++
++########################################
++##
++## Read the process state (/proc/pid) of the init scripts.
++##
++##
++##
++## Domain allowed access.
+ ##
+ ##
+ #
+@@ -1195,12 +1500,7 @@ interface(`init_read_script_state',`
+ ')
+
+ kernel_search_proc($1)
+- read_files_pattern($1, initrc_t, initrc_t)
+- read_lnk_files_pattern($1, initrc_t, initrc_t)
+- list_dirs_pattern($1, initrc_t, initrc_t)
+-
+- # should move this to separate interface
+- allow $1 initrc_t:process getattr;
++ ps_process_pattern($1, initrc_t)
+ ')
+
+ ########################################
+@@ -1314,6 +1614,24 @@ interface(`init_signal_script',`
+
+ ########################################
+ ##
++## Send kill signals to init scripts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_sigkill_script',`
++ gen_require(`
++ type initrc_t;
++ ')
++
++ allow $1 initrc_t:process sigkill;
++')
++
++########################################
++##
+ ## Send null signals to init scripts.
+ ##
+ ##
+@@ -1440,6 +1758,27 @@ interface(`init_dbus_send_script',`
+ ########################################
+ ##
+ ## Send and receive messages from
++## init over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_dbus_chat',`
++ gen_require(`
++ type init_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 init_t:dbus send_msg;
++ allow init_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Send and receive messages from
+ ## init scripts over dbus.
+ ##
+ ##
+@@ -1547,6 +1886,25 @@ interface(`init_getattr_script_status_files',`
+
+ ########################################
+ ##
++## Manage init script
++## status files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_manage_script_status_files',`
++ gen_require(`
++ type initrc_state_t;
++ ')
++
++ manage_files_pattern($1, initrc_state_t, initrc_state_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to read init script
+ ## status files.
+ ##
+@@ -1605,6 +1963,24 @@ interface(`init_rw_script_tmp_files',`
+
+ ########################################
+ ##
++## Read and write init script inherited temporary data.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_rw_inherited_script_tmp_files',`
++ gen_require(`
++ type initrc_tmp_t;
++ ')
++
++ allow $1 initrc_tmp_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Create files in a init script
+ ## temporary data directory.
+ ##
+@@ -1677,6 +2053,43 @@ interface(`init_read_utmp',`
+
+ ########################################
+ ##
++## Read utmp.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_read_machineid',`
++ gen_require(`
++ type machineid_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 machineid_t:file read_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read utmp.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_read_utmp',`
++ gen_require(`
++ type initrc_var_run_t;
++ ')
++
++ dontaudit $1 initrc_var_run_t:file read_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to write utmp.
+ ##
+ ##
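Review bot: `init_read_machineid` is documented as `## Read utmp.`, a copy-paste leftover; change it to `## Read the machine id.` The init.fc hunk at `@@ -42,20 +50,35 @@` labels both /etc/machine-id and /var/run/systemd/machine-id as machineid_t, but the interface only adds `files_search_etc($1)`, so a caller reading the /run copy also needs `files_search_pids($1)` and `init_search_pid_dirs($1)`; add them or state the limitation in the summary.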
+@@ -1765,7 +2178,7 @@ interface(`init_dontaudit_rw_utmp',`
+ type initrc_var_run_t;
+ ')
+
+- dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
++ dontaudit $1 initrc_var_run_t:file rw_file_perms;
+ ')
+
+ ########################################
+@@ -1806,6 +2219,133 @@ interface(`init_pid_filetrans_utmp',`
+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+ ')
+
++######################################
++##
++## Allow search directory in the /run/systemd directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_search_pid_dirs',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ allow $1 init_var_run_t:dir search_dir_perms;
++')
++
++######################################
++##
++## Allow listing of the /run/systemd directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_list_pid_dirs',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ allow $1 init_var_run_t:dir list_dir_perms;
++')
++
++#######################################
++##
++## Create a directory in the /run/systemd directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_create_pid_dirs',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ allow $1 init_var_run_t:dir list_dir_perms;
++ create_dirs_pattern($1, init_var_run_t, init_var_run_t)
++')
++
++#######################################
++##
++## Create objects in /run/systemd directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`init_pid_filetrans',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ files_search_pids($1)
++ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
++')
++
++#######################################
++##
++## Create objects in /run/systemd directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`init_named_pid_filetrans',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ files_search_pids($1)
++ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
++')
++
+ ########################################
+ ##
+ ## Allow the specified domain to connect to daemon with a tcp socket
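Review bot: `init_named_pid_filetrans` is byte-for-byte the same as `init_pid_filetrans` directly above it (same `gen_require`, same `files_search_pids($1)`, same `filetrans_pattern($1, init_var_run_t, $2, $3, $4)`), so the module now exports two names for one rule set and they will drift apart on the next change. Keep one as canonical and make the other a thin wrapper, e.g. replace the second body with `init_pid_filetrans($1, $2, $3, $4)`, or mark it deprecated in its summary. Both summaries describe `init_var_run_t` as "the /run/systemd directory" while the type comment in init.te still calls it the type for /var/run/shutdown.pid; pick one description so the two files agree.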
+@@ -1840,3 +2380,473 @@ interface(`init_udp_recvfrom_all_daemons',`
+ ')
+ corenet_udp_recvfrom_labeled($1, daemon)
+ ')
++
++########################################
++##
++## Transition to system_r when execute an init script
++##
++##
++##
++## Execute a init script in a specified role
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++##
++##
++## Role to transition from.
++##
++##
++#
++interface(`init_script_role_transition',`
++ gen_require(`
++ attribute init_script_file_type;
++ ')
++
++ role_transition $1 init_script_file_type system_r;
++')
++
++########################################
++##
++## dontaudit read and write an leaked init scrip file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_script_leaks',`
++ gen_require(`
++ type initrc_t;
++ ')
++
++ dontaudit $1 initrc_t:socket_class_set { read write };
++ dontaudit $1 initrc_t:shm rw_shm_perms;
++ init_dontaudit_use_script_ptys($1)
++ init_dontaudit_use_script_fds($1)
++')
++
++#######################################
++##
++## Allow the specified domain to ioctl an
++## init with a unix domain stream sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_ioctl_stream_sockets',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_stream_socket ioctl;
++')
++
++########################################
++##
++## Allow the specified domain to read/write to
++## init with a unix domain stream sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_rw_stream_sockets',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
++')
++
++#######################################
++##
++## Allow the specified domain to write to
++## init sock file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_write_pid_socket',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ allow $1 init_var_run_t:sock_file write;
++')
++
++########################################
++##
++## Send a message to init over a unix domain
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_dgram_send',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_dgram_socket sendto;
++')
++
++########################################
++##
++## Send a message to init over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_stream_send',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_stream_socket sendto;
++')
++
++########################################
++##
++## Create a file type used for init socket files.
++##
++##
++##
++## This defines a type that init can create sock_file within for
++## impersonation purposes
++##
++##
++##
++##
++## Type to be used for a sock file.
++##
++##
++##
++#
++interface(`init_sock_file',`
++ gen_require(`
++ attribute init_sock_file_type;
++ ')
++
++ typeattribute $1 init_sock_file_type;
++
++')
++
++########################################
++##
++## Read init unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_read_pipes',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
++')
++
++########################################
++##
++## Read/Write init unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_rw_pipes',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
++')
++
++#######################################
++##
++## Read and write init TCP sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_rw_tcp_sockets',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:tcp_socket { read write };
++')
++
++########################################
++##
++## Get the system status information from init
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_status',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system status;
++ allow $1 init_t:service status;
++')
++
++########################################
++##
++## Tell init to reboot the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_reboot',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system reboot;
++ systemd_config_power_services($1)
++')
++
++########################################
++##
++## Tell init to enable the services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_enable_services',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system enable;
++')
++
++########################################
++##
++## Tell init to disable the services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_disable_services',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system disable;
++')
++
++########################################
++##
++## Tell init to reload the services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_reload_services',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system reload;
++')
++
++########################################
++##
++## Tell init to halt the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_halt',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system halt;
++ systemd_config_power_services($1)
++')
++
++########################################
++##
++## Tell init to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_undefined',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system undefined;
++')
++
++########################################
++##
++## Tell init to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_start_transient_unit',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:service start;
++')
++
++########################################
++##
++## Tell init to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_stop_transient_unit',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:service stop;
++')
++
++########################################
++##
++## Tell init to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_reload_transient_unit',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:service reload;
++')
++
++########################################
++##
++## Tell init to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_status_transient_unit',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:service status;
++')
++
++########################################
++##
++## Tell init to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_manage_transient_unit',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:service manage_service_perms;
++')
++
++########################################
++##
++## Transition to init named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_filetrans_named_content',`
++ gen_require(`
++ type init_var_run_t;
++ type initrc_var_run_t;
++ type machineid_t;
++ type initctl_t;
++ type systemd_unit_file_t;
++ ')
++
++ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
++ files_pid_filetrans($1, init_var_run_t, file, "random-seed")
++ files_etc_filetrans($1, machineid_t, file, "machine-id" )
++ files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
++ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
++ init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
++')
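Review bot: Five of the new interfaces carry the summary `## Tell init to do an unknown access.` copied from `init_undefined` — `init_start_transient_unit`, `init_stop_transient_unit`, `init_reload_transient_unit`, `init_status_transient_unit` and `init_manage_transient_unit` — so a reader of the docs cannot tell that the last one hands out the whole `manage_service_perms` set on `init_t:service`. Give each the verb it grants, e.g. `## Start a transient systemd unit.`, `## Stop a transient systemd unit.`, and for the last `## Fully manage (start, stop, status, reload, ...) transient systemd units.` with the exact set taken from `manage_service_perms`. `init_read_pipes` and `init_rw_pipes` say "unnamed pipes" but use `read_fifo_files_pattern`/`rw_fifo_files_pattern` on `init_var_run_t`, i.e. named FIFOs in the pid directory; the summaries should say `## Read init's named pipes (FIFOs) in its pid directory.` `init_filetrans_named_content` requires `systemd_unit_file_t`, which ties init.if to the systemd module; if that module can be absent in any supported build, the two `init_pid_filetrans(... systemd_unit_file_t ...)` lines belong inside an `optional_policy` block.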
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 17eda24..7db5938 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -11,10 +11,31 @@ gen_require(`
+
+ ##
+ ##
+-## Enable support for upstart as the init program.
++## Allow all daemons to use tcp wrappers.
+ ##
+ ##
+-gen_tunable(init_upstart, false)
++gen_tunable(daemons_use_tcp_wrapper, false)
++
++##
++##
++## Allow all daemons the ability to read/write terminals
++##
++##
++gen_tunable(daemons_use_tty, false)
++
++##
++##
++## Allow all daemons to write corefiles to /
++##
++##
++gen_tunable(daemons_dump_core, false)
++
++##
++##
++## Enable cluster mode for daemons.
++##
++##
++gen_tunable(daemons_enable_cluster_mode, false)
+
+ # used for direct running of init scripts
+ # by admin domains
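Review bot: The description of `daemons_dump_core` — `## Allow all daemons to write corefiles to /` — gives no hint of what the operator trades away when enabling it; a daemon's core image contains whatever was in its memory, which for network services typically includes private keys, passwords and session tokens. Suggest `## Allow all daemons to write corefiles to /. Core files can expose secrets held in daemon memory (keys, passwords); keep disabled on production systems.` The `tunable_policy` blocks that consume these four tunables are not in this hunk, so whether each is actually wired up cannot be confirmed from here.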
+@@ -25,9 +46,17 @@ attribute direct_init_entry;
+ attribute init_script_domain_type;
+ attribute init_script_file_type;
+ attribute init_run_all_scripts_domain;
++attribute initrc_transition_domain;
++# Attribute used for systemd so domains can allow systemd to create sock_files
++attribute init_sock_file_type;
+
+ # Mark process types as daemons
+ attribute daemon;
++attribute systemprocess;
++attribute systemprocess_entry;
++
++# Mark process types as initrc domain
++attribute initrc_domain;
+
+ # Mark file type as a daemon run directory
+ attribute daemonrundir;
+@@ -35,12 +64,20 @@ attribute daemonrundir;
+ #
+ # init_t is the domain of the init process.
+ #
+-type init_t;
++type init_t, initrc_transition_domain;
+ type init_exec_t;
+ domain_type(init_t)
+ domain_entry_file(init_t, init_exec_t)
++domain_role_change_exemption(init_t)
+ kernel_domtrans_to(init_t, init_exec_t)
+ role system_r types init_t;
++init_initrc_domain(init_t)
++
++#
++# init_tmp_t is the type for content in /tmp directory
++#
++type init_tmp_t;
++files_tmp_file(init_tmp_t)
+
+ #
+ # init_var_run_t is the type for /var/run/shutdown.pid.
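Review bot: `domain_role_change_exemption(init_t)` and `init_initrc_domain(init_t)` are added to the `init_t` declaration block with no comment, yet the first lifts the role-change constraint for the one domain every service descends from and the second folds all `initrc_domain` rules into it. Add a why-comment such as `# systemd spawns services directly rather than via initrc_t, so init_t needs the initrc_domain rules and must be exempt from the role-change constraint — TODO confirm which unit transition trips the constraint`. Without it the next reviewer cannot tell whether the exemption is still required when a later cleanup narrows `initrc_domain`.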
+@@ -49,6 +86,15 @@ type init_var_run_t;
+ files_pid_file(init_var_run_t)
+
+ #
++# init_var_lib_t is the type for /var/lib/systemd
++#
++type init_var_lib_t;
++files_type(init_var_lib_t)
++
++type machineid_t;
++files_config_file(machineid_t)
++
++#
+ # initctl_t is the type of the named pipe created
+ # by init during initialization. This pipe is used
+ # to communicate with init.
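Review bot: `type machineid_t;` is declared without the descriptive comment the neighbouring types carry (`# init_var_lib_t is the type for /var/lib/systemd`). The later hunks in this file apply both `files_etc_filetrans(init_t, machineid_t, file, "machine-id")` and `files_pid_filetrans(init_t, machineid_t, file, "machine-id")`, so the label covers the persistent and the transient copy; suggest `# machineid_t is the type for /etc/machine-id and its transient copy under the pid directory`. Since `files_config_file(machineid_t)` makes it readable wherever config files are, a comment also helps anyone auditing what is reachable through that attribute.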
+@@ -57,7 +103,7 @@ type initctl_t;
+ files_type(initctl_t)
+ mls_trusted_object(initctl_t)
+
+-type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
++type initrc_t, initrc_domain, init_script_domain_type, init_run_all_scripts_domain;
+ type initrc_exec_t, init_script_file_type;
+ domain_type(initrc_t)
+ domain_entry_file(initrc_t, initrc_exec_t)
+@@ -66,6 +112,7 @@ role system_r types initrc_t;
+ # of the below init_upstart tunable
+ # but this has a typeattribute in it
+ corecmd_shell_entry_type(initrc_t)
++corecmd_bin_entry_type(initrc_t)
+
+ type initrc_devpts_t;
+ term_pty(initrc_devpts_t)
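Review bot: The context comment `# of the below init_upstart tunable` / `# but this has a typeattribute in it` above `corecmd_shell_entry_type(initrc_t)` refers to the `init_upstart` tunable that this same commit deletes (the `tunable_policy(`init_upstart'` block is removed further down), so it is now stale; rewrite it as `# shell domtrans to initrc_t is unconditional now, so the shell entry type is too`. The new `corecmd_bin_entry_type(initrc_t)` makes every `bin_t` executable a valid entry point into `initrc_t` alongside `initrc_exec_t` and the shell; whether any domtrans pairs with it is not visible here, but a one-line comment naming the program that needs it (unit ExecStart binaries, presumably) would keep the widening reviewable.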
+@@ -98,7 +145,10 @@ ifdef(`enable_mls',`
+ #
+
+ # Use capabilities. old rule:
+-allow init_t self:capability ~sys_module;
++allow init_t self:capability ~{ audit_control audit_write sys_module };
++allow init_t self:capability2 ~{ mac_admin mac_override };
++allow init_t self:tcp_socket { listen accept };
++allow init_t self:key manage_key_perms;
+ # is ~sys_module really needed? observed:
+ # sys_boot
+ # sys_tty_config
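Review bot: The new exclusion `~{ audit_control audit_write sys_module }` on `init_t self:capability` is undone for `audit_write` later in this file, where `logging_send_audit_msgs(init_t)` is added; that interface grants `self:capability audit_write` in refpolicy, so the exclusion list documents an intent the compiled policy does not enforce. Either drop `audit_write` from the exclusion with a comment that init sends audit messages, or drop the `logging_send_audit_msgs(init_t)` call — the two lines should not disagree. The `capability2 ~{ mac_admin mac_override }` line is a sensible default; a comment that those two are withheld because init loads policy and must not be able to bypass it would make the choice explicit.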
+@@ -108,14 +158,43 @@ allow init_t self:capability ~sys_module;
+
+ allow init_t self:fifo_file rw_fifo_file_perms;
+
++allow init_t self:service manage_service_perms;
++
+ # Re-exec itself
+ can_exec(init_t, init_exec_t)
+-
+-allow init_t initrc_t:unix_stream_socket connectto;
+-
+-# For /var/run/shutdown.pid.
+-allow init_t init_var_run_t:file manage_file_perms;
+-files_pid_filetrans(init_t, init_var_run_t, file)
++# executing content in /run/initramfs
++manage_files_pattern(init_t, initrc_state_t, initrc_state_t)
++can_exec(init_t, initrc_state_t)
++
++allow daemon initrc_t:unix_dgram_socket sendto;
++allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
++allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
++allow initrc_t init_t:fifo_file rw_fifo_file_perms;
++
++manage_files_pattern(init_t, init_tmp_t, init_tmp_t)
++manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)
++manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)
++files_tmp_filetrans(init_t, init_tmp_t, { file })
++
++manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
++manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
++manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
++manage_sock_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
++files_var_lib_filetrans(init_t, init_var_lib_t, { dir file })
++
++manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
++manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
++manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
++manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
++manage_fifo_files_pattern(init_t, init_var_run_t, init_var_run_t)
++files_pid_filetrans(init_t, init_var_run_t, { dir file })
++allow init_t init_var_run_t:dir mounton;
++allow init_t init_var_run_t:sock_file relabelto;
++
++allow init_t machineid_t:file manage_file_perms;
++files_pid_filetrans(init_t, machineid_t, file, "machine-id")
++files_etc_filetrans(init_t, machineid_t, file, "machine-id")
++allow init_t machineid_t:file mounton;
+
+ allow init_t initctl_t:fifo_file manage_fifo_file_perms;
+ dev_filetrans(init_t, initctl_t, fifo_file)
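Review bot: `manage_files_pattern(init_t, initrc_state_t, initrc_state_t)` together with `can_exec(init_t, initrc_state_t)` gives init write and execute on the same type, and `initrc_state_t` is also writable by `initrc_t` (the existing `manage_fifo_files_pattern(initrc_t, initrc_state_t, ...)` and the new `fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)` further down), so any init script can drop a file that `init_t` will then execute. The comment `# executing content in /run/initramfs` names the use case; a dedicated type for the initramfs payload — executable from `init_t`, created only by the domain that unpacks it — would keep W and X on separate types. Separately, `files_tmp_filetrans(init_t, init_tmp_t, { file })` transitions only files although `manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)` is granted, so directories init creates in /tmp will land as `tmp_t`; add `dir` to the class set if that is intended.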
+@@ -125,13 +204,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+
+ kernel_read_system_state(init_t)
+ kernel_share_state(init_t)
++kernel_stream_connect(init_t)
+
+ corecmd_exec_chroot(init_t)
+ corecmd_exec_bin(init_t)
+
+-dev_read_sysfs(init_t)
++corenet_all_recvfrom_netlabel(init_t)
++corenet_tcp_bind_all_ports(init_t)
++corenet_udp_bind_all_ports(init_t)
++
++dev_create_all_chr_files(init_t)
++dev_rw_sysfs(init_t)
++dev_read_urand(init_t)
++dev_read_raw_memory(init_t)
+ # Early devtmpfs
+ dev_rw_generic_chr_files(init_t)
++dev_filetrans_all_named_dev(init_t)
++dev_write_watchdog(init_t)
+
+ domain_getpgid_all_domains(init_t)
+ domain_kill_all_domains(init_t)
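Review bot: `dev_read_raw_memory(init_t)` is added with no comment saying which init action reads raw memory devices; that access exposes kernel memory and other processes' pages, including key material, and is the kind of rule that should name its trigger or be dropped. Suggest either `# TODO: drop — no known systemd code path reads /dev/mem` or a comment naming the denial it silences. `dev_create_all_chr_files(init_t)` and the pair `corenet_tcp_bind_all_ports(init_t)` / `corenet_udp_bind_all_ports(init_t)` (socket activation, presumably) likewise deserve a one-line why so a later audit can tell intended from accidental.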
+@@ -139,14 +228,23 @@ domain_signal_all_domains(init_t)
+ domain_signull_all_domains(init_t)
+ domain_sigstop_all_domains(init_t)
+ domain_sigchld_all_domains(init_t)
++domain_read_all_domains_state(init_t)
++domain_getattr_all_domains(init_t)
+
+-files_read_etc_files(init_t)
++files_read_config_files(init_t)
++files_read_all_pids(init_t)
++files_read_system_conf_files(init_t)
+ files_rw_generic_pids(init_t)
+ files_dontaudit_search_isid_type_dirs(init_t)
++files_read_etc_runtime_files(init_t)
++files_manage_all_locks(init_t)
+ files_manage_etc_runtime_files(init_t)
++files_manage_etc_symlinks(init_t)
+ files_etc_filetrans_etc_runtime(init_t, file)
+ # Run /etc/X11/prefdm:
+ files_exec_etc_files(init_t)
++files_read_usr_files(init_t)
++files_write_root_dirs(init_t)
+ # file descriptors inherited from the rootfs:
+ files_dontaudit_rw_root_files(init_t)
+ files_dontaudit_rw_root_chr_files(init_t)
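Review bot: `files_write_root_dirs(init_t)` and `files_manage_all_locks(init_t)` are added without a comment, and write access to the root directory in particular is not something a reader would expect of init. If the reason is mount-point or symlink creation during early boot, say so: `# systemd creates mount points/symlinks directly under / during early boot — TODO confirm`. Without it the rule looks like an unreviewed denial fix.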
+@@ -156,28 +254,53 @@ fs_list_inotifyfs(init_t)
+ fs_write_ramfs_sockets(init_t)
+
+ mcs_process_set_categories(init_t)
+-mcs_killall(init_t)
+
+ mls_file_read_all_levels(init_t)
+ mls_file_write_all_levels(init_t)
+-mls_process_write_down(init_t)
++mls_file_downgrade(init_t)
++mls_file_upgrade(init_t)
+ mls_fd_use_all_levels(init_t)
++mls_fd_share_all_levels(init_t)
++mls_process_set_level(init_t)
++mls_process_write_down(init_t)
++mls_socket_read_all_levels(init_t)
++mls_socket_write_all_levels(init_t)
++mls_rangetrans_source(init_t)
+
+ selinux_set_all_booleans(init_t)
++selinux_load_policy(init_t)
++selinux_mounton_fs(init_t)
++allow init_t security_t:security load_policy;
+
+-term_use_all_terms(init_t)
++term_create_pty_dir(init_t)
++term_use_unallocated_ttys(init_t)
++term_use_console(init_t)
++term_use_all_inherited_terms(init_t)
++term_use_generic_ptys(init_t)
+
+ # Run init scripts.
+ init_domtrans_script(init_t)
+
+ libs_rw_ld_so_cache(init_t)
+
++logging_create_devlog_dev(init_t)
+ logging_send_syslog_msg(init_t)
++logging_send_audit_msgs(init_t)
+ logging_rw_generic_logs(init_t)
++logging_relabel_devlog_dev(init_t)
++logging_manage_audit_config(init_t)
+
+ seutil_read_config(init_t)
++seutil_read_module_store(init_t)
++
++miscfiles_manage_localization(init_t)
++miscfiles_filetrans_named_content(init_t)
++
++userdom_use_user_ttys(init_t)
++userdom_manage_tmp_dirs(init_t)
++userdom_manage_tmp_sockets(init_t)
+
+-miscfiles_read_localization(init_t)
++allow init_t self:process setsched;
+
+ ifdef(`distro_gentoo',`
+ allow init_t self:process { getcap setcap };
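Review bot: `allow init_t security_t:security load_policy;` duplicates what `selinux_load_policy(init_t)` on the preceding line already grants (refpolicy's interface covers `security_t:security load_policy`) and it bypasses the interface layer the rest of this block uses; drop the raw rule. Policy loading is the most powerful right in this file, so a short comment above `selinux_load_policy(init_t)` such as `# systemd loads the initial policy before any other userspace runs` would explain why it is acceptable here. `mcs_killall(init_t)` is removed while `domain_kill_all_domains(init_t)` stays; under MCS, killing a categorised process from `init_t` then depends on init's own range dominating it — if that is relied on, a comment should say so.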
+@@ -186,29 +309,241 @@ ifdef(`distro_gentoo',`
+ ')
+
+ ifdef(`distro_redhat',`
++ fs_manage_tmpfs_files(init_t)
++ fs_manage_tmpfs_symlinks(init_t)
++ fs_manage_tmpfs_sockets(init_t)
++ fs_manage_tmpfs_chr_files(init_t)
++ fs_exec_tmpfs_files(init_t)
+ fs_read_tmpfs_symlinks(init_t)
+- fs_rw_tmpfs_chr_files(init_t)
+ fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
++ fs_tmpfs_filetrans_named_content(init_t)
++
++ logging_stream_connect_syslog(init_t)
++ logging_relabel_syslog_pid_socket(init_t)
+ ')
+
+-tunable_policy(`init_upstart',`
+- corecmd_shell_domtrans(init_t, initrc_t)
+-',`
+- # Run the shell in the sysadm role for single-user mode.
+- # causes problems with upstart
+- sysadm_shell_domtrans(init_t)
++corecmd_shell_domtrans(init_t, initrc_t)
++
++storage_raw_rw_fixed_disk(init_t)
++
++sysnet_read_dhcpc_state(init_t)
++
++optional_policy(`
++ chronyd_read_keys(init_t)
++')
++
++optional_policy(`
++ journalctl_exec(init_t)
++')
++
++optional_policy(`
++ kdump_read_crash(init_t)
++ kdump_read_config(init_t)
++')
++
++optional_policy(`
++ gnome_filetrans_home_content(init_t)
++ gnome_manage_data(init_t)
++')
++
++optional_policy(`
++ iscsi_read_lib_files(init_t)
++ iscsi_manage_lock(init_t)
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
++ modutils_domtrans_insmod(init_t)
++ modutils_list_module_config(init_t)
+ ')
+
+ optional_policy(`
++ postfix_exec(init_t)
++ postfix_list_spool(init_t)
++ mta_read_config(init_t)
++ mta_manage_aliases(init_t)
++')
++
++allow init_t self:system all_system_perms;
++allow init_t self:unix_dgram_socket { create_socket_perms sendto };
++allow init_t self:process { setsockcreate setfscreate setrlimit setexec };
++allow init_t self:process { getcap setcap };
++allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow init_t self:netlink_selinux_socket create_socket_perms;
++# Until systemd is fixed
++allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
++allow init_t self:udp_socket create_socket_perms;
++allow init_t self:netlink_route_socket create_netlink_socket_perms;
++
++allow init_t initrc_t:unix_dgram_socket create_socket_perms;
++
++kernel_list_unlabeled(init_t)
++kernel_read_network_state(init_t)
++kernel_rw_all_sysctls(init_t)
++kernel_rw_security_state(init_t)
++kernel_rw_usermodehelper_state(init_t)
++kernel_read_software_raid_state(init_t)
++kernel_unmount_debugfs(init_t)
++kernel_setsched(init_t)
++
++dev_write_kmsg(init_t)
++dev_write_urand(init_t)
++dev_rw_lvm_control(init_t)
++dev_rw_autofs(init_t)
++dev_manage_generic_symlinks(init_t)
++dev_manage_generic_dirs(init_t)
++dev_manage_generic_files(init_t)
++dev_read_generic_chr_files(init_t)
++dev_relabel_generic_dev_dirs(init_t)
++dev_relabel_all_dev_nodes(init_t)
++dev_relabel_all_dev_files(init_t)
++dev_manage_sysfs_dirs(init_t)
++dev_relabel_sysfs_dirs(init_t)
++
++files_search_all(init_t)
++files_mounton_all_mountpoints(init_t)
++files_unmount_all_file_type_fs(init_t)
++files_manage_all_pid_dirs(init_t)
++files_manage_etc_dirs(init_t)
++files_manage_generic_tmp_dirs(init_t)
++files_relabel_all_pid_dirs(init_t)
++files_relabel_all_pid_files(init_t)
++files_create_all_pid_sockets(init_t)
++files_delete_all_pids(init_t)
++files_exec_generic_pid_files(init_t)
++files_create_all_pid_pipes(init_t)
++files_create_all_spool_sockets(init_t)
++files_delete_all_spool_sockets(init_t)
++files_manage_urandom_seed(init_t)
++files_list_locks(init_t)
++files_list_spool(init_t)
++files_list_var(init_t)
++files_list_boot(init_t)
++files_list_home(init_t)
++files_create_lock_dirs(init_t)
++files_relabel_all_lock_dirs(init_t)
++files_read_kernel_modules(init_t)
++fs_getattr_all_fs(init_t)
++fs_manage_cgroup_dirs(init_t)
++fs_manage_cgroup_files(init_t)
++fs_manage_hugetlbfs_dirs(init_t)
++fs_manage_tmpfs_dirs(init_t)
++fs_relabel_tmpfs_dirs(init_t)
++fs_relabel_tmpfs_files(init_t)
++fs_relabel_tmpfs_fifo_files(init_t)
++fs_mount_all_fs(init_t)
++fs_unmount_all_fs(init_t)
++fs_remount_all_fs(init_t)
++fs_list_all(init_t)
++fs_list_auto_mountpoints(init_t)
++fs_register_binary_executable_type(init_t)
++fs_relabel_tmpfs_sock_file(init_t)
++fs_rw_tmpfs_files(init_t)
++fs_relabel_cgroup_dirs(init_t)
++fs_search_cgroup_dirs(init_t)
++selinux_compute_access_vector(init_t)
++selinux_compute_create_context(init_t)
++selinux_validate_context(init_t)
++selinux_unmount_fs(init_t)
++
++storage_getattr_removable_dev(init_t)
++
++term_relabel_ptys_dirs(init_t)
++
++auth_relabel_login_records(init_t)
++auth_relabel_pam_console_data_dirs(init_t)
++
++clock_read_adjtime(init_t)
++
++init_read_script_state(init_t)
++
++modutils_read_module_config(init_t)
++
++seutil_read_file_contexts(init_t)
++
++systemd_exec_systemctl(init_t)
++systemd_manage_home_content(init_t)
++systemd_manage_unit_dirs(init_t)
++systemd_manage_random_seed(init_t)
++systemd_manage_all_unit_files(init_t)
++systemd_logger_stream_connect(init_t)
++systemd_config_all_services(init_t)
++systemd_relabelto_fifo_file_passwd_run(init_t)
++systemd_relabel_unit_dirs(init_t)
++systemd_relabel_unit_files(init_t)
++systemd_manage_unit_dirs(initrc_t)
++systemd_manage_unit_symlinks(initrc_t)
++systemd_config_all_services(initrc_t)
++systemd_read_unit_files(initrc_t)
++
++create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
++
++auth_use_nsswitch(init_t)
++auth_rw_login_records(init_t)
++auth_domtrans_chk_passwd(init_t)
++
++ifdef(`distro_redhat',`
++ # it comes from setupr scripts used in systemd unit files
++ # has been covered by initrc_t
++ optional_policy(`
++ bind_manage_config_dirs(init_t)
++ bind_manage_config(init_t)
++ bind_write_config(init_t)
++ bind_setattr_zone_dirs(init_t)
++ ')
++
++ optional_policy(`
++ ipsec_read_config(init_t)
++ ipsec_manage_pid(init_t)
++ ipsec_stream_connect(init_t)
++ ')
++
++ optional_policy(`
++ rpc_manage_nfs_state_data(init_t)
++ ')
++
++ optional_policy(`
++ sysnet_relabelfrom_dhcpc_state(init_t)
++ sysnet_setattr_dhcp_state(init_t)
++ ')
++')
++
++optional_policy(`
++ lvm_rw_pipes(init_t)
++ lvm_read_config(init_t)
++')
++
++optional_policy(`
++ consolekit_manage_log(init_t)
++')
++
++optional_policy(`
++ dbus_connect_system_bus(init_t)
+ dbus_system_bus_client(init_t)
++ dbus_delete_pid_files(init_t)
++
++ optional_policy(`
++ devicekit_dbus_chat_power(init_t)
++ ')
++')
++
++optional_policy(`
++ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
++ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
++ # the directory. But we do not want to allow this.
++ # The master process of dovecot will manage this file.
++ dovecot_dontaudit_unlink_lib_files(initrc_t)
++')
++
++optional_policy(`
++ networkmanager_stream_connect(init_t)
++ networkmanager_stream_connect(initrc_t)
+ ')
+
+ optional_policy(`
+- nscd_use(init_t)
++ plymouthd_stream_connect(init_t)
++ plymouthd_exec_plymouth(init_t)
++ plymouthd_filetrans_named_content(init_t)
+ ')
+
+ optional_policy(`
+@@ -216,7 +551,31 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rpcbind_filetrans_named_content(init_t)
++ rpcbind_relabel_sock_file(init_t)
++')
++
++optional_policy(`
++ systemd_filetrans_named_content(init_t)
++')
++
++optional_policy(`
++ udev_read_db(init_t)
++ udev_relabelto_db(init_t)
++ udev_create_kobject_uevent_socket(init_t)
++ udev_relabel_pid_sockfile(init_t)
++')
++
++optional_policy(`
++ xserver_relabel_xdm_tmp_dirs(init_t)
++ xserver_manage_xdm_tmp_dirs(init_t)
++ xserver_read_xdm_lib_files(init_t)
++')
++
++optional_policy(`
+ unconfined_domain(init_t)
++ domain_named_filetrans(init_t)
++ unconfined_server_domtrans(init_t)
+ ')
+
+ ########################################
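Review bot: `storage_raw_rw_fixed_disk(init_t)` gives init read/write on raw fixed-disk block devices with no comment naming the unit or tool that needs it; raw block access bypasses filesystem permissions and labels entirely and should not sit in the policy as an anonymous line. Likewise `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };` under `# Until systemd is fixed` hands every daemon domain read/write/setopt on every `init_t` socket of every class; the comment should name the bug or the leaked-descriptor symptom so the rule can be retired, and if the leak is benign a `dontaudit` would silence the denial without granting the access. The `optional_policy` at the end still applies `unconfined_domain(init_t)`, which makes all of this moot where that module is loaded, but on builds without it these lines are the effective rules.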
+@@ -225,9 +584,9 @@ optional_policy(`
+ #
+
+ allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+-allow initrc_t self:capability ~{ sys_admin sys_module };
++allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
+ allow initrc_t self:capability2 block_suspend;
+-dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
++dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
+ allow initrc_t self:passwd rootok;
+ allow initrc_t self:key manage_key_perms;
+
+@@ -258,12 +617,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+
+ allow initrc_t initrc_var_run_t:file manage_file_perms;
+ files_pid_filetrans(initrc_t, initrc_var_run_t, file)
++files_manage_generic_pids_symlinks(initrc_t)
++files_create_var_run_dirs(initrc_t)
++files_relabelfrom_isid_type(initrc_t)
+
+ can_exec(initrc_t, initrc_tmp_t)
+ manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+ manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+ manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+ files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
++allow initrc_t initrc_tmp_t:dir relabelfrom;
+
+ manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+ manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+@@ -279,23 +642,36 @@ kernel_change_ring_buffer_level(initrc_t)
+ kernel_clear_ring_buffer(initrc_t)
+ kernel_get_sysvipc_info(initrc_t)
+ kernel_read_all_sysctls(initrc_t)
++kernel_request_load_module(initrc_t)
+ kernel_rw_all_sysctls(initrc_t)
+ # for lsof which is used by alsa shutdown:
+ kernel_dontaudit_getattr_message_if(initrc_t)
++kernel_stream_connect(initrc_t)
++files_read_kernel_modules(initrc_t)
++files_read_config_files(initrc_t)
++files_read_var_lib_symlinks(initrc_t)
++files_setattr_pid_dirs(initrc_t)
+
+ files_create_lock_dirs(initrc_t)
+ files_pid_filetrans_lock_dir(initrc_t, "lock")
+ files_read_kernel_symbol_table(initrc_t)
+-files_setattr_lock_dirs(initrc_t)
++files_exec_etc_files(initrc_t)
++files_manage_etc_symlinks(initrc_t)
++files_manage_system_conf_files(initrc_t)
++
++fs_manage_tmpfs_dirs(initrc_t)
++fs_manage_tmpfs_symlinks(initrc_t)
++fs_delete_tmpfs_files(initrc_t)
++fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
++fs_read_nfsd_files(initrc_t)
+
+ corecmd_exec_all_executables(initrc_t)
+
+-corenet_all_recvfrom_unlabeled(initrc_t)
+ corenet_all_recvfrom_netlabel(initrc_t)
+-corenet_tcp_sendrecv_all_if(initrc_t)
+-corenet_udp_sendrecv_all_if(initrc_t)
+-corenet_tcp_sendrecv_all_nodes(initrc_t)
+-corenet_udp_sendrecv_all_nodes(initrc_t)
++corenet_tcp_sendrecv_generic_if(initrc_t)
++corenet_udp_sendrecv_generic_if(initrc_t)
++corenet_tcp_sendrecv_generic_node(initrc_t)
++corenet_udp_sendrecv_generic_node(initrc_t)
+ corenet_tcp_sendrecv_all_ports(initrc_t)
+ corenet_udp_sendrecv_all_ports(initrc_t)
+ corenet_tcp_connect_all_ports(initrc_t)
+@@ -303,9 +679,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+
+ dev_read_rand(initrc_t)
+ dev_read_urand(initrc_t)
++dev_dontaudit_read_kmsg(initrc_t)
+ dev_write_kmsg(initrc_t)
+ dev_write_rand(initrc_t)
+ dev_write_urand(initrc_t)
++dev_write_watchdog(initrc_t)
+ dev_rw_sysfs(initrc_t)
+ dev_list_usbfs(initrc_t)
+ dev_read_framebuffer(initrc_t)
+@@ -313,8 +691,10 @@ dev_write_framebuffer(initrc_t)
+ dev_read_realtime_clock(initrc_t)
+ dev_read_sound_mixer(initrc_t)
+ dev_write_sound_mixer(initrc_t)
++dev_setattr_generic_dirs(initrc_t)
+ dev_setattr_all_chr_files(initrc_t)
+ dev_rw_lvm_control(initrc_t)
++dev_rw_generic_chr_files(initrc_t)
+ dev_delete_lvm_control_dev(initrc_t)
+ dev_manage_generic_symlinks(initrc_t)
+ dev_manage_generic_files(initrc_t)
+@@ -322,8 +702,7 @@ dev_manage_generic_files(initrc_t)
+ dev_delete_generic_symlinks(initrc_t)
+ dev_getattr_all_blk_files(initrc_t)
+ dev_getattr_all_chr_files(initrc_t)
+-# Early devtmpfs
+-dev_rw_generic_chr_files(initrc_t)
++dev_rw_xserver_misc(initrc_t)
+
+ domain_kill_all_domains(initrc_t)
+ domain_signal_all_domains(initrc_t)
+@@ -332,7 +711,6 @@ domain_sigstop_all_domains(initrc_t)
+ domain_sigchld_all_domains(initrc_t)
+ domain_read_all_domains_state(initrc_t)
+ domain_getattr_all_domains(initrc_t)
+-domain_dontaudit_ptrace_all_domains(initrc_t)
+ domain_getsession_all_domains(initrc_t)
+ domain_use_interactive_fds(initrc_t)
+ # for lsof which is used by alsa shutdown:
+@@ -340,6 +718,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+ domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
+ domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
+ domain_dontaudit_getattr_all_pipes(initrc_t)
++domain_obj_id_change_exemption(initrc_t)
+
+ files_getattr_all_dirs(initrc_t)
+ files_getattr_all_files(initrc_t)
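Review bot: `domain_obj_id_change_exemption(initrc_t)` exempts the generic init-script domain from the constraint on changing an object's identity on relabel, with no comment saying which script needs it. Add `# <script> relabels files to a different SELinux user — TODO confirm` naming the caller, or move the exemption to that script's own domain; as written, every init script inherits it.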
+@@ -347,14 +726,15 @@ files_getattr_all_symlinks(initrc_t)
+ files_getattr_all_pipes(initrc_t)
+ files_getattr_all_sockets(initrc_t)
+ files_purge_tmp(initrc_t)
+-files_delete_all_locks(initrc_t)
++files_manage_all_locks(initrc_t)
++files_manage_boot_files(initrc_t)
+ files_read_all_pids(initrc_t)
++files_delete_root_files(initrc_t)
+ files_delete_all_pids(initrc_t)
+ files_delete_all_pid_dirs(initrc_t)
+ files_read_etc_files(initrc_t)
+ files_manage_etc_runtime_files(initrc_t)
+ files_etc_filetrans_etc_runtime(initrc_t, file)
+-files_exec_etc_files(initrc_t)
+ files_read_usr_files(initrc_t)
+ files_manage_urandom_seed(initrc_t)
+ files_manage_generic_spool(initrc_t)
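Review bot: `files_manage_boot_files(initrc_t)` lets any init script create, modify or delete files under /boot — kernel images and initramfs — from the generic `initrc_t` domain, and `files_delete_root_files(initrc_t)` similarly covers files directly under /. Neither carries a comment naming the script that needs it. Prefer granting boot-file management to the specific domain (a kernel-install or dracut helper, for instance) and, failing that, add `# needed by <script> to regenerate the initramfs — TODO confirm` so the write path to the boot payload stays traceable.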
+@@ -364,8 +744,12 @@ files_list_isid_type_dirs(initrc_t)
+ files_mounton_isid_type_dirs(initrc_t)
+ files_list_default(initrc_t)
+ files_mounton_default(initrc_t)
++files_manage_mnt_dirs(initrc_t)
++files_manage_mnt_files(initrc_t)
+
+-fs_write_cgroup_files(initrc_t)
++fs_delete_cgroup_dirs(initrc_t)
++fs_list_cgroup_dirs(initrc_t)
++fs_rw_cgroup_files(initrc_t)
+ fs_list_inotifyfs(initrc_t)
+ fs_register_binary_executable_type(initrc_t)
+ # rhgb-console writes to ramfs
+@@ -375,10 +759,11 @@ fs_mount_all_fs(initrc_t)
+ fs_unmount_all_fs(initrc_t)
+ fs_remount_all_fs(initrc_t)
+ fs_getattr_all_fs(initrc_t)
++fs_search_all(initrc_t)
++fs_getattr_nfsd_files(initrc_t)
++fs_dontaudit_create_tmpfs_chr_dev(initrc_t)
+
+ # initrc_t needs to do a pidof which requires ptrace
+-mcs_ptrace_all(initrc_t)
+-mcs_killall(initrc_t)
+ mcs_process_set_categories(initrc_t)
+
+ mls_file_read_all_levels(initrc_t)
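Review bot: The comment `# initrc_t needs to do a pidof which requires ptrace` is now stale: the two rules it justified, `mcs_ptrace_all(initrc_t)` and `mcs_killall(initrc_t)`, are removed and only `mcs_process_set_categories(initrc_t)` remains under it, which is unrelated to ptrace. Either drop the comment or replace it with one that fits the surviving rule, e.g. `# init scripts may start services at a different MCS category set`. If the pidof requirement is now met some other way (the removal of `domain_dontaudit_ptrace_all_domains` earlier in this file suggests the need changed), saying so here prevents someone re-adding mcs_ptrace_all later.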
+@@ -387,8 +772,10 @@ mls_process_read_up(initrc_t)
+ mls_process_write_down(initrc_t)
+ mls_rangetrans_source(initrc_t)
+ mls_fd_share_all_levels(initrc_t)
++mls_socket_write_to_clearance(initrc_t)
+
+ selinux_get_enforce_mode(initrc_t)
++selinux_setcheckreqprot(initrc_t)
+
+ storage_getattr_fixed_disk_dev(initrc_t)
+ storage_setattr_fixed_disk_dev(initrc_t)
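Review bot: `selinux_setcheckreqprot(initrc_t)` lets every init script write the checkreqprot selinuxfs knob, and turning it on makes the kernel check the protection a process requested on mmap/mprotect rather than the protection it actually gets, which weakens execmem/execstack enforcement system-wide. That is presumably for the boot script that applies the sysconfig setting, but nothing here says so; add `# rc.sysinit (or equivalent) applies CHECKREQPROT from /etc/sysconfig/selinux at boot` or, better, confine that step to its own domain rather than the shared initrc_t.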
+@@ -398,6 +785,7 @@ term_use_all_terms(initrc_t)
+ term_reset_tty_labels(initrc_t)
+
+ auth_rw_login_records(initrc_t)
++auth_manage_faillog(initrc_t)
+ auth_setattr_login_records(initrc_t)
+ auth_rw_lastlog(initrc_t)
+ auth_read_pam_pid(initrc_t)
+@@ -416,20 +804,18 @@ logging_read_all_logs(initrc_t)
+ logging_append_all_logs(initrc_t)
+ logging_read_audit_config(initrc_t)
+
+-miscfiles_read_localization(initrc_t)
+ # slapd needs to read cert files from its initscript
+-miscfiles_read_generic_certs(initrc_t)
++miscfiles_manage_generic_cert_files(initrc_t)
+
+-modutils_read_module_config(initrc_t)
+-modutils_domtrans_insmod(initrc_t)
+
+ seutil_read_config(initrc_t)
+
++userdom_read_admin_home_files(initrc_t)
+ userdom_read_user_home_content_files(initrc_t)
+ # Allow access to the sysadm TTYs. Note that this will give access to the
+ # TTYs to any process in the initrc_t domain. Therefore, daemons and such
+ # started from init should be placed in their own domain.
+-userdom_use_user_terminals(initrc_t)
++userdom_use_inherited_user_terminals(initrc_t)
+
+ ifdef(`distro_debian',`
+ dev_setattr_generic_dirs(initrc_t)
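Review bot: `miscfiles_manage_generic_cert_files(initrc_t)` replaces the read interface but the comment above it still says `# slapd needs to read cert files from its initscript`, so the comment now understates the grant: manage means create, write, rename and unlink of every cert_t file, for every init script. If the write is really needed (an init script generating or copying certificates on first start, say), document it: `# init scripts (e.g. slapd first-start certificate setup) create and rewrite cert_t files`; otherwise keep `miscfiles_read_generic_certs` and give the write to the specific service domain. The new `userdom_read_admin_home_files(initrc_t)` also arrives uncommented; a one-liner naming the script that reads root's home would help the next auditor.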
+@@ -451,7 +837,6 @@ ifdef(`distro_gentoo',`
+ allow initrc_t self:process setfscreate;
+ dev_create_null_dev(initrc_t)
+ dev_create_zero_dev(initrc_t)
+- dev_create_generic_dirs(initrc_t)
+ term_create_console_dev(initrc_t)
+
+ # unfortunately /sbin/rc does stupid tricks
+@@ -486,6 +871,10 @@ ifdef(`distro_gentoo',`
+ sysnet_setattr_config(initrc_t)
+
+ optional_policy(`
++ abrt_manage_pid_files(initrc_t)
++ ')
++
++ optional_policy(`
+ alsa_read_lib(initrc_t)
+ ')
+
+@@ -506,7 +895,7 @@ ifdef(`distro_redhat',`
+
+ # Red Hat systems seem to have a stray
+ # fd open from the initrd
+- kernel_dontaudit_use_fds(initrc_t)
++ kernel_use_fds(initrc_t)
+ files_dontaudit_read_root_files(initrc_t)
+
+ # These seem to be from the initrd
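Review bot: `kernel_use_fds(initrc_t)` turns the previous dontaudit into an allow, but the comment above it still reads `# Red Hat systems seem to have a stray fd open from the initrd`, i.e. it describes a leaked descriptor the policy deliberately silenced rather than one initrc_t should use. If the descriptor is now known and legitimately needed, rewrite the comment to say what it is and why it must be usable; if it is still just noise, dontaudit was the right tool and this line should go back to `kernel_dontaudit_use_fds(initrc_t)`. Allowing use of kernel_t descriptors is a wider grant than the present wording suggests.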
+@@ -521,6 +910,7 @@ ifdef(`distro_redhat',`
+ files_create_boot_dirs(initrc_t)
+ files_create_boot_flag(initrc_t)
+ files_rw_boot_symlinks(initrc_t)
++
+ # wants to read /.fonts directory
+ files_read_default_files(initrc_t)
+ files_mountpoint(initrc_tmp_t)
+@@ -541,6 +931,7 @@ ifdef(`distro_redhat',`
+ miscfiles_rw_localization(initrc_t)
+ miscfiles_setattr_localization(initrc_t)
+ miscfiles_relabel_localization(initrc_t)
++ miscfiles_filetrans_named_content(initrc_t)
+
+ miscfiles_read_fonts(initrc_t)
+ miscfiles_read_hwdata(initrc_t)
+@@ -550,8 +941,44 @@ ifdef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ abrt_manage_pid_files(initrc_t)
++ ')
++
++ optional_policy(`
+ bind_manage_config_dirs(initrc_t)
++ bind_manage_config(initrc_t)
+ bind_write_config(initrc_t)
++ bind_setattr_zone_dirs(initrc_t)
++ ')
++
++ optional_policy(`
++ cyrus_write_data(initrc_t)
++ ')
++
++ optional_policy(`
++ devicekit_append_inherited_log_files(initrc_t)
++ devicekit_dbus_chat_power(initrc_t)
++ ')
++
++ optional_policy(`
++ dirsrvadmin_read_config(initrc_t)
++ dirsrv_manage_var_run(initrc_t)
++ ')
++
++ optional_policy(`
++ gnome_manage_gconf_config(initrc_t)
++ ')
++
++ optional_policy(`
++ ldap_read_db_files(initrc_t)
++ ')
++
++ optional_policy(`
++ ntp_filetrans_named_content(initrc_t)
++ ')
++
++ optional_policy(`
++ pulseaudio_stream_connect(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -559,14 +986,31 @@ ifdef(`distro_redhat',`
+ rpc_write_exports(initrc_t)
+ rpc_manage_nfs_state_data(initrc_t)
+ ')
++ optional_policy(`
++ rpcbind_stream_connect(initrc_t)
++ ')
+
+ optional_policy(`
+ sysnet_rw_dhcp_config(initrc_t)
+ sysnet_manage_config(initrc_t)
++ sysnet_manage_dhcpc_state(initrc_t)
++ sysnet_relabelfrom_dhcpc_state(initrc_t)
++ sysnet_relabelfrom_net_conf(initrc_t)
++ sysnet_relabelto_net_conf(initrc_t)
++ sysnet_filetrans_named_content(initrc_t)
++ ')
++
++ optional_policy(`
++ tgtd_stream_connect(initrc_t)
++ ')
++
++ optional_policy(`
++ wdmd_manage_pid_files(initrc_t)
+ ')
+
+ optional_policy(`
+ xserver_delete_log(initrc_t)
++ xserver_manage_user_fonts_dir(initrc_t)
+ ')
+ ')
+
+@@ -577,6 +1021,39 @@ ifdef(`distro_suse',`
+ ')
+ ')
+
++domain_dontaudit_use_interactive_fds(daemon)
++
++userdom_dontaudit_list_admin_dir(daemon)
++userdom_dontaudit_search_user_tmp(daemon)
++
++tunable_policy(`daemons_use_tcp_wrapper',`
++ corenet_tcp_connect_auth_port(daemon)
++')
++
++tunable_policy(`daemons_use_tty',`
++ term_use_unallocated_ttys(daemon)
++ term_use_generic_ptys(daemon)
++ term_use_all_ttys(daemon)
++ term_use_all_ptys(daemon)
++',`
++ term_dontaudit_use_unallocated_ttys(daemon)
++ term_dontaudit_use_generic_ptys(daemon)
++ term_dontaudit_use_all_ttys(daemon)
++ term_dontaudit_use_all_ptys(daemon)
++ ')
++
++# system-config-services causes avc messages that should be dontaudited
++tunable_policy(`daemons_dump_core',`
++ files_manage_root_files(daemon)
++')
++
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(daemon)
++ unconfined_dontaudit_rw_stream(daemon)
++ userdom_dontaudit_read_user_tmp_files(daemon)
++ userdom_dontaudit_write_user_tmp_files(daemon)
++')
++
+ optional_policy(`
+ amavis_search_lib(initrc_t)
+ amavis_setattr_pid_files(initrc_t)
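Review bot: The comment `# system-config-services causes avc messages that should be dontaudited` sits above `tunable_policy(daemons_dump_core)` but does not describe the rule under it: `files_manage_root_files(daemon)` is an allow, not a dontaudit, and with the boolean on it gives every domain carrying the `daemon` attribute create/write/unlink on root_t files. It appears to be a copy of the identical comment inside the `unconfined_domain(initrc_t)` block later in this file. Replace it with `# daemons_dump_core: let daemons write core dumps into / (manage on root_t files for every daemon domain)` so an administrator enabling the boolean sees its scope. The closing `')` of the daemons_use_tty block is also indented one level where its siblings sit at column 0.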
+@@ -589,6 +1066,8 @@ optional_policy(`
+ optional_policy(`
+ apache_read_config(initrc_t)
+ apache_list_modules(initrc_t)
++ # webmin seems to cause this.
++ apache_search_sys_content(daemon)
+ ')
+
+ optional_policy(`
+@@ -610,6 +1089,7 @@ optional_policy(`
+
+ optional_policy(`
+ cgroup_stream_connect_cgred(initrc_t)
++ domain_setpriority_all_domains(initrc_t)
+ ')
+
+ optional_policy(`
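Review bot: `domain_setpriority_all_domains(initrc_t)` is added inside the `optional_policy` block for `cgroup_stream_connect_cgred`, yet it is a base `domain` interface with no dependency on the cgroup module, so the only effect of the guard is that the rule silently vanishes when cgroup is not built. If the intent is that cgred/cgclassify-driven init scripts renice services, keep it there but say so: `# cgred/cgclassify from init scripts adjusts the priority of managed services`; otherwise move it beside the other unconditional `domain_*` rules for initrc_t. By its name it grants priority changes over every domain, so the reason belongs in the file.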
+@@ -626,6 +1106,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ chronyd_append_keys(initrc_t)
++ chronyd_read_keys(initrc_t)
++')
++
++optional_policy(`
++ cron_read_pipes(initrc_t)
++ # managing /etc/cron.d/mailman content
++ cron_manage_system_spool(initrc_t)
++')
++
++optional_policy(`
+ dev_getattr_printer_dev(initrc_t)
+
+ cups_read_log(initrc_t)
+@@ -642,9 +1133,13 @@ optional_policy(`
+ dbus_connect_system_bus(initrc_t)
+ dbus_system_bus_client(initrc_t)
+ dbus_read_config(initrc_t)
++ dbus_manage_lib_files(initrc_t)
++
++ init_dbus_chat(initrc_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(initrc_t)
++ consolekit_manage_log(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -657,15 +1152,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+- # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+- # the directory. But we do not want to allow this.
+- # The master process of dovecot will manage this file.
+- dovecot_dontaudit_unlink_lib_files(initrc_t)
++ ftp_read_config(initrc_t)
+ ')
+
+ optional_policy(`
+- ftp_read_config(initrc_t)
++ glance_manage_pid_files(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -686,6 +1177,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ firewalld_dbus_chat(initrc_t)
++')
++
++optional_policy(`
++ modutils_read_module_config(initrc_t)
++ modutils_domtrans_insmod(initrc_t)
++')
++
++optional_policy(`
+ inn_exec_config(initrc_t)
+ ')
+
+@@ -726,6 +1226,7 @@ optional_policy(`
+ lpd_list_spool(initrc_t)
+
+ lpd_read_config(initrc_t)
++ lpd_manage_spool(init_t)
+ ')
+
+ optional_policy(`
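Review bot: `lpd_manage_spool(init_t)` names `init_t` while the neighbouring rules in the same lpd block (`lpd_list_spool(initrc_t)`, `lpd_read_config(initrc_t)`) and the rest of this section target `initrc_t`; this looks like a typo that hands PID 1 manage rights on the print spool instead of the init-script domain. If init_t is intended (a systemd unit writing the spool directly, for instance), add a comment naming the unit; otherwise change the line to `lpd_manage_spool(initrc_t)`.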
+@@ -743,7 +1244,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- mta_read_config(initrc_t)
++ milter_delete_dkim_pid_files(initrc_t)
++ milter_setattr_all_dirs(initrc_t)
++')
++
++optional_policy(`
++ mta_manage_aliases(initrc_t)
++ mta_manage_config(initrc_t)
+ mta_dontaudit_read_spool_symlinks(initrc_t)
+ ')
+
+@@ -766,6 +1273,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ plymouthd_stream_connect(initrc_t)
++')
++
++optional_policy(`
+ postgresql_manage_db(initrc_t)
+ postgresql_read_config(initrc_t)
+ ')
+@@ -775,10 +1286,20 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ psad_setattr_fifo_file(initrc_t)
++ psad_setattr_log(initrc_t)
++ psad_write_log(initrc_t)
++')
++
++optional_policy(`
+ puppet_rw_tmp(initrc_t)
+ ')
+
+ optional_policy(`
++ qpidd_manage_var_run(initrc_t)
++')
++
++optional_policy(`
+ quota_manage_flags(initrc_t)
+ ')
+
+@@ -787,6 +1308,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ricci_manage_lib_files(initrc_t)
++')
++
++optional_policy(`
+ fs_write_ramfs_sockets(initrc_t)
+ fs_search_ramfs(initrc_t)
+
+@@ -808,8 +1333,6 @@ optional_policy(`
+ # bash tries ioctl for some reason
+ files_dontaudit_ioctl_all_pids(initrc_t)
+
+- # why is this needed:
+- rpm_manage_db(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -818,6 +1341,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sendmail_setattr_pid_files(initrc_t)
++')
++
++optional_policy(`
+ # shorewall-init script run /var/lib/shorewall/firewall
+ shorewall_lib_domtrans(initrc_t)
+ ')
+@@ -827,10 +1354,12 @@ optional_policy(`
+ squid_manage_logs(initrc_t)
+ ')
+
++ifdef(`enabled_mls',`
+ optional_policy(`
+ # allow init scripts to su
+ su_restricted_domain_template(initrc, initrc_t, system_r)
+ ')
++')
+
+ optional_policy(`
+ ssh_dontaudit_read_server_keys(initrc_t)
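Review bot: The new guard is spelled `enabled_mls`, but the build macro used elsewhere in this file is `enable_mls` (see the commented-out `#ifdef(enable_mls)` block near the end of these init.te changes). `enabled_mls` is never defined, so the `su_restricted_domain_template(initrc, initrc_t, system_r)` block is now compiled out on every build, MLS or not. If the goal is to let init scripts su only on MLS systems, fix the spelling to `enable_mls`; if the goal is to remove the capability altogether, delete the block instead of leaving dead policy behind the typo.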
+@@ -857,21 +1386,60 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ virt_read_config(init_t)
++ virt_stream_connect(init_t)
++ virt_noatsecure(init_t)
++ virt_rlimitinh(init_t)
++')
++
++optional_policy(`
++ virt_manage_pid_dirs(initrc_t)
++ virt_manage_cache(initrc_t)
++ virt_manage_lib_files(initrc_t)
+ virt_stream_connect(initrc_t)
+- virt_manage_virt_cache(initrc_t)
++')
++
++# Cron jobs used to start and stop services
++optional_policy(`
++ cron_rw_pipes(daemon)
++ cron_rw_inherited_user_spool_files(daemon)
++')
++
++optional_policy(`
++ cfengine_append_inherited_log(daemon)
+ ')
+
+ optional_policy(`
+ unconfined_domain(initrc_t)
++ domain_named_filetrans(initrc_t)
++ domain_role_change_exemption(initrc_t)
++
++ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
+
+ ifdef(`distro_redhat',`
+ # system-config-services causes avc messages that should be dontaudited
+ unconfined_dontaudit_rw_pipes(daemon)
+ ')
+
++ optional_policy(`
++ authconfig_domtrans(initrc_t)
++ ')
++
+ optional_policy(`
+ mono_domtrans(initrc_t)
+ ')
++
++ # Allow SELinux aware applications to request rpm_script_t execution
++ rpm_transition_script(initrc_t, system_r)
++
++ optional_policy(`
++ rtkit_scheduled(initrc_t)
++ ')
++')
++
++optional_policy(`
++ rpm_read_db(initrc_t)
++ rpm_delete_db(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -887,6 +1455,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sanlock_manage_pid_files(initrc_t)
++')
++
++optional_policy(`
+ # Set device ownerships/modes.
+ xserver_setattr_console_pipes(initrc_t)
+
+@@ -897,3 +1469,218 @@ optional_policy(`
+ optional_policy(`
+ zebra_read_config(initrc_t)
+ ')
++
++userdom_inherit_append_user_home_content_files(daemon)
++userdom_inherit_append_user_tmp_files(daemon)
++userdom_dontaudit_rw_stream(daemon)
++
++logging_inherit_append_all_logs(daemon)
++
++optional_policy(`
++ # sudo service restart causes this
++ unconfined_signull(daemon)
++')
++
++
++optional_policy(`
++ xserver_dontaudit_append_xdm_home_files(daemon)
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_dontaudit_rw_nfs_files(daemon)
++ ')
++ tunable_policy(`use_samba_home_dirs',`
++ fs_dontaudit_rw_cifs_files(daemon)
++ ')
++')
++
++init_rw_script_stream_sockets(daemon)
++
++optional_policy(`
++ abrt_stream_connect(daemon)
++')
++
++optional_policy(`
++ fail2ban_read_lib_files(daemon)
++')
++
++optional_policy(`
++ firstboot_dontaudit_leaks(daemon)
++')
++
++init_rw_stream_sockets(daemon)
++init_dontaudit_script_leaks(daemon)
++
++allow init_t var_run_t:dir relabelto;
++
++init_stream_connect(initrc_t)
++
++allow initrc_t daemon:process siginh;
++allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++allow daemon initrc_transition_domain:fd use;
++allow daemon init_var_run_t:dir search_dir_perms;
++allow systemprocess init_var_run_t:dir search_dir_perms;
++
++allow init_t daemon:unix_stream_socket create_stream_socket_perms;
++allow init_t daemon:unix_dgram_socket create_socket_perms;
++allow init_t daemon:tcp_socket create_stream_socket_perms;
++allow init_t daemon:udp_socket create_socket_perms;
++allow daemon init_t:unix_dgram_socket sendto;
++# need write to /var/run/systemd/notify
++init_write_pid_socket(daemon)
++allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
++
++# daemons started from init will
++# inherit fds from init for the console
++init_dontaudit_use_fds(daemon)
++term_dontaudit_use_console(daemon)
++# init script ptys are the stdin/out/err
++# when using run_init
++init_use_script_ptys(daemon)
++
++allow init_t daemon:process siginh;
++
++ifdef(`hide_broken_symptoms',`
++ # RHEL4 systems seem to have a stray
++ # fds open from the initrd
++ ifdef(`distro_rhel4',`
++ kernel_dontaudit_use_fds(daemon)
++ ')
++
++ dontaudit daemon init_t:dir search_dir_perms;
++')
++
++optional_policy(`
++ nscd_socket_use(daemon)
++')
++
++optional_policy(`
++ puppet_rw_tmp(daemon)
++')
++
++allow direct_run_init daemon:process { noatsecure siginh rlimitinh };
++
++allow initrc_t systemprocess:process siginh;
++allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++allow systemprocess initrc_transition_domain:fd use;
++
++dontaudit systemprocess init_t:unix_stream_socket getattr;
++
++allow init_t daemon:unix_stream_socket create_stream_socket_perms;
++allow init_t daemon:unix_dgram_socket create_socket_perms;
++allow daemon init_t:unix_stream_socket ioctl;
++allow daemon init_t:unix_dgram_socket sendto;
++# need write to /var/run/systemd/notify
++init_write_pid_socket(daemon)
++init_rw_inherited_script_tmp_files(daemon)
++
++# Handle upstart/systemd direct transition to a executable
++allow init_t systemprocess:process { dyntransition siginh };
++allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
++allow init_t systemprocess:unix_dgram_socket create_socket_perms;
++allow systemprocess init_t:unix_dgram_socket sendto;
++allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
++
++files_dontaudit_rw_inherited_locks(systemprocess)
++files_dontaudit_tmp_file_leaks(systemprocess)
++init_rw_inherited_script_tmp_files(systemprocess)
++
++logging_dontaudit_rw_inherited_generic_logs(systemprocess)
++
++userdom_dontaudit_search_user_home_dirs(systemprocess)
++userdom_dontaudit_rw_stream(systemprocess)
++userdom_dontaudit_write_user_tmp_files(systemprocess)
++
++tunable_policy(`daemons_use_tty',`
++ term_use_all_ttys(systemprocess)
++ term_use_all_ptys(systemprocess)
++',`
++ term_dontaudit_use_all_ttys(systemprocess)
++ term_dontaudit_use_all_ptys(systemprocess)
++')
++
++# these apps are often redirect output to random log files
++logging_inherit_append_all_logs(systemprocess)
++
++optional_policy(`
++ abrt_stream_connect(systemprocess)
++')
++
++optional_policy(`
++ cfengine_append_inherited_log(systemprocess)
++')
++
++optional_policy(`
++ cron_rw_pipes(systemprocess)
++')
++
++optional_policy(`
++ puppet_rw_tmp(systemprocess)
++')
++
++optional_policy(`
++ xserver_dontaudit_append_xdm_home_files(systemprocess)
++')
++
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(systemprocess)
++ unconfined_dontaudit_rw_stream(systemprocess)
++ userdom_dontaudit_read_user_tmp_files(systemprocess)
++')
++
++init_rw_script_stream_sockets(systemprocess)
++
++role system_r types systemprocess;
++role system_r types daemon;
++
++#ifdef(`enable_mls',`
++# mls_rangetrans_target(systemprocess)
++#')
++
++allow initrc_domain daemon:process transition;
++allow daemon initrc_domain:fd use;
++allow daemon initrc_domain:fifo_file rw_inherited_fifo_file_perms;
++allow daemon initrc_domain:process sigchld;
++allow initrc_domain direct_init_entry:file { getattr open read execute };
++
++allow systemprocess initrc_domain:fd use;
++allow systemprocess initrc_domain:fifo_file rw_inherited_fifo_file_perms;
++allow systemprocess initrc_domain:process sigchld;
++allow initrc_domain systemprocess_entry:file { getattr open read execute };
++allow initrc_domain systemprocess:process transition;
++
++optional_policy(`
++ systemd_getattr_unit_dirs(daemon)
++ systemd_getattr_unit_dirs(systemprocess)
++')
++
++optional_policy(`
++ rgmanager_search_lib(initrc_domain)
++')
++
++ifdef(`direct_sysadm_daemon',`
++ allow daemon direct_run_init:fd use;
++ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
++ allow daemon direct_run_init:process sigchld;
++ allow direct_run_init direct_init_entry:file { getattr open read execute };
++')
++
++optional_policy(`
++ tunable_policy(`daemons_enable_cluster_mode',`
++ rhcs_manage_cluster_pid_files(daemon)
++ rhcs_manage_cluster_lib_files(daemon)
++ rhcs_rw_inherited_cluster_tmp_files(daemon)
++ rhcs_stream_connect_cluster_to(daemon,daemon)
++',`
++ rhcs_read_cluster_lib_files(daemon)
++ rhcs_read_cluster_pid_files(daemon)
++ ')
++
++ ')
++
++optional_policy(`
++ tunable_policy(`daemons_enable_cluster_mode',`
++ #resource agents placed config files in /etc/cluster
++ ccs_manage_config(daemon)
++',`
++ ccs_read_config(daemon)
++ ')
++ ')
+diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
+index 662e79b..ad9ef4e 100644
+--- a/policy/modules/system/ipsec.fc
++++ b/policy/modules/system/ipsec.fc
+@@ -1,14 +1,25 @@
+ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+
+-/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
++/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
++/usr/lib/systemd/system/strongimcv.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
++
++/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+ /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+
+ /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+ /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+
++/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/strongimcv(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++
+ /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+
+ /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+
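Review bot: The systemd unit patterns `/usr/lib/systemd/system/ipsec.*`, `strongswan.*` and `strongimcv.*` leave the dot unescaped, so they are prefix matches that would also label unrelated units such as `ipsec-helper.service` or `strongswan-starter.timer` as `ipsec_mgmt_unit_file_t`, while every other entry in this file escapes its literal dot (`ipsec\.secrets`, `ipsec\.conf`, `pluto\.log`). If only `ipsec.service`-style names are meant, write `/usr/lib/systemd/system/ipsec\..*` and likewise for the other two; if the prefix match is deliberate, a short comment saying so will stop a later "fix".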
+@@ -26,16 +37,27 @@
+ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/libexec/nm-libreswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/libexec/strongimcv/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+
+ /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+ /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
+ /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
++/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/sbin/strongimcv -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+
+ /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
++/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
+
+-/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
++/var/log/pluto\.log.* -- gen_context(system_u:object_r:ipsec_log_t,s0)
+
+ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
++/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/charon\.vici -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+ /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+ /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
++/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
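Review bot: `/var/run/charon.*  --` has an unescaped dot while the two socket entries directly above it escape theirs (`charon\.ctl`, `charon\.vici`), so the regular-file pattern matches any file in /var/run whose name merely begins with `charon`, not only `charon.pid` and the like. Make it consistent with its neighbours: `/var/run/charon\..*  --  gen_context(system_u:object_r:ipsec_var_run_t,s0)`.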
+diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
+index 0d4c8d3..12c7fa6 100644
+--- a/policy/modules/system/ipsec.if
++++ b/policy/modules/system/ipsec.if
+@@ -18,6 +18,24 @@ interface(`ipsec_domtrans',`
+ domtrans_pattern($1, ipsec_exec_t, ipsec_t)
+ ')
+
++#######################################
++##
++## Allow read/write ipsec pipes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_rw_inherited_pipes',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
+ ########################################
+ ##
+ ## Connect to IPSEC using a unix domain stream socket.
+@@ -55,6 +73,64 @@ interface(`ipsec_domtrans_mgmt',`
+ domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+ ')
+
++#######################################
++##
++## Allow to create OBJECT in /etc with ipsec_key_file_t.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_filetrans_key_file',`
++ gen_require(`
++ type ipsec_key_file_t;
++ ')
++
++ files_etc_filetrans($1, ipsec_key_file_t, file)
++')
++
++#######################################
++##
++## Allow to manage ipsec key files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_manage_key_file',`
++ gen_require(`
++ type ipsec_key_file_t;
++ ')
++
++ manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t)
++ files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")
++')
++
++########################################
++##
++## Read the ipsec_mgmt_var_run_t files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_mgmt_read_pid',`
++ gen_require(`
++ type ipsec_var_run_t;
++ type ipsec_mgmt_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t)
++')
++
++
+ ########################################
+ ##
+ ## Connect to racoon using a unix domain stream socket.
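Review bot: The summary of `ipsec_filetrans_key_file`, `## Allow to create OBJECT in /etc with ipsec_key_file_t.`, does not tell a caller what it really does: its `files_etc_filetrans($1, ipsec_key_file_t, file)` has no name filter, so every regular file the domain creates directly in an etc_t directory gets the key-file label, whereas `ipsec_manage_key_file` just below limits the transition to `"ipsec.secrets"`. Rewrite it as `## Label every file $1 creates directly in /etc as ipsec_key_file_t (unfiltered transition); prefer ipsec_manage_key_file, which only transitions "ipsec.secrets".` Both interfaces hand out access to IKE pre-shared keys and private keys, so their descriptions should say so, e.g. `## Create, read, write and delete IPsec secrets (ipsec_key_file_t: PSKs and private keys) and label a new /etc/ipsec.secrets accordingly.`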
+@@ -120,7 +196,6 @@ interface(`ipsec_exec_mgmt',`
+ ##
+ ##
+ #
+-#
+ interface(`ipsec_signal_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+@@ -139,7 +214,6 @@ interface(`ipsec_signal_mgmt',`
+ ##
+ ##
+ #
+-#
+ interface(`ipsec_signull_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+@@ -158,7 +232,6 @@ interface(`ipsec_signull_mgmt',`
+ ##
+ ##
+ #
+-#
+ interface(`ipsec_kill_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+@@ -167,6 +240,60 @@ interface(`ipsec_kill_mgmt',`
+ allow $1 ipsec_mgmt_t:process sigkill;
+ ')
+
++########################################
++##
++## Send ipsec a general signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_signal',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process signal;
++')
++
++########################################
++##
++## Send ipsec a null signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_signull',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process signull;
++')
++
++########################################
++##
++## Send ipsec a kill signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_kill',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process sigkill;
++')
++
+ ######################################
+ ##
+ ## Send and receive messages from
+@@ -225,6 +352,7 @@ interface(`ipsec_match_default_spd',`
+
+ allow $1 ipsec_spd_t:association polmatch;
+ allow $1 self:association sendto;
++ allow $1 self:peer recv;
+ ')
+
+ ########################################
+@@ -245,6 +373,25 @@ interface(`ipsec_setcontext_default_spd',`
+
+ allow $1 ipsec_spd_t:association setcontext;
+ ')
++########################################
++##
++## Read the ipsec_var_run_t files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_read_pid',`
++ gen_require(`
++ type ipsec_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
++ read_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
++')
+
+ ########################################
+ ##
+@@ -282,6 +429,7 @@ interface(`ipsec_manage_pid',`
+
+ files_search_pids($1)
+ manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
++ manage_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+ ')
+
+ ########################################
+@@ -369,3 +517,27 @@ interface(`ipsec_run_setkey',`
+ ipsec_domtrans_setkey($1)
+ role $2 types setkey_t;
+ ')
++
++#######################################
++##
++## Execute strongswan in the ipsec_mgmt domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ipsec_mgmt_systemctl',`
++ gen_require(`
++ type ipsec_mgmt_unit_file_t;
++ type ipsec_mgmt_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 ipsec_mgmt_unit_file_t:file read_file_perms;
++ allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, ipsec_mgmt_t)
++')
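Review bot: The header `## Execute strongswan in the ipsec_mgmt domain.` and the parameter text `## Domain allowed to transition.` describe a domain transition, but the body performs none: it grants `systemd_exec_systemctl`, `init_reload_services`, read of `ipsec_mgmt_unit_file_t` and `manage_service_perms` on that unit type, plus `ps_process_pattern($1, ipsec_mgmt_t)`. Because ipsec.fc in this same patch applies `ipsec_mgmt_unit_file_t` to the ipsec, strongswan and strongimcv units, a caller can start, stop and reload any of them. Suggested header: `## Start, stop, reload and query the ipsec/strongswan/strongimcv systemd units (ipsec_mgmt_unit_file_t) via systemctl, and read ipsec_mgmt_t process state.`, with the parameter described as `## Domain allowed access.` like the other interfaces in this file.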
+diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
+index 312cd04..dd6638a 100644
+--- a/policy/modules/system/ipsec.te
++++ b/policy/modules/system/ipsec.te
+@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
+ corecmd_shell_entry_type(ipsec_mgmt_t)
+ role system_r types ipsec_mgmt_t;
+
++type ipsec_mgmt_unit_file_t;
++systemd_unit_file(ipsec_mgmt_unit_file_t)
++
+ type ipsec_mgmt_lock_t;
+ files_lock_file(ipsec_mgmt_lock_t)
+
+@@ -72,24 +75,32 @@ role system_r types setkey_t;
+ # ipsec Local policy
+ #
+
+-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
+-allow ipsec_t self:process { getcap setcap getsched signal setsched };
++allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid };
++dontaudit ipsec_t self:capability sys_tty_config;
++allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill };
+ allow ipsec_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_t self:udp_socket create_socket_perms;
++allow ipsec_t self:packet_socket create_socket_perms;
+ allow ipsec_t self:key_socket create_socket_perms;
+ allow ipsec_t self:fifo_file read_fifo_file_perms;
+ allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
++allow ipsec_t self:netlink_selinux_socket create_socket_perms;
++allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write };
+
+ allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
+
+ allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
+-read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+ read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
++manage_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
++filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")
+
+ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
+-manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+ read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
++manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
++
++manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t)
++logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log")
+
+ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+ manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
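Review bot: `manage_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)` replaces the previous `read_files_pattern`, so the network-facing IKE daemon can now rewrite, create and delete the configuration it is started from (ipsec.conf, /etc/strongswan, /etc/racoon per ipsec.fc), and the same hunk adds `setuid setgid net_raw`, `packet_socket` and `sigkill` to its capability and process sets. A daemon that can edit its own config hands an attacker persistence across restarts; if the write exists only to support the new `filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")`, it should need write/add_name on the ipsec_conf_file_t directory plus the manage it already has on ipsec_key_file_t, not manage on the config files. If full manage is genuinely required (strongswan rewriting its own configuration, for example), name the program in a comment so the grant can be revisited.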
+@@ -110,10 +121,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+ allow ipsec_mgmt_t ipsec_t:fd use;
+ allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+-allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
++allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld signull };
+
+ kernel_read_kernel_sysctls(ipsec_t)
+-kernel_read_net_sysctls(ipsec_t)
++kernel_rw_net_sysctls(ipsec_t)
+ kernel_list_proc(ipsec_t)
+ kernel_read_proc_symlinks(ipsec_t)
+ # allow pluto to access /proc/net/ipsec_eroute;
+@@ -128,20 +139,22 @@ corecmd_exec_shell(ipsec_t)
+ corecmd_exec_bin(ipsec_t)
+
+ # Pluto needs network access
+-corenet_all_recvfrom_unlabeled(ipsec_t)
+-corenet_tcp_sendrecv_all_if(ipsec_t)
+-corenet_raw_sendrecv_all_if(ipsec_t)
+-corenet_tcp_sendrecv_all_nodes(ipsec_t)
+-corenet_raw_sendrecv_all_nodes(ipsec_t)
++corenet_tcp_sendrecv_generic_if(ipsec_t)
++corenet_raw_sendrecv_generic_if(ipsec_t)
++corenet_tcp_sendrecv_generic_node(ipsec_t)
++corenet_raw_sendrecv_generic_node(ipsec_t)
+ corenet_tcp_sendrecv_all_ports(ipsec_t)
+-corenet_tcp_bind_all_nodes(ipsec_t)
+-corenet_udp_bind_all_nodes(ipsec_t)
++corenet_tcp_bind_generic_node(ipsec_t)
++corenet_udp_bind_generic_node(ipsec_t)
+ corenet_tcp_bind_reserved_port(ipsec_t)
+ corenet_tcp_bind_isakmp_port(ipsec_t)
+ corenet_udp_bind_isakmp_port(ipsec_t)
+ corenet_udp_bind_ipsecnat_port(ipsec_t)
++corenet_udp_bind_dhcpc_port(ipsec_t)
+ corenet_sendrecv_generic_server_packets(ipsec_t)
+ corenet_sendrecv_isakmp_server_packets(ipsec_t)
++corenet_tcp_connect_http_port(ipsec_t)
++corenet_tcp_connect_ldap_port(ipsec_t)
+
+ dev_read_sysfs(ipsec_t)
+ dev_read_rand(ipsec_t)
+@@ -157,24 +170,32 @@ files_dontaudit_search_home(ipsec_t)
+ fs_getattr_all_fs(ipsec_t)
+ fs_search_auto_mountpoints(ipsec_t)
+
++selinux_compute_access_vector(ipsec_t)
++
+ term_use_console(ipsec_t)
+ term_dontaudit_use_all_ttys(ipsec_t)
+
+ auth_use_nsswitch(ipsec_t)
++auth_read_home_content(ipsec_t)
+
+ init_use_fds(ipsec_t)
+ init_use_script_ptys(ipsec_t)
+
++logging_send_audit_msgs(ipsec_t)
+ logging_send_syslog_msg(ipsec_t)
+
+-miscfiles_read_localization(ipsec_t)
+-
+ sysnet_domtrans_ifconfig(ipsec_t)
++sysnet_manage_config(ipsec_t)
++sysnet_etc_filetrans_config(ipsec_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
+ userdom_dontaudit_search_user_home_dirs(ipsec_t)
+
+ optional_policy(`
++ iptables_domtrans(ipsec_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(ipsec_t)
+ ')
+
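Review bot: `sysnet_manage_config(ipsec_t)`, `sysnet_etc_filetrans_config(ipsec_t)` and `iptables_domtrans(ipsec_t)` let the IKE daemon itself rewrite net_conf_t (resolv.conf and friends) and run iptables, and `auth_read_home_content(ipsec_t)` adds reads of users' auth home content; none carries a comment. Since updown scripts already run in `ipsec_mgmt_t` through the existing `corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)`, it should be stated which path inside pluto/charon needs these directly (peer-pushed DNS servers and firewall rule installation are the likely candidates). Suggested comment: `# libreswan/strongswan apply peer-provided DNS servers (resolv.conf) and install firewall rules from the daemon itself, not only from updown scripts in ipsec_mgmt_t`; if the updown path is sufficient, move these rules to ipsec_mgmt_t instead.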
+@@ -187,10 +208,10 @@ optional_policy(`
+ # ipsec_mgmt Local policy
+ #
+
+-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
+-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
+-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
++allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
++dontaudit ipsec_mgmt_t self:capability sys_tty_config;
++allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
++allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+ allow ipsec_mgmt_t self:key_socket create_socket_perms;
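Review bot: `sys_ptrace` moves from dontaudit to allow for ipsec_mgmt_t while the `ptrace` process permission is dropped, so the capability is presumably only for reading other processes' /proc entries (the `ps` run mentioned further down in this file), but nothing in the hunk says so. A capability this strong deserves a one-line justification, e.g. `# sys_ptrace: reading /proc/<pid> of pluto for the ps/pidfile check (verify)`, and it is worth confirming that nothing in the `_realsetup` path still needs `process ptrace`, since that is now denied and audited. `connectto` on the domain's own unix_stream_socket is harmless but equally unexplained.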
+@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+
+ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+ files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
++filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
+
+ manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
++manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+ manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+
+ allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
+-files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
++files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file })
+
+ # _realsetup needs to be able to cat /var/run/pluto.pid,
+ # run ps on that pid, and delete the file
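Review bot: `filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)` makes every file ipsec_mgmt_t creates inside an ipsec_var_run_t directory come out as ipsec_mgmt_var_run_t, while the `manage_files_pattern` right below keeps it managing ipsec_var_run_t files in the same directory, so one runtime directory now holds two labels depending on which domain created each file. If pluto (ipsec_t) has to read anything the management scripts drop there, it needs access to ipsec_mgmt_var_run_t, which is not visible in this hunk. A comment naming the file that motivated the transition, e.g. `# scripts create <file> under /var/run/pluto as ipsec_mgmt_var_run_t`, would make the intent checkable.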
+@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+ kernel_getattr_core_if(ipsec_mgmt_t)
+ kernel_getattr_message_if(ipsec_mgmt_t)
+
++domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
++domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
++
++dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
++dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
++
++dev_read_sysfs(ipsec_mgmt_t)
++
++files_dontaudit_getattr_all_files(ipsec_mgmt_t)
++files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
+ files_read_kernel_symbol_table(ipsec_mgmt_t)
+ files_getattr_kernel_modules(ipsec_mgmt_t)
+
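Review bot: `files_dontaudit_getattr_all_files(ipsec_mgmt_t)` together with the socket, pipe, block and character device dontaudits silences getattr denials for essentially every object on the system, which removes the audit trail if a management script (or whatever has compromised it) starts enumerating files it has no business touching. If the noise comes from `ps`, `ls` or similar in the `_realsetup` path, the narrower `domain_dontaudit_getattr_all_*` lines already here usually cover it, so the filesystem-wide dontaudits should either be narrowed or carry a comment naming the command that produced the denials, e.g. `# dontaudit: ps/ls in _realsetup stat everything under /proc and /dev (verify)`. Unexplained dontaudits are the hardest rules to remove later.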
+@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+ corecmd_exec_bin(ipsec_mgmt_t)
+ corecmd_exec_shell(ipsec_mgmt_t)
+
++corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
++
+ dev_read_rand(ipsec_mgmt_t)
+ dev_read_urand(ipsec_mgmt_t)
+
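Review bot: `corenet_tcp_connect_rndc_port(ipsec_mgmt_t)` lets the management scripts talk to the nameserver's control channel, which can reconfigure or reload bind, and the hunk gives no hint what uses it. Together with the `bind_domtrans`/`bind_read_dnssec_keys` lines added later in this file it looks like DNS publishing of IPsec records, but that is an inference; a comment such as `# rndc/nsupdate for DNS-published IPsec records (verify)` would pin it down.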
+@@ -269,6 +304,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+ files_read_etc_files(ipsec_mgmt_t)
+ files_exec_etc_files(ipsec_mgmt_t)
+ files_read_etc_runtime_files(ipsec_mgmt_t)
++files_list_kernel_modules(ipsec_mgmt_t)
+ files_read_usr_files(ipsec_mgmt_t)
+ files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
+ files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+ fs_list_tmpfs(ipsec_mgmt_t)
+
+ term_use_console(ipsec_mgmt_t)
+-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
++term_use_all_inherited_terms(ipsec_mgmt_t)
+
+ auth_dontaudit_read_login_records(ipsec_mgmt_t)
++auth_use_nsswitch(ipsec_mgmt_t)
+
+ init_read_utmp(ipsec_mgmt_t)
+ init_use_script_ptys(ipsec_mgmt_t)
+@@ -288,17 +325,25 @@ init_exec_script_files(ipsec_mgmt_t)
+ init_use_fds(ipsec_mgmt_t)
+ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+
+-logging_send_syslog_msg(ipsec_mgmt_t)
+-
+-miscfiles_read_localization(ipsec_mgmt_t)
++ipsec_mgmt_systemctl(ipsec_mgmt_t)
+
+-seutil_dontaudit_search_config(ipsec_mgmt_t)
++logging_read_all_logs(ipsec_mgmt_t)
++logging_send_syslog_msg(ipsec_mgmt_t)
+
+ sysnet_manage_config(ipsec_mgmt_t)
+ sysnet_domtrans_ifconfig(ipsec_mgmt_t)
+ sysnet_etc_filetrans_config(ipsec_mgmt_t)
+
+-userdom_use_user_terminals(ipsec_mgmt_t)
++systemd_exec_systemctl(ipsec_mgmt_t)
++
++userdom_use_inherited_user_terminals(ipsec_mgmt_t)
++
++optional_policy(`
++ bind_domtrans(ipsec_mgmt_t)
++ bind_read_dnssec_keys(ipsec_mgmt_t)
++ bind_read_config(ipsec_mgmt_t)
++ bind_read_state(ipsec_mgmt_t)
++')
+
+ optional_policy(`
+ consoletype_exec(ipsec_mgmt_t)
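Review bot: `logging_read_all_logs(ipsec_mgmt_t)` grants read access to every log file on the system, yet the domain already manages its own ipsec_log_t (the `logging_log_filetrans(..., ipsec_log_t, file)` rule earlier in this block), so unless a script genuinely greps syslog the narrower `logging_read_generic_logs(ipsec_mgmt_t)` is the right interface. `bind_read_dnssec_keys(ipsec_mgmt_t)` hands the IPsec management scripts the nameserver's DNSSEC signing keys; if that is for publishing IPSECKEY records it should say so in a comment, and if the scripts only need zone data then `bind_read_config`/`bind_read_state` already suffice. Neither line carries a justification and both widen the blast radius of a compromised helper script.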
+@@ -322,6 +367,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ l2tpd_read_pid_files(ipsec_mgmt_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(ipsec_mgmt_t)
+ ')
+
+@@ -335,7 +384,7 @@ optional_policy(`
+ #
+
+ allow racoon_t self:capability { net_admin net_bind_service };
+-allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
++allow racoon_t self:netlink_route_socket { create_netlink_socket_perms };
+ allow racoon_t self:unix_dgram_socket { connect create ioctl write };
+ allow racoon_t self:netlink_selinux_socket { bind create read };
+ allow racoon_t self:udp_socket create_socket_perms;
+@@ -370,13 +419,12 @@ kernel_request_load_module(racoon_t)
+ corecmd_exec_shell(racoon_t)
+ corecmd_exec_bin(racoon_t)
+
+-corenet_all_recvfrom_unlabeled(racoon_t)
+-corenet_tcp_sendrecv_all_if(racoon_t)
+-corenet_udp_sendrecv_all_if(racoon_t)
+-corenet_tcp_sendrecv_all_nodes(racoon_t)
+-corenet_udp_sendrecv_all_nodes(racoon_t)
+-corenet_tcp_bind_all_nodes(racoon_t)
+-corenet_udp_bind_all_nodes(racoon_t)
++corenet_tcp_sendrecv_generic_if(racoon_t)
++corenet_udp_sendrecv_generic_if(racoon_t)
++corenet_tcp_sendrecv_generic_node(racoon_t)
++corenet_udp_sendrecv_generic_node(racoon_t)
++corenet_tcp_bind_generic_node(racoon_t)
++corenet_udp_bind_generic_node(racoon_t)
+ corenet_udp_bind_isakmp_port(racoon_t)
+ corenet_udp_bind_ipsecnat_port(racoon_t)
+
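Review bot: Dropping `corenet_all_recvfrom_unlabeled(racoon_t)` means racoon may stop receiving IKE traffic on hosts where packets carry no SECMARK or labeled-IPsec label, unless the base policy now grants unlabeled packet receipt to every domain; that is not visible here and should be confirmed before this ships, since a silently blocked IKE daemon looks exactly like a network fault. Narrowing `*_all_nodes`/`*_all_if` to the generic node and interface types is a welcome least-privilege change, with the same caveat for deployments that define specific node or netif subtypes for IPsec peers. A short comment, `# unlabeled packet recv comes from the base policy (verify)`, would record the assumption.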
+@@ -401,10 +449,10 @@ locallogin_use_fds(racoon_t)
+ logging_send_syslog_msg(racoon_t)
+ logging_send_audit_msgs(racoon_t)
+
+-miscfiles_read_localization(racoon_t)
+-
+ sysnet_exec_ifconfig(racoon_t)
+
++auth_use_pam(racoon_t)
++
+ auth_can_read_shadow_passwords(racoon_t)
+ tunable_policy(`racoon_read_shadow',`
+ auth_tunable_read_shadow(racoon_t)
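Review bot: `auth_use_pam(racoon_t)` pulls in the whole PAM client stack unconditionally, a large widening for a daemon that listens on UDP/500 and already has a tunable-gated shadow path right below it. If this is for racoon's hybrid/xauth authentication, say so and consider gating it on the same `racoon_read_shadow` tunable so deployments without xauth do not carry it, e.g. `# hybrid (xauth) authentication via PAM (verify)` above the line.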
+@@ -438,9 +486,8 @@ corenet_setcontext_all_spds(setkey_t)
+
+ locallogin_use_fds(setkey_t)
+
+-miscfiles_read_localization(setkey_t)
+
+ seutil_read_config(setkey_t)
+
+-userdom_use_user_terminals(setkey_t)
+-
++userdom_use_inherited_user_terminals(setkey_t)
++userdom_read_user_tmp_files(setkey_t)
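Review bot: `userdom_read_user_tmp_files(setkey_t)` lets setkey read every user's files in /tmp, not just the script an administrator hands it with `-f`; since those files feed SPD/SAD entries straight into the kernel, a comment stating the use case (`# setkey -f on a script the admin wrote to /tmp (verify)`) would let a later reviewer judge whether the broad user-tmp read is still warranted. Separately, removing `miscfiles_read_localization(setkey_t)` leaves two consecutive blank lines before `seutil_read_config`, which refpolicy style avoids; drop one. The setkey_t block begins before this hunk.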
+diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
+index 73a1c4e..af8050d 100644
+--- a/policy/modules/system/iptables.fc
++++ b/policy/modules/system/iptables.fc
+@@ -1,22 +1,39 @@
+ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
++/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+
+-/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/lib/systemd/system/arptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
++
++/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
++
++/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+-/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
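Review bot: `/sbin/ip6?tables.*` already matches everything `/sbin/ip6?tables-restore.*` and `/sbin/ip6?tables-multi.*` match, and the same holds for the `/usr/sbin` trio, so those four lines are redundant and only invite future divergence; drop them, or anchor the first pattern (`/sbin/ip6?tables`) if the intent was not to sweep iptables-apply, iptables-xml and friends into iptables_exec_t. Removing the `/etc/sysconfig/ip6?tables.*` and `system-config-firewall.*` entries with no replacement means those files take whatever /etc/sysconfig falls back to; that is consistent with the iptables_conf_t removal elsewhere in this patch only if another .fc file labels them system_conf_t, which is not visible here. There is also a stray double blank line after the systemd unit entries.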
+diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
+index c42fbc3..277fe6c 100644
+--- a/policy/modules/system/iptables.if
++++ b/policy/modules/system/iptables.if
+@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, iptables_exec_t, iptables_t)
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit iptables_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+@@ -86,6 +82,30 @@ interface(`iptables_initrc_domtrans',`
+ init_labeled_script_domtrans($1, iptables_initrc_exec_t)
+ ')
+
++########################################
++##
++## Execute iptables server in the iptables domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`iptables_systemctl',`
++ gen_require(`
++ type iptables_unit_file_t;
++ type iptables_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 iptables_unit_file_t:file read_file_perms;
++ allow $1 iptables_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, iptables_t)
++')
++
+ #####################################
+ ##
+ ## Set the attributes of iptables config files.
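Review bot: The summary `Execute iptables server in the iptables domain.` describes a domain transition, but `iptables_systemctl` grants `manage_service_perms` on iptables_unit_file_t plus systemctl execution and `ps_process_pattern`, i.e. it lets the caller start, stop and reload the iptables unit and inspect iptables_t processes — there is no `domtrans`. Change the summary to `Manage the iptables unit (start/stop/reload) via systemctl and read its unit file.` and the parameter text to `Domain allowed access.` so callers are not misled into thinking iptables will run in iptables_t on their behalf. Since the body also calls `init_reload_services($1)`, whose name suggests reload rights on services beyond iptables, that is worth a one-line note in the description (confirm against the init module).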
+diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
+index be8ed1e..f0ed532 100644
+--- a/policy/modules/system/iptables.te
++++ b/policy/modules/system/iptables.te
+@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
+ type iptables_initrc_exec_t;
+ init_script_file(iptables_initrc_exec_t)
+
+-type iptables_conf_t;
+-files_config_file(iptables_conf_t)
+-
+ type iptables_tmp_t;
+ files_tmp_file(iptables_tmp_t)
+
+ type iptables_var_run_t;
+ files_pid_file(iptables_var_run_t)
+
++type iptables_unit_file_t;
++systemd_unit_file(iptables_unit_file_t)
++
+ ########################################
+ #
+ # Iptables local policy
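Review bot: Removing `type iptables_conf_t` with no alias breaks every module or interface that still requires it; iptables.if still documents an interface `Set the attributes of iptables config files` right after the new `iptables_systemctl`, and if its `gen_require` still names iptables_conf_t the policy will not build — the hunks updating those interfaces are not in this chunk. Files currently labeled iptables_conf_t on installed systems also become invalid contexts until a relabel, so either keep a `typealias` to the replacement type for the transition or make sure the package's post-install relabels /etc/sysconfig. A comment such as `# iptables_conf_t replaced by system_conf_t, see files_manage_system_conf_files below` would record the decision.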
+@@ -37,8 +37,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+ allow iptables_t self:netlink_socket create_socket_perms;
+ allow iptables_t self:rawip_socket create_socket_perms;
+
+-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
+-files_etc_filetrans(iptables_t, iptables_conf_t, file)
++files_manage_system_conf_files(iptables_t)
++files_etc_filetrans_system_conf(iptables_t)
+
+ manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
+ files_pid_filetrans(iptables_t, iptables_var_run_t, file)
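Review bot: `files_manage_system_conf_files(iptables_t)` replaces a private config type with write access to every system_conf_t file, so a bug in iptables-save/restore (or a hostile rules file pushed through them) can now overwrite any other configuration carrying that label, and `files_etc_filetrans_system_conf(iptables_t)` lets it create arbitrarily named files in /etc with that label. If the goal is only /etc/sysconfig/iptables and ip6tables, a named file transition (if the interface accepts a filename argument) keeps the write set tight; at minimum add `# writes /etc/sysconfig/ip6?tables on save` so the width is deliberate.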
+@@ -49,11 +49,12 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+ allow iptables_t iptables_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
+
++kernel_getattr_proc(iptables_t)
+ kernel_request_load_module(iptables_t)
+ kernel_read_system_state(iptables_t)
+ kernel_read_network_state(iptables_t)
+ kernel_read_kernel_sysctls(iptables_t)
+-kernel_read_modprobe_sysctls(iptables_t)
++kernel_read_usermodehelper_state(iptables_t)
+ kernel_use_fds(iptables_t)
+
+ # needed by ipvsadm
+@@ -64,6 +65,8 @@ corenet_relabelto_all_packets(iptables_t)
+ corenet_dontaudit_rw_tun_tap_dev(iptables_t)
+
+ dev_read_sysfs(iptables_t)
++dev_read_urand(iptables_t)
++dev_read_rand(iptables_t)
+
+ fs_getattr_xattr_fs(iptables_t)
+ fs_search_auto_mountpoints(iptables_t)
+@@ -72,11 +75,12 @@ fs_list_inotifyfs(iptables_t)
+ mls_file_read_all_levels(iptables_t)
+
+ term_dontaudit_use_console(iptables_t)
++term_use_all_inherited_terms(iptables_t)
+
+ domain_use_interactive_fds(iptables_t)
+
+-files_read_etc_files(iptables_t)
+-files_read_etc_runtime_files(iptables_t)
++files_rw_etc_runtime_files(iptables_t)
++files_rw_inherited_tmp_file(iptables_t)
+
+ auth_use_nsswitch(iptables_t)
+
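Review bot: `files_read_etc_files(iptables_t)` is removed and only `files_rw_etc_runtime_files` remains, so unless the base policy grants etc_t reads to all domains (some distribution policies do, but that is not visible here) iptables_t loses /etc/protocols, /etc/services and similar lookups that `auth_use_nsswitch` does not fully cover. The read-to-rw upgrade on etc_runtime_t and the new `files_rw_inherited_tmp_file` are also undocumented; a comment such as `# iptables-save writes through fds inherited from the init script (verify)` would explain why a firewall tool needs write access on runtime config and inherited temp files.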
+@@ -85,15 +89,14 @@ init_use_script_ptys(iptables_t)
+ # to allow rules to be saved on reboot:
+ init_rw_script_tmp_files(iptables_t)
+ init_rw_script_stream_sockets(iptables_t)
++init_dontaudit_script_leaks(iptables_t)
+
+ logging_send_syslog_msg(iptables_t)
+
+-miscfiles_read_localization(iptables_t)
+-
+ sysnet_run_ifconfig(iptables_t, iptables_roles)
+ sysnet_dns_name_resolve(iptables_t)
+
+-userdom_use_user_terminals(iptables_t)
++userdom_use_inherited_user_terminals(iptables_t)
+ userdom_use_all_users_fds(iptables_t)
+
+ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +105,9 @@ ifdef(`hide_broken_symptoms',`
+
+ optional_policy(`
+ fail2ban_append_log(iptables_t)
++ fail2ban_read_log(iptables_t)
++ fail2ban_dontaudit_leaks(iptables_t)
++ fail2ban_rw_inherited_tmp_files(iptables_t)
+ ')
+
+ optional_policy(`
+@@ -110,6 +116,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ firewalld_read_config(iptables_t)
++ firewalld_dontaudit_write_tmp_files(iptables_t)
++')
++
++optional_policy(`
+ modutils_run_insmod(iptables_t, iptables_roles)
+ ')
+
+@@ -124,6 +135,12 @@ optional_policy(`
+
+ optional_policy(`
+ psad_rw_tmp_files(iptables_t)
++ psad_write_log(iptables_t)
++')
++
++optional_policy(`
++ neutron_rw_inherited_pipes(iptables_t)
++ neutron_sigchld(iptables_t)
+ ')
+
+ optional_policy(`
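Review bot: The new `neutron_*` optional_policy block is inserted after `psad`, which breaks the alphabetical ordering the rest of this file keeps (fail2ban, firewalld, modutils, psad, shorewall...); move it before `psad` so the next reader finds it where refpolicy convention puts it. `neutron_rw_inherited_pipes`/`neutron_sigchld` are also unexplained; `# iptables invoked by neutron agents over inherited pipes` would do.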
+@@ -135,9 +152,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ shorewall_read_config(iptables_t)
+ shorewall_read_tmp_files(iptables_t)
+ shorewall_rw_lib_files(iptables_t)
+- shorewall_read_config(iptables_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
+index 73bb3c0..4fef124 100644
+--- a/policy/modules/system/libraries.fc
++++ b/policy/modules/system/libraries.fc
+@@ -1,3 +1,4 @@
++
+ #
+ # /emul
+ #
+@@ -28,14 +29,17 @@ ifdef(`distro_redhat',`
+ # /etc
+ #
+ /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0)
++/etc/ld\.so\.cache~ -- gen_context(system_u:object_r:ld_so_cache_t,s0)
+ /etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0)
++/etc/ld\.so\.preload~ -- gen_context(system_u:object_r:ld_so_cache_t,s0)
+
+ /etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0)
+
+ #
+ # /lib(64)?
+ #
+-/lib -d gen_context(system_u:object_r:lib_t,s0)
++/lib gen_context(system_u:object_r:lib_t,s0)
++/lib64 gen_context(system_u:object_r:lib_t,s0)
+ /lib/.* gen_context(system_u:object_r:lib_t,s0)
+ /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+@@ -52,9 +56,8 @@ ifdef(`distro_gentoo',`
+ #
+ # /opt
+ #
+-/opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
++/opt/.*\.so(\.[^/]*)* gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
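Review bot: Deleting `/opt/(.*/)?lib64(/.*)?` leaves /opt/*/lib64 directories and any non-.so files in them (jars, data, the directory itself) without lib_t, because `/opt/(.*/)?lib(/.*)?` requires a `/` or end-of-string right after `lib` and the surviving `.so` pattern only catches shared objects. If this relies on a file_contexts substitution mapping lib64 onto lib, add `# lib64 paths handled via file_contexts.subs_dist` so the dependency is explicit; otherwise keep the lib64 line.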
+@@ -103,6 +106,12 @@ ifdef(`distro_redhat',`
+ #
+ # /usr
+ #
++/usr/lib -d gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/.* gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
++/usr/lib/gvfs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+@@ -111,12 +120,12 @@ ifdef(`distro_redhat',`
+ /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
+
+ /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
+
+-/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
++/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+
+ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
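Review bot: `/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*` no longer matches `/usr/lib64/ld-*.so`, so on a biarch system without a lib64-to-lib path substitution the 64-bit dynamic loader drops from ld_so_t to lib_t and every confined 64-bit program breaks at exec; the removed `/usr/(.*/)?lib64(/.*)?` directory pattern has the same effect on the directory tree. If the policy now depends on file_contexts.subs_dist for lib64, say so in a comment at the top of the /usr section; if not, restore the `lib(64)?` forms.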
+@@ -125,10 +134,12 @@ ifdef(`distro_redhat',`
+ /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/sasl2/libsasldb\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/catalyst/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -141,19 +152,21 @@ ifdef(`distro_redhat',`
+ /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libjavascriptcoregtk[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libzvbi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libnvidia\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib.*/libnvidia\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+-/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
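Review bot: Replacing `/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)*` with `/usr/lib/libnvidia\.so(\.[^/]*)*` and `/usr/lib.*/libnvidia\.so(\.[^/]*)*` drops the `.+`, so driver libraries whose names continue after `libnvidia` (libnvidia-glcore, libnvidia-tls and the like) no longer get textrel_shlib_t and fall to lib_t through the new catch-all `/usr/.*\.so(\.[^/]*)*`, where they will hit execmod denials. Only the `/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so` entry keeps the wildcard, and that is a different directory. Restore it: `/usr/lib.*/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`.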
+@@ -182,11 +195,13 @@ ifdef(`distro_redhat',`
+ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
+ # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
+ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/dri/fglrx_dri.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
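Review bot: `/usr/lib/dri/fglrx_dri.so.*` leaves the dot before `so` unescaped, unlike every neighbouring entry, so it also matches names such as `fglrx_drixso`; write it as `/usr/lib/dri/fglrx_dri\.so.*`. The new `/usr/(.*/)?nprhapengine\.so.*` line at the top of this block is also a superset of the `/usr/lib/.*/nprhapengine\.so.*` entry further down the file, so one of the two can go.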
+@@ -241,13 +256,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
+
+ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
+ /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ # Jai, Sun Microsystems (Jpackage SPRM)
+ /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
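Review bot: `/usr/libmpg123\.so(\.[^/]*)*` is not a real path — it looks like a mechanical rewrite of the removed `/usr/local(/.*)?/libmpg123\.so` that collapsed `/usr/local(/.*)?/` into `/usr/`, and it will never match anything. The `/usr/lib/libmpg123\.so` line added beside it is already covered by the existing `/usr/lib.*/libmpg123\.so` entry above. Replace the bogus line with `/usr/local/(.*/)?libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` or drop both additions.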
+@@ -269,20 +282,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+
+ # Java, Sun Microsystems (JPackage SRPM)
+ /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
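Review bot: Every `/usr/(local/)?...` pattern in this hunk is narrowed to `/usr/...`, so installs under /usr/local/Adobe, /usr/local/acroread, /usr/local/matlab and /usr/local/lib/xchat lose textrel_shlib_t and fall to lib_t through the generic `/usr/.*\.so` rule, which surfaces as execmod denials. If the distribution maps /usr/local onto /usr with a file_contexts substitution this is harmless, but that assumption belongs in a comment at the top of the file; otherwise keep the `(local/)?` alternation. The removed `/usr/local/(.*/)?jre.*` line has the same issue.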
+@@ -299,17 +311,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+ #
+ /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
+
+-/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+-
+-/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/var/ftp/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
+
++/var/named/chroot/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/var/named/chroot/usr/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
++
++/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++
+ ifdef(`distro_suse',`
+ /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
+ ')
+
+-/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/var/spool/postfix/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/var/spool/postfix/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
++/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
++
++/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
++
++/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++
++/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++ifdef(`fixed',`
++/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++# Flash plugin, Macromedia
++/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++')
++/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/talkplugin/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/[^/]*/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
+diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
+index 808ba93..57a68da 100644
+--- a/policy/modules/system/libraries.if
++++ b/policy/modules/system/libraries.if
+@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
+
+ ########################################
+ ##
++## Make ldconfig_exec_t entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which bin_t is an entrypoint.
++##
++##
++#
++interface(`libs_ldconfig_exec_entry_type',`
++ gen_require(`
++ type ldconfig_exec_t;
++ ')
++
++ domain_entry_file($1, ldconfig_exec_t)
++')
++
++########################################
++##
+ ## Use the dynamic link/loader for automatic loading
+ ## of shared libraries.
+ ##
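Review bot: The parameter description at L32583, `The domain for which bin_t is an entrypoint.`, names the wrong type; the interface makes ldconfig_exec_t the entrypoint and the sentence looks copied from a bin_t interface. It should read `## The domain for which ldconfig_exec_t is an entrypoint.`. The summary could also say when this is wanted, e.g. `## Make ldconfig_exec_t an entrypoint for the specified domain (domains entered by executing ldconfig).`.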
+@@ -147,6 +166,7 @@ interface(`libs_manage_ld_so',`
+ type lib_t, ld_so_t;
+ ')
+
++ read_lnk_files_pattern($1, lib_t, lib_t)
+ manage_files_pattern($1, lib_t, ld_so_t)
+ ')
+
+@@ -205,8 +225,26 @@ interface(`libs_search_lib',`
+ type lib_t;
+ ')
+
++ read_lnk_files_pattern($1, lib_t, lib_t)
+ allow $1 lib_t:dir search_dir_perms;
+ ')
++########################################
++##
++## dontaudit attempts to setattr on library files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`libs_dontaudit_setattr_lib_files',`
++ gen_require(`
++ type lib_t;
++ ')
++
++ dontaudit $1 lib_t:file setattr;
++')
+
+ ########################################
+ ##
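Review bot: `read_lnk_files_pattern($1, lib_t, lib_t)` in libs_search_lib (L32612) grants reading of symlinks in library directories, which is more than the interface's "search" name and summary promise, so either document it in the interface description or leave symlink reading to callers that need it. The same undocumented addition appears in libs_manage_ld_so (hunk at L32600), libs_manage_lib_dirs (L32635) and libs_manage_lib_files (L32666), where it fits the "manage" scope better. Separately, the relocated libs_dontaudit_setattr_lib_files block is pasted directly after the `')` at L32614 with no blank line, unlike every other interface in the file. libs_search_lib starts outside this hunk.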
+@@ -248,29 +286,12 @@ interface(`libs_manage_lib_dirs',`
+ type lib_t;
+ ')
+
++ read_lnk_files_pattern($1, lib_t, lib_t)
+ allow $1 lib_t:dir manage_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## dontaudit attempts to setattr on library files
+-##
+-##
+-##
+-## Domain to not audit.
+-##
+-##
+-#
+-interface(`libs_dontaudit_setattr_lib_files',`
+- gen_require(`
+- type lib_t;
+- ')
+-
+- dontaudit $1 lib_t:file setattr;
+-')
+-
+-########################################
+-##
+ ## Read files in the library directories, such
+ ## as static libraries.
+ ##
+@@ -345,6 +366,7 @@ interface(`libs_manage_lib_files',`
+ type lib_t;
+ ')
+
++ read_lnk_files_pattern($1, lib_t, lib_t)
+ manage_files_pattern($1, lib_t, lib_t)
+ ')
+
+@@ -421,7 +443,8 @@ interface(`libs_manage_shared_libs',`
+ type lib_t, textrel_shlib_t;
+ ')
+
+- manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
++ read_lnk_files_pattern($1, lib_t, lib_t)
++ manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ ')
+
+ ########################################
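Review bot: The new `read_lnk_files_pattern($1, lib_t, lib_t)` at L32679 covers only lib_t, while the manage_files_pattern on the next line and libs_use_shared_libs (L32692) treat `{ textrel_shlib_t lib_t }` as both directory and file types, so a caller of libs_manage_shared_libs is still denied reading a symlink labelled textrel_shlib_t. For consistency with libs_use_shared_libs use `read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })`. libs_manage_shared_libs starts outside this hunk.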
+@@ -440,9 +463,10 @@ interface(`libs_use_shared_libs',`
+ ')
+
+ files_search_usr($1)
+- allow $1 lib_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
++ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
++ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
++ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
++# allow $1 lib_t:file execmod;
+ allow $1 textrel_shlib_t:file execmod;
+ ')
+
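Review bot: The commented-out rule `# allow $1 lib_t:file execmod;` at L32694 should be dropped rather than left as dead policy: execmod on lib_t is exactly what the separate textrel_shlib_t type exists to withhold, and a stray uncomment would hand every caller of libs_use_shared_libs execmod on all system libraries. If the line is a reminder for a known breakage, replace it with a comment naming the case instead of the rule itself. libs_use_shared_libs starts outside this hunk.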
+@@ -483,7 +507,7 @@ interface(`libs_relabel_shared_libs',`
+ type lib_t, textrel_shlib_t;
+ ')
+
+- relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
++ relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ ')
+
+ ########################################
+@@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',`
+ interface(`files_lib_filetrans_shared_lib',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ ')
++
++########################################
++##
++## Transition to lib named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`libs_filetrans_named_content',`
++ gen_require(`
++ type lib_t;
++ type ld_so_cache_t;
++ type ldconfig_cache_t;
++ ')
++
++ files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")
++ files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
++')
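Review bot: `type lib_t;` in the gen_require of libs_filetrans_named_content (L32724) is never used in the body, which only references ld_so_cache_t and ldconfig_cache_t, so drop it to avoid an unnecessary requirement. The first call is also spaced differently from the rest (`files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")` vs `files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")`). The summary `Transition to lib named content` would be more useful if it listed the names involved (ld.so.cache, ld.so.preload, the ldconfig cache directory) so callers know what they are granting.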
+diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
+index 54f8fa5..1584203 100644
+--- a/policy/modules/system/libraries.te
++++ b/policy/modules/system/libraries.te
+@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
+ # lib_t is the type of files in the system lib directories.
+ #
+ type lib_t alias shlib_t;
+-files_type(lib_t)
++files_ro_base_file(lib_t)
+
+ #
+ # textrel_shlib_t is the type of shared objects in the system lib
+ # directories, which require text relocation.
+ #
+ type textrel_shlib_t alias texrel_shlib_t;
+-files_type(textrel_shlib_t)
++files_ro_base_file(textrel_shlib_t)
+
+ ifdef(`distro_gentoo',`
+ # openrc unfortunately mounts a tmpfs
+@@ -59,9 +59,11 @@ optional_policy(`
+
+ allow ldconfig_t self:capability { dac_override sys_chroot };
+
++manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
+ manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
++files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig")
+
+-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
++manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
+ files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
+
+ manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
+@@ -72,14 +74,19 @@ files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
+ manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t)
+
+ kernel_read_system_state(ldconfig_t)
++kernel_read_network_state(ldconfig_t)
+
+ fs_getattr_xattr_fs(ldconfig_t)
+
++files_list_var_lib(ldconfig_t)
++files_dontaudit_leaks(ldconfig_t)
++files_manage_var_lib_symlinks(ldconfig_t)
++
+ corecmd_search_bin(ldconfig_t)
+
+ domain_use_interactive_fds(ldconfig_t)
+
+-files_search_var_lib(ldconfig_t)
++files_search_home(ldconfig_t)
+ files_read_etc_files(ldconfig_t)
+ files_read_usr_files(ldconfig_t)
+ files_search_tmp(ldconfig_t)
+@@ -90,11 +97,11 @@ files_delete_etc_files(ldconfig_t)
+ init_use_script_ptys(ldconfig_t)
+ init_read_script_tmp_files(ldconfig_t)
+
+-miscfiles_read_localization(ldconfig_t)
+
+ logging_send_syslog_msg(ldconfig_t)
+
+-userdom_use_user_terminals(ldconfig_t)
++term_use_console(ldconfig_t)
++userdom_use_inherited_user_terminals(ldconfig_t)
+ userdom_use_all_users_fds(ldconfig_t)
+
+ ifdef(`distro_ubuntu',`
+@@ -103,6 +110,13 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
++userdom_dontaudit_list_admin_dir(ldconfig_t)
++userdom_list_user_home_dirs(ldconfig_t)
++userdom_manage_user_home_content_files(ldconfig_t)
++userdom_manage_user_tmp_files(ldconfig_t)
++userdom_manage_user_tmp_symlinks(ldconfig_t)
++userdom_rw_inherited_user_tmp_pipes(ldconfig_t)
++
+ ifdef(`hide_broken_symptoms',`
+ ifdef(`distro_gentoo',`
+ # leaked fds from portage
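Review bot: `userdom_manage_user_home_content_files(ldconfig_t)`, `userdom_manage_user_tmp_files(ldconfig_t)` and `userdom_manage_user_tmp_symlinks(ldconfig_t)` (L32811–L32813), together with `files_search_home(ldconfig_t)` in the hunk at L32787, let the library-cache tool create, write and delete any user home content and user tmp files, which is far wider than ldconfig's job and is not explained here. A comment stating which workflow needs this would help the next reviewer, and if it only exists to quiet denials on files that reach ldconfig through inherited descriptors, a dontaudit or a narrower interface is the safer choice. Removing `miscfiles_read_localization(ldconfig_t)` in the hunk at L32795 also leaves the blank lines on either side of it adjacent.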
+@@ -114,6 +128,11 @@ ifdef(`hide_broken_symptoms',`
+ ')
+ ')
+
++ dev_dontaudit_rw_lvm_control(ldconfig_t)
++ dev_dontaudit_read_all_chr_files(ldconfig_t)
++ dev_dontaudit_read_all_blk_files(ldconfig_t)
++ term_dontaudit_use_unallocated_ttys(ldconfig_t)
++
+ optional_policy(`
+ unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
+ ')
+@@ -131,6 +150,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_append_generic_cache_files(ldconfig_t)
++')
++
++optional_policy(`
++ kdump_manage_kdumpctl_tmp_files(ldconfig_t)
++')
++
++optional_policy(`
+ puppet_rw_tmp(ldconfig_t)
+ ')
+
+@@ -141,6 +168,3 @@ optional_policy(`
+ rpm_manage_script_tmp_files(ldconfig_t)
+ ')
+
+-optional_policy(`
+- unconfined_domain(ldconfig_t)
+-')
+diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
+index be6a81b..a5303e9 100644
+--- a/policy/modules/system/locallogin.fc
++++ b/policy/modules/system/locallogin.fc
+@@ -1,3 +1,8 @@
++HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
++/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
+
+ /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+ /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
++
++/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
++/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
+index 0e3c2a9..ea9bd57 100644
+--- a/policy/modules/system/locallogin.if
++++ b/policy/modules/system/locallogin.if
+@@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',`
+
+ domtrans_pattern($1, sulogin_exec_t, sulogin_t)
+ ')
++
++#######################################
++##
++## Allow domain to gettatr local login home content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`locallogin_getattr_home_content',`
++ gen_require(`
++ type local_login_home_t;
++ ')
++
++ getattr_files_pattern($1, local_login_home_t, local_login_home_t)
++')
++
++########################################
++##
++## create local login content in the in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`locallogin_filetrans_admin_home_content',`
++ gen_require(`
++ type local_login_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
++')
++
++########################################
++##
++## Transition to local login named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`locallogin_filetrans_home_content',`
++ gen_require(`
++ type local_login_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
++ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
++')
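Review bot: The documentation of the three new interfaces has typos: `gettatr` (L32877) should be `getattr`, and `create local login content in the in the /root directory with an correct label.` (L32895–L32896) should read `create local login content in the /root directory with a correct label.`. locallogin_filetrans_admin_home_content is also a strict subset of locallogin_filetrans_home_content, which repeats the same `userdom_admin_home_dir_filetrans` call at L32928; if both are meant to stay, the summaries should say which one a caller that only handles /root should pick.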
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 446fa99..22f539c 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
+ type local_login_lock_t;
+ files_lock_file(local_login_lock_t)
+
+-type local_login_tmp_t;
+-files_tmp_file(local_login_tmp_t)
+-files_poly_parent(local_login_tmp_t)
++type local_login_home_t;
++userdom_user_home_content(local_login_home_t)
+
+ type sulogin_t;
+ type sulogin_exec_t;
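Review bot: Removing `type local_login_tmp_t` (L32938) without keeping a declaration or typealias means any other module that still requires that type fails to link, and anything on disk still carrying the label becomes invalid after the policy is reloaded. If the type is retired intentionally, keep the declaration for a deprecation period or note in the commit message how existing labels are handled. The replacement `userdom_user_home_content(local_login_home_t)` looks right for a per-user `.hushlogin`.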
+@@ -27,14 +26,21 @@ init_domain(sulogin_t, sulogin_exec_t)
+ init_system_domain(sulogin_t, sulogin_exec_t)
+ role system_r types sulogin_t;
+
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mcs_systemhigh)
++')
++
++ifdef(`enable_mls',`
++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh)
++')
++
+ ########################################
+ #
+ # Local login local policy
+ #
+
+-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-allow local_login_t self:process { setrlimit setexec };
++allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
++allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
+ allow local_login_t self:fd use;
+ allow local_login_t self:fifo_file rw_fifo_file_perms;
+ allow local_login_t self:sock_file read_sock_file_perms;
+@@ -51,9 +57,7 @@ allow local_login_t self:key { search write link };
+ allow local_login_t local_login_lock_t:file manage_file_perms;
+ files_lock_filetrans(local_login_t, local_login_lock_t, file)
+
+-allow local_login_t local_login_tmp_t:dir manage_dir_perms;
+-allow local_login_t local_login_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
++allow local_login_t local_login_home_t:file read_file_perms;
+
+ kernel_read_system_state(local_login_t)
+ kernel_read_kernel_sysctls(local_login_t)
+@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
+ dev_setattr_power_mgmt_dev(local_login_t)
+ dev_getattr_sound_dev(local_login_t)
+ dev_setattr_sound_dev(local_login_t)
++dev_rw_generic_usb_dev(local_login_t)
++dev_read_video_dev(local_login_t)
+ dev_dontaudit_getattr_apm_bios_dev(local_login_t)
+ dev_dontaudit_setattr_apm_bios_dev(local_login_t)
+ dev_dontaudit_read_framebuffer(local_login_t)
+@@ -117,16 +123,18 @@ term_relabel_unallocated_ttys(local_login_t)
+ term_relabel_all_ttys(local_login_t)
+ term_setattr_all_ttys(local_login_t)
+ term_setattr_unallocated_ttys(local_login_t)
++term_relabel_all_ptys(local_login_t)
++term_setattr_generic_ptys(local_login_t)
+
+ auth_rw_login_records(local_login_t)
+ auth_rw_faillog(local_login_t)
+-auth_manage_pam_pid(local_login_t)
+ auth_manage_pam_console_data(local_login_t)
+ auth_domtrans_pam_console(local_login_t)
++auth_use_nsswitch(local_login_t)
+
+ init_dontaudit_use_fds(local_login_t)
++init_stream_connect(local_login_t)
+
+-miscfiles_read_localization(local_login_t)
+
+ userdom_spec_domtrans_all_users(local_login_t)
+ userdom_signal_all_users(local_login_t)
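Review bot: Removing `miscfiles_read_localization(local_login_t)` at L33008 leaves the blank lines at L33007 and L33009 adjacent, so the file now has two consecutive empty lines there; drop one. `auth_manage_pam_pid(local_login_t)` is also removed (L33000) with no visible replacement, so unless that access now arrives through `auth_use_nsswitch` or another interface in the series, login may be denied writing its PAM pid data; worth confirming against the other modules.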
+@@ -141,19 +149,15 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
+-tunable_policy(`console_login',`
+- # Able to relabel /dev/console to user tty types.
+- term_relabel_console(local_login_t)
+-')
++userdom_home_reader(local_login_t)
++userdom_manage_tmp_files(local_login_t)
++userdom_tmp_filetrans_user_tmp(local_login_t, file)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(local_login_t)
+- fs_read_nfs_symlinks(local_login_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(local_login_t)
+- fs_read_cifs_symlinks(local_login_t)
++tunable_policy(`login_console_enabled',`
++ term_use_console(local_login_t)
++ # Able to relabel /dev/console to user tty types.
++ term_relabel_console(local_login_t)
++ term_setattr_console(local_login_t)
+ ')
+
+ optional_policy(`
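Review bot: The tunable referenced at L33032 is renamed from `console_login` to `login_console_enabled`, but the matching `gen_tunable` declaration is not in this part of the diff; if it is not renamed elsewhere the build fails on an undeclared boolean. Likewise the explicit `fs_read_nfs_*`/`fs_read_cifs_*` rules under `use_nfs_home_dirs`/`use_samba_home_dirs` are replaced by `userdom_home_reader(local_login_t)`, which is only equivalent if that interface carries the same tunable-guarded NFS and CIFS access, something this hunk cannot show. A short comment on why login needs `userdom_manage_tmp_files` and `userdom_tmp_filetrans_user_tmp` would also help, since the private local_login_tmp_t was removed in favour of writing user tmp.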
+@@ -177,14 +181,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(local_login_t)
+-')
+-
+-optional_policy(`
+- nscd_use(local_login_t)
+-')
+-
+-optional_policy(`
+ unconfined_shell_domtrans(local_login_t)
+ ')
+
+@@ -195,6 +191,7 @@ optional_policy(`
+ optional_policy(`
+ xserver_read_xdm_tmp_files(local_login_t)
+ xserver_rw_xdm_tmp_files(local_login_t)
++ xserver_rw_xdm_keys(local_login_t)
+ ')
+
+ #################################
+@@ -202,7 +199,7 @@ optional_policy(`
+ # Sulogin local policy
+ #
+
+-allow sulogin_t self:capability dac_override;
++allow sulogin_t self:capability { dac_override sys_admin };
+ allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow sulogin_t self:fd use;
+ allow sulogin_t self:fifo_file rw_fifo_file_perms;
+@@ -215,18 +212,30 @@ allow sulogin_t self:sem create_sem_perms;
+ allow sulogin_t self:msgq create_msgq_perms;
+ allow sulogin_t self:msg { send receive };
+
++kernel_getattr_core_if(sulogin_t)
++kernel_read_crypto_sysctls(sulogin_t)
+ kernel_read_system_state(sulogin_t)
+
++dev_getattr_all_chr_files(sulogin_t)
++dev_getattr_all_blk_files(sulogin_t)
++
++dev_read_urand(sulogin_t)
++dev_read_rand(sulogin_t)
++
+ fs_search_auto_mountpoints(sulogin_t)
+ fs_rw_tmpfs_chr_files(sulogin_t)
+
+ files_read_etc_files(sulogin_t)
+ # because file systems are not mounted:
+ files_dontaudit_search_isid_type_dirs(sulogin_t)
++files_search_pids(sulogin_t)
+
+ auth_read_shadow(sulogin_t)
++auth_use_nsswitch(sulogin_t)
+
+ init_getpgid_script(sulogin_t)
++init_getpgid(sulogin_t)
++init_getattr_initctl(sulogin_t)
+
+ logging_send_syslog_msg(sulogin_t)
+
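Review bot: `init_getpgid(sulogin_t)` added unconditionally at L33098 makes the existing call inside the `sulogin_no_pam` branch (L33131, next hunk) redundant; keep the unconditional one and drop the conditional copy. `dev_read_rand(sulogin_t)` and `dev_read_urand(sulogin_t)` are reasonable for password handling, but `kernel_read_crypto_sysctls(sulogin_t)` and the getattr on all block and character devices (L33080–L33081) are not obviously needed by a rescue login and would merit a why-comment.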
+@@ -235,17 +244,28 @@ seutil_read_default_contexts(sulogin_t)
+
+ userdom_use_unpriv_users_fds(sulogin_t)
+
++userdom_search_admin_dir(sulogin_t)
+ userdom_search_user_home_dirs(sulogin_t)
+ userdom_use_user_ptys(sulogin_t)
+
+-sysadm_shell_domtrans(sulogin_t)
++term_use_console(sulogin_t)
++term_use_unallocated_ttys(sulogin_t)
++term_use_generic_ptys(sulogin_t)
++
++ifdef(`enable_mls',`
++ sysadm_shell_domtrans(sulogin_t)
++',`
++ optional_policy(`
++ unconfined_shell_domtrans(sulogin_t)
++ ')
++')
+
+ # suse and debian do not use pam with sulogin...
+ ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ ifdef(`distro_debian', `define(`sulogin_no_pam')')
+
++allow sulogin_t self:capability sys_tty_config;
+ ifdef(`sulogin_no_pam', `
+- allow sulogin_t self:capability sys_tty_config;
+ init_getpgid(sulogin_t)
+ ', `
+ allow sulogin_t self:process setexec;
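Review bot: On non-MLS builds the shell transition for sulogin_t now lives only inside `optional_policy(` with `unconfined_shell_domtrans(sulogin_t)` (L33119–L33121), so a system built without the unconfined module gets no domain transition at all and the rescue shell keeps running as sulogin_t with whatever that domain allows; the previous unconditional `sysadm_shell_domtrans(sulogin_t)` had no such gap. Consider keeping `sysadm_shell_domtrans(sulogin_t)` as the default and layering the unconfined transition on top, or documenting the assumption that unconfined is always present. Moving `allow sulogin_t self:capability sys_tty_config;` out of the `sulogin_no_pam` branch (L33128) is a quiet widening for PAM-using distributions and deserves a comment.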
+@@ -258,9 +278,5 @@ ifdef(`sulogin_no_pam', `
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(sulogin_t)
+-')
+-
+-optional_policy(`
+- nscd_use(sulogin_t)
++ plymouthd_exec_plymouth(sulogin_t)
+ ')
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index b50c5fe..e55a556 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -2,10 +2,13 @@
+
+ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
++/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0)
++
+ /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+ /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+@@ -17,12 +20,25 @@
+ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
++/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
++/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++
++/usr/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
++/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
++/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
++/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
++/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+ /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+-/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+ /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+ /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+@@ -38,21 +54,22 @@ ifdef(`distro_suse', `
+
+ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
+-/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+-/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
++/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
++/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+
+ ifndef(`distro_gentoo',`
+-/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
++/var/log/audit\.log.* -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+ ')
+
+ ifdef(`distro_redhat',`
+ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
+ /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
++/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+ ')
+
+ /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
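Review bot: Dropping the dedicated `/var/log/boot\.log` entry at mls_systemhigh (L33194) means boot.log now matches the generic `/var/log/.*` entry at s0, which on MLS systems lowers the file's level from systemhigh; the same happens to `/var/spool/plymouth/boot\.log` in the hunk at L33225. If the downgrade is intended, a comment next to the generic entry would record why; otherwise keep the dedicated entries.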
+@@ -65,11 +82,16 @@ ifdef(`distro_redhat',`
+ /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+ /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+ /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
++/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+
+ /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
+ /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+-/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
+ /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
++/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
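Review bot: The hunk ends with an added empty line after `/var/webmin(/.*)?` (L33233), leaving a trailing blank at the end of logging.fc. Labelling the whole `/var/webmin` tree and `/var/stockmaniac/templates_cache` as var_log_t gives every domain with generic log access (append, read, and the new link and unlink interfaces) the same rights over those directories; if they hold more than logs, a dedicated type is the safer label.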
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 4e94884..8de26ad 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
+
+ ########################################
+ ##
+-## Connect to auditdstored over an unix stream socket.
++## Connect to auditdstored over a unix stream socket.
+ ##
+ ##
+ ##
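Review bot: The summary at L33243 still reads `Connect to auditdstored over a unix stream socket.`; the article was fixed but the fused word `auditdstored` was not, and presumably `## Connect to auditd over a unix stream socket.` is meant. The parallel fix at L33252 is clean.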
+@@ -318,7 +318,7 @@ interface(`logging_dispatcher_domain',`
+
+ ########################################
+ ##
+-## Connect to the audit dispatcher over an unix stream socket.
++## Connect to the audit dispatcher over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -496,6 +496,68 @@ interface(`logging_log_filetrans',`
+ filetrans_pattern($1, var_log_t, $2, $3, $4)
+ ')
+
++#######################################
++##
++## Create an object in the log directory, with a private type.
++##
++##
++##
++## Allow the specified domain to create an object
++## in the general system log directories (e.g., /var/log)
++## with a private type. Typically this is used for creating
++## private log files in /var/log with the private type instead
++## of the general system log type. To accomplish this goal,
++## either the program must be SELinux-aware, or use this interface.
++##
++##
++## Related interfaces:
++##
++##
++## - logging_log_file()
++##
++##
++## Example usage with a domain that can create
++## and append to a private log file stored in the
++## general directories (e.g., /var/log):
++##
++##
++## type mylogfile_t;
++## logging_log_file(mylogfile_t)
++## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
++## logging_log_filetrans(mydomain_t, mylogfile_t, file)
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++##
++#
++interface(`logging_log_named_filetrans',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ files_search_var($1)
++ filetrans_pattern($1, var_log_t, $2, $3, $4)
++')
++
+ ########################################
+ ##
+ ## Send system log messages.
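Review bot: The body of the new logging_log_named_filetrans, `files_search_var($1)` followed by `filetrans_pattern($1, var_log_t, $2, $3, $4)`, is the same as the existing logging_log_filetrans whose last line is visible in context at L33257 and which already passes `$4` through as the object name; unless the older interface is meant to lose its name argument, one of the two is redundant. The example in the new documentation (L33288) also calls `logging_log_filetrans(mydomain_t, mylogfile_t, file)` rather than the interface it documents, and the parameter text should say that the fourth argument is what makes this a named transition.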
+@@ -530,22 +592,104 @@ interface(`logging_log_filetrans',`
+ #
+ interface(`logging_send_syslog_msg',`
+ gen_require(`
+- type syslogd_t, devlog_t;
++ attribute syslog_client_type;
++ ')
++
++ typeattribute $1 syslog_client_type;
++')
++
++########################################
++##
++## Connect to the syslog control unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_create_devlog_dev',`
++ gen_require(`
++ type devlog_t;
++ ')
++
++ allow $1 devlog_t:sock_file manage_sock_file_perms;
++ dev_filetrans($1, devlog_t, sock_file)
++ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
++')
++
++########################################
++##
++## Relabel the devlog sock_file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_relabel_devlog_dev',`
++ gen_require(`
++ type devlog_t;
++ ')
++
++ allow $1 devlog_t:sock_file relabel_sock_file_perms;
++')
++
++########################################
++##
++## Allow domain to read the syslog pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_read_syslog_pid',`
++ gen_require(`
++ type syslogd_var_run_t;
+ ')
+
+- allow $1 devlog_t:lnk_file read_lnk_file_perms;
+- allow $1 devlog_t:sock_file write_sock_file_perms;
++ read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
++ list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
++')
++
++########################################
++##
++## Relabel the syslog pid sock_file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_relabel_syslog_pid_socket',`
++ gen_require(`
++ type syslogd_var_run_t;
++ ')
++
++ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
++')
+
+- # the type of socket depends on the syslog daemon
+- allow $1 syslogd_t:unix_dgram_socket sendto;
+- allow $1 syslogd_t:unix_stream_socket connectto;
+- allow $1 self:unix_dgram_socket create_socket_perms;
+- allow $1 self:unix_stream_socket create_socket_perms;
++########################################
++##
++## Connect to the syslog control unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_stream_connect_syslog',`
++ gen_require(`
++ type syslogd_t, syslogd_var_run_t;
++ ')
+
+- # If syslog is down, the glibc syslog() function
+- # will write to the console.
+- term_write_console($1)
+- term_dontaudit_read_console($1)
++ files_search_pids($1)
++ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
+ ')
+
+ ########################################
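Review bot: logging_create_devlog_dev's summary at L33338, `Connect to the syslog control unix stream socket.`, is copied from logging_stream_connect_syslog (L33420) and does not describe the interface; it should read something like `## Create the devlog socket file in /dev and the init pid directory.`. logging_send_syslog_msg now only adds the caller to `syslog_client_type`, so the rules it used to carry, notably the removed console fallback `term_write_console($1)` for when syslogd is down, must be attached to that attribute in logging.te, which is not in this chunk; if they were not moved, every logging client silently loses that access, and the attribute must be declared there before this .if builds. logging_send_syslog_msg starts outside this hunk.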
+@@ -571,6 +715,25 @@ interface(`logging_read_audit_config',`
+
+ ########################################
+ ##
++## dontaudit search of auditd log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`logging_dontaudit_search_audit_logs',`
++ gen_require(`
++ type auditd_log_t;
++ ')
++
++ dontaudit $1 auditd_log_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## dontaudit search of auditd configuration files.
+ ##
+ ##
+@@ -609,6 +772,25 @@ interface(`logging_read_syslog_config',`
+
+ ########################################
+ ##
++## Manage syslog configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`logging_manage_syslog_config',`
++ gen_require(`
++ type syslog_conf_t;
++ ')
++
++ manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
++')
++
++########################################
++##
+ ## Allows the domain to open a file in the
+ ## log directory, but does not allow the listing
+ ## of the contents of the log directory.
+@@ -722,6 +904,25 @@ interface(`logging_setattr_all_log_dirs',`
+ allow $1 logfile:dir setattr;
+ ')
+
++#######################################
++##
++## Relabel on all log dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`logging_relabel_all_log_dirs',`
++ gen_require(`
++ attribute logfile;
++ ')
++
++ relabel_dirs_pattern($1, logfile, logfile)
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to get the attributes
+@@ -776,7 +977,25 @@ interface(`logging_append_all_logs',`
+ ')
+
+ files_search_var($1)
+- append_files_pattern($1, var_log_t, logfile)
++ append_files_pattern($1, logfile, logfile)
++')
++
++########################################
++##
++## Append to all log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_inherit_append_all_logs',`
++ gen_require(`
++ attribute logfile;
++ ')
++
++ allow $1 logfile:file { getattr append ioctl lock };
+ ')
+
+ ########################################
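Review bot: The new `logging_inherit_append_all_logs` carries the same summary as the interface above it, "Append to all log files.", which hides the distinction that matters: it grants `{ getattr append ioctl lock }` on `logfile` files only, with no `files_search_var` or directory search, so it is meant for log file descriptors inherited from a parent rather than for opening logs by path. Suggest `## Append to inherited log file descriptors, without search access to the log directories.` so callers pick the right one.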
+@@ -859,7 +1078,7 @@ interface(`logging_manage_all_logs',`
+
+ files_search_var($1)
+ manage_files_pattern($1, logfile, logfile)
+- read_lnk_files_pattern($1, logfile, logfile)
++ manage_lnk_files_pattern($1, logfile, logfile)
+ ')
+
+ ########################################
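Review bot: Switching `read_lnk_files_pattern` to `manage_lnk_files_pattern` on the `logfile` attribute means every caller of `logging_manage_all_logs` can now create, rename and remove symlinks in every log directory, and the hunk gives no consumer for the widening. Log-handling daemons running with broad file privilege are exactly where symlink handling deserves scrutiny, so a comment naming the program that needs it would let a reviewer decide whether `delete_lnk_files_pattern` or `create_lnk_files_pattern` alone would do. The body of `logging_manage_all_logs` starts outside the hunk.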
+@@ -885,6 +1104,44 @@ interface(`logging_read_generic_logs',`
+
+ ########################################
+ ##
++## Link generic log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`logging_link_generic_logs',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ allow $1 var_log_t:file link;
++')
++
++########################################
++##
++## Delete generic log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`logging_delete_generic_logs',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ allow $1 var_log_t:file unlink;
++')
++
++########################################
++##
+ ## Write generic log files.
+ ##
+ ##
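Review bot: `logging_delete_generic_logs` grants only `var_log_t:file unlink`, and `logging_link_generic_logs` only `var_log_t:file link`; neither grants the directory-side permission the operation also needs (`remove_name` or `add_name` on the containing `var_log_t` dir), so a caller that has no other write access to `/var/log` will still be denied. Using `delete_files_pattern($1, var_log_t, var_log_t)` for the delete case follows the convention the rest of this file uses and makes the interface self-sufficient; if the omission is deliberate because callers already hold `rw_dir_perms`, a comment saying so would prevent the next reader from "fixing" it.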
+@@ -905,6 +1162,24 @@ interface(`logging_write_generic_logs',`
+
+ ########################################
+ ##
++## Dontaudit read/Write inherited generic log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`logging_dontaudit_rw_inherited_generic_logs',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ dontaudit $1 var_log_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Dontaudit Write generic log files.
+ ##
+ ##
+@@ -984,11 +1259,16 @@ interface(`logging_admin_audit',`
+ type auditd_t, auditd_etc_t, auditd_log_t;
+ type auditd_var_run_t;
+ type auditd_initrc_exec_t;
++ type auditd_unit_file_t;
+ ')
+
+- allow $1 auditd_t:process { ptrace signal_perms };
++ allow $1 auditd_t:process signal_perms;
+ ps_process_pattern($1, auditd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 auditd_t:process ptrace;
++ ')
++
+ manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
+ manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+
+@@ -1004,6 +1284,33 @@ interface(`logging_admin_audit',`
+ domain_system_change_exemption($1)
+ role_transition $2 auditd_initrc_exec_t system_r;
+ allow $2 system_r;
++
++ logging_systemctl_audit($1)
++ admin_pattern($1, auditd_unit_file_t)
++ allow $1 auditd_unit_file_t:service all_service_perms;
++')
++
++########################################
++##
++## Execute auditd server in the auditd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`logging_systemctl_audit',`
++ gen_require(`
++ type auditd_t;
++ type auditd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 auditd_unit_file_t:file read_file_perms;
++ allow $1 auditd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, auditd_t)
+ ')
+
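Review bot: The summary of `logging_systemctl_audit` says "Execute auditd server in the auditd domain", but the body grants `systemd_exec_systemctl`, read of `auditd_unit_file_t` and `manage_service_perms` on its service, plus `ps_process_pattern` on `auditd_t`; there is no domain transition into `auditd_t` here. Suggest `## Execute systemctl to manage the auditd service (start, stop, status), and read auditd's process state.` and `## Domain allowed access.` for the parameter. In `logging_admin_audit` the same hunk also grants `auditd_unit_file_t:service all_service_perms` right after calling this interface, which already grants `manage_service_perms`; one of the two is redundant and worth a comment if both are intended.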
+ ########################################
+@@ -1032,10 +1339,15 @@ interface(`logging_admin_syslog',`
+ type syslogd_initrc_exec_t;
+ ')
+
+- allow $1 syslogd_t:process { ptrace signal_perms };
+- allow $1 klogd_t:process { ptrace signal_perms };
++ allow $1 self:capability2 syslog;
++ allow $1 syslogd_t:process signal_perms;
++ allow $1 klogd_t:process signal_perms;
+ ps_process_pattern($1, syslogd_t)
+ ps_process_pattern($1, klogd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 syslogd_t:process ptrace;
++ allow $1 klogd_t:process ptrace;
++ ')
+
+ manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
+ manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
+@@ -1057,6 +1369,8 @@ interface(`logging_admin_syslog',`
+ manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+
+ logging_manage_all_logs($1)
++ allow $1 logfile:dir relabel_dir_perms;
++ allow $1 logfile:file relabel_file_perms;
+
+ init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
+ domain_system_change_exemption($1)
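Review bot: The two new relabel lines in `logging_admin_syslog` reference the `logfile` attribute directly; whether `attribute logfile;` is in this interface's `gen_require` block cannot be seen from the hunk, and if it is not, the module will fail to build. This patch also introduces `logging_relabel_all_log_dirs` in the same file, so calling that interface (and a matching file-level one) instead of inlining `allow $1 logfile:dir relabel_dir_perms;` would keep the attribute requirement in one place.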
+@@ -1085,3 +1399,54 @@ interface(`logging_admin',`
+ logging_admin_audit($1, $2)
+ logging_admin_syslog($1, $2)
+ ')
++
++########################################
++##
++## Transition to syslog.conf
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_filetrans_named_conf',`
++ gen_require(`
++ type syslog_conf_t;
++ ')
++
++ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
++ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
++')
++
++########################################
++##
++## Transition to logging named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_filetrans_named_content',`
++ gen_require(`
++ type var_log_t;
++ type audit_spool_t;
++ type syslogd_var_run_t;
++ type syslog_conf_t;
++ ')
++
++ files_pid_filetrans($1, syslogd_var_run_t, dir, "log")
++ files_spool_filetrans($1, var_log_t, dir, "rsyslog")
++ files_spool_filetrans($1, var_log_t, dir, "log")
++ files_spool_filetrans($1, audit_spool_t, dir, "audit")
++ files_var_filetrans($1, var_log_t, dir, "webmin")
++
++ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
++ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
++
++ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
++
++ logging_log_filetrans($1, var_log_t, dir, "anaconda")
++')
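Review bot: `logging_filetrans_named_content` repeats the two `files_etc_filetrans(... "syslog.conf")` / `"rsyslog.conf"` lines that `logging_filetrans_named_conf` directly above it already encapsulates; calling `logging_filetrans_named_conf($1)` there avoids the two drifting apart. The summaries "Transition to syslog.conf" and "Transition to logging named content" are also too terse for a file-transition interface; something like `## Create named log, spool, pid and configuration objects with the logging module's types.` would tell a caller what it labels. Finally, `files_var_filetrans($1, var_log_t, dir, "webmin")` and the two `files_spool_filetrans(..., var_log_t, ...)` lines give directories outside `/var/log` the generic `var_log_t` type, which every domain with generic log access can then write to; a comment saying why these are not given a more specific type would help.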
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 59b04c1..077c808 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
+ #
+ # Declarations
+ #
++attribute syslog_client_type;
++
++##
++##
++## Allow syslogd daemon to send mail
++##
++##
++gen_tunable(logging_syslogd_can_sendmail, false)
++
++##
++##
++## Allow syslogd the ability to read/write terminals
++##
++##
++gen_tunable(logging_syslogd_use_tty, true)
+
+ attribute logfile;
+
+@@ -20,6 +35,7 @@ files_security_file(auditd_log_t)
+ files_security_mountpoint(auditd_log_t)
+
+ type audit_spool_t;
++files_spool_file(audit_spool_t)
+ files_security_file(audit_spool_t)
+ files_security_mountpoint(audit_spool_t)
+
+@@ -33,6 +49,9 @@ init_script_file(auditd_initrc_exec_t)
+ type auditd_var_run_t;
+ files_pid_file(auditd_var_run_t)
+
++type auditd_unit_file_t;
++systemd_unit_file(auditd_unit_file_t)
++
+ type audisp_t;
+ type audisp_exec_t;
+ init_system_domain(audisp_t, audisp_exec_t)
+@@ -64,6 +83,7 @@ files_config_file(syslog_conf_t)
+ type syslogd_t;
+ type syslogd_exec_t;
+ init_daemon_domain(syslogd_t, syslogd_exec_t)
++mls_trusted_object(syslogd_t)
+
+ type syslogd_initrc_exec_t;
+ init_script_file(syslogd_initrc_exec_t)
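Review bot: `mls_trusted_object(syslogd_t)` is applied to a process domain rather than a file or socket type, and the hunk does not say why. If the intent is to let clients at any MLS level write to the daemon's unix sockets (which carry the `syslogd_t` type), a comment such as `# mlstrustedobject so that processes at any level can send to syslogd's sockets` — TODO confirm — would make the MLS implication explicit, since trusted objects bypass the write-down constraints.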
+@@ -71,11 +91,15 @@ init_script_file(syslogd_initrc_exec_t)
+ type syslogd_tmp_t;
+ files_tmp_file(syslogd_tmp_t)
+
++type syslogd_tmpfs_t;
++files_tmpfs_file(syslogd_tmpfs_t)
++
+ type syslogd_var_lib_t;
+ files_type(syslogd_var_lib_t)
+
+ type syslogd_var_run_t;
+ files_pid_file(syslogd_var_run_t)
++mls_trusted_object(syslogd_var_run_t)
+
+ type var_log_t;
+ logging_log_file(var_log_t)
+@@ -94,6 +118,8 @@ ifdef(`enable_mls',`
+ allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+
++allow auditctl_t self:process getcap;
++
+ read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+ allow auditctl_t auditd_etc_t:dir list_dir_perms;
+
+@@ -111,7 +137,9 @@ domain_use_interactive_fds(auditctl_t)
+
+ mls_file_read_all_levels(auditctl_t)
+
+-term_use_all_terms(auditctl_t)
++storage_getattr_removable_dev(auditctl_t)
++
++term_use_all_inherited_terms(auditctl_t)
+
+ init_dontaudit_use_fds(auditctl_t)
+
+@@ -136,9 +164,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
+ allow auditd_t auditd_etc_t:dir list_dir_perms;
+ allow auditd_t auditd_etc_t:file read_file_perms;
+
++manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+-allow auditd_t var_log_t:dir search_dir_perms;
++logging_log_filetrans(auditd_t, auditd_log_t, dir, "audit")
+
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+@@ -148,6 +177,7 @@ kernel_read_kernel_sysctls(auditd_t)
+ # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
+ # Probably want a transition, and a new auditd_helper app
+ kernel_read_system_state(auditd_t)
++kernel_read_network_state(auditd_t)
+
+ dev_read_sysfs(auditd_t)
+
+@@ -155,9 +185,6 @@ fs_getattr_all_fs(auditd_t)
+ fs_search_auto_mountpoints(auditd_t)
+ fs_rw_anon_inodefs_files(auditd_t)
+
+-selinux_search_fs(auditctl_t)
+-
+-corenet_all_recvfrom_unlabeled(auditd_t)
+ corenet_all_recvfrom_netlabel(auditd_t)
+ corenet_tcp_sendrecv_generic_if(auditd_t)
+ corenet_tcp_sendrecv_generic_node(auditd_t)
+@@ -183,16 +210,17 @@ logging_send_syslog_msg(auditd_t)
+ logging_domtrans_dispatcher(auditd_t)
+ logging_signal_dispatcher(auditd_t)
+
+-miscfiles_read_localization(auditd_t)
++auth_use_nsswitch(auditd_t)
+
+ mls_file_read_all_levels(auditd_t)
+ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
+-
+-seutil_dontaudit_read_config(auditd_t)
++mls_socket_write_all_levels(auditd_t)
+
+ sysnet_dns_name_resolve(auditd_t)
+
+-userdom_use_user_terminals(auditd_t)
++systemd_start_systemd_services(auditd_t)
++
++userdom_use_inherited_user_terminals(auditd_t)
+ userdom_dontaudit_use_unpriv_user_fds(auditd_t)
+ userdom_dontaudit_search_user_home_dirs(auditd_t)
+
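Review bot: `systemd_start_systemd_services(auditd_t)` lets the audit daemon start arbitrary systemd services, which is a broader privilege than the rest of this section (state reads, DNS, terminals) and is added with no explanation. A why-comment naming the service auditd needs to start would let a reviewer judge whether a narrower interface exists. The hunk also drops `seutil_dontaudit_read_config(auditd_t)` without a replacement; if the denial has simply gone away that is fine, but it is worth stating.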
+@@ -237,19 +265,29 @@ corecmd_exec_shell(audisp_t)
+
+ domain_use_interactive_fds(audisp_t)
+
++fs_getattr_all_fs(audisp_t)
++
+ files_read_etc_files(audisp_t)
+ files_read_etc_runtime_files(audisp_t)
+
++mls_file_read_all_levels(audisp_t)
+ mls_file_write_all_levels(audisp_t)
++mls_socket_write_all_levels(audisp_t)
++mls_dbus_send_all_levels(audisp_t)
++
++auth_use_nsswitch(audisp_t)
+
+ logging_send_syslog_msg(audisp_t)
+
+-miscfiles_read_localization(audisp_t)
+
+ sysnet_dns_name_resolve(audisp_t)
+
+ optional_policy(`
+ dbus_system_bus_client(audisp_t)
++
++ optional_policy(`
++ setroubleshoot_dbus_chat(audisp_t)
++ ')
+ ')
+
+ ########################################
+@@ -268,7 +306,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+
+ corecmd_exec_bin(audisp_remote_t)
+
+-corenet_all_recvfrom_unlabeled(audisp_remote_t)
+ corenet_all_recvfrom_netlabel(audisp_remote_t)
+ corenet_tcp_sendrecv_generic_if(audisp_remote_t)
+ corenet_tcp_sendrecv_generic_node(audisp_remote_t)
+@@ -280,10 +317,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+
+ files_read_etc_files(audisp_remote_t)
+
++mls_socket_write_all_levels(audisp_remote_t)
++
+ logging_send_syslog_msg(audisp_remote_t)
+ logging_send_audit_msgs(audisp_remote_t)
+
+-miscfiles_read_localization(audisp_remote_t)
++auth_use_nsswitch(audisp_remote_t)
++auth_append_login_records(audisp_remote_t)
++
++
++init_telinit(audisp_remote_t)
++init_read_utmp(audisp_remote_t)
++init_dontaudit_write_utmp(audisp_remote_t)
+
+ sysnet_dns_name_resolve(audisp_remote_t)
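Review bot: `init_telinit(audisp_remote_t)` allows the remote audit dispatcher to ask init to change runlevel, which makes sense only for auditd's configured failure actions (halt or single-user mode on lost audit connectivity) and should say so: `# audisp-remote can halt/drop to single user per its network_failure_action config` — TODO confirm against the dispatcher's options. The removal of `miscfiles_read_localization` also leaves two consecutive blank lines before `init_telinit`, a style nit the same edit repeats in the audisp and klogd sections.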
+
+@@ -326,7 +371,6 @@ files_read_etc_files(klogd_t)
+
+ logging_send_syslog_msg(klogd_t)
+
+-miscfiles_read_localization(klogd_t)
+
+ mls_file_read_all_levels(klogd_t)
+
+@@ -355,13 +399,12 @@ optional_policy(`
+ # sys_admin for the integrated klog of syslog-ng and metalog
+ # sys_nice for rsyslog
+ # cjp: why net_admin!
+-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
+ dontaudit syslogd_t self:capability sys_tty_config;
++allow syslogd_t self:capability2 { syslog block_suspend };
+ # setpgid for metalog
+ # setrlimit for syslog-ng
+-# getsched for syslog-ng
+-# setsched for rsyslog
+-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
++allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit };
+ # receive messages to be logged
+ allow syslogd_t self:unix_dgram_socket create_socket_perms;
+ allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
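Review bot: The rewritten capability set for `syslogd_t` lists `setuid setgid` twice (`... setgid setuid sys_admin ... setuid setgid net_raw`); checkpolicy tolerates the duplicate but it reads like a merge error. The same line adds `sys_ptrace` and the process line adds `getcap setcap`, both without a comment, while the hunk deletes the existing "getsched for syslog-ng / setsched for rsyslog" explanations. Keeping those two comments and adding one for `sys_ptrace` (what syslog implementation needs it, and for which feature) would preserve the per-permission rationale this block has had so far.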
+@@ -369,8 +412,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
+ allow syslogd_t self:fifo_file rw_fifo_file_perms;
+ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
++allow syslogd_t self:rawip_socket create_socket_perms;
+
+ allow syslogd_t syslog_conf_t:file read_file_perms;
++allow syslogd_t syslog_conf_t:dir list_dir_perms;
+
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+@@ -389,30 +434,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
+
++manage_dirs_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
++manage_files_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
++fs_tmpfs_filetrans(syslogd_t, syslogd_tmpfs_t, { dir file })
++
++manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
+ manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
+ files_search_var_lib(syslogd_t)
+
+-# manage pid file
++manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+-files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
++manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
++files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
+
++kernel_rw_stream_socket_perms(syslogd_t)
+ kernel_read_system_state(syslogd_t)
+ kernel_read_network_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
+ kernel_read_proc_symlinks(syslogd_t)
+ # Allow access to /proc/kmsg for syslog-ng
+ kernel_read_messages(syslogd_t)
++kernel_request_load_module(syslogd_t)
+ kernel_read_vm_sysctls(syslogd_t)
+ kernel_clear_ring_buffer(syslogd_t)
+ kernel_change_ring_buffer_level(syslogd_t)
++kernel_read_ring_buffer(syslogd_t)
++
++ifdef(`hide_broken_symptoms',`
++ kernel_rw_unix_dgram_sockets(syslogd_t)
++')
++
++corecmd_exec_bin(syslogd_t)
++corecmd_exec_shell(syslogd_t)
+
+-corenet_all_recvfrom_unlabeled(syslogd_t)
+ corenet_all_recvfrom_netlabel(syslogd_t)
+ corenet_udp_sendrecv_generic_if(syslogd_t)
+ corenet_udp_sendrecv_generic_node(syslogd_t)
+ corenet_udp_sendrecv_all_ports(syslogd_t)
+ corenet_udp_bind_generic_node(syslogd_t)
+ corenet_udp_bind_syslogd_port(syslogd_t)
++corenet_udp_bind_syslog_tls_port(syslogd_t)
+ # syslog-ng can listen and connect on tcp port 514 (rsh)
+ corenet_tcp_sendrecv_generic_if(syslogd_t)
+ corenet_tcp_sendrecv_generic_node(syslogd_t)
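Review bot: `corecmd_exec_bin(syslogd_t)` and `corecmd_exec_shell(syslogd_t)` let the syslog daemon run any binary or shell, which substantially changes what a compromise of a network-facing log daemon can do, and they arrive with no comment while neighbouring lines such as `kernel_read_messages` are annotated. A comment naming the feature (presumably a module that pipes messages to external programs — TODO confirm) would record the trade-off; likewise `kernel_request_load_module(syslogd_t)` deserves a word. The hunk also drops the `# manage pid file` comment above the `syslogd_var_run_t` rules even though those rules remain.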
+@@ -422,6 +483,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+ corenet_tcp_connect_rsh_port(syslogd_t)
+ # Allow users to define additional syslog ports to connect to
+ corenet_tcp_bind_syslogd_port(syslogd_t)
++corenet_tcp_bind_syslog_tls_port(syslogd_t)
++corenet_tcp_connect_syslog_tls_port(syslogd_t)
+ corenet_tcp_connect_syslogd_port(syslogd_t)
+ corenet_tcp_connect_postgresql_port(syslogd_t)
+ corenet_tcp_connect_mysqld_port(syslogd_t)
+@@ -432,9 +495,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+ corenet_sendrecv_postgresql_client_packets(syslogd_t)
+ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+
++tunable_policy(`logging_syslogd_use_tty',`
++ term_use_all_ttys(syslogd_t)
++ term_use_all_ptys(syslogd_t)
++')
++
++tunable_policy(`logging_syslogd_can_sendmail',`
++ # support for ommail module to send logs via mail
++ corenet_tcp_connect_smtp_port(syslogd_t)
++')
++
+ dev_filetrans(syslogd_t, devlog_t, sock_file)
+ dev_read_sysfs(syslogd_t)
+-
++dev_read_rand(syslogd_t)
++dev_read_urand(syslogd_t)
++# relating to systemd-kmsg-syslogd
++dev_write_kmsg(syslogd_t)
++dev_read_kmsg(syslogd_t)
++
++domain_read_all_domains_state(syslogd_t)
++domain_getattr_all_domains(syslogd_t)
+ domain_use_interactive_fds(syslogd_t)
+
+ files_read_etc_files(syslogd_t)
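Review bot: `domain_read_all_domains_state(syslogd_t)` and `domain_getattr_all_domains(syslogd_t)` give syslogd read access to `/proc/<pid>` of every domain on the system unconditionally, whereas the adjacent new privileges (tty use, SMTP) were placed behind tunables. A comment stating the reason (for instance a feature that annotates messages with sender process details — TODO confirm) would justify it, and if the need is feature-specific a `tunable_policy` would keep the default tighter. The `logging_syslogd_use_tty` tunable defaults to `true` in the declarations hunk, so `term_use_all_ttys`/`term_use_all_ptys` is effectively on by default; worth a sentence in the tunable description.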
+@@ -448,13 +528,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+
+ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
++fs_search_cgroup_dirs(syslogd_t)
+
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram
+
+ term_write_console(syslogd_t)
+ # Allow syslog to a terminal
+ term_write_unallocated_ttys(syslogd_t)
++term_use_generic_ptys(syslogd_t)
+
++init_stream_connect(syslogd_t)
+ # for sending messages to logged in users
+ init_read_utmp(syslogd_t)
+ init_dontaudit_write_utmp(syslogd_t)
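Review bot: The trailing comment on the new `mls_socket_write_all_levels(syslogd_t)` line reads `# Neet to be able to sendto dgram`; it should be `# Need to be able to sendto dgram sockets at all levels` to match the comment on the line above it.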
+@@ -466,11 +550,11 @@ init_use_fds(syslogd_t)
+
+ # cjp: this doesnt make sense
+ logging_send_syslog_msg(syslogd_t)
+-
+-miscfiles_read_localization(syslogd_t)
++logging_manage_all_logs(syslogd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
+-userdom_dontaudit_search_user_home_dirs(syslogd_t)
++userdom_search_user_home_dirs(syslogd_t)
++userdom_rw_inherited_user_tmp_files(syslogd_t)
+
+ ifdef(`distro_gentoo',`
+ # default gentoo syslog-ng config appends kernel
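Review bot: `userdom_dontaudit_search_user_home_dirs(syslogd_t)` becomes `userdom_search_user_home_dirs(syslogd_t)`, turning a silenced denial into a grant, and `userdom_rw_inherited_user_tmp_files` and `logging_manage_all_logs(syslogd_t)` are added alongside; none of the three says why. For the home-directory change in particular, a comment naming the use case (logging to a file under a user's home, or a per-user configuration) would tell a reviewer whether search alone is the whole requirement. The replaced `miscfiles_read_localization` line is not re-added here; presumably `auth_use_nsswitch` elsewhere covers it — TODO confirm.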
+@@ -497,6 +581,7 @@ optional_policy(`
+ optional_policy(`
+ cron_manage_log_files(syslogd_t)
+ cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
++ cron_generic_log_filetrans_log(syslogd_t, file, "cron")
+ ')
+
+ optional_policy(`
+@@ -507,15 +592,40 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kerberos_keytab_template(syslogd, syslogd_t)
++ kerberos_manage_host_rcache(syslogd_t)
++ kerberos_read_config(syslogd_t)
++')
++
++optional_policy(`
++ mysql_read_config(syslogd_t)
+ mysql_stream_connect(syslogd_t)
+ ')
+
+ optional_policy(`
++ plymouthd_manage_log(syslogd_t)
++')
++
++optional_policy(`
++ postfix_search_spool(syslogd_t)
++')
++
++optional_policy(`
+ postgresql_stream_connect(syslogd_t)
+ ')
+
+ optional_policy(`
++ psad_search_lib_files(syslogd_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(syslogd_t)
++ snmp_read_snmp_var_lib_files(syslogd_t)
++ snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)
++')
++
++optional_policy(`
++ daemontools_search_svc_dir(syslogd_t)
+ ')
+
+ optional_policy(`
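Review bot: `snmp_read_snmp_var_lib_files(syslogd_t)` and `snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)` are placed in the existing `optional_policy` block that holds `seutil_sigchld_newrole(syslogd_t)`. An `optional_policy` block is dropped as a unit when any module it references is absent, so on a system without the snmp module the `seutil` rule silently disappears as well. They should be in their own `optional_policy(\`` block, as the `psad`, `plymouthd` and `daemontools` additions in this hunk are.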
+@@ -526,3 +636,26 @@ optional_policy(`
+ # log to the xconsole
+ xserver_rw_console(syslogd_t)
+ ')
++
++#####################################################
++#
++# syslog client rules
++#
++allow syslog_client_type devlog_t:lnk_file read_lnk_file_perms;
++allow syslog_client_type devlog_t:sock_file write_sock_file_perms;
++
++# the type of socket depends on the syslog daemon
++allow syslog_client_type syslogd_t:unix_dgram_socket sendto;
++allow syslog_client_type syslogd_t:unix_stream_socket connectto;
++allow syslog_client_type self:unix_dgram_socket create_socket_perms;
++allow syslog_client_type self:unix_stream_socket create_socket_perms;
++
++# If syslog is down, the glibc syslog() function
++# will write to the console.
++term_write_console(syslog_client_type)
++term_dontaudit_read_console(syslog_client_type)
++ifdef(`hide_broken_symptoms',`
++ kernel_dgram_send(syslog_client_type)
++')
++
++logging_stream_connect_syslog(syslog_client_type)
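Review bot: The `syslog_client_type` block grants `syslogd_t:unix_stream_socket connectto` directly and then calls `logging_stream_connect_syslog(syslog_client_type)`, which by its name grants the same access (its definition is outside this hunk, so this is inferred). One of the two should go, or a comment should say what the interface adds beyond the inline rule. The section banner also uses a 53-character `#####…` rule where the rest of the file uses 40, and `term_write_console` on every syslog client is worth a note that it is the glibc fallback path, which the comment above it already half-explains.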
+diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
+index 6b91740..562d1fd 100644
+--- a/policy/modules/system/lvm.fc
++++ b/policy/modules/system/lvm.fc
+@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
+ /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+ /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+
++/etc/multipath(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
++
+ #
+ # /lib
+ #
+@@ -33,19 +35,23 @@ ifdef(`distro_gentoo',`
+ #
+ # /sbin
+ #
++/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/umount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
+-/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -89,8 +95,74 @@ ifdef(`distro_gentoo',`
+ #
+ # /usr
+ #
+-/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
+-/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/systemd/generator/lvm.* gen_context(system_u:object_r:lvm_unit_file_t,s0)
++/usr/lib/systemd/system/lvm2.*\.service gen_context(system_u:object_r:lvm_unit_file_t,s0)
++
++/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
++/usr/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/dmeventd -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgexport -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0)
++
++/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/systemd/system-generators/lvm2.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/storaged/storaged -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/storaged/storaged-lvm-helper -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
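Review bot: `/usr/lib/systemd/generator/lvm.*` (labelled `lvm_unit_file_t`) and `/usr/lib/systemd/system-generators/lvm2.*` (labelled `lvm_exec_t`) look like two attempts at the same generator; systemd's generator directory is `system-generators`, so the first entry probably never matches and, if it did, would label an executable as a unit file. Suggest dropping the first or correcting its path and context. The `/usr/lib/lvm-10/.*` and `/usr/lib/lvm-200/.*` entries also appear to be from a different distribution's layout and would benefit from a comment on where they apply.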
+ #
+ # /var
+@@ -98,5 +170,9 @@ ifdef(`distro_gentoo',`
+ /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+ /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
+ /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
++/var/lock/dmraid(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
++/var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/run/multipathd(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
+ /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
+ /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
+diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
+index 58bc27f..f5ae583 100644
+--- a/policy/modules/system/lvm.if
++++ b/policy/modules/system/lvm.if
+@@ -86,6 +86,50 @@ interface(`lvm_read_config',`
+
+ ########################################
+ ##
++## Read LVM configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`lvm_read_metadata',`
++ gen_require(`
++ type lvm_etc_t;
++ type lvm_metadata_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 lvm_etc_t:dir list_dir_perms;
++ read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)
++')
++
++########################################
++##
++## Read LVM configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`lvm_write_metadata',`
++ gen_require(`
++ type lvm_etc_t;
++ type lvm_metadata_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 lvm_etc_t:dir list_dir_perms;
++ write_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)
++')
++
++########################################
++##
+ ## Manage LVM configuration files.
+ ##
+ ##
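Review bot: Both new interfaces carry the summary "Read LVM configuration files.", but `lvm_write_metadata` grants `write_files_pattern` and both operate on `lvm_metadata_t`, not the configuration type; suggest `## Read LVM metadata files.` and `## Write LVM metadata files.` respectively. The argument spacing in `read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)` and its write twin also departs from the `($1, x, x)` form used elsewhere in this file.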
+@@ -123,3 +167,131 @@ interface(`lvm_domtrans_clvmd',`
+ corecmd_search_bin($1)
+ domtrans_pattern($1, clvmd_exec_t, clvmd_t)
+ ')
++
++########################################
++##
++## Read and write to lvm temporary file system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_rw_clvmd_tmpfs_files',`
++ gen_require(`
++ type clvmd_tmpfs_t;
++ ')
++
++ allow $1 clvmd_tmpfs_t:file rw_file_perms;
++')
++
++########################################
++##
++## Delete lvm temporary file system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_delete_clvmd_tmpfs_files',`
++ gen_require(`
++ type clvmd_tmpfs_t;
++ ')
++
++ allow $1 clvmd_tmpfs_t:file unlink;
++')
++
++########################################
++##
++## Send lvm a null signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_signull',`
++ gen_require(`
++ type lvm_t;
++ ')
++
++ allow $1 lvm_t:process signull;
++')
++
++########################################
++##
++## Send a message to lvm over the
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_dgram_send',`
++ gen_require(`
++ type lvm_t;
++ ')
++
++ allow $1 lvm_t:unix_dgram_socket sendto;
++')
++
++########################################
++##
++## Read and write a lvm unnamed pipe.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_rw_pipes',`
++ gen_require(`
++ type lvm_var_run_t;
++ ')
++
++ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to access check cert dirs/files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`lvm_dontaudit_access_check_lock',`
++ gen_require(`
++ type lvm_lock_t;
++ ')
++
++ dontaudit $1 lvm_lock_t:dir audit_access;
++')
++
++########################################
++##
++## Read the process state (/proc/pid) of lvm.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_read_state',`
++ gen_require(`
++ type lvm_t;
++ ')
++
++ ps_process_pattern($1, lvm_t)
++')
++
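Review bot: `lvm_dontaudit_access_check_lock` is documented as "Do not audit attempts to access check cert dirs/files", a copy-paste left over from another module; the body dontaudits `audit_access` on `lvm_lock_t` dirs, so `## Do not audit access checks on LVM lock directories.` fits. `lvm_rw_pipes` similarly says "Read and write a lvm unnamed pipe" while it grants `rw_inherited_fifo_file_perms` on `lvm_var_run_t` fifo files, i.e. named pipes under the pid directory inherited from lvm; the summary should say so. The trailing blank line at the end of the file is a minor style nit.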
+diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
+index 79048c4..ce6f0ce 100644
+--- a/policy/modules/system/lvm.te
++++ b/policy/modules/system/lvm.te
+@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
+ type clvmd_initrc_exec_t;
+ init_script_file(clvmd_initrc_exec_t)
+
++type clvmd_tmpfs_t alias clmvd_tmpfs_t;
++files_tmpfs_file(clvmd_tmpfs_t)
++
+ type clvmd_var_run_t;
+ files_pid_file(clvmd_var_run_t)
+
+@@ -24,7 +27,7 @@ domain_obj_id_change_exemption(lvm_t)
+ role system_r types lvm_t;
+
+ type lvm_etc_t;
+-files_type(lvm_etc_t)
++files_config_file(lvm_etc_t)
+
+ type lvm_lock_t;
+ files_lock_file(lvm_lock_t)
+@@ -41,6 +44,9 @@ files_pid_file(lvm_var_run_t)
+ type lvm_tmp_t;
+ files_tmp_file(lvm_tmp_t)
+
++type lvm_unit_file_t;
++systemd_unit_file(lvm_unit_file_t)
++
+ ########################################
+ #
+ # Cluster LVM daemon local policy
+@@ -49,15 +55,19 @@ files_tmp_file(lvm_tmp_t)
+ allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
+ dontaudit clvmd_t self:capability sys_tty_config;
+ allow clvmd_t self:process { signal_perms setsched };
+-dontaudit clvmd_t self:process ptrace;
+ allow clvmd_t self:socket create_socket_perms;
+ allow clvmd_t self:fifo_file rw_fifo_file_perms;
+ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow clvmd_t self:tcp_socket create_stream_socket_perms;
+ allow clvmd_t self:udp_socket create_socket_perms;
+
++manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)
++manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)
++fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })
++
++manage_dirs_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
+ manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
+-files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
++files_pid_filetrans(clvmd_t, clvmd_var_run_t, { file dir })
+
+ read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t)
+
+@@ -71,7 +81,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
+ corecmd_exec_shell(clvmd_t)
+ corecmd_getattr_bin_files(clvmd_t)
+
+-corenet_all_recvfrom_unlabeled(clvmd_t)
+ corenet_all_recvfrom_netlabel(clvmd_t)
+ corenet_tcp_sendrecv_generic_if(clvmd_t)
+ corenet_udp_sendrecv_generic_if(clvmd_t)
+@@ -120,9 +129,6 @@ init_dontaudit_getattr_initctl(clvmd_t)
+
+ logging_send_syslog_msg(clvmd_t)
+
+-miscfiles_read_localization(clvmd_t)
+-
+-seutil_dontaudit_search_config(clvmd_t)
+ seutil_sigchld_newrole(clvmd_t)
+ seutil_read_config(clvmd_t)
+ seutil_read_file_contexts(clvmd_t)
+@@ -141,6 +147,11 @@ ifdef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ aisexec_stream_connect(clvmd_t)
++ corosync_stream_connect(clvmd_t)
++')
++
++optional_policy(`
+ ccs_stream_connect(clvmd_t)
+ ')
+
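Review bot: `aisexec_stream_connect(clvmd_t)` and `corosync_stream_connect(clvmd_t)` are placed in a single `optional_policy` block, so if either module is absent from the build the whole block is dropped and clvmd loses both connections. Unless both interfaces come from the same module in this tree, split them into two blocks, one per module, the way `ccs_stream_connect` gets its own below.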
+@@ -170,15 +181,22 @@ dontaudit lvm_t self:capability sys_tty_config;
+ allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
+ # LVM will complain a lot if it cannot set its priority.
+ allow lvm_t self:process setsched;
++allow lvm_t self:sem create_sem_perms;
+ allow lvm_t self:file rw_file_perms;
+ allow lvm_t self:fifo_file manage_fifo_file_perms;
+ allow lvm_t self:unix_dgram_socket create_socket_perms;
++allow lvm_t self:socket create_stream_socket_perms;
+ allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow lvm_t self:sem create_sem_perms;
+
+ allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
+
++allow lvm_t lvm_unit_file_t:file manage_file_perms;
++systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file)
++systemd_create_unit_file_dirs(lvm_t)
++systemd_create_unit_file_lnk(lvm_t)
++
+ manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
+ manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
+ files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
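Review bot: `allow lvm_t self:sem create_sem_perms;` is inserted at the top of the self rules while the identical rule is still present a few lines below, so one copy should be dropped. The new `allow lvm_t lvm_unit_file_t:file manage_file_perms;` together with `systemd_unit_file_filetrans`, `systemd_create_unit_file_dirs` and `systemd_create_unit_file_lnk` lets lvm_t create and rewrite systemd unit files and their symlinks, which is a write path into what init will execute; that needs a why-comment naming the writer, e.g. `# lvm2's activation generator writes unit files under the systemd generator dirs — TODO confirm`, and the filetrans should be name-restricted if the generator's file names are fixed. The lvm_t local-policy section continues outside the hunk.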
+@@ -191,10 +209,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+ can_exec(lvm_t, lvm_exec_t)
+
+ # Creating lock files
++manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+ manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+ create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+ files_lock_filetrans(lvm_t, lvm_lock_t, file)
+ files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
++files_lock_filetrans(lvm_t, lvm_lock_t, dir, "dmraid")
+
+ manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+ manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
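Review bot: the added `manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)` already includes everything `create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)` two lines below grants, so the create line is now redundant and should be removed. The `"dmraid"` named transition is fine; a short comment such as `# lvm and dmraid share the lock dir type` would explain why a second name lands in lvm_lock_t.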
+@@ -202,8 +222,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+
+ manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+ manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
++manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+ manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+-files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
++files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
++init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
+
+ read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+ read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+@@ -220,6 +242,7 @@ kernel_read_kernel_sysctls(lvm_t)
+ # it has no reason to need this
+ kernel_dontaudit_getattr_core_if(lvm_t)
+ kernel_use_fds(lvm_t)
++kernel_request_load_module(lvm_t)
+ kernel_search_debugfs(lvm_t)
+
+ corecmd_exec_bin(lvm_t)
+@@ -230,11 +253,13 @@ dev_delete_generic_dirs(lvm_t)
+ dev_read_rand(lvm_t)
+ dev_read_urand(lvm_t)
+ dev_rw_lvm_control(lvm_t)
++dev_write_kmsg(lvm_t)
+ dev_manage_generic_symlinks(lvm_t)
+ dev_relabel_generic_dev_dirs(lvm_t)
+ dev_manage_generic_blk_files(lvm_t)
+ # Read /sys/block. Device mapper metadata is kept there.
+-dev_read_sysfs(lvm_t)
++# cryptsetup writes read_ahead_kb
++dev_rw_sysfs(lvm_t)
+ # cjp: this has no effect since LVM does not
+ # have lnk_file relabelto for anything else.
+ # perhaps this should be blk_files?
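Review bot: `dev_rw_sysfs(lvm_t)` widens lvm_t from read to read/write over all of sysfs to satisfy a single attribute (`read_ahead_kb`, per the new comment). If this tree has a narrower interface for block-device sysfs attributes it should be used; otherwise make the breadth explicit so it is not mistaken for a minimal grant, e.g. `# cryptsetup writes queue/read_ahead_kb; no narrower sysfs interface exists, so rw over all of sysfs`. `dev_write_kmsg(lvm_t)` a few lines up also lands without a note on who writes to /dev/kmsg.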
+@@ -246,6 +271,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+ dev_dontaudit_getattr_generic_blk_files(lvm_t)
+ dev_dontaudit_getattr_generic_pipes(lvm_t)
+ dev_create_generic_dirs(lvm_t)
++dev_rw_generic_files(lvm_t)
+
+ domain_use_interactive_fds(lvm_t)
+ domain_read_all_domains_state(lvm_t)
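Review bot: `dev_rw_generic_files(lvm_t)` grants read/write on every generic `device_t` file and has no comment, unlike the rules around it; since lvm_t already has `dev_manage_generic_blk_files` and `dev_rw_lvm_control`, state which unlabeled /dev node still needs this, e.g. `# TODO: identify the generic /dev file lvm writes and give it its own type`, so the grant can be narrowed once that node is labeled.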
+@@ -255,17 +281,21 @@ files_read_etc_files(lvm_t)
+ files_read_etc_runtime_files(lvm_t)
+ # for when /usr is not mounted:
+ files_dontaudit_search_isid_type_dirs(lvm_t)
++fs_rw_inherited_tmpfs_files(lvm_t)
+
+-fs_getattr_xattr_fs(lvm_t)
++fs_getattr_all_fs(lvm_t)
+ fs_search_auto_mountpoints(lvm_t)
+ fs_list_tmpfs(lvm_t)
+ fs_read_tmpfs_symlinks(lvm_t)
+ fs_dontaudit_read_removable_files(lvm_t)
+ fs_dontaudit_getattr_tmpfs_files(lvm_t)
+ fs_rw_anon_inodefs_files(lvm_t)
++fs_list_auto_mountpoints(lvm_t)
++fs_list_hugetlbfs(lvm_t)
+
+ mls_file_read_all_levels(lvm_t)
+ mls_file_write_to_clearance(lvm_t)
++mls_file_upgrade(lvm_t)
+
+ selinux_get_fs_mount(lvm_t)
+ selinux_validate_context(lvm_t)
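Review bot: `mls_file_upgrade(lvm_t)` is an MLS override that lets lvm_t raise the level of files, added next to `mls_file_write_to_clearance` with no explanation; MLS exemptions are expected to carry a why-comment, e.g. `# relabels activated volumes to the caller's level — TODO confirm`. `fs_getattr_all_fs` replacing `fs_getattr_xattr_fs` is a reasonable widening for a tool that stats arbitrary mounts and needs no note.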
+@@ -285,7 +315,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+ # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
+ storage_manage_fixed_disk(lvm_t)
+
+-term_use_all_terms(lvm_t)
++term_use_all_inherited_terms(lvm_t)
+
+ init_use_fds(lvm_t)
+ init_dontaudit_getattr_initctl(lvm_t)
+@@ -293,15 +323,22 @@ init_use_script_ptys(lvm_t)
+ init_read_script_state(lvm_t)
+
+ logging_send_syslog_msg(lvm_t)
++logging_stream_connect_syslog(lvm_t)
+
+-miscfiles_read_localization(lvm_t)
++authlogin_rw_pipes(lvm_t)
++auth_use_nsswitch(lvm_t)
+
+ seutil_read_config(lvm_t)
+ seutil_read_file_contexts(lvm_t)
+ seutil_search_default_contexts(lvm_t)
+ seutil_sigchld_newrole(lvm_t)
+
++userdom_use_inherited_user_terminals(lvm_t)
+ userdom_use_user_terminals(lvm_t)
++userdom_rw_semaphores(lvm_t)
++userdom_search_user_home_dirs(lvm_t)
++
++usermanage_read_crack_db(lvm_t)
+
+ ifdef(`distro_redhat',`
+ # this is from the initrd:
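Review bot: `usermanage_read_crack_db(lvm_t)` and `userdom_search_user_home_dirs(lvm_t)` arrive without a why-comment; the cracklib dictionary is presumably for passphrase-quality checks when cryptsetup formats a LUKS volume and the home search for key files, so say so: `# cryptsetup luksFormat runs pwquality against the cracklib dictionary` and `# LUKS keyfiles may live in user home dirs`. `authlogin_rw_pipes` uses the module name as its prefix while the next line's `auth_use_nsswitch` uses the `auth_` prefix; confirm the interface exists under that name in this tree or rename it for consistency.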
+@@ -313,6 +350,11 @@ ifdef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ aisexec_stream_connect(lvm_t)
++ corosync_stream_connect(lvm_t)
++')
++
++optional_policy(`
+ bootloader_rw_tmp_files(lvm_t)
+ ')
+
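Review bot: `aisexec_stream_connect(lvm_t)` and `corosync_stream_connect(lvm_t)` share one `optional_policy` block, so a build without either module silently drops both rules; unless the two interfaces are defined by the same module here, give each its own block as `bootloader_rw_tmp_files` has below.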
+@@ -333,14 +375,34 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ docker_rw_sem(lvm_t)
++')
++
++optional_policy(`
++ livecd_rw_semaphores(lvm_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(lvm_t)
+ ')
+
+ optional_policy(`
++ raid_read_mdadm_pid(lvm_t)
++')
++
++optional_policy(`
+ rpm_manage_script_tmp_files(lvm_t)
+ ')
+
+ optional_policy(`
++ policykit_dbus_chat(lvm_t)
++')
++
++optional_policy(`
++ systemd_manage_passwd_run(lvm_t)
++')
++
++optional_policy(`
+ udev_read_db(lvm_t)
+ udev_read_pid_files(lvm_t)
+ ')
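Review bot: `systemd_manage_passwd_run(lvm_t)` and `policykit_dbus_chat(lvm_t)` are added with no comment on why an LVM tool manages /run/systemd/ask-password entries or talks to polkit over D-Bus; the former is presumably for cryptsetup passphrase prompts, the latter is unclear from here. Add `# cryptsetup prompts for passphrases through systemd-ask-password` and a matching one-liner for the polkit chat. `docker_rw_sem` and `livecd_rw_semaphores`, like the earlier `userdom_rw_semaphores`, look like leaked semaphores from the invoking domains; one comment stating that lvm is exec'd from those domains and inherits their semaphores would cover all three.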
+diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
+index 9fe8e01..3d71062 100644
+--- a/policy/modules/system/miscfiles.fc
++++ b/policy/modules/system/miscfiles.fc
+@@ -9,11 +9,14 @@ ifdef(`distro_gentoo',`
+ # /etc
+ #
+ /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+-/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
+-/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
++/etc/docker/certs\.d(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/etc/localtime gen_context(system_u:object_r:locale_t,s0)
++/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
+ /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
++/etc/vconsole.conf -- gen_context(system_u:object_r:locale_t,s0)
+
+ ifdef(`distro_redhat',`
+ /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
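Review bot: `/etc/docker/certs\.d(/.*)?` and the widened `/etc/httpd/alias(/.*)?` label entire directories `cert_t`, and `cert_t` is readable by every domain that calls `miscfiles_read_all_certs` or `miscfiles_read_generic_certs`; both trees can hold private key material (per-registry `client.key` files under certs.d, and the NSS key database plus its password file under alias, which the previous pattern limited to `*.db`). If those files are meant to be reachable by every certificate reader say so in a comment; otherwise leave them at the directory default or give them a private type. Dropping the `--` qualifier on `/etc/localtime` so the symlink form is covered matches the `lnk_file` transition added in the .if and deserves a mention in the commit message.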
+@@ -37,24 +40,20 @@ ifdef(`distro_redhat',`
+
+ /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+-/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+-/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+-
+-/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+-
+ /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+ /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+-/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+ /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+-/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+-/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
+-
++/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
++/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
++/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
+
+ /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+
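Review bot: the `/usr/local/man(/.*)?`, `/usr/local/share/man(/.*)?` and `/usr/local/share/fonts(/.*)?` entries are removed with no replacement in this file; unless a `file_contexts.subs_dist` equivalence maps `/usr/local/share` onto `/usr/share` in this tree, those paths fall back to the generic /usr label and `man_t`/`fonts_t` readers lose access to locally installed pages and fonts. Keep the lines, or add a comment naming the substitution that now covers them.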
+@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
+
+ /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
+ /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
+-/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0)
++
+
+ /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
+@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
+ ')
+
+ ifdef(`distro_redhat',`
++/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ ')
+diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
+index fc28bc3..8828b8a 100644
+--- a/policy/modules/system/miscfiles.if
++++ b/policy/modules/system/miscfiles.if
+@@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
+
+ ########################################
+ ##
++## Read all SSL certificates.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`miscfiles_manage_all_certs',`
++ gen_require(`
++ attribute cert_type;
++ ')
++
++ allow $1 cert_type:dir list_dir_perms;
++ manage_files_pattern($1, cert_type, cert_type)
++ manage_lnk_files_pattern($1, cert_type, cert_type)
++')
++
++########################################
++##
+ ## Read generic SSL certificates.
+ ##
+ ##
+@@ -106,6 +127,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
+
+ ########################################
+ ##
++## Dontaudit attempts to write generic SSL certificates.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`miscfiles_dontaudit_write_generic_cert_files',`
++ gen_require(`
++ type cert_t;
++ ')
++
++ dontaudit $1 cert_t:file write;
++')
++
++########################################
++##
+ ## Manage generic SSL certificates.
+ ##
+ ##
+@@ -121,7 +160,7 @@ interface(`miscfiles_manage_generic_cert_files',`
+ ')
+
+ manage_files_pattern($1, cert_t, cert_t)
+- read_lnk_files_pattern($1, cert_t, cert_t)
++ manage_lnk_files_pattern($1, cert_t, cert_t)
+ ')
+
+ ########################################
+@@ -156,6 +195,26 @@ interface(`miscfiles_manage_cert_dirs',`
+
+ ########################################
+ ##
++## Do not audit attempts to access check cert dirs/files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`miscfiles_dontaudit_access_check_cert',`
++ gen_require(`
++ type cert_t;
++ ')
++
++ dontaudit $1 cert_t:file audit_access;
++ dontaudit $1 cert_t:dir audit_access;
++')
++
++
++########################################
++##
+ ## Manage SSL certificates.
+ ##
+ ##
+@@ -434,6 +493,7 @@ interface(`miscfiles_rw_localization',`
+ files_search_usr($1)
+ allow $1 locale_t:dir list_dir_perms;
+ rw_files_pattern($1, locale_t, locale_t)
++ manage_lnk_files_pattern($1, locale_t, locale_t)
+ ')
+
+ ########################################
+@@ -453,6 +513,7 @@ interface(`miscfiles_relabel_localization',`
+
+ files_search_usr($1)
+ relabel_files_pattern($1, locale_t, locale_t)
++ relabel_lnk_files_pattern($1, locale_t, locale_t)
+ ')
+
+ ########################################
+@@ -470,7 +531,6 @@ interface(`miscfiles_legacy_read_localization',`
+ type locale_t;
+ ')
+
+- miscfiles_read_localization($1)
+ allow $1 locale_t:file execute;
+ ')
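Review bot: removing `miscfiles_read_localization($1)` leaves `miscfiles_legacy_read_localization` granting only `locale_t:file execute`, while its name (and the description above the hunk) promises read access. If read on `locale_t` has been moved to a global rule for all domains, record that here, e.g. `# read access is granted to every domain elsewhere; only execute remains`, otherwise callers that depended on this interface for read silently lose it.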
+
+@@ -531,6 +591,10 @@ interface(`miscfiles_read_man_pages',`
+ allow $1 { man_cache_t man_t }:dir list_dir_perms;
+ read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
++
++ optional_policy(`
++ mandb_read_cache_files($1)
++ ')
+ ')
+
+ ########################################
+@@ -554,6 +618,29 @@ interface(`miscfiles_delete_man_pages',`
+ delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
++ optional_policy(`
++ mandb_setattr_cache_dirs($1)
++ mandb_delete_cache($1)
++ ')
++')
++#######################################
++##
++## Create, read, write, and delete man pages
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`miscfiles_setattr_man_pages',`
++ gen_require(`
++ type man_t;
++ ')
++
++ files_search_usr($1)
++
++ allow $1 man_t:dir setattr;
+ ')
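Review bot: `miscfiles_setattr_man_pages` is documented as `## Create, read, write, and delete man pages` but grants only `man_t:dir setattr`; fix the summary to `## Set attributes on man page directories.`. The new block also lacks the blank line before its `#####` separator that every other interface in this file has.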
+
+ ########################################
+@@ -622,6 +709,30 @@ interface(`miscfiles_manage_man_cache',`
+
+ ########################################
+ ##
++## Allow process to relabel man_pages info
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`miscfiles_relabel_man_pages',`
++ gen_require(`
++ type man_t;
++ ')
++
++ files_search_usr($1)
++ relabel_dirs_pattern($1, man_t, man_t)
++ relabel_files_pattern($1, man_t, man_t)
++
++ optional_policy(`
++ mandb_relabel_cache($1)
++ ')
++')
++
++########################################
++##
+ ## Read public files used for file
+ ## transfer services.
+ ##
+@@ -784,8 +895,11 @@ interface(`miscfiles_etc_filetrans_localization',`
+ type locale_t;
+ ')
+
+- files_etc_filetrans($1, locale_t, file)
+-
++ files_etc_filetrans($1, locale_t, lnk_file)
++ files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
++ files_etc_filetrans($1, locale_t, file, "locale.conf" )
++ files_etc_filetrans($1, locale_t, file, "timezone" )
++ files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
+ ')
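Review bot: `files_etc_filetrans($1, locale_t, lnk_file)` is an unnamed transition, so every symlink a caller creates in any `etc_t` directory becomes `locale_t`, not only `localtime`; the four named transitions on the following lines already cover the real cases, so the unnamed line should be dropped. This interface now duplicates `miscfiles_filetrans_locale_named_content` added later in the same file with a slightly different list (no `clock`, no `locale.conf.new`); have one call the other so the two lists cannot drift apart.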
+
+ ########################################
+@@ -809,3 +923,61 @@ interface(`miscfiles_manage_localization',`
+ manage_lnk_files_pattern($1, locale_t, locale_t)
+ ')
+
++########################################
++##
++## Transition to miscfiles locale named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`miscfiles_filetrans_locale_named_content',`
++ gen_require(`
++ type locale_t;
++ ')
++
++ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
++ files_etc_filetrans($1, locale_t, file, "locale.conf")
++ files_etc_filetrans($1, locale_t, file, "vconsole.conf")
++ files_etc_filetrans($1, locale_t, file, "locale.conf.new")
++ files_etc_filetrans($1, locale_t, file, "timezone")
++ files_etc_filetrans($1, locale_t, file, "clock")
++ files_usr_filetrans($1, locale_t, dir, "locale")
++ files_usr_filetrans($1, locale_t, dir, "zoneinfo")
++')
++
++########################################
++##
++## Transition to miscfiles named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`miscfiles_filetrans_named_content',`
++ gen_require(`
++ type man_t;
++ type cert_t;
++ type fonts_t;
++ type fonts_cache_t;
++ type hwdata_t;
++ type tetex_data_t;
++ type public_content_t;
++ ')
++
++ miscfiles_filetrans_locale_named_content($1)
++ files_var_filetrans($1, man_t, dir, "man")
++ files_etc_filetrans($1, cert_t, dir, "pki")
++ files_usr_filetrans($1, cert_t, dir, "certs")
++ files_usr_filetrans($1, fonts_t, dir, "fonts")
++ files_usr_filetrans($1, hwdata_t, dir, "hwdata")
++ files_var_filetrans($1, fonts_cache_t, dir, "fontconfig")
++ files_var_filetrans($1, tetex_data_t, dir, "fonts")
++ files_spool_filetrans($1, tetex_data_t, dir, "texmf")
++ files_var_lib_filetrans($1, tetex_data_t, dir, "texmf")
++ files_var_filetrans($1, public_content_t, dir, "ftp")
++')
+diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
+index 1361961..be6b7fc 100644
+--- a/policy/modules/system/miscfiles.te
++++ b/policy/modules/system/miscfiles.te
+@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.11.0)
+ #
+ # Declarations
+ #
+-
+ attribute cert_type;
+
+ #
+@@ -48,10 +47,10 @@ files_type(man_cache_t)
+ # Types for public content
+ #
+ type public_content_t; #, customizable;
+-files_type(public_content_t)
++files_mountpoint(public_content_t)
+
+ type public_content_rw_t; #, customizable;
+-files_type(public_content_rw_t)
++files_mountpoint(public_content_rw_t)
+
+ #
+ # Base type for the tests directory.
+diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
+index 9933677..ca14c17 100644
+--- a/policy/modules/system/modutils.fc
++++ b/policy/modules/system/modutils.fc
+@@ -23,3 +23,15 @@ ifdef(`distro_gentoo',`
+ /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
+
+ /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
++
++/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
++/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
++/usr/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
++/usr/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
++
++/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
++
++/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
+diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
+index 7449974..23bbbf2 100644
+--- a/policy/modules/system/modutils.if
++++ b/policy/modules/system/modutils.if
+@@ -12,7 +12,7 @@
+ #
+ interface(`modutils_getattr_module_deps',`
+ gen_require(`
+- type modules_dep_t;
++ type modules_dep_t, modules_object_t;
+ ')
+
+ getattr_files_pattern($1, modules_object_t, modules_dep_t)
+@@ -39,6 +39,44 @@ interface(`modutils_read_module_deps',`
+
+ ########################################
+ ##
++## Read the dependencies of kernel modules.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`modutils_delete_module_deps',`
++ gen_require(`
++ type modules_dep_t;
++ ')
++
++ delete_files_pattern($1, modules_dep_t, modules_dep_t)
++')
++
++########################################
++##
++## list the configuration options used when
++## loading modules.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`modutils_list_module_config',`
++ gen_require(`
++ type modules_conf_t;
++ ')
++
++ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
++')
++
++########################################
++##
+ ## Read the configuration options used when
+ ## loading modules.
+ ##
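Review bot: `modutils_delete_module_deps` is summarized as `## Read the dependencies of kernel modules.` while it grants `delete_files_pattern($1, modules_dep_t, modules_dep_t)`; change the summary to `## Delete the dependencies of kernel modules.`. The `modutils_list_module_config` block that follows is described correctly.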
+@@ -163,6 +201,24 @@ interface(`modutils_domtrans_insmod',`
+
+ ########################################
+ ##
++## Allow send signal to insmod.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`modutils_signal_insmod',`
++ gen_require(`
++ type insmod_t;
++ ')
++
++ allow $1 insmod_t:process signal;
++')
++
++########################################
++##
+ ## Execute insmod in the insmod domain, and
+ ## allow the specified role the insmod domain,
+ ## and use the caller's terminal. Has a sigchld
+@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',`
+ can_exec($1, insmod_exec_t)
+ ')
+
++#######################################
++##
++## Don't audit execute insmod in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`modutils_dontaudit_exec_insmod',`
++ gen_require(`
++ type insmod_exec_t;
++ ')
++
++ dontaudit $1 insmod_exec_t:file exec_file_perms;
++')
++
+ ########################################
+ ##
+ ## Execute depmod in the depmod domain.
+@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',`
+ #
+ interface(`modutils_run_update_mods',`
+ gen_require(`
+- attribute_role update_modules_roles;
++ #attribute_role update_modules_roles;
++ type update_modules_t;
+ ')
+
++ #modutils_domtrans_update_mods($1)
++ #roleattribute $2 update_modules_roles;
++
+ modutils_domtrans_update_mods($1)
+- roleattribute $2 update_modules_roles;
++ role $2 types update_modules_t;
++
++ modutils_run_insmod(update_modules_t, $2)
++
+ ')
+
+ ########################################
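Review bot: `modutils_run_update_mods` keeps the old `#attribute_role update_modules_roles;`, `#modutils_domtrans_update_mods($1)` and `#roleattribute $2 update_modules_roles;` as commented-out lines beside their replacements; dead code should be deleted, not commented out. The added `modutils_run_insmod(update_modules_t, $2)` now gives every role that may run update-modules the insmod domain as well, which is right only if the matching rule was removed from modutils.te; a comment such as `# the update-modules -> insmod step needs the caller's role in insmod_t` would make that coupling visible. The blank line left before `')` is stray.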
+@@ -333,3 +414,25 @@ interface(`modutils_exec_update_mods',`
+ corecmd_search_bin($1)
+ can_exec($1, update_modules_exec_t)
+ ')
++
++########################################
++##
++## Transition to modutils named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`modules_filetrans_named_content',`
++ gen_require(`
++ type modules_dep_t;
++ type modules_conf_t;
++ ')
++
++ files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
++ files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
++')
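Review bot: the new interface is named `modules_filetrans_named_content` while every other interface in this file carries the `modutils_` prefix; rename it `modutils_filetrans_named_content` so it is discoverable and consistent. The two `files_kernel_modules_filetrans` calls assume that interface exists in this tree's files module, which is not visible here; confirm before relying on it.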
+diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
+index 7a363b8..ba534ac 100644
+--- a/policy/modules/system/modutils.te
++++ b/policy/modules/system/modutils.te
+@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
+ # Declarations
+ #
+
+-attribute_role update_modules_roles;
++#attribute_role update_modules_roles;
+
+ type depmod_t;
+ type depmod_exec_t;
+@@ -16,11 +16,15 @@ type insmod_t;
+ type insmod_exec_t;
+ application_domain(insmod_t, insmod_exec_t)
+ mls_file_write_all_levels(insmod_t)
++mls_process_write_down(insmod_t)
+ role system_r types insmod_t;
+
++type insmod_var_run_t;
++files_pid_file(insmod_var_run_t)
++
+ # module loading config
+ type modules_conf_t;
+-files_type(modules_conf_t)
++files_config_file(modules_conf_t)
+
+ # module dependencies
+ type modules_dep_t;
+@@ -29,12 +33,16 @@ files_type(modules_dep_t)
+ type update_modules_t;
+ type update_modules_exec_t;
+ init_system_domain(update_modules_t, update_modules_exec_t)
+-roleattribute system_r update_modules_roles;
+-role update_modules_roles types update_modules_t;
++#roleattribute system_r update_modules_roles;
++#role update_modules_roles types update_modules_t;
++role system_r types update_modules_t;
+
+ type update_modules_tmp_t;
+ files_tmp_file(update_modules_tmp_t)
+
++type insmod_tmpfs_t;
++files_tmpfs_file(insmod_tmpfs_t)
++
+ ########################################
+ #
+ # depmod local policy
+@@ -54,12 +62,15 @@ corecmd_search_bin(depmod_t)
+
+ domain_use_interactive_fds(depmod_t)
+
++files_delete_kernel_modules(depmod_t)
+ files_read_kernel_symbol_table(depmod_t)
+ files_read_kernel_modules(depmod_t)
+ files_read_etc_runtime_files(depmod_t)
+ files_read_etc_files(depmod_t)
+ files_read_usr_src_files(depmod_t)
+ files_list_usr(depmod_t)
++files_append_var_files(depmod_t)
++files_read_boot_files(depmod_t)
+
+ fs_getattr_xattr_fs(depmod_t)
+
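Review bot: `files_append_var_files(depmod_t)` gives depmod append access to every generic `var_t` file with no comment on which file it actually targets; if it is one specific log or cache file, label it and use that type, or at minimum record the path, e.g. `# appends to /var/<path> — TODO narrow to a dedicated type`. `files_delete_kernel_modules(depmod_t)` and `files_read_boot_files(depmod_t)` are plausible for regenerating modules.dep from /boot/System.map and could each take a one-line reason.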
+@@ -69,10 +80,12 @@ init_use_fds(depmod_t)
+ init_use_script_fds(depmod_t)
+ init_use_script_ptys(depmod_t)
+
+-userdom_use_user_terminals(depmod_t)
++userdom_use_inherited_user_terminals(depmod_t)
+ # Read System.map from home directories.
+ files_list_home(depmod_t)
+ userdom_read_user_home_content_files(depmod_t)
++userdom_manage_user_tmp_files(depmod_t)
++userdom_home_reader(depmod_t)
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
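Review bot: `userdom_manage_user_tmp_files(depmod_t)` and `userdom_home_reader(depmod_t)` extend depmod from reading System.map in home directories (the existing comment) to managing user tmp files and reading all home content, and the tmp access has no stated reason. Add a comment such as `# depmod run from a user session writes its scratch files in the user's tmp dir — TODO confirm`, or drop the rule if it only silences a leak that a dontaudit would cover.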
+@@ -80,12 +93,8 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(depmod_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(depmod_t)
++optional_policy(`
++ bootloader_rw_tmp_files(insmod_t)
+ ')
+
+ optional_policy(`
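Review bot: `bootloader_rw_tmp_files(insmod_t)` is placed in the depmod local-policy section, between the `distro_ubuntu` block and depmod's `optional_policy` blocks, but it targets `insmod_t`; move it into the insmod section further down so the file stays grouped by domain. The `use_nfs_home_dirs`/`use_samba_home_dirs` tunables removed here were what let depmod read System.map from NFS or CIFS homes; if `userdom_home_reader` does not cover those filesystems in this tree, that ability is lost.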
+@@ -94,7 +103,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- # Read System.map from home directories.
+ unconfined_domain(depmod_t)
+ ')
+
+@@ -103,11 +111,12 @@ optional_policy(`
+ # insmod local policy
+ #
+
+-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
++allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
+ allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+
+ allow insmod_t self:udp_socket create_socket_perms;
+ allow insmod_t self:rawip_socket create_socket_perms;
++allow insmod_t self:shm create_shm_perms;
+
+ # Read module config and dependency information
+ list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
+@@ -115,20 +124,28 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
+ list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
+ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+
++manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
++manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
++files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file })
++
+ can_exec(insmod_t, insmod_exec_t)
+
++manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
++fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
++
+ kernel_load_module(insmod_t)
+-kernel_request_load_module(insmod_t)
++files_manage_kernel_modules(insmod_t)
+ kernel_read_system_state(insmod_t)
+ kernel_read_network_state(insmod_t)
+ kernel_write_proc_files(insmod_t)
+ kernel_mount_debugfs(insmod_t)
+ kernel_mount_kvmfs(insmod_t)
+ kernel_read_debugfs(insmod_t)
++kernel_request_load_module(insmod_t)
+ # Rules for /proc/sys/kernel/tainted
+ kernel_read_kernel_sysctls(insmod_t)
+ kernel_rw_kernel_sysctl(insmod_t)
+-kernel_read_hotplug_sysctls(insmod_t)
++kernel_read_usermodehelper_state(insmod_t)
+ kernel_setsched(insmod_t)
+
+ corecmd_exec_bin(insmod_t)
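Review bot: `manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)`, `fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)` and `{dir file }` do not follow the `a, b, c` / `{ dir file }` spacing used on every other line of this file; reformat them to match. `files_manage_kernel_modules(insmod_t)` lets the module loader create and delete files in the tree it loads from, a wider grant than the `files_write_kernel_modules` it already had; a comment naming the writer (presumably depmod or weak-modules run through kmod) would justify it.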
+@@ -142,6 +159,7 @@ dev_rw_agp(insmod_t)
+ dev_read_sound(insmod_t)
+ dev_write_sound(insmod_t)
+ dev_rw_apm_bios(insmod_t)
++dev_create_generic_chr_files(insmod_t)
+
+ domain_signal_all_domains(insmod_t)
+ domain_use_interactive_fds(insmod_t)
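Review bot: `dev_create_generic_chr_files(insmod_t)`, together with the `mknod` capability added to insmod_t's self rules earlier in this patch, lets the module loader create arbitrary character device nodes, and nothing says which node; name it, e.g. `# modprobe creates /dev/<node> for <driver> — TODO confirm`, and switch to that device's own type once it is labeled so the generic create can be dropped.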
+@@ -151,30 +169,38 @@ files_read_etc_runtime_files(insmod_t)
+ files_read_etc_files(insmod_t)
+ files_read_usr_files(insmod_t)
+ files_exec_etc_files(insmod_t)
++# users installing vbox put kernel modules in /var/lib
++files_read_var_lib_files(insmod_t)
++files_read_kernel_symbol_table(insmod_t)
+ # for nscd:
+ files_dontaudit_search_pids(insmod_t)
+ # for when /var is not mounted early in the boot:
+ files_dontaudit_search_isid_type_dirs(insmod_t)
+ # for locking: (cjp: ????)
+ files_write_kernel_modules(insmod_t)
++allow insmod_t modules_dep_t:file manage_file_perms;
+
+ fs_getattr_xattr_fs(insmod_t)
+ fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
++fs_mount_rpc_pipefs(insmod_t)
++fs_search_rpc(insmod_t)
++
++auth_use_nsswitch(insmod_t)
+
+ init_rw_initctl(insmod_t)
+ init_use_fds(insmod_t)
+ init_use_script_fds(insmod_t)
+ init_use_script_ptys(insmod_t)
++init_spec_domtrans_script(insmod_t)
++init_rw_script_tmp_files(insmod_t)
++init_dontaudit_getattr_stream_socket(insmod_t)
+
+ logging_send_syslog_msg(insmod_t)
+ logging_search_logs(insmod_t)
+
+-miscfiles_read_localization(insmod_t)
+-
+ seutil_read_file_contexts(insmod_t)
+
+-userdom_use_user_terminals(insmod_t)
+-
++term_use_all_inherited_terms(insmod_t)
+ userdom_dontaudit_search_user_home_dirs(insmod_t)
+
+ kernel_domtrans_to(insmod_t, insmod_exec_t)
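Review bot: `init_spec_domtrans_script(insmod_t)` lets insmod_t transition into the init-script domain, so a `modprobe.d` `install`/`softdep` line becomes a path into initrc_t; that is a privilege boundary crossing and needs a why-comment plus confirmation it is required, e.g. `# install lines in modprobe.d invoke service scripts — TODO confirm`. `allow insmod_t modules_dep_t:file manage_file_perms;` is a raw allow where the file uses `manage_files_pattern(insmod_t, modules_dep_t, modules_dep_t)` for the same thing, and it sits under the `# for locking: (cjp: ????)` comment that does not describe it. `fs_mount_rpc_pipefs(insmod_t)` and `fs_search_rpc(insmod_t)` also arrive unexplained; if this is the sunrpc module's autoload, say so.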
+@@ -184,28 +210,33 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- firstboot_dontaudit_rw_pipes(insmod_t)
+- firstboot_dontaudit_rw_stream_sockets(insmod_t)
++ devicekit_use_fds_disk(insmod_t)
++ devicekit_dontaudit_read_pid_files(insmod_t)
+ ')
+
+ optional_policy(`
+- hal_write_log(insmod_t)
++ firstboot_dontaudit_leaks(insmod_t)
+ ')
+
+ optional_policy(`
+- hotplug_search_config(insmod_t)
++ firewalld_dontaudit_write_tmp_files(insmod_t)
++ firewallgui_dontaudit_rw_pipes(insmod_t)
+ ')
+
+ optional_policy(`
+- mount_domtrans(insmod_t)
++ hal_write_log(insmod_t)
++')
++
++optional_policy(`
++ hotplug_search_config(insmod_t)
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(insmod_t)
++ kdump_manage_kdumpctl_tmp_files(insmod_t)
+ ')
+
+ optional_policy(`
+- nscd_use(insmod_t)
++ mount_domtrans(insmod_t)
+ ')
+
+ optional_policy(`
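Review bot: `firewalld_dontaudit_write_tmp_files(insmod_t)` and `firewallgui_dontaudit_rw_pipes(insmod_t)` come from two different modules but share one `optional_policy` block, so the firewalld dontaudit disappears whenever firewallgui is not installed; split them into separate blocks. Dropping `nis_use_ypbind` and `nscd_use` is fine given `auth_use_nsswitch(insmod_t)` now covers both.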
+@@ -225,6 +256,7 @@ optional_policy(`
+
+ optional_policy(`
+ rpm_rw_pipes(insmod_t)
++ rpm_manage_script_tmp_files(insmod_t)
+ ')
+
+ optional_policy(`
+@@ -233,6 +265,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ virt_dontaudit_write_pipes(insmod_t)
++')
++
++optional_policy(`
+ # cjp: why is this needed:
+ dev_rw_xserver_misc(insmod_t)
+
+@@ -291,11 +327,10 @@ init_use_script_ptys(update_modules_t)
+
+ logging_send_syslog_msg(update_modules_t)
+
+-miscfiles_read_localization(update_modules_t)
+
+-modutils_run_insmod(update_modules_t, update_modules_roles)
++#modutils_run_insmod(update_modules_t, update_modules_roles)
+
+-userdom_use_user_terminals(update_modules_t)
++userdom_use_inherited_user_terminals(update_modules_t)
+ userdom_dontaudit_search_user_home_dirs(update_modules_t)
+
+ ifdef(`distro_gentoo',`
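Review bot: `modutils_run_insmod(update_modules_t, update_modules_roles)` is commented out instead of deleted, and its only replacement is the call inside `modutils_run_update_mods` in the .if; update_modules_t started from `system_r` (init or a script) therefore no longer gets the insmod transition unless some caller invokes that interface with system_r. Either add `modutils_run_insmod(update_modules_t, system_r)` here or leave a comment explaining why the system_r case is covered elsewhere, and remove the commented-out line in either case.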
+diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
+index a38605e..f035d9f 100644
+--- a/policy/modules/system/mount.fc
++++ b/policy/modules/system/mount.fc
+@@ -1,6 +1,26 @@
++/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
+ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+ /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+
+-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
++/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+
+-/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++
++/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
++/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++
++/usr/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0)
++
++/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++
++/usr/sbin/mount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/mount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
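Review bot: `/var/cache/davfs2(/.*)?` is labeled `mount_var_run_t`, a `files_pid_file` type, so a persistent cache directory is typed like transient run-time state; use a dedicated cache type, or keep `mount_var_run_t` only for `/var/run/davfs2`. The new `fusermount_exec_t`, `showmount_exec_t` and `mount_ecryptfs_exec_t` types must be declared in mount.te, which is outside this view, and `/dev/\.mount(/.*)?` presumes an early-boot tmpfs location that a comment should name. The parallel `/bin` and `/usr/bin` entries would be unnecessary if this tree ships a /bin → /usr/bin substitution.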
+diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
+index 4584457..c2ae1ea 100644
+--- a/policy/modules/system/mount.if
++++ b/policy/modules/system/mount.if
+@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
+ ')
+
+ domtrans_pattern($1, mount_exec_t, mount_t)
++ mount_domtrans_fusermount($1)
++
++ allow $1 mount_t:fd use;
++ ps_process_pattern(mount_t, $1)
++
++ allow mount_t $1:key write;
++ allow mount_t $1:unix_stream_socket { read write };
+ ')
+
+ ########################################
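Review bot: `mount_domtrans` now adds, for every existing caller, `allow mount_t $1:key write`, `allow mount_t $1:unix_stream_socket { read write }`, `ps_process_pattern(mount_t, $1)` and a second transition through `mount_domtrans_fusermount($1)`, while the interface description above the hunk still promises only an execution of mount in the mount domain. Callers that wanted just the domtrans now also let mount_t write their keyrings and read their sockets; either state the extra grants in the description or move the key and socket rules into a separate interface that the few callers needing them (the keyring write is presumably for mount.cifs or ecryptfs credentials) opt into.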
+@@ -39,6 +46,7 @@ interface(`mount_domtrans',`
+ interface(`mount_run',`
+ gen_require(`
+ attribute_role mount_roles;
++ type mount_t;
+ ')
+
+ mount_domtrans($1)
+@@ -47,6 +55,110 @@ interface(`mount_run',`
+
+ ########################################
+ ##
++## Execute fusermount in the mount domain, and
++## allow the specified role the mount domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the mount domain.
++##
++##
++##
++#
++interface(`mount_run_fusermount',`
++ gen_require(`
++ type mount_t;
++ ')
++
++ mount_domtrans_fusermount($1)
++ role $2 types mount_t;
++
++ fstools_run(mount_t, $2)
++')
++
++########################################
++##
++## Read mount PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mount_read_pid_files',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ read_files_pattern($1, mount_var_run_t, mount_var_run_t)
++ files_search_pids($1)
++')
++
++########################################
++##
++## Read/write mount PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mount_rw_pid_files',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ rw_files_pattern($1, mount_var_run_t, mount_var_run_t)
++ files_search_pids($1)
++')
++
++#######################################
++##
++## Do not audit attemps to write mount PID files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`mount_dontaudit_write_mount_pid',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ dontaudit $1 mount_var_run_t:file write;
++')
++
++########################################
++##
++## Manage mount PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mount_manage_pid_files',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ allow $1 mount_var_run_t:file manage_file_perms;
++ files_search_pids($1)
++')
++
++########################################
++##
+ ## Execute mount in the caller domain.
+ ##
+ ##
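Review bot: `mount_run_fusermount` grants role `$2` far more than its summary says, because `fstools_run(mount_t, $2)` also lets that role run the fstools domain (fsck and friends) via mount_t; if that is required for fusermount it needs a why-comment, otherwise drop the line and leave it to `mount_run`. Separately, `mount_manage_pid_files` uses a bare `allow $1 mount_var_run_t:file manage_file_perms;` with no directory permissions, which is inconsistent with `mount_rw_pid_files` above it and means a caller cannot actually create or unlink files in the `mount_var_run_t` directory; `manage_files_pattern($1, mount_var_run_t, mount_var_run_t)` is the pattern the other interfaces in this hunk use.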
+@@ -91,7 +203,7 @@ interface(`mount_signal',`
+ ##
+ ##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
+ #
+@@ -131,45 +243,184 @@ interface(`mount_send_nfs_client_request',`
+
+ ########################################
+ ##
+-## Execute mount in the unconfined mount domain.
++## Read the mount tmp directory
+ ##
+ ##
+ ##
+-## Domain allowed to transition.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`mount_domtrans_unconfined',`
++interface(`mount_list_tmp',`
+ gen_require(`
+- type unconfined_mount_t, mount_exec_t;
++ type mount_tmp_t;
+ ')
+
+- domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
++ allow $1 mount_tmp_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Execute mount in the unconfined mount domain, and
+-## allow the specified role the unconfined mount domain,
+-## and use the caller's terminal.
++## Execute fusermount in the mount domain.
+ ##
+ ##
+ ##
+-## Domain allowed to transition.
++## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`mount_domtrans_fusermount',`
++ gen_require(`
++ type mount_t, fusermount_exec_t;
++ ')
++
++ domtrans_pattern($1, fusermount_exec_t, mount_t)
++ ps_process_pattern(mount_t, $1)
++
++ allow mount_t $1:unix_stream_socket { read write };
++ allow $1 mount_t:fd use;
++')
++
++########################################
++##
++## Execute fusermount.
++##
++##
+ ##
+-## Role allowed access.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`mount_run_unconfined',`
++interface(`mount_exec_fusermount',`
++ gen_require(`
++ type fusermount_exec_t;
++ ')
++
++ can_exec($1, fusermount_exec_t)
++')
++
++########################################
++##
++## dontaudit Execute fusermount.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`mount_dontaudit_exec_fusermount',`
+ gen_require(`
+- type unconfined_mount_t;
++ type fusermount_exec_t;
+ ')
+
+- mount_domtrans_unconfined($1)
+- role $2 types unconfined_mount_t;
++ dontaudit $1 fusermount_exec_t:file exec_file_perms;
+ ')
++
++######################################
++##
++## Execute a domain transition to run showmount.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mount_domtrans_showmount',`
++ gen_require(`
++ type showmount_t, showmount_exec_t;
++ ')
++
++ domtrans_pattern($1, showmount_exec_t, showmount_t)
++')
++
++######################################
++##
++## Execute showmount in the showmount domain, and
++## allow the specified role the showmount domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the showmount domain.
++##
++##
++#
++interface(`mount_run_showmount',`
++ gen_require(`
++ type showmount_t;
++ ')
++
++ mount_domtrans_showmount($1)
++ role $2 types showmount_t;
++')
++
++#######################################
++##
++## Transition to ecryptmount.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mount_domtrans_ecryptmount',`
++ gen_require(`
++ type mount_ecryptfs_t, mount_ecryptfs_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
++')
++
++#######################################
++##
++## Execute mount in the unconfined mount domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mount_domtrans_unconfined',`
++ gen_require(`
++ type unconfined_mount_t, mount_exec_t;
++ ')
++
++ domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
++')
++
++#######################################
++##
++## Execute mount in the unconfined mount domain, and
++## allow the specified role the unconfined mount domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`mount_run_unconfined',`
++ gen_require(`
++ type unconfined_mount_t;
++ ')
++
++ mount_domtrans_unconfined($1)
++ role $2 types unconfined_mount_t;
++')
++
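Review bot: `mount_domtrans_ecryptmount` has no matching `mount_run_ecryptmount`, yet elsewhere in this diff `mount_ecryptfs_t` is only given `role system_r` (mount.te, L36004), so a user-role domain that calls the domtrans interface will still fail the role check on the transition. showmount gets the `_domtrans`/`_run` pair in this same hunk; ecryptfs should get the same so the `use_ecryptfs_home_dirs` use case can actually reach the domain. A minimal run interface mirroring `mount_run_showmount` would be:

```selinux
#######################################
##
## Execute mount.ecryptfs in the mount_ecryptfs domain, and
## allow the specified role the mount_ecryptfs domain.
##
#
interface(`mount_run_ecryptmount',`
	gen_require(`
		type mount_ecryptfs_t;
	')

	mount_domtrans_ecryptmount($1)
	role $2 types mount_ecryptfs_t;
')
```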
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 459a0ef..9933cad 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -5,13 +5,6 @@ policy_module(mount, 1.16.1)
+ # Declarations
+ #
+
+-##
+-##
+-## Allow the mount command to mount any directory or file.
+-##
+-##
+-gen_tunable(allow_mount_anyfile, false)
+-
+ attribute_role mount_roles;
+ roleattribute system_r mount_roles;
+
+@@ -20,14 +13,37 @@ type mount_exec_t;
+ init_system_domain(mount_t, mount_exec_t)
+ role mount_roles types mount_t;
+
++type fusermount_exec_t;
++domain_entry_file(mount_t, fusermount_exec_t)
++
++typealias mount_t alias mount_ntfs_t;
++typealias mount_exec_t alias mount_ntfs_exec_t;
++
+ type mount_loopback_t; # customizable
+ files_type(mount_loopback_t)
++typealias mount_loopback_t alias mount_loop_t;
+
+ type mount_tmp_t;
+ files_tmp_file(mount_tmp_t)
+
+ type mount_var_run_t;
+ files_pid_file(mount_var_run_t)
++dev_associate(mount_var_run_t)
++
++# showmount - show mount information for an NFS server
++
++type showmount_t;
++type showmount_exec_t;
++application_domain(showmount_t, showmount_exec_t)
++role system_r types showmount_t;
++
++type mount_ecryptfs_t;
++type mount_ecryptfs_exec_t;
++application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t)
++role system_r types mount_ecryptfs_t;
++
++type mount_ecryptfs_tmpfs_t;
++files_tmpfs_file(mount_ecryptfs_tmpfs_t)
+
+ # causes problems with interfaces when
+ # this is optionally declared in monolithic
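Review bot: `dev_associate(mount_var_run_t)` has no comment explaining why a pid-file type must be associable with devtmpfs; the reason appears to be the new `/dev/\.mount(/.*)?` file context and `dev_filetrans(mount_t, mount_var_run_t, dir)` elsewhere in this diff, but that is inference. A one-liner above it such as `# mount creates /dev/.mount before /run is available (see mount.fc) -- confirm` would save the next reader the search. It is also worth a comment on `domain_entry_file(mount_t, fusermount_exec_t)` that fusermount is now a second entry point into mount_t, since that is what makes the extra grants in `mount_domtrans` reachable.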
+@@ -40,8 +56,12 @@ application_domain(unconfined_mount_t, mount_exec_t)
+ # mount local policy
+ #
+
+-# setuid/setgid needed to mount cifs
+-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
++# setuid/setgid needed to mount cifs
++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice };
++allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
++allow mount_t self:fifo_file rw_fifo_file_perms;
++allow mount_t self:unix_stream_socket create_stream_socket_perms;
++allow mount_t self:unix_dgram_socket create_socket_perms;
+
+ allow mount_t mount_loopback_t:file read_file_perms;
+
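Review bot: The comment `# setuid/setgid needed to mount cifs` is kept verbatim while the capability line grows by `fsetid fowner setpcap sys_resource dac_read_search sys_nice` and the process class gains `setcap setrlimit`, so the only justification in the file no longer matches what is granted. `setpcap` plus `process setcap` in particular lets mount_t alter its own capability sets, which deserves its own why-comment, e.g. `# setpcap/setcap: mount helpers drop capabilities before exec (which helper? -- confirm)`. Please either split the capabilities into groups with one comment each or document the helpers that need the additions.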
+@@ -52,13 +72,20 @@ can_exec(mount_t, mount_exec_t)
+
+ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+
+-create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+-create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+-rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
++manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+ files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
++dev_filetrans(mount_t, mount_var_run_t, dir)
+
+ kernel_read_system_state(mount_t)
++kernel_read_network_state(mount_t)
+ kernel_read_kernel_sysctls(mount_t)
++kernel_relabelfrom_unlabeled_fs(mount_t)
++kernel_list_unlabeled(mount_t)
++kernel_manage_debugfs(mount_t)
++kernel_mount_unlabeled(mount_t)
++kernel_unmount_unlabeled(mount_t)
++kernel_use_fds(mount_t)
+ kernel_setsched(mount_t)
+ kernel_dontaudit_getattr_core_if(mount_t)
+ kernel_dontaudit_write_debugfs_dirs(mount_t)
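Review bot: `kernel_manage_debugfs(mount_t)` is a full create/write/delete grant on debugfs, which makes the retained `kernel_dontaudit_write_debugfs_dirs(mount_t)` on the next line dead and silently upgrades what used to be an explicitly tolerated denial into an allow. Mounting and unmounting debugfs is already covered by `fs_mount_all_fs`/`fs_unmount_all_fs` further down, so unless a helper really writes into debugfs the manage rule should go, or the reason should be stated in a comment and the dontaudit removed. The `manage_*_pattern` lines in this hunk also drop the spaces after commas used everywhere else in the file.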
+@@ -69,31 +96,47 @@ kernel_request_load_module(mount_t)
+ # required for mount.smbfs
+ corecmd_exec_bin(mount_t)
+
++dev_getattr_generic_blk_files(mount_t)
+ dev_getattr_all_blk_files(mount_t)
+ dev_list_all_dev_nodes(mount_t)
++dev_read_usbfs(mount_t)
++dev_read_rand(mount_t)
++dev_read_urand(mount_t)
+ dev_read_sysfs(mount_t)
+ dev_dontaudit_write_sysfs_dirs(mount_t)
+ dev_rw_lvm_control(mount_t)
+ dev_dontaudit_getattr_all_chr_files(mount_t)
+ dev_dontaudit_getattr_memory_dev(mount_t)
+ dev_getattr_sound_dev(mount_t)
++dev_rw_loop_control(mount_t)
++
++ifdef(`hide_broken_symptoms',`
++ dev_rw_generic_blk_files(mount_t)
++')
++
+ # Early devtmpfs, before udev relabel
+ dev_dontaudit_rw_generic_chr_files(mount_t)
+
+ domain_use_interactive_fds(mount_t)
++domain_read_all_domains_state(mount_t)
+
+ files_search_all(mount_t)
+ files_read_etc_files(mount_t)
++files_read_etc_runtime_files(mount_t)
+ files_manage_etc_runtime_files(mount_t)
+ files_etc_filetrans_etc_runtime(mount_t, file)
++# for when /etc/mtab loses its type
++files_delete_etc_files(mount_t)
+ files_mounton_all_mountpoints(mount_t)
++files_setattr_all_mountpoints(mount_t)
++# ntfs-3g checks whether the mountpoint is writable before mounting
++files_write_all_mountpoints(mount_t)
+ files_unmount_rootfs(mount_t)
++
+ # These rules need to be generalized. Only admin, initrc should have it:
+-files_relabelto_all_file_type_fs(mount_t)
++files_relabel_all_file_type_fs(mount_t)
+ files_mount_all_file_type_fs(mount_t)
+ files_unmount_all_file_type_fs(mount_t)
+-# for when /etc/mtab loses its type
+-# cjp: this seems wrong, the type should probably be etc
+ files_read_isid_type_files(mount_t)
+ # For reading cert files
+ files_read_usr_files(mount_t)
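Review bot: `files_write_all_mountpoints(mount_t)` and `files_setattr_all_mountpoints(mount_t)` are added while the existing `files_dontaudit_write_all_mountpoints` / `files_dontaudit_setattr_all_mountpoints` (just past this hunk) are kept, leaving a pair of contradictory rules; the dontaudit lines should be deleted in the same change. The ntfs-3g comment justifies writing, but the `setattr` grant has none. Changing `files_relabelto_all_file_type_fs` to `files_relabel_all_file_type_fs` directly under the comment `# These rules need to be generalized. Only admin, initrc should have it:` widens mount_t to relabel *from* every file type as well; if that is needed for a specific filesystem, say which in the comment.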
+@@ -101,28 +144,39 @@ files_list_all_mountpoints(mount_t)
+ files_dontaudit_write_all_mountpoints(mount_t)
+ files_dontaudit_setattr_all_mountpoints(mount_t)
+
+-fs_getattr_xattr_fs(mount_t)
+-fs_getattr_cifs(mount_t)
++fs_list_all(mount_t)
++fs_getattr_all_fs(mount_t)
+ fs_mount_all_fs(mount_t)
+ fs_unmount_all_fs(mount_t)
+ fs_remount_all_fs(mount_t)
+ fs_relabelfrom_all_fs(mount_t)
+-fs_list_auto_mountpoints(mount_t)
++fs_rw_anon_inodefs_files(mount_t)
+ fs_rw_tmpfs_chr_files(mount_t)
++fs_rw_nfsd_fs(mount_t)
++fs_rw_removable_blk_files(mount_t)
++#fs_manage_tmpfs_dirs(mount_t)
+ fs_read_tmpfs_symlinks(mount_t)
++fs_read_fusefs_files(mount_t)
++fs_manage_nfs_dirs(mount_t)
++fs_read_nfs_symlinks(mount_t)
++fs_manage_cgroup_dirs(mount_t)
++fs_manage_cgroup_files(mount_t)
+ fs_dontaudit_write_tmpfs_dirs(mount_t)
+
+-mls_file_read_all_levels(mount_t)
+-mls_file_write_all_levels(mount_t)
++mls_file_read_to_clearance(mount_t)
++mls_file_write_to_clearance(mount_t)
++mls_process_write_to_clearance(mount_t)
+
+ selinux_get_enforce_mode(mount_t)
++selinux_mounton_fs(mount_t)
+
+ storage_raw_read_fixed_disk(mount_t)
+ storage_raw_write_fixed_disk(mount_t)
+ storage_raw_read_removable_device(mount_t)
+ storage_raw_write_removable_device(mount_t)
++storage_rw_fuse(mount_t)
+
+-term_use_all_terms(mount_t)
++term_use_all_inherited_terms(mount_t)
+ term_dontaudit_manage_pty_dirs(mount_t)
+
+ auth_use_nsswitch(mount_t)
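Review bot: The commented-out rule `#fs_manage_tmpfs_dirs(mount_t)` should either be removed or replaced by a comment saying why it is not granted; a disabled allow line in a policy file reads as an open question. `fs_manage_cgroup_dirs`/`fs_manage_cgroup_files` give mount_t full control over cgroup hierarchies with no explanation, which is well beyond mounting them. The switch from `mls_file_{read,write}_all_levels` to `*_to_clearance` is a real tightening and worth a one-line comment so nobody "fixes" it back when an MLS mount above the clearance fails.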
+@@ -130,16 +184,21 @@ auth_use_nsswitch(mount_t)
+ init_use_fds(mount_t)
+ init_use_script_ptys(mount_t)
+ init_dontaudit_getattr_initctl(mount_t)
++init_stream_connect_script(mount_t)
++init_rw_script_stream_sockets(mount_t)
+
+ logging_send_syslog_msg(mount_t)
+
+-miscfiles_read_localization(mount_t)
+-
+ sysnet_use_portmap(mount_t)
+
+ seutil_read_config(mount_t)
+
++systemd_passwd_agent_domtrans(mount_t)
++
+ userdom_use_all_users_fds(mount_t)
++userdom_manage_user_home_content_dirs(mount_t)
++userdom_read_user_home_content_symlinks(mount_t)
++userdom_list_user_tmp(mount_t)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
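Review bot: `userdom_manage_user_home_content_dirs(mount_t)` is granted unconditionally, so mount_t can create and delete directories in every user's home even on systems where no home-directory mount helper is in use; if this serves fuse/ecryptfs home mounts it belongs under the corresponding tunable rather than the base rules. A why-comment is needed either way, e.g. `# mount.ecryptfs_private / fuse helpers create the mount point under $HOME -- confirm`. The removal of `miscfiles_read_localization(mount_t)` has no note; if it moved to a base attribute elsewhere, fine, otherwise mount's error messages lose locale access.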
+@@ -155,26 +214,27 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
+-tunable_policy(`allow_mount_anyfile',`
+- files_list_non_auth_dirs(mount_t)
+- files_read_non_auth_files(mount_t)
++corecmd_exec_shell(mount_t)
++
++tunable_policy(`mount_anyfile',`
++ files_read_non_security_files(mount_t)
+ files_mounton_non_security(mount_t)
++ files_rw_inherited_non_security_files(mount_t)
+ ')
+
+ optional_policy(`
+ # for nfs
+- corenet_all_recvfrom_unlabeled(mount_t)
+ corenet_all_recvfrom_netlabel(mount_t)
+- corenet_tcp_sendrecv_all_if(mount_t)
+- corenet_raw_sendrecv_all_if(mount_t)
+- corenet_udp_sendrecv_all_if(mount_t)
+- corenet_tcp_sendrecv_all_nodes(mount_t)
+- corenet_raw_sendrecv_all_nodes(mount_t)
+- corenet_udp_sendrecv_all_nodes(mount_t)
++ corenet_tcp_sendrecv_generic_if(mount_t)
++ corenet_raw_sendrecv_generic_if(mount_t)
++ corenet_udp_sendrecv_generic_if(mount_t)
++ corenet_tcp_sendrecv_generic_node(mount_t)
++ corenet_raw_sendrecv_generic_node(mount_t)
++ corenet_udp_sendrecv_generic_node(mount_t)
+ corenet_tcp_sendrecv_all_ports(mount_t)
+ corenet_udp_sendrecv_all_ports(mount_t)
+- corenet_tcp_bind_all_nodes(mount_t)
+- corenet_udp_bind_all_nodes(mount_t)
++ corenet_tcp_bind_generic_node(mount_t)
++ corenet_udp_bind_generic_node(mount_t)
+ corenet_tcp_bind_generic_port(mount_t)
+ corenet_udp_bind_generic_port(mount_t)
+ corenet_tcp_bind_reserved_port(mount_t)
+@@ -188,6 +248,9 @@ optional_policy(`
+ fs_search_rpc(mount_t)
+
+ rpc_stub(mount_t)
++
++ rpc_domtrans_rpcd(mount_t)
++ rpcbind_stream_connect(mount_t)
+ ')
+
+ optional_policy(`
+@@ -195,6 +258,40 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ cron_system_entry(mount_t, mount_exec_t)
++')
++
++optional_policy(`
++ devicekit_read_state_power(mount_t)
++')
++
++optional_policy(`
++ fsadm_manage_pid(mount_t)
++')
++
++optional_policy(`
++ glusterd_domtrans(mount_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(mount_t)
++
++ optional_policy(`
++ hal_dbus_chat(mount_t)
++ ')
++')
++
++optional_policy(`
++ glusterd_domtrans(mount_t)
++')
++
++optional_policy(`
++ hal_write_log(mount_t)
++ hal_use_fds(mount_t)
++ hal_dontaudit_rw_pipes(mount_t)
++')
++
++optional_policy(`
+ ifdef(`hide_broken_symptoms',`
+ # for a bug in the X server
+ rhgb_dontaudit_rw_stream_sockets(mount_t)
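Review bot: `glusterd_domtrans(mount_t)` appears twice in this hunk, once before the dbus block and once after it; the second `optional_policy` wrapping it should be deleted. `cron_system_entry(mount_t, mount_exec_t)` makes mount a cron entry domain and deserves a one-line comment naming the cron job that needs it.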
+@@ -203,28 +300,136 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ livecd_rw_tmp_files(mount_t)
++')
++
++# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
++optional_policy(`
++ lvm_run(mount_t, mount_roles)
++')
++
++optional_policy(`
++ modutils_run_insmod(mount_t, mount_roles)
+ modutils_read_module_deps(mount_t)
+ ')
+
+ optional_policy(`
++ fstools_run(mount_t, mount_roles)
++')
++
++optional_policy(`
++ rhcs_stream_connect_gfs_controld(mount_t)
++')
++
++optional_policy(`
++ rpc_run_rpcd(mount_t, mount_roles)
++')
++
++optional_policy(`
+ puppet_rw_tmp(mount_t)
+ ')
+
+ # for kernel package installation
+ optional_policy(`
+ rpm_rw_pipes(mount_t)
++ rpm_dontaudit_leaks(mount_t)
+ ')
+
+ optional_policy(`
++ samba_read_config(mount_t)
+ samba_run_smbmount(mount_t, mount_roles)
+ ')
+
++optional_policy(`
++ ssh_exec(mount_t)
++ ssh_append_home_files(mount_t)
++')
++
++optional_policy(`
++ usbmuxd_stream_connect(mount_t)
++')
++
++optional_policy(`
++ userhelper_exec_consolehelper(mount_t)
++')
++
++optional_policy(`
++ unconfined_write_keys(mount_t)
++')
++
++optional_policy(`
++ virt_read_blk_images(mount_t)
++')
++
++optional_policy(`
++ vmware_exec_host(mount_t)
++')
++
++optional_policy(`
++ unconfined_domain(mount_t)
++')
++
++######################################
++#
++# showmount local policy
++#
++
++allow showmount_t self:tcp_socket create_stream_socket_perms;
++allow showmount_t self:udp_socket create_socket_perms;
++
++kernel_read_system_state(showmount_t)
++
++corenet_all_recvfrom_netlabel(showmount_t)
++corenet_tcp_sendrecv_generic_if(showmount_t)
++corenet_udp_sendrecv_generic_if(showmount_t)
++corenet_tcp_sendrecv_generic_node(showmount_t)
++corenet_udp_sendrecv_generic_node(showmount_t)
++corenet_tcp_sendrecv_all_ports(showmount_t)
++corenet_udp_sendrecv_all_ports(showmount_t)
++corenet_tcp_bind_generic_node(showmount_t)
++corenet_udp_bind_generic_node(showmount_t)
++corenet_tcp_bind_all_rpc_ports(showmount_t)
++corenet_udp_bind_all_rpc_ports(showmount_t)
++corenet_tcp_connect_all_ports(showmount_t)
++
++files_read_etc_runtime_files(showmount_t)
++
++sysnet_dns_name_resolve(showmount_t)
++
++userdom_use_inherited_user_terminals(showmount_t)
++
++#######################################
++#
++# mount_ecryptfs local policy
++#
++
++domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)
++
++allow mount_ecryptfs_t self:capability setgid;
++allow mount_ecryptfs_t self:capability { setuid sys_admin };
++allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms;
++allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
++userdom_rw_user_tmp_files(mount_ecryptfs_t)
++
++domain_use_interactive_fds(mount_ecryptfs_t)
++
++files_read_etc_files(mount_ecryptfs_t)
++
++fs_read_ecryptfs_symlinks(mount_ecryptfs_t)
++fs_read_ecryptfs_files(mount_ecryptfs_t)
++
++auth_use_nsswitch(mount_ecryptfs_t)
++
+ ########################################
+ #
+ # Unconfined mount local policy
+ #
+
+ optional_policy(`
+- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+- unconfined_domain(unconfined_mount_t)
++ files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
++ unconfined_domain(unconfined_mount_t)
+ ')
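Review bot: `optional_policy(` `unconfined_domain(mount_t)` `')` turns mount_t into an unconfined domain whenever the unconfined module is loaded, which on a typical targeted system is always; every narrowing earlier in this file (the `*_to_clearance` MLS rules, the `mount_anyfile` tunable, the generic-instead-of-all netlabel/corenet changes) is then decorative, and the separate `unconfined_mount_t` domain kept at the bottom becomes redundant. If this is intentional it needs a comment saying so and the dead rules should be pruned; otherwise drop it. Two smaller points: `rpc_run_rpcd(mount_t, mount_roles)` duplicates the `rpc_domtrans_rpcd(mount_t)` added in the nfs block above, and the two adjacent `allow mount_ecryptfs_t self:capability` lines should be merged into `allow mount_ecryptfs_t self:capability { setgid setuid sys_admin };`. For showmount, `corenet_tcp_connect_all_ports(showmount_t)` is wider than a portmapper/mountd client needs; an rpc-port connect interface, if one exists in this tree, would be the closer fit.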
+diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
+index b263a8a..15576ab 100644
+--- a/policy/modules/system/netlabel.fc
++++ b/policy/modules/system/netlabel.fc
+@@ -1 +1,6 @@
+ /sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
++
++/usr/lib/systemd/system/netlabel.* -- gen_context(system_u:object_r:netlabel_mgmt_unit_file_t,s0)
++
++/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
++/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
+diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
+index cbbda4a..b569d5f 100644
+--- a/policy/modules/system/netlabel.te
++++ b/policy/modules/system/netlabel.te
+@@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0)
+
+ type netlabel_mgmt_t;
+ type netlabel_mgmt_exec_t;
++init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
+ application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
+ role system_r types netlabel_mgmt_t;
+
++type netlabel_mgmt_unit_file_t;
++systemd_unit_file(netlabel_mgmt_unit_file_t)
++
+ ########################################
+ #
+ # NetLabel Management Tools Local policy
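Review bot: `netlabel_mgmt_t` is now declared with both `init_daemon_domain` and `application_domain` on the same type/exec pair, which gives it the daemon and the user-application attributes at once; presumably the daemon form is for the new systemd unit and the application form for `netlabelctl` run interactively, but the file does not say. A comment above the pair, `# netlabelctl is run both as a systemd service and by hand from a user role`, or splitting the CLI tool into its own domain, would make the intent reviewable.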
+@@ -19,10 +23,21 @@ role system_r types netlabel_mgmt_t;
+ allow netlabel_mgmt_t self:capability net_admin;
+ allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+
++can_exec(netlabel_mgmt_t, netlabel_mgmt_t)
++
+ kernel_read_network_state(netlabel_mgmt_t)
++kernel_read_system_state(netlabel_mgmt_t)
++
++corecmd_exec_bin(netlabel_mgmt_t)
++corecmd_exec_shell(netlabel_mgmt_t)
+
+ files_read_etc_files(netlabel_mgmt_t)
+
++term_use_all_inherited_terms(netlabel_mgmt_t)
++
+ seutil_use_newrole_fds(netlabel_mgmt_t)
+
+-userdom_use_user_terminals(netlabel_mgmt_t)
++auth_read_passwd(netlabel_mgmt_t)
++
++userdom_use_inherited_user_terminals(netlabel_mgmt_t)
++
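Review bot: `can_exec(netlabel_mgmt_t, netlabel_mgmt_t)` passes the process domain itself as the executable type; every other `can_exec` in this diff takes an `*_exec_t` file type, so this looks like a typo for `can_exec(netlabel_mgmt_t, netlabel_mgmt_exec_t)` (needed when `netlabel-config` re-executes `netlabelctl` without a transition). `corecmd_exec_bin` plus `corecmd_exec_shell` suggests `netlabel-config` is a shell script; a comment saying so would justify both grants.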
+diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
+index d43f3b1..870bc36 100644
+--- a/policy/modules/system/selinuxutil.fc
++++ b/policy/modules/system/selinuxutil.fc
+@@ -6,13 +6,14 @@
+ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
+ /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
+ /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
+-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
++/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+ /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0)
+ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+ /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+ /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+-/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0)
+
+ #
+ # /root
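Review bot: The `seusers`, `users(/.*)?` and `policy(/.*)?` contexts drop from `mls_systemhigh` to `s0`, which on an MLS build makes the login-to-SELinux-user mapping and the binary policy readable to any s0 process that has the type access, where before only system-high subjects could. If the goal is to let `semanage`/`load_policy` work at s0, that is a deliberate trade-off and should be recorded in a comment above the block (the file has no note), otherwise keep the old levels. Moving `policy(/.*)?` to `semanage_store_t` also changes which interfaces grant access to the compiled policy and should be mentioned in the commit message.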
+@@ -35,19 +36,27 @@
+ /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
+
+ /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
++/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
+ /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
+ /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+-/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0)
+ /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
+ /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
+
+ #
+ # /var/lib
+ #
+ /var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0)
++/var/lib/sepolgen(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
+
+ #
+ # /var/run
+ #
+ /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
++
++
++/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
++/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
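Review bot: The two new entries `/etc/share/selinux/targeted(/.*)?` and `/etc/share/selinux/mls(/.*)?` almost certainly mean `/usr/share/selinux/...`, where the policy packages install modules; `/etc/share` is not a standard directory, so as written the rules label nothing. If `/etc/share` is genuinely used by some tool, add a comment naming it, otherwise correct the paths. `/usr/sbin/setsebool` now maps to `setsebool_exec_t`; that type is not declared in any hunk shown here, so make sure the .te declaring it is in the same change.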
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 3822072..0bd60a7 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
+
+ ########################################
+ ##
++## Allow access check on load_policy.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_access_check_load_policy',`
++ gen_require(`
++ type load_policy_exec_t;
++ ')
++
++ allow $1 load_policy_exec_t:file execute;
++')
++
++########################################
++##
++## Dontaudit access check on load_policy.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_dontaudit_access_check_load_policy',`
++ gen_require(`
++ type load_policy_exec_t;
++ ')
++
++ dontaudit $1 load_policy_exec_t:file audit_access;
++')
++
++########################################
++##
+ ## Read the load_policy program file.
+ ##
+ ##
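Review bot: `seutil_access_check_load_policy` grants a real `file execute` permission, not just the `audit_access` its name and the sibling dontaudit interface suggest; on its own that is not enough to run the binary (no `execute_no_trans`), but a reader will assume it is. The summary should say what it is for, e.g. `## Allow access(2)-style checks on load_policy (execute only; no execute_no_trans, so the caller still cannot run it in its own domain).`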
+@@ -192,11 +228,22 @@ interface(`seutil_domtrans_newrole',`
+ #
+ interface(`seutil_run_newrole',`
+ gen_require(`
+- attribute_role newrole_roles;
++ type newrole_t;
++ #attribute_role newrole_roles;
+ ')
+
++ #seutil_domtrans_newrole($1)
++ #roleattribute $2 newrole_roles;
++
+ seutil_domtrans_newrole($1)
+- roleattribute $2 newrole_roles;
++ role $2 types newrole_t;
++
++ auth_run_upd_passwd(newrole_t, $2)
++
++ optional_policy(`
++ namespace_init_run(newrole_t, $2)
++ ')
++
+ ')
+
+ ########################################
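Review bot: The hunk leaves the old implementation behind as commented-out code (`#attribute_role newrole_roles;`, `#seutil_domtrans_newrole($1)`, `#roleattribute $2 newrole_roles;`); delete it rather than keep two versions of the interface in the file. `auth_run_upd_passwd(newrole_t, $2)` and the optional `namespace_init_run(newrole_t, $2)` extend what a role gets from "run newrole" and need a why-comment each, e.g. `# newrole forces a password change when the account has expired`.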
+@@ -359,6 +406,27 @@ interface(`seutil_exec_restorecon',`
+
+ ########################################
+ ##
++## Execute restorecond in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`seutil_exec_restorecond',`
++ gen_require(`
++ type restorecond_exec_t;
++ ')
++
++ files_search_usr($1)
++ corecmd_search_bin($1)
++ can_exec($1, restorecond_exec_t)
++')
++
++########################################
++##
+ ## Execute run_init in the run_init domain.
+ ##
+ ##
+@@ -425,11 +493,20 @@ interface(`seutil_init_script_domtrans_runinit',`
+ #
+ interface(`seutil_run_runinit',`
+ gen_require(`
+- attribute_role run_init_roles;
++ #attribute_role run_init_roles;
++ type run_init_t;
++ role system_r;
+ ')
+
+- seutil_domtrans_runinit($1)
+- roleattribute $2 run_init_roles;
++ #seutil_domtrans_runinit($1)
++ #roleattribute $2 run_init_roles;
++
++ auth_run_chk_passwd(run_init_t, $2)
++ seutil_domtrans_runinit($1)
++ role $2 types run_init_t;
++
++ allow $2 system_r;
++
+ ')
+
+ ########################################
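Review bot: `allow $2 system_r;` lets any role passed to `seutil_run_runinit` change to system_r, which is the whole point of run_init but is easy to miss among the commented-out lines; it should carry a comment (`# run_init changes role to system_r before starting the service`) and the `#seutil_domtrans_runinit`/`#roleattribute` leftovers should be removed. `auth_run_chk_passwd(run_init_t, $2)` is also new here and is unexplained.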
+@@ -461,11 +538,19 @@ interface(`seutil_run_runinit',`
+ #
+ interface(`seutil_init_script_run_runinit',`
+ gen_require(`
+- attribute_role run_init_roles;
++ #attribute_role run_init_roles;
++ type run_init_t;
++ role system_r;
+ ')
+
+- seutil_init_script_domtrans_runinit($1)
+- roleattribute $2 run_init_roles;
++ #seutil_init_script_domtrans_runinit($1)
++ #roleattribute $2 run_init_roles;
++ auth_run_chk_passwd(run_init_t, $2)
++ seutil_init_script_domtrans_runinit($1)
++ role $2 types run_init_t;
++
++ allow $2 system_r;
++
+ ')
+
+ ########################################
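Review bot: `seutil_init_script_run_runinit` now has the same body as `seutil_run_runinit` except for the domtrans call, so the `auth_run_chk_passwd`, `role $2 types run_init_t;` and `allow $2 system_r;` lines are duplicated with the same missing comments; consider having this interface call `seutil_run_runinit`'s common part, and in any case drop the commented-out `#seutil_init_script_domtrans_runinit`/`#roleattribute` lines.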
+@@ -535,6 +620,53 @@ interface(`seutil_run_setfiles',`
+
+ ########################################
+ ##
++## Execute setfiles in the setfiles domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_domtrans_setfiles_mac',`
++ gen_require(`
++ type setfiles_mac_t, setfiles_exec_t;
++ ')
++
++ files_search_usr($1)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
++')
++
++########################################
++##
++## Execute setfiles in the setfiles_mac domain, and
++## allow the specified role the setfiles_mac domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the setfiles_mac domain.
++##
++##
++##
++#
++interface(`seutil_run_setfiles_mac',`
++ gen_require(`
++ type setfiles_mac_t;
++ ')
++
++ seutil_domtrans_setfiles_mac($1)
++ role $2 types setfiles_mac_t;
++')
++
++########################################
++##
+ ## Execute setfiles in the caller domain.
+ ##
+ ##
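Review bot: `seutil_domtrans_setfiles_mac` adds a type transition from `setfiles_exec_t` to `setfiles_mac_t`, while the same entry type presumably already transitions to `setfiles_t` through `seutil_domtrans_setfiles` (outside this hunk). A domain that calls both `seutil_run_setfiles` and `seutil_run_setfiles_mac` would then declare two `type_transition` rules for the same source/target/class, which the compiler rejects; either give the MAC variant its own `setfiles_mac_exec_t` or document that the two interfaces are mutually exclusive for a caller, e.g. `## Callers must not also use seutil_run_setfiles: both use setfiles_exec_t as the entrypoint.`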
+@@ -555,6 +687,42 @@ interface(`seutil_exec_setfiles',`
+
+ ########################################
+ ##
++## Allow access check on setfiles.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_access_check_setfiles',`
++ gen_require(`
++ type setfiles_exec_t;
++ ')
++
++ allow $1 setfiles_exec_t:file execute;
++')
++
++########################################
++##
++## Dontaudit access check on setfiles.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_dontaudit_access_check_setfiles',`
++ gen_require(`
++ type setfiles_exec_t;
++ ')
++
++ dontaudit $1 setfiles_exec_t:file audit_access;
++')
++
++########################################
++##
+ ## Do not audit attempts to search the SELinux
+ ## configuration directory (/etc/selinux).
+ ##
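Review bot: As with the load_policy variant above, `seutil_access_check_setfiles` grants `file execute` rather than an audit-only permission, so its summary should state that it serves access(2) checks and deliberately omits `execute_no_trans`; otherwise the name invites misuse as a cheaper `seutil_exec_setfiles`.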
+@@ -680,8 +848,113 @@ interface(`seutil_manage_config',`
+ ')
+
+ files_search_etc($1)
++ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
+ manage_files_pattern($1, selinux_config_t, selinux_config_t)
+- read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
++ manage_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
++')
++
++######################################
++##
++## Create, read, write, and delete
++## the general selinux configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`seutil_manage_config_dirs',`
++ gen_require(`
++ type selinux_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir manage_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search the SELinux
++## login configuration directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`seutil_dontaudit_search_login_config',`
++ gen_require(`
++ type selinux_login_config_t;
++ ')
++
++ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read the SELinux
++## login configuration.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`seutil_dontaudit_read_login_config',`
++ gen_require(`
++ type selinux_login_config_t;
++ ')
++ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
++ dontaudit $1 selinux_login_config_t:file read_file_perms;
++')
++
++########################################
++##
++## Read the SELinux login configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_read_login_config',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ allow $1 selinux_login_config_t:dir list_dir_perms;
++ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++')
++
++########################################
++##
++## Read and write the SELinux login configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_rw_login_config',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ allow $1 selinux_login_config_t:dir list_dir_perms;
++ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ ')
+
+ #######################################
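Review bot: `seutil_manage_config` silently grows from file-only to full manage of directories and symlinks under `selinux_config_t`, so every existing caller can now create symlinks inside /etc/selinux, where a link pointing into the policy store is a classic redirection problem; the summary (outside the hunk) should be updated and the symlink part justified or kept read-only as before. The new `seutil_manage_config_dirs` is documented as managing "the general selinux configuration files" but only touches `dir`; the sentence should say directories. `seutil_rw_login_config` also omits the `read_lnk_files_pattern` that its read counterpart grants, so a caller that upgrades from read to rw loses symlink access.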
+@@ -694,15 +967,62 @@ interface(`seutil_manage_config',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`seutil_manage_config_dirs',`
++interface(`seutil_rw_login_config_dirs',`
+ gen_require(`
+ type selinux_config_t;
++ type selinux_login_config_t;
+ ')
+
+ files_search_etc($1)
+- allow $1 selinux_config_t:dir manage_dir_perms;
++ allow $1 selinux_config_t:dir search_dir_perms;
++ allow $1 selinux_login_config_t:dir rw_dir_perms;
++')
++
++######################################
++##
++## Create, read, write, and delete
++## the general selinux configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_manage_login_config',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++')
++
++######################################
++##
++## manage the login selinux configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_manage_login_config_files',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ ')
+
+ ########################################
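Review bot: The header comment of `seutil_manage_login_config` says it manages "the general selinux configuration files", but the body grants manage only on `selinux_login_config_t`; the summary should read `## Create, read, write, and delete the SELinux login configuration files.`. The same hunk turns `seutil_manage_config_dirs` into `seutil_rw_login_config_dirs` and drops the `manage_dir_perms` grant on `selinux_config_t`, so unless the old interface is re-added elsewhere in the patch, existing callers of `seutil_manage_config_dirs` will no longer build. The renamed interface's summary line and doc block start above the hunk.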
+@@ -746,6 +1066,29 @@ interface(`seutil_read_default_contexts',`
+ read_files_pattern($1, default_context_t, default_context_t)
+ ')
+
++#######################################
++##
++## Read and write the default_contexts files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`seutil_rw_default_contexts',`
++ gen_require(`
++ type default_context_t;
++ type selinux_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir list_dir_perms;
++ allow $1 default_context_t:dir list_dir_perms;
++ rw_files_pattern($1, default_context_t, default_context_t)
++')
++
+ ########################################
+ ##
+ ## Create, read, write, and delete the default_contexts files.
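Review bot: `seutil_rw_default_contexts` grants `list_dir_perms` on `selinux_config_t`, where the read-only sibling `seutil_read_file_contexts` (visible in the next hunk) gets by with `search_dir_perms`; `allow $1 selinux_config_t:dir search_dir_perms;` keeps the interface minimal. Write access to `default_context_t` lets the caller change the contexts selected for new logins, so the grant is worth keeping tight and the caller list short. The doc block also carries one more `##` line after the parameter than the neighbouring interfaces.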
+@@ -784,7 +1127,9 @@ interface(`seutil_read_file_contexts',`
+
+ files_search_etc($1)
+ allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
++ list_dirs_pattern($1, file_context_t, file_context_t)
+ read_files_pattern($1, file_context_t, file_context_t)
++ read_lnk_files_pattern($1, file_context_t, file_context_t)
+ ')
+
+ ########################################
+@@ -999,6 +1344,26 @@ interface(`seutil_domtrans_semanage',`
+
+ ########################################
+ ##
++## Execute a domain transition to run setsebool.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`seutil_domtrans_setsebool',`
++ gen_require(`
++ type setsebool_t, setsebool_exec_t;
++ ')
++
++ files_search_usr($1)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
++')
++
++########################################
++##
+ ## Execute semanage in the semanage domain, and
+ ## allow the specified role the semanage domain,
+ ## and use the caller's terminal.
+@@ -1017,11 +1382,85 @@ interface(`seutil_domtrans_semanage',`
+ #
+ interface(`seutil_run_semanage',`
+ gen_require(`
+- attribute_role semanage_roles;
++ #attribute_role semanage_roles;
++ type semanage_t;
+ ')
+
++ #seutil_domtrans_semanage($1)
++ #roleattribute $2 semanage_roles;
++
+ seutil_domtrans_semanage($1)
+- roleattribute $2 semanage_roles;
++ seutil_run_setfiles(semanage_t, $2)
++ seutil_run_loadpolicy(semanage_t, $2)
++ role $2 types semanage_t;
++
++')
++
++########################################
++##
++## Execute setsebool in the semanage domain, and
++## allow the specified role the semanage domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the setsebool domain.
++##
++##
++##
++#
++interface(`seutil_run_setsebool',`
++ gen_require(`
++ type semanage_t;
++ ')
++
++ seutil_domtrans_setsebool($1)
++ role $2 types setsebool_t;
++')
++
++########################################
++##
++## Full management of the semanage
++## module store.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_read_module_store',`
++ gen_require(`
++ type selinux_config_t, semanage_store_t;
++ ')
++
++ files_search_etc($1)
++ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
++ read_files_pattern($1, semanage_store_t, semanage_store_t)
++ read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
++')
++
++#######################################
++##
++## Dontaudit access check on module store
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_dontaudit_access_check_semanage_module_store',`
++ gen_require(`
++ type semanage_store_t;
++ ')
++
++ dontaudit $1 semanage_store_t:dir_file_class_set audit_access;
+ ')
+
+ ########################################
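Review bot: `seutil_run_setsebool` requires `type semanage_t;` but its body uses only `setsebool_t` (`role $2 types setsebool_t;`); the require block should read `type setsebool_t;`, and it presumably compiles today only because the nested `seutil_domtrans_setsebool($1)` already requires that type. Its summary also still says "Execute setsebool in the semanage domain", copied from `seutil_run_semanage`. `seutil_read_module_store` is documented as "Full management of the semanage module store" while it grants list and read only — `## Read the semanage module store.` fits the body. The commented-out `#attribute_role semanage_roles;` / `#roleattribute $2 semanage_roles;` lines left in `seutil_run_semanage` are dead code, and the same pattern recurs in the selinuxutil.te hunks (the attribute declarations at the top of the file, the run_init local policy and the semanage local policy); they would be cleaner removed.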
+@@ -1043,7 +1482,11 @@ interface(`seutil_manage_module_store',`
+ files_search_etc($1)
+ manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
+ manage_files_pattern($1, semanage_store_t, semanage_store_t)
++ manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
+ ')
+
+ #######################################
+@@ -1067,6 +1510,24 @@ interface(`seutil_get_semanage_read_lock',`
+
+ #######################################
+ ##
++## Dontaudit access check on module store
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_dontaudit_access_check_semanage_read_lock',`
++ gen_require(`
++ type semanage_read_lock_t;
++ ')
++
++ dontaudit $1 semanage_read_lock_t:dir_file_class_set audit_access;
++')
++
++#######################################
++##
+ ## Get trans lock on module store
+ ##
+ ##
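Review bot: The summary of `seutil_dontaudit_access_check_semanage_read_lock` is copied from the module-store interface ("Dontaudit access check on module store") although the rule is on `semanage_read_lock_t`; suggest `## Dontaudit access check on the semanage read lock.`. The surrounding `seutil_get_semanage_read_lock` definition lies outside the hunk.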
+@@ -1137,3 +1598,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+ selinux_dontaudit_get_fs_mount($1)
+ seutil_dontaudit_read_config($1)
+ ')
++
++#######################################
++##
++## All rules necessary to run semanage command
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_semanage_policy',`
++ gen_require(`
++ type semanage_tmp_t;
++ type policy_config_t;
++ attribute policy_manager_domain;
++ ')
++ typeattribute $1 policy_manager_domain;
++
++ kernel_read_system_state($1)
++
++ # Running genhomedircon requires this for finding all users
++ auth_use_nsswitch($1)
++
++ mls_file_write_all_levels($1)
++ mls_file_read_all_levels($1)
++
++ selinux_get_enforce_mode($1)
++ selinux_set_enforce_mode($1)
++
++ seutil_manage_bin_policy($1)
++
++ logging_send_syslog_msg($1)
++')
++
++#######################################
++##
++## All rules necessary to run setfiles command
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_setfiles',`
++
++ gen_require(`
++ attribute setfiles_domain;
++ ')
++ typeattribute $1 setfiles_domain;
++
++ kernel_read_system_state($1)
++ seutil_libselinux_linked($1)
++
++ files_relabel_all_files($1)
++
++ mls_file_read_all_levels($1)
++ mls_file_write_all_levels($1)
++ mls_file_upgrade($1)
++ mls_file_downgrade($1)
++
++ # this is to satisfy the assertion:
++ auth_relabelto_shadow($1)
++
++ logging_send_syslog_msg($1)
++')
++
++#####################################
++##
++## File name transition for selinux utility content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_filetrans_named_content',`
++ gen_require(`
++ type default_context_t, semanage_store_t;
++ type selinux_config_t, semanage_trans_lock_t;
++ type file_context_t, selinux_login_config_t;
++ ')
++
++ filetrans_pattern($1, selinux_config_t, default_context_t, dir, "contexts")
++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "policy")
++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
++ filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.read.LOCK")
++ filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.trans.LOCK")
++ filetrans_pattern($1, selinux_config_t, selinux_login_config_t, dir, "logins")
++ filetrans_pattern($1, default_context_t, file_context_t, dir, "files")
++ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
++')
++
++########################################
++##
++## Send and receive messages from
++## semanage dbus server over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_dbus_chat_semanage',`
++ gen_require(`
++ type semanage_t;
++ class dbus send_msg;
++ ')
++
++ ps_process_pattern(semanage_t, $1)
++
++ allow $1 semanage_t:dbus send_msg;
++ allow semanage_t $1:dbus send_msg;
++')
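Review bot: In `seutil_filetrans_named_content` the `"semanage.read.LOCK"` file transitions to `semanage_trans_lock_t`, while this same patch keeps a distinct `semanage_read_lock_t` type in the .te and `seutil_dontaudit_access_check_semanage_read_lock` expects lock files to carry it; if the file contexts label that file `semanage_read_lock_t`, the line should be `filetrans_pattern($1, selinux_config_t, semanage_read_lock_t, file, "semanage.read.LOCK")` with `type semanage_read_lock_t;` added to the require block, otherwise freshly created read locks get the transaction-lock label. `seutil_semanage_policy` grants `selinux_set_enforce_mode($1)` to every caller, and the .te applies the interface to `setsebool_t` as well as `semanage_t`; switching enforcing mode is not something setsebool needs, so that rule belongs in the semanage local policy rather than the shared interface. The same interface requires `semanage_tmp_t` and `policy_config_t` but uses neither in its body. The store directory names used here (`policy`, `active`, `tmp`, `previous`) also differ from the `modules` name still used by `seutil_manage_module_store`; if both layouts are intended, a one-line comment saying so would help.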
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index dc46420..fa0e220 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -11,14 +11,16 @@ gen_require(`
+
+ attribute can_write_binary_policy;
+ attribute can_relabelto_binary_policy;
++attribute setfiles_domain;
++attribute policy_manager_domain;
+
+-attribute_role newrole_roles;
++#attribute_role newrole_roles;
+
+-attribute_role run_init_roles;
+-role system_r types run_init_t;
++#attribute_role run_init_roles;
++#role system_r types run_init_t;
+
+-attribute_role semanage_roles;
+-roleattribute system_r semanage_roles;
++#attribute_role semanage_roles;
++#roleattribute system_r semanage_roles;
+
+ #
+ # selinux_config_t is the type applied to
+@@ -28,7 +30,13 @@ roleattribute system_r semanage_roles;
+ # in the domain_type interface
+ # (fix dup decl)
+ type selinux_config_t;
+-files_type(selinux_config_t)
++files_security_file(selinux_config_t)
++
++type selinux_login_config_t;
++files_security_file(selinux_login_config_t)
++
++type selinux_var_lib_t;
++files_type(selinux_var_lib_t)
+
+ type checkpolicy_t, can_write_binary_policy;
+ type checkpolicy_exec_t;
+@@ -40,14 +48,14 @@ role system_r types checkpolicy_t;
+ # /etc/selinux/*/contexts/*
+ #
+ type default_context_t;
+-files_type(default_context_t)
++files_security_file(default_context_t)
+
+ #
+ # file_context_t is the type applied to
+ # /etc/selinux/*/contexts/files
+ #
+ type file_context_t;
+-files_type(file_context_t)
++files_security_file(file_context_t)
+
+ type load_policy_t;
+ type load_policy_exec_t;
+@@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t)
+ domain_role_change_exemption(newrole_t)
+ domain_obj_id_change_exemption(newrole_t)
+ domain_interactive_fd(newrole_t)
+-role newrole_roles types newrole_t;
++#role newrole_roles types newrole_t;
++role system_r types newrole_t;
+
+ #
+ # policy_config_t is the type of /etc/security/selinux/*
+ # the security server policy configuration.
+ #
+-type policy_config_t;
+-files_type(policy_config_t)
++#type policy_config_t;
++#files_type(policy_config_t)
++gen_require(`
++ type semanage_store_t;
++')
++
++typealias semanage_store_t alias policy_config_t;
+
+ neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
+ #neverallow ~can_write_binary_policy policy_config_t:file { write append };
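Review bot: `policy_config_t` becomes an alias of `semanage_store_t` through a `gen_require` placed before the `type semanage_store_t;` declaration further down this file; requiring a type inside the module that declares it is unusual, and if the toolchain resolves `typealias` in declaration order the alias should follow the declaration instead. The existing `neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;` now covers the whole module store, so every domain that relabels `semanage_store_t` files must carry `can_relabelto_binary_policy` or the build fails — worth a comment next to the alias such as `# policy_config_t is an alias of the module store: the neverallow below now applies to all of it`.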
+@@ -83,7 +97,6 @@ type restorecond_t;
+ type restorecond_exec_t;
+ init_daemon_domain(restorecond_t, restorecond_exec_t)
+ domain_obj_id_change_exemption(restorecond_t)
+-role system_r types restorecond_t;
+
+ type restorecond_var_run_t;
+ files_pid_file(restorecond_var_run_t)
+@@ -92,25 +105,32 @@ type run_init_t;
+ type run_init_exec_t;
+ application_domain(run_init_t, run_init_exec_t)
+ domain_system_change_exemption(run_init_t)
+-role run_init_roles types run_init_t;
++#role run_init_roles types run_init_t;
++role system_r types run_init_t;
+
+ type semanage_t;
+ type semanage_exec_t;
+ application_domain(semanage_t, semanage_exec_t)
++init_daemon_domain(semanage_t, semanage_exec_t)
+ domain_interactive_fd(semanage_t)
+-role semanage_roles types semanage_t;
++#role semanage_roles types semanage_t;
++role system_r types semanage_t;
++
++type setsebool_t;
++type setsebool_exec_t;
++init_system_domain(setsebool_t, setsebool_exec_t)
+
+ type semanage_store_t;
+-files_type(semanage_store_t)
++files_security_file(semanage_store_t)
+
+ type semanage_read_lock_t;
+-files_type(semanage_read_lock_t)
++files_lock_file(semanage_read_lock_t)
+
+ type semanage_tmp_t;
+ files_tmp_file(semanage_tmp_t)
+
+-type semanage_trans_lock_t;
+-files_type(semanage_trans_lock_t)
++type semanage_trans_lock_t;
++files_lock_file(semanage_trans_lock_t)
+
+ type semanage_var_lib_t;
+ files_type(semanage_var_lib_t)
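Review bot: `semanage_t` is declared with both `application_domain` and `init_daemon_domain` on the same type/entrypoint pair, followed by an explicit `role system_r types semanage_t;` that `init_daemon_domain` normally provides on its own; one of the two declarations plus the role line is redundant, and the duplication leaves it unclear whether semanage is meant as a user application or a daemon (the dbus activation in the local policy suggests the latter). A short comment above the pair stating why both are needed, or dropping `application_domain` if the daemon form is intended, would settle it.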
+@@ -120,6 +140,11 @@ type setfiles_exec_t alias restorecon_exec_t;
+ init_system_domain(setfiles_t, setfiles_exec_t)
+ domain_obj_id_change_exemption(setfiles_t)
+
++type setfiles_mac_t;
++domain_type(setfiles_mac_t)
++domain_entry_file(setfiles_mac_t, setfiles_exec_t)
++domain_obj_id_change_exemption(setfiles_mac_t)
++
+ ########################################
+ #
+ # Checkpolicy local policy
+@@ -137,6 +162,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
+ read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
+ read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
+ allow checkpolicy_t selinux_config_t:dir search_dir_perms;
++allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;
+
+ domain_use_interactive_fds(checkpolicy_t)
+
+@@ -151,7 +177,7 @@ term_use_console(checkpolicy_t)
+ init_use_fds(checkpolicy_t)
+ init_use_script_ptys(checkpolicy_t)
+
+-userdom_use_user_terminals(checkpolicy_t)
++userdom_use_inherited_user_terminals(checkpolicy_t)
+ userdom_use_all_users_fds(checkpolicy_t)
+
+ ifdef(`distro_ubuntu',`
+@@ -188,13 +214,13 @@ term_list_ptys(load_policy_t)
+
+ init_use_script_fds(load_policy_t)
+ init_use_script_ptys(load_policy_t)
+-
+-miscfiles_read_localization(load_policy_t)
++init_write_script_pipes(load_policy_t)
+
+ seutil_libselinux_linked(load_policy_t)
+
+-userdom_use_user_terminals(load_policy_t)
++userdom_use_inherited_user_terminals(load_policy_t)
+ userdom_use_all_users_fds(load_policy_t)
++userdom_dontaudit_read_user_tmp_files(load_policy_t)
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+@@ -205,6 +231,7 @@ ifdef(`distro_ubuntu',`
+ ifdef(`hide_broken_symptoms',`
+ # cjp: cover up stray file descriptors.
+ dontaudit load_policy_t selinux_config_t:file write;
++ dontaudit load_policy_t selinux_login_config_t:file write;
+
+ optional_policy(`
+ unconfined_dontaudit_read_pipes(load_policy_t)
+@@ -215,12 +242,21 @@ optional_policy(`
+ portage_dontaudit_use_fds(load_policy_t)
+ ')
+
++optional_policy(`
++ sssd_rw_inherited_pipes(load_policy_t)
++')
++
++optional_policy(`
++ # pki is leaking
++ pki_dontaudit_write_log(load_policy_t)
++')
++
+ ########################################
+ #
+ # Newrole local policy
+ #
+
+-allow newrole_t self:capability { fowner setuid setgid dac_override };
++allow newrole_t self:capability { fowner setpcap setuid setgid dac_override };
+ allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+ allow newrole_t self:process setexec;
+ allow newrole_t self:fd use;
+@@ -232,7 +268,7 @@ allow newrole_t self:msgq create_msgq_perms;
+ allow newrole_t self:msg { send receive };
+ allow newrole_t self:unix_dgram_socket sendto;
+ allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++logging_send_audit_msgs(newrole_t)
+
+ read_files_pattern(newrole_t, default_context_t, default_context_t)
+ read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
+@@ -249,6 +285,7 @@ domain_use_interactive_fds(newrole_t)
+ # for when the user types "exec newrole" at the command line:
+ domain_sigchld_interactive_fds(newrole_t)
+
++files_list_var(newrole_t)
+ files_read_etc_files(newrole_t)
+ files_read_var_files(newrole_t)
+ files_read_var_symlinks(newrole_t)
+@@ -276,25 +313,34 @@ term_relabel_all_ptys(newrole_t)
+ term_getattr_unallocated_ttys(newrole_t)
+ term_dontaudit_use_unallocated_ttys(newrole_t)
+
+-auth_use_nsswitch(newrole_t)
+-auth_run_chk_passwd(newrole_t, newrole_roles)
+-auth_run_upd_passwd(newrole_t, newrole_roles)
+-auth_rw_faillog(newrole_t)
++auth_use_pam(newrole_t)
+
+ # Write to utmp.
+ init_rw_utmp(newrole_t)
+ init_use_fds(newrole_t)
+
+-logging_send_syslog_msg(newrole_t)
+-
+-miscfiles_read_localization(newrole_t)
+
+ seutil_libselinux_linked(newrole_t)
+
++userdom_use_unpriv_users_fds(newrole_t)
+ # for some PAM modules and for cwd
+ userdom_dontaudit_search_user_home_content(newrole_t)
+ userdom_search_user_home_dirs(newrole_t)
+
++# need to talk with dbus
++optional_policy(`
++ dbus_system_bus_client(newrole_t)
++')
++
++#optional_policy(`
++# namespace_init_run(newrole_t, newrole_roles)
++#')
++
++
++optional_policy(`
++ xserver_dontaudit_exec_xauth(newrole_t)
++')
++
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(newrole_t)
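Review bot: `logging_send_syslog_msg(newrole_t)` is removed with no replacement in this hunk, while an earlier newrole hunk only adds `logging_send_audit_msgs(newrole_t)`; if newrole still reports failed role changes through syslog, those writes will now be denied, so confirm against the binary before dropping the rule. The commented-out `#optional_policy(` … `namespace_init_run(newrole_t, newrole_roles)` block and the doubled blank line are leftovers that should be removed or explained. The newrole local policy continues outside the hunk.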
+@@ -309,7 +355,7 @@ if(secure_mode) {
+ userdom_spec_domtrans_all_users(newrole_t)
+ }
+
+-tunable_policy(`allow_polyinstantiation',`
++tunable_policy(`polyinstantiation_enabled',`
+ files_polyinstantiate_all(newrole_t)
+ ')
+
+@@ -328,9 +374,13 @@ kernel_use_fds(restorecond_t)
+ kernel_rw_pipes(restorecond_t)
+ kernel_read_system_state(restorecond_t)
+
++dev_relabel_all_dev_nodes(restorecond_t)
++
++files_dontaudit_read_all_symlinks(restorecond_t)
++
+ fs_relabelfrom_noxattr_fs(restorecond_t)
+ fs_dontaudit_list_nfs(restorecond_t)
+-fs_getattr_xattr_fs(restorecond_t)
++fs_getattr_all_fs(restorecond_t)
+ fs_list_inotifyfs(restorecond_t)
+
+ selinux_validate_context(restorecond_t)
+@@ -341,16 +391,17 @@ selinux_compute_user_contexts(restorecond_t)
+
+ files_relabel_non_auth_files(restorecond_t )
+ files_read_non_auth_files(restorecond_t)
++
+ auth_use_nsswitch(restorecond_t)
+
+ locallogin_dontaudit_use_fds(restorecond_t)
+
+ logging_send_syslog_msg(restorecond_t)
+
+-miscfiles_read_localization(restorecond_t)
+-
+ seutil_libselinux_linked(restorecond_t)
+
++userdom_read_user_home_content_symlinks(restorecond_t)
++
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(restorecond_t)
+@@ -366,21 +417,24 @@ optional_policy(`
+ # Run_init local policy
+ #
+
+-allow run_init_roles system_r;
++#allow run_init_roles system_r;
+
+ allow run_init_t self:process setexec;
+ allow run_init_t self:capability setuid;
+ allow run_init_t self:fifo_file rw_file_perms;
+-allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++logging_send_audit_msgs(run_init_t)
+
+ # often the administrator runs such programs from a directory that is owned
+ # by a different user or has restrictive SE permissions, do not want to audit
+ # the failed access to the current directory
+ dontaudit run_init_t self:capability { dac_override dac_read_search };
+
++kernel_dontaudit_getattr_core_if(run_init_t)
++
+ corecmd_exec_bin(run_init_t)
+ corecmd_exec_shell(run_init_t)
+
++dev_dontaudit_getattr_all(run_init_t)
+ dev_dontaudit_list_all_dev_nodes(run_init_t)
+
+ domain_use_interactive_fds(run_init_t)
+@@ -398,23 +452,30 @@ selinux_compute_create_context(run_init_t)
+ selinux_compute_relabel_context(run_init_t)
+ selinux_compute_user_contexts(run_init_t)
+
++term_use_console(run_init_t)
++
++#auth_use_nsswitch(run_init_t)
++#auth_run_chk_passwd(run_init_t, run_init_roles)
++#auth_run_upd_passwd(run_init_t, run_init_roles)
++#auth_dontaudit_read_shadow(run_init_t)
++
+ auth_use_nsswitch(run_init_t)
+-auth_run_chk_passwd(run_init_t, run_init_roles)
+-auth_run_upd_passwd(run_init_t, run_init_roles)
++auth_domtrans_chk_passwd(run_init_t)
++auth_domtrans_upd_passwd(run_init_t)
+ auth_dontaudit_read_shadow(run_init_t)
+
++
+ init_spec_domtrans_script(run_init_t)
+ # for utmp
+ init_rw_utmp(run_init_t)
++init_dontaudit_getattr_initctl(run_init_t)
+
+ logging_send_syslog_msg(run_init_t)
+
+-miscfiles_read_localization(run_init_t)
+-
+ seutil_libselinux_linked(run_init_t)
+ seutil_read_default_contexts(run_init_t)
+
+-userdom_use_user_terminals(run_init_t)
++userdom_use_inherited_user_terminals(run_init_t)
+
+ ifndef(`direct_sysadm_daemon',`
+ ifdef(`distro_gentoo',`
+@@ -425,6 +486,19 @@ ifndef(`direct_sysadm_daemon',`
+ ')
+ ')
+
++# need to talk with dbus
++optional_policy(`
++ dbus_system_bus_client(run_init_t)
++')
++
++optional_policy(`
++ gpm_dontaudit_getattr_gpmctl(run_init_t)
++')
++
++optional_policy(`
++ rpm_domtrans(run_init_t)
++')
++
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(run_init_t)
+@@ -440,81 +514,87 @@ optional_policy(`
+ # semodule local policy
+ #
+
+-allow semanage_t self:capability { dac_override audit_write };
+-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
+-allow semanage_t self:unix_dgram_socket create_socket_perms;
+ allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+-allow semanage_t self:fifo_file rw_fifo_file_perms;
+-
+-allow semanage_t policy_config_t:file rw_file_perms;
+-
+-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+-allow semanage_t semanage_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+
+ manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
+ manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
+
+-kernel_read_system_state(semanage_t)
+-kernel_read_kernel_sysctls(semanage_t)
+-
+-corecmd_exec_bin(semanage_t)
+-
+-dev_read_urand(semanage_t)
+-
+-domain_use_interactive_fds(semanage_t)
+-
+-files_read_etc_files(semanage_t)
+-files_read_etc_runtime_files(semanage_t)
+-files_read_usr_files(semanage_t)
+-files_list_pids(semanage_t)
+-
+-mls_file_write_all_levels(semanage_t)
+-mls_file_read_all_levels(semanage_t)
+-
+-selinux_validate_context(semanage_t)
+-selinux_get_enforce_mode(semanage_t)
+-selinux_getattr_fs(semanage_t)
+-# for setsebool:
+ selinux_set_all_booleans(semanage_t)
++can_exec(semanage_t, semanage_exec_t)
+
+-term_use_all_terms(semanage_t)
+-
+-# Running genhomedircon requires this for finding all users
+-auth_use_nsswitch(semanage_t)
+-
+-locallogin_use_fds(semanage_t)
+-
+-logging_send_syslog_msg(semanage_t)
++# Admins are creating pp files in random locations
++files_read_non_security_files(semanage_t)
+
+-miscfiles_read_localization(semanage_t)
+-
+-seutil_libselinux_linked(semanage_t)
++seutil_semanage_policy(semanage_t)
+ seutil_manage_file_contexts(semanage_t)
+ seutil_manage_config(semanage_t)
+-seutil_run_setfiles(semanage_t, semanage_roles)
+-seutil_run_loadpolicy(semanage_t, semanage_roles)
+-seutil_manage_bin_policy(semanage_t)
+-seutil_use_newrole_fds(semanage_t)
+-seutil_manage_module_store(semanage_t)
+-seutil_get_semanage_trans_lock(semanage_t)
+-seutil_get_semanage_read_lock(semanage_t)
++seutil_domtrans_setfiles(semanage_t)
++
++#seutil_run_setfiles(semanage_t, semanage_roles)
++#seutil_run_loadpolicy(semanage_t, semanage_roles)
++#seutil_manage_bin_policy(semanage_t)
++#seutil_use_newrole_fds(semanage_t)
++#seutil_manage_module_store(semanage_t)
++#seutil_get_semanage_trans_lock(semanage_t)
++#seutil_get_semanage_read_lock(semanage_t)
+ # netfilter_contexts:
+ seutil_manage_default_contexts(semanage_t)
+
+ # Handle pp files created in homedir and /tmp
+ userdom_read_user_home_content_files(semanage_t)
+ userdom_read_user_tmp_files(semanage_t)
++userdom_home_reader(semanage_t)
+
+ ifdef(`distro_debian',`
+ files_read_var_lib_files(semanage_t)
+ files_read_var_lib_symlinks(semanage_t)
+ ')
+
+-ifdef(`distro_ubuntu',`
+- optional_policy(`
+- unconfined_domain(semanage_t)
+- ')
++optional_policy(`
++ dbus_system_domain(semanage_t, semanage_exec_t)
++')
++
++optional_policy(`
++ mock_manage_lib_files(semanage_t)
++ mock_manage_lib_dirs(semanage_t)
++')
++
++optional_policy(`
++ unconfined_domain(semanage_t)
++')
++
++####################################n####
++#
++# setsebool local policy
++#
++seutil_semanage_policy(setsebool_t)
++selinux_set_all_booleans(setsebool_t)
++
++init_dontaudit_use_fds(setsebool_t)
++
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_config(setsebool_t)
++
++########################################
++#
++# Setfiles mac local policy
++#
++seutil_setfiles(setfiles_mac_t)
++allow setfiles_mac_t self:capability2 mac_admin;
++kernel_relabelto_unlabeled(setfiles_mac_t)
++
++optional_policy(`
++ files_dontaudit_write_isid_chr_files(setfiles_mac_t)
++ livecd_dontaudit_leaks(setfiles_mac_t)
++ livecd_rw_tmp_files(setfiles_mac_t)
++ dev_dontaudit_write_all_chr_files(setfiles_mac_t)
++')
++
++optional_policy(`
++ unconfined_domain(setfiles_mac_t)
+ ')
+
+ ########################################
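Review bot: `unconfined_domain(semanage_t)` moves out of the `ifdef(`distro_ubuntu'` guard into a bare `optional_policy`, so semanage becomes unconfined on every build that ships the unconfined module and the detailed `seutil_semanage_policy` / `seutil_manage_*` rules above it stop mattering wherever that module is loaded. The same applies to `unconfined_domain(setfiles_mac_t)`; if this is intentional, a comment stating why confinement is waived would help reviewers. The `# Bug in semanage` block gives `setsebool_t` manage rights over file contexts, default contexts and the SELinux config as a workaround; the comment should reference the bug (`# Bug in semanage: <BUG_REFERENCE_PLACEHOLDER>, drop once fixed`) so the extra privilege can be retired. The banner `####################################n####` also has a stray `n`.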
+@@ -522,111 +602,196 @@ ifdef(`distro_ubuntu',`
+ # Setfiles local policy
+ #
+
+-allow setfiles_t self:capability { dac_override dac_read_search fowner };
+-dontaudit setfiles_t self:capability sys_tty_config;
+-allow setfiles_t self:fifo_file rw_file_perms;
+-
+-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
+-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
+-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+-
+-kernel_read_system_state(setfiles_t)
+-kernel_relabelfrom_unlabeled_dirs(setfiles_t)
+-kernel_relabelfrom_unlabeled_files(setfiles_t)
+-kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
+-kernel_relabelfrom_unlabeled_pipes(setfiles_t)
+-kernel_relabelfrom_unlabeled_sockets(setfiles_t)
+-kernel_use_fds(setfiles_t)
+-kernel_rw_pipes(setfiles_t)
+-kernel_rw_unix_dgram_sockets(setfiles_t)
+-kernel_dontaudit_list_all_proc(setfiles_t)
+-kernel_dontaudit_list_all_sysctls(setfiles_t)
+-
+-dev_relabel_all_dev_nodes(setfiles_t)
+-# to handle when /dev/console needs to be relabeled
+-dev_rw_generic_chr_files(setfiles_t)
+-
+-domain_use_interactive_fds(setfiles_t)
+-domain_dontaudit_search_all_domains_state(setfiles_t)
+-
+-files_read_etc_runtime_files(setfiles_t)
+-files_read_etc_files(setfiles_t)
+-files_list_all(setfiles_t)
+-files_relabel_all_files(setfiles_t)
+-files_read_usr_symlinks(setfiles_t)
+-files_dontaudit_read_all_symlinks(setfiles_t)
+-
+-fs_getattr_xattr_fs(setfiles_t)
+-fs_list_all(setfiles_t)
+-fs_search_auto_mountpoints(setfiles_t)
+-fs_relabelfrom_noxattr_fs(setfiles_t)
+-
+-mls_file_read_all_levels(setfiles_t)
+-mls_file_write_all_levels(setfiles_t)
+-mls_file_upgrade(setfiles_t)
+-mls_file_downgrade(setfiles_t)
+-
+-selinux_validate_context(setfiles_t)
+-selinux_compute_access_vector(setfiles_t)
+-selinux_compute_create_context(setfiles_t)
+-selinux_compute_relabel_context(setfiles_t)
+-selinux_compute_user_contexts(setfiles_t)
+-
+-term_use_all_ttys(setfiles_t)
+-term_use_all_ptys(setfiles_t)
+-term_use_unallocated_ttys(setfiles_t)
+-
+-# this is to satisfy the assertion:
+-auth_relabelto_shadow(setfiles_t)
+-
+-init_use_fds(setfiles_t)
+-init_use_script_fds(setfiles_t)
+-init_use_script_ptys(setfiles_t)
+-init_exec_script_files(setfiles_t)
++seutil_setfiles(setfiles_t)
++# During boot in Rawhide
++term_use_generic_ptys(setfiles_t)
++
++# needs to be able to read symlinks to make restorecon on symlink working
++files_read_all_symlinks(setfiles_t)
+
+ logging_send_audit_msgs(setfiles_t)
+ logging_send_syslog_msg(setfiles_t)
+
+-miscfiles_read_localization(setfiles_t)
++optional_policy(`
++ cloudform_dontaudit_write_cloud_log(setfiles_t)
++')
+
+-seutil_libselinux_linked(setfiles_t)
++optional_policy(`
++ devicekit_dontaudit_read_pid_files(setfiles_t)
++ devicekit_dontaudit_rw_log(setfiles_t)
++')
++
++optional_policy(`
++ # pki is leaking
++ pki_dontaudit_write_log(setfiles_t)
++')
++
++optional_policy(`
++ xserver_append_xdm_tmp_files(setfiles_t)
++')
++
++ifdef(`hide_broken_symptoms',`
++
++ optional_policy(`
++ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
++ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
++ setroubleshoot_fixit_dontaudit_leaks(load_policy_t)
++ ')
++')
++ifdef(`distro_ubuntu',`
++ optional_policy(`
++ unconfined_domain(setfiles_t)
++ ')
++')
+
+-userdom_use_all_users_fds(setfiles_t)
++########################################
++#
++# Setfiles common policy
++#
++allow setfiles_domain self:capability { dac_override dac_read_search fowner };
++dontaudit setfiles_domain self:capability sys_tty_config;
++allow setfiles_domain self:fifo_file rw_file_perms;
++dontaudit setfiles_domain self:dir relabelfrom;
++dontaudit setfiles_domain self:file relabelfrom;
++dontaudit setfiles_domain self:lnk_file relabelfrom;
++
++domain_relabelfrom(setfiles_domain)
++
++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
++
++logging_send_audit_msgs(setfiles_domain)
++
++kernel_relabelfrom_unlabeled_dirs(setfiles_domain)
++kernel_relabelfrom_unlabeled_files(setfiles_domain)
++kernel_relabelfrom_unlabeled_symlinks(setfiles_domain)
++kernel_relabelfrom_unlabeled_pipes(setfiles_domain)
++kernel_relabelfrom_unlabeled_sockets(setfiles_domain)
++kernel_use_fds(setfiles_domain)
++kernel_rw_pipes(setfiles_domain)
++kernel_rw_unix_dgram_sockets(setfiles_domain)
++kernel_dontaudit_list_all_proc(setfiles_domain)
++kernel_read_all_sysctls(setfiles_domain)
++kernel_read_network_state_symlinks(setfiles_domain)
++
++dev_relabel_all_dev_nodes(setfiles_domain)
++dev_dontaudit_rw_lvm_control(setfiles_domain)
++dev_dontaudit_read_rand(setfiles_domain)
++dev_dontaudit_read_urand(setfiles_domain)
++
++domain_use_interactive_fds(setfiles_domain)
++domain_read_all_domains_state(setfiles_domain)
++
++files_read_etc_runtime_files(setfiles_domain)
++files_read_etc_files(setfiles_domain)
++files_list_all(setfiles_domain)
++files_list_isid_type_dirs(setfiles_domain)
++files_read_isid_type_files(setfiles_domain)
++files_dontaudit_read_all_symlinks(setfiles_domain)
++
++fs_getattr_all_fs(setfiles_domain)
++fs_list_all(setfiles_domain)
++fs_getattr_all_files(setfiles_domain)
++fs_search_auto_mountpoints(setfiles_domain)
++fs_relabelfrom_noxattr_fs(setfiles_domain)
++
++selinux_validate_context(setfiles_domain)
++selinux_compute_access_vector(setfiles_domain)
++selinux_compute_create_context(setfiles_domain)
++selinux_compute_relabel_context(setfiles_domain)
++selinux_compute_user_contexts(setfiles_domain)
++
++term_use_all_inherited_terms(setfiles_domain)
++
++init_use_fds(setfiles_domain)
++init_use_script_fds(setfiles_domain)
++init_use_script_ptys(setfiles_domain)
++init_exec_script_files(setfiles_domain)
++
++userdom_use_all_users_fds(setfiles_domain)
+ # for config files in a home directory
+-userdom_read_user_home_content_files(setfiles_t)
++userdom_read_user_home_content_files(setfiles_domain)
++userdom_rw_inherited_user_home_content_files(setfiles_domain)
+
+ ifdef(`distro_debian',`
+ # udev tmpfs is populated with static device nodes
+ # and then relabeled afterwards; thus
+ # /dev/console has the tmpfs type
+- fs_rw_tmpfs_chr_files(setfiles_t)
++ fs_rw_tmpfs_chr_files(setfiles_domain)
+ ')
+
+-ifdef(`distro_redhat', `
+- fs_rw_tmpfs_chr_files(setfiles_t)
+- fs_rw_tmpfs_blk_files(setfiles_t)
+- fs_relabel_tmpfs_blk_file(setfiles_t)
+- fs_relabel_tmpfs_chr_file(setfiles_t)
++ifdef(`distro_redhat',`
++ fs_rw_tmpfs_chr_files(setfiles_domain)
++ fs_rw_tmpfs_blk_files(setfiles_domain)
++ fs_relabel_tmpfs_blk_file(setfiles_domain)
++ fs_relabel_tmpfs_chr_file(setfiles_domain)
+ ')
+
+-ifdef(`distro_ubuntu',`
+- optional_policy(`
+- unconfined_domain(setfiles_t)
+- ')
++optional_policy(`
++ hotplug_use_fds(setfiles_domain)
+ ')
+
+-ifdef(`hide_broken_symptoms',`
+- optional_policy(`
+- udev_dontaudit_rw_dgram_sockets(setfiles_t)
+- ')
+-
+- # cjp: cover up stray file descriptors.
+- optional_policy(`
+- unconfined_dontaudit_read_pipes(setfiles_t)
+- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
+- ')
++optional_policy(`
++ dbus_read_pid_files(setfiles_domain)
+ ')
+
++allow policy_manager_domain self:capability { dac_override sys_nice sys_resource };
++dontaudit policy_manager_domain self:capability sys_tty_config;
++allow policy_manager_domain self:process { signal setsched };
++allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms;
++allow policy_manager_domain self:unix_dgram_socket create_socket_perms;
++allow policy_manager_domain self:fifo_file rw_fifo_file_perms;
++
++dev_read_rand(policy_manager_domain)
++dev_read_urand(policy_manager_domain)
++
++logging_send_audit_msgs(policy_manager_domain)
++
++# Domains that will manage policy
++allow policy_manager_domain policy_config_t:file rw_file_perms;
++
++allow policy_manager_domain semanage_tmp_t:dir manage_dir_perms;
++allow policy_manager_domain semanage_tmp_t:file manage_file_perms;
++files_tmp_filetrans(policy_manager_domain, semanage_tmp_t, { file dir })
++
++kernel_read_kernel_sysctls(policy_manager_domain)
++
++corecmd_exec_bin(policy_manager_domain)
++corecmd_exec_shell(policy_manager_domain)
++
++domain_use_interactive_fds(policy_manager_domain)
++
++files_read_etc_files(policy_manager_domain)
++files_read_etc_runtime_files(policy_manager_domain)
++files_read_usr_files(policy_manager_domain)
++files_list_pids(policy_manager_domain)
++fs_list_inotifyfs(policy_manager_domain)
++fs_getattr_all_fs(policy_manager_domain)
++
++selinux_validate_context(policy_manager_domain)
++selinux_read_policy(policy_manager_domain)
++
++term_use_all_inherited_terms(policy_manager_domain)
++
++locallogin_use_fds(policy_manager_domain)
++
++seutil_search_default_contexts(policy_manager_domain)
++seutil_domtrans_loadpolicy(policy_manager_domain)
++seutil_read_config(policy_manager_domain)
++seutil_use_newrole_fds(policy_manager_domain)
++seutil_manage_module_store(policy_manager_domain)
++seutil_get_semanage_trans_lock(policy_manager_domain)
++seutil_get_semanage_read_lock(policy_manager_domain)
++
++userdom_dontaudit_write_user_home_content_files(policy_manager_domain)
++userdom_use_user_ptys(policy_manager_domain)
++
++files_rw_inherited_generic_pid_files(setfiles_domain)
++files_rw_inherited_generic_pid_files(policy_manager_domain)
++files_create_boot_flag(policy_manager_domain, ".autorelabel")
++files_delete_boot_flag(policy_manager_domain)
++
+ optional_policy(`
+- hotplug_use_fds(setfiles_t)
++ policykit_dbus_chat(policy_manager_domain)
+ ')
+diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
+index bea4629..06e2834 100644
+--- a/policy/modules/system/setrans.fc
++++ b/policy/modules/system/setrans.fc
+@@ -2,4 +2,7 @@
+
+ /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
+
++/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
++
+ /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
++/var/run/mcstransd\.pid gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
+diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
+index efa9c27..536a514 100644
+--- a/policy/modules/system/setrans.if
++++ b/policy/modules/system/setrans.if
+@@ -40,3 +40,21 @@ interface(`setrans_translate_context',`
+ stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
+ files_list_pids($1)
+ ')
++#######################################
++##
++## Allow a domain to manage pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`setrans_manage_pid_files',`
++ gen_require(`
++ type setrans_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t)
++')
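Review bot: setrans_manage_pid_files grants full create/write/unlink on setrans_var_run_t files, which the setrans.fc hunk labels mls_systemhigh, so on an MLS build a caller also needs the MLS file-write privilege before this interface is usable; the summary should name the type and the caveat, e.g. `## Create, read, write, and delete setrans (mcstransd) pid files; these are labelled mls_systemhigh on MLS systems.` The new `#######` header also starts directly on the line after the closing `')` of setrans_translate_context, without the separating blank line the other new interfaces in this patch use.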
+diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
+index 1447687..d5e6fb9 100644
+--- a/policy/modules/system/setrans.te
++++ b/policy/modules/system/setrans.te
+@@ -12,6 +12,7 @@ gen_require(`
+ type setrans_t;
+ type setrans_exec_t;
+ init_daemon_domain(setrans_t, setrans_exec_t)
++mls_trusted_object(setrans_t)
+
+ type setrans_initrc_exec_t;
+ init_script_file(setrans_initrc_exec_t)
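Review bot: `mls_trusted_object(setrans_t)` is added without any comment, yet it marks a domain type as an MLS trusted object, which is what lets clients at every level reach the mcstransd socket that setrans_translate_context connects to; a one-line why belongs next to it, e.g. `# mcstransd answers context translation requests from clients at all MLS levels`. Which constraints are relaxed by the attribute is not visible in this patch, so check the mls constraints file before merging.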
+@@ -78,7 +79,6 @@ locallogin_dontaudit_use_fds(setrans_t)
+
+ logging_send_syslog_msg(setrans_t)
+
+-miscfiles_read_localization(setrans_t)
+
+ seutil_read_config(setrans_t)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 40edc18..8896a27 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -17,22 +17,25 @@ ifdef(`distro_debian',`
+ /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
+-/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+
+-/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+
+ ifdef(`distro_redhat',`
+ /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+ ')
+
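Review bot: `/etc/hosts[^/]*` now overlaps the `/etc/hosts\.deny.*` entry on the next line and additionally matches `/etc/hosts.allow`, the tcp_wrappers access list; both patterns resolve to net_conf_t so there is no labeling conflict, but the narrower hosts.deny entry becomes redundant and the broadened match silently pulls hosts.allow into net_conf_t, which deserves either a comment or an explicit entry. The `/var/run/systemd/resolve/resolv\.conf` and `/var/run/systemd/network` entries are placed under `ifdef(distro_redhat)` while the sibling `/etc/resolv\.conf.*` entry is unconditional; if the intent is systemd-resolved/networkd support, it is not Red Hat specific.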
+ #
+@@ -44,6 +47,7 @@ ifdef(`distro_redhat',`
+ /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -55,6 +59,21 @@ ifdef(`distro_redhat',`
+ #
+ # /usr
+ #
++/usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++
++/usr/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+ #
+@@ -77,3 +96,6 @@ ifdef(`distro_debian',`
+ /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+ ')
+
++/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
++/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
++
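Review bot: The `/etc/firestarter/firestarter\.sh` entry has no file-type field, unlike every other executable entry in this file (`-- gen_context(...)`), so a directory or symlink at that path would be labelled dhcpc_helper_exec_t as well; it is also appended after the /var/run block instead of the /etc section, and the hunk leaves a trailing blank line at end of file. Suggested: `/etc/firestarter/firestarter\.sh -- gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)` moved up next to the other /etc entries.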
+diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
+index 2cea692..e094fc0 100644
+--- a/policy/modules/system/sysnetwork.if
++++ b/policy/modules/system/sysnetwork.if
+@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
+ #
+ interface(`sysnet_run_dhcpc',`
+ gen_require(`
++ type dhcpc_t;
+ attribute_role dhcpc_roles;
+ ')
+
+ sysnet_domtrans_dhcpc($1)
+ roleattribute $2 dhcpc_roles;
++
++ optional_policy(`
++ networkmanager_run(dhcpc_t, $2)
++ ')
++
++ optional_policy(`
++ nis_run_ypbind(dhcpc_t, $2)
++ ')
++
++ optional_policy(`
++ nscd_run(dhcpc_t, $2)
++ ')
++
++ optional_policy(`
++ ntp_run(dhcpc_t, $2)
++ ')
++
++ seutil_run_setfiles(dhcpc_t, $2)
+ ')
+
+ ########################################
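Review bot: sysnet_run_dhcpc now also gives role $2 the run-domain rights for NetworkManager, ypbind, nscd, ntpd and setfiles through dhcpc_t, a material widening of what every caller of this interface receives, but the interface's doc block (outside this hunk) still describes only running the DHCP client; document it, e.g. `## Also allows the role to reach the NetworkManager, ypbind, nscd, ntpd and setfiles domains that dhclient-script spawns.` `seutil_run_setfiles(dhcpc_t, $2)` sits outside any optional_policy while the four sibling calls are wrapped; seutil is a system module so this compiles, but the asymmetry is worth a comment.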
+@@ -231,7 +250,7 @@ interface(`sysnet_rw_dhcp_config',`
+ ')
+
+ files_search_etc($1)
+- allow $1 dhcp_etc_t:file rw_file_perms;
++ rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
+ ')
+
+ ########################################
+@@ -269,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',`
+ type dhcpc_state_t;
+ ')
+
++ list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
+ read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+ ')
+
+@@ -290,6 +310,43 @@ interface(`sysnet_delete_dhcpc_state',`
+ delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+ ')
+
++########################################
++##
++## Allow caller to relabel dhcpc_state files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_relabelfrom_dhcpc_state',`
++
++ gen_require(`
++ type dhcpc_state_t;
++ ')
++
++ allow $1 dhcpc_state_t:file relabelfrom;
++')
++
++#######################################
++##
++## Manage the dhcp client state files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_manage_dhcpc_state',`
++ gen_require(`
++ type dhcpc_state_t;
++ ')
++
++ manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
++')
++
+ #######################################
+ ##
+ ## Set the attributes of network config files.
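Review bot: sysnet_manage_dhcpc_state grants manage on dhcpc_state_t files but nothing to reach them, whereas sysnet_setattr_dhcp_state later in this patch adds `files_search_var_lib($1)`; consider the same search call here (plus search of the dhcp_state_t directory the lease files live in, if that is where callers find them) so the interface is usable on its own. sysnet_relabelfrom_dhcpc_state also opens with a stray blank line between `interface(` and `gen_require(`, as do sysnet_relabelfrom_net_conf and sysnet_relabelto_net_conf in the next hunk; the other interfaces in this patch start gen_require on the first line.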
+@@ -311,6 +368,44 @@ interface(`sysnet_setattr_config',`
+
+ #######################################
+ ##
++## Allow caller to relabel net_conf files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_relabelfrom_net_conf',`
++
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ allow $1 net_conf_t:file relabelfrom;
++')
++
++######################################
++##
++## Allow caller to relabel net_conf files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_relabelto_net_conf',`
++
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ allow $1 net_conf_t:file relabelto;
++')
++
++#######################################
++##
+ ## Read network config files.
+ ##
+ ##
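Review bot: sysnet_relabelto_net_conf carries the same summary as sysnet_relabelfrom_net_conf (`Allow caller to relabel net_conf files`), so the two are indistinguishable in the generated interface docs; make the direction explicit, `## Allow caller to relabel files to net_conf_t` here and `## Allow caller to relabel files away from net_conf_t` for the sibling. The `######` separator above sysnet_relabelto_net_conf is also one character shorter than the others.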
+@@ -355,7 +450,10 @@ interface(`sysnet_read_config',`
+ ')
+
+ ifdef(`distro_redhat',`
++ files_search_pids($1)
++ init_search_pid_dirs($1)
+ allow $1 net_conf_t:dir list_dir_perms;
++ allow $1 net_conf_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, net_conf_t, net_conf_t)
+ ')
+ ')
+@@ -440,6 +538,40 @@ interface(`sysnet_etc_filetrans_config',`
+ files_etc_filetrans($1, net_conf_t, file, $2)
+ ')
+
++########################################
++##
++## Transition content to the type used for
++## the network config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the directory to which the object will be created.
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`sysnet_filetrans_config_fromdir',`
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ filetrans_pattern($1, $2, net_conf_t, $3, $4)
++')
++
+ #######################################
+ ##
+ ## Create, read, write, and delete network config files.
+@@ -463,12 +595,45 @@ interface(`sysnet_manage_config',`
+ ')
+
+ ifdef(`distro_redhat',`
++ files_search_pids($1)
++ init_search_pid_dirs($1)
++ allow $1 net_conf_t:dir list_dir_perms;
+ manage_files_pattern($1, net_conf_t, net_conf_t)
+ ')
+ ')
+
+ #######################################
+ ##
++## Create, read, write, and delete network config dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_manage_config_dirs',`
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ allow $1 net_conf_t:dir manage_dir_perms;
++
++ ifdef(`distro_debian',`
++ files_search_pids($1)
++ manage_dirs_pattern($1, net_conf_t, net_conf_t)
++ ')
++
++ ifdef(`distro_redhat',`
++ files_search_pids($1)
++ init_search_pid_dirs($1)
++ allow $1 net_conf_t:dir list_dir_perms;
++ manage_dirs_pattern($1, net_conf_t, net_conf_t)
++ ')
++')
++
++#######################################
++##
+ ## Read the dhcp client pid file.
+ ##
+ ##
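Review bot: In sysnet_manage_config_dirs the unconditional `allow $1 net_conf_t:dir manage_dir_perms;` already covers what the distro_debian and distro_redhat `manage_dirs_pattern($1, net_conf_t, net_conf_t)` and `allow $1 net_conf_t:dir list_dir_perms;` lines add for net_conf_t:dir (manage_dirs_pattern on a single type expands to search plus manage_dir_perms on that same type), so those lines are dead weight. Either drop the unconditional allow and keep the pattern calls, or reduce the ifdef blocks to `files_search_pids($1)` / `init_search_pid_dirs($1)`.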
+@@ -501,6 +666,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+ type dhcpc_var_run_t;
+ ')
+
++ files_rw_pid_dirs($1)
+ allow $1 dhcpc_var_run_t:file unlink;
+ ')
+
+@@ -610,6 +776,25 @@ interface(`sysnet_signull_ifconfig',`
+
+ ########################################
+ ##
++## Send a kill signal to iconfig.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`sysnet_kill_ifconfig',`
++ gen_require(`
++ type ifconfig_t;
++ ')
++
++ allow $1 ifconfig_t:process sigkill;
++')
++
++########################################
++##
+ ## Read the DHCP configuration files.
+ ##
+ ##
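Review bot: The summary of sysnet_kill_ifconfig reads `Send a kill signal to iconfig.`; it should be `## Send a kill signal to ifconfig.` Its doc block also has one `##` line more than the sibling interfaces, which looks like a leftover from copying.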
+@@ -626,6 +811,7 @@ interface(`sysnet_read_dhcp_config',`
+ files_search_etc($1)
+ allow $1 dhcp_etc_t:dir list_dir_perms;
+ read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
++ allow $1 dhcp_etc_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -647,6 +833,26 @@ interface(`sysnet_search_dhcp_state',`
+ allow $1 dhcp_state_t:dir search_dir_perms;
+ ')
+
++#######################################
++##
++## Set the attributes of network config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_setattr_dhcp_state',`
++ gen_require(`
++ type dhcp_state_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 dhcp_state_t:file setattr_file_perms;
++')
++
++
+ ########################################
+ ##
+ ## Create DHCP state data.
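Review bot: sysnet_setattr_dhcp_state is documented as `Set the attributes of network config files.`, copied from sysnet_setattr_config, although it acts on dhcp_state_t; use `## Set the attributes of the DHCP state files.` The hunk also leaves two blank lines before the next separator where the file otherwise uses one.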
+@@ -711,8 +917,6 @@ interface(`sysnet_dns_name_resolve',`
+ allow $1 self:udp_socket create_socket_perms;
+ allow $1 self:netlink_route_socket r_netlink_socket_perms;
+
+- corenet_all_recvfrom_unlabeled($1)
+- corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+@@ -720,8 +924,11 @@ interface(`sysnet_dns_name_resolve',`
+ corenet_tcp_sendrecv_dns_port($1)
+ corenet_udp_sendrecv_dns_port($1)
+ corenet_tcp_connect_dns_port($1)
++ corenet_tcp_connect_dnssec_port($1)
+ corenet_sendrecv_dns_client_packets($1)
+
++ miscfiles_read_generic_certs($1)
++
+ sysnet_read_config($1)
+
+ optional_policy(`
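Review bot: `corenet_tcp_connect_dnssec_port($1)` and `miscfiles_read_generic_certs($1)` are added to sysnet_dns_name_resolve, which nearly every networked domain calls, so each caller now gets a connect to the dnssec port and read access to the system CA certificates with no stated reason; add a why-comment, e.g. `# local validating resolvers (e.g. dnssec-trigger/unbound) answer on the dnssec port — TODO confirm`, and if only some callers need it a separate interface keeps the common resolver grant narrow. The preceding hunk drops both `corenet_all_recvfrom_unlabeled` and `corenet_all_recvfrom_netlabel` from this interface and from sysnet_use_ldap, while the sysnet_use_portmap hunk removes only the netlabel line and keeps the unlabeled one; confirm that asymmetry is intended.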
+@@ -750,8 +957,6 @@ interface(`sysnet_use_ldap',`
+
+ allow $1 self:tcp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled($1)
+- corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_ldap_port($1)
+@@ -760,9 +965,14 @@ interface(`sysnet_use_ldap',`
+
+ # Support for LDAPS
+ dev_read_rand($1)
++ # LDAP Configuration using encrypted requires
+ dev_read_urand($1)
+
+ sysnet_read_config($1)
++
++ optional_policy(`
++ ldap_read_certs($1)
++ ')
+ ')
+
+ ########################################
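Review bot: The new comment `# LDAP Configuration using encrypted requires` above `dev_read_urand($1)` is an unfinished sentence, and it separates the existing `# Support for LDAPS` comment from the rule it describes. Fold them into one line, e.g. `# Support for LDAPS: TLS setup reads /dev/random and /dev/urandom`.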
+@@ -784,7 +994,6 @@ interface(`sysnet_use_portmap',`
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+- corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+@@ -796,3 +1005,115 @@ interface(`sysnet_use_portmap',`
+
+ sysnet_read_config($1)
+ ')
++
++########################################
++##
++## Do not audit attempts to use
++## the dhcp file descriptors.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`sysnet_dontaudit_dhcpc_use_fds',`
++ gen_require(`
++ type dhcpc_t;
++ ')
++
++ dontaudit $1 dhcpc_t:fd use;
++')
++
++########################################
++##
++## Transition to system_r when execute an dhclient script
++##
++##
++##
++## Execute dhclient script in a specified role
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++##
++##
++## Role to transition from.
++##
++##
++interface(`sysnet_role_transition_dhcpc',`
++ gen_require(`
++ type dhcpc_exec_t;
++ ')
++
++ role_transition $1 dhcpc_exec_t system_r;
++')
++
++########################################
++##
++## Transition to sysnet named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_filetrans_named_content',`
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
++ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
++ files_etc_filetrans($1, net_conf_t, file, "hosts")
++ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
++ files_etc_filetrans($1, net_conf_t, file, "ethers")
++ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
++ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
++ init_pid_filetrans($1, net_conf_t, dir, "network")
++')
++
++########################################
++##
++## Transition to sysnet ifconfig named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_manage_ifconfig_run',`
++ gen_require(`
++ type ifconfig_var_run_t;
++ ')
++
++ manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++ manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++ manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++')
++
++########################################
++##
++## Transition to sysnet ifconfig named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_filetrans_named_content_ifconfig',`
++ gen_require(`
++ type ifconfig_var_run_t;
++ ')
++
++ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
++')
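Review bot: sysnet_manage_ifconfig_run carries the summary `Transition to sysnet ifconfig named content`, copied from sysnet_filetrans_named_content_ifconfig, although it grants manage on ifconfig_var_run_t files, dirs and symlinks; use `## Create, read, write, and delete ifconfig runtime (/var/run/netns) content.` sysnet_role_transition_dhcpc's doc block lacks the closing `#` line every other interface here has before `interface(`. sysnet_filetrans_named_content also transitions `hosts.deny` and `denyhosts` to net_conf_t; since those are access-control lists rather than network configuration, a comment on why they share the type would help the next reader.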
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index a392fc4..ca1b2bc 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
+ # Declarations
+ #
+
++##
++##
++## Allow dhcpc client applications to execute iptables commands
++##
++##
++gen_tunable(dhcpc_exec_iptables, false)
++
+ attribute_role dhcpc_roles;
+ roleattribute system_r dhcpc_roles;
+
+@@ -20,7 +27,9 @@ files_type(dhcp_state_t)
+ type dhcpc_t;
+ type dhcpc_exec_t;
+ init_daemon_domain(dhcpc_t, dhcpc_exec_t)
+-role dhcpc_roles types dhcpc_t;
++
++type dhcpc_helper_exec_t;
++init_script_file(dhcpc_helper_exec_t)
+
+ type dhcpc_state_t;
+ files_type(dhcpc_state_t)
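Review bot: `role dhcpc_roles types dhcpc_t;` is removed while `attribute_role dhcpc_roles` and `roleattribute system_r dhcpc_roles` stay, so nothing visible in this patch still authorizes dhcpc_t for the roles that sysnet_run_dhcpc collects via `roleattribute $2 dhcpc_roles;`; if that declaration moved elsewhere, a comment pointing at it would save a search, otherwise the role transition in sysnet_run_dhcpc is broken. `dhcpc_helper_exec_t` is declared with `init_script_file`, which as far as the visible hunks show makes the firestarter helper from the fc hunk an init-script file rather than something that runs under dhcpc_t; a one-line comment on why the helper needs init-script treatment would document that choice.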
+@@ -36,8 +45,12 @@ type ifconfig_exec_t;
+ init_system_domain(ifconfig_t, ifconfig_exec_t)
+ role system_r types ifconfig_t;
+
++type ifconfig_var_run_t;
++files_pid_file(ifconfig_var_run_t)
++files_mountpoint(ifconfig_var_run_t)
++
+ type net_conf_t alias resolv_conf_t;
+-files_type(net_conf_t)
++files_config_file(net_conf_t)
+
+ ifdef(`distro_debian',`
+ init_daemon_run_dir(net_conf_t, "network")
+@@ -48,10 +61,10 @@ ifdef(`distro_debian',`
+ # DHCP client local policy
+ #
+ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
++dontaudit dhcpc_t self:capability sys_tty_config;
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
++allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms };
+
+ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+@@ -64,8 +77,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+ exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+
+ allow dhcpc_t dhcp_state_t:file read_file_perms;
++allow dhcpc_t dhcp_state_t:file relabel_file_perms;
++
+ manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
+ filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
++allow dhcpc_t dhcpc_state_t:file relabel_file_perms;
+
+ # create pid file
+ manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
+@@ -74,6 +90,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+
+ # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
+ # in /etc created by dhcpcd will be labelled net_conf_t.
++allow dhcpc_t net_conf_t:file manage_file_perms;
++allow dhcpc_t net_conf_t:file relabel_file_perms;
+ sysnet_manage_config(dhcpc_t)
+ files_etc_filetrans(dhcpc_t, net_conf_t, file)
+
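Review bot: `allow dhcpc_t net_conf_t:file manage_file_perms;` duplicates what `sysnet_manage_config(dhcpc_t)` on the line right after already grants, so keep only the relabel rule here, or, if the raw allow was added because the interface's manage is partly inside `ifdef(distro_redhat)`, say so in a comment. For the relabel rule the rest of this patch introduces `sysnet_relabelfrom_net_conf` / `sysnet_relabelto_net_conf`; inside the owning module a raw rule is acceptable, but a short comment on which files dhclient relabels (resolv.conf presumably) would explain why a DHCP client needs relabel at all.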
+@@ -95,14 +113,13 @@ kernel_rw_net_sysctls(dhcpc_t)
+ corecmd_exec_bin(dhcpc_t)
+ corecmd_exec_shell(dhcpc_t)
+
+-corenet_all_recvfrom_unlabeled(dhcpc_t)
+ corenet_all_recvfrom_netlabel(dhcpc_t)
+-corenet_tcp_sendrecv_all_if(dhcpc_t)
+-corenet_raw_sendrecv_all_if(dhcpc_t)
+-corenet_udp_sendrecv_all_if(dhcpc_t)
+-corenet_tcp_sendrecv_all_nodes(dhcpc_t)
+-corenet_raw_sendrecv_all_nodes(dhcpc_t)
+-corenet_udp_sendrecv_all_nodes(dhcpc_t)
++corenet_tcp_sendrecv_generic_if(dhcpc_t)
++corenet_raw_sendrecv_generic_if(dhcpc_t)
++corenet_udp_sendrecv_generic_if(dhcpc_t)
++corenet_tcp_sendrecv_generic_node(dhcpc_t)
++corenet_raw_sendrecv_generic_node(dhcpc_t)
++corenet_udp_sendrecv_generic_node(dhcpc_t)
+ corenet_tcp_sendrecv_all_ports(dhcpc_t)
+ corenet_udp_sendrecv_all_ports(dhcpc_t)
+ corenet_tcp_bind_all_nodes(dhcpc_t)
+@@ -112,22 +129,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+ corenet_udp_bind_all_unreserved_ports(dhcpc_t)
+ corenet_tcp_connect_all_ports(dhcpc_t)
+ corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
++corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+ corenet_sendrecv_all_server_packets(dhcpc_t)
++corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)
+
+ dev_read_sysfs(dhcpc_t)
+ # for SSP:
+ dev_read_urand(dhcpc_t)
+
++domain_obj_id_change_exemption(dhcpc_t)
+ domain_use_interactive_fds(dhcpc_t)
+ domain_dontaudit_read_all_domains_state(dhcpc_t)
+
+-files_read_etc_files(dhcpc_t)
+ files_read_etc_runtime_files(dhcpc_t)
+-files_read_usr_files(dhcpc_t)
+ files_search_home(dhcpc_t)
+ files_search_var_lib(dhcpc_t)
+ files_dontaudit_search_locks(dhcpc_t)
+ files_getattr_generic_locks(dhcpc_t)
++files_rw_inherited_tmp_file(dhcpc_t)
++files_dontaudit_rw_inherited_locks(dhcpc_t)
+
+ fs_getattr_all_fs(dhcpc_t)
+ fs_search_auto_mountpoints(dhcpc_t)
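Review bot: `domain_obj_id_change_exemption(dhcpc_t)` exempts dhcpc_t from the object-identity constraints, i.e. it may relabel or create objects whose SELinux user or role differs from its own; that pairs with the new net_conf_t and dhcp*_state_t relabel rules above but is a notable privilege for a network client, so add a why-comment, e.g. `# dhclient rewrites resolv.conf/lease files created under other identities — TODO confirm`. Dropping `files_read_etc_files` and `files_read_usr_files` presumably relies on a base interface now granting them to every domain; that is not visible in this patch, so confirm before merging.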
+@@ -137,11 +157,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+ term_dontaudit_use_unallocated_ttys(dhcpc_t)
+ term_dontaudit_use_generic_ptys(dhcpc_t)
+
++auth_use_nsswitch(dhcpc_t)
++
+ init_rw_utmp(dhcpc_t)
++init_stream_connect(dhcpc_t)
++init_stream_send(dhcpc_t)
+
+ logging_send_syslog_msg(dhcpc_t)
+
+-miscfiles_read_localization(dhcpc_t)
++miscfiles_read_generic_certs(dhcpc_t)
+
+ modutils_run_insmod(dhcpc_t, dhcpc_roles)
+
+@@ -161,7 +185,14 @@ ifdef(`distro_ubuntu',`
+ ')
+
+ optional_policy(`
+- consoletype_run(dhcpc_t, dhcpc_roles)
++ chronyd_initrc_domtrans(dhcpc_t)
++ chronyd_systemctl(dhcpc_t)
++ chronyd_read_keys(dhcpc_t)
++')
++
++optional_policy(`
++ devicekit_dontaudit_rw_log(dhcpc_t)
++ devicekit_dontaudit_read_pid_files(dhcpc_t)
+ ')
+
+ optional_policy(`
+@@ -179,10 +210,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+-')
+-
+-optional_policy(`
+ hotplug_getattr_config_dirs(dhcpc_t)
+ hotplug_search_config(dhcpc_t)
+
+@@ -195,23 +222,36 @@ optional_policy(`
+ optional_policy(`
+ netutils_run_ping(dhcpc_t, dhcpc_roles)
+ netutils_run(dhcpc_t, dhcpc_roles)
++ netutils_domtrans_ping(dhcpc_t)
++ netutils_domtrans(dhcpc_t)
+ ',`
+ allow dhcpc_t self:capability setuid;
+ allow dhcpc_t self:rawip_socket create_socket_perms;
+ ')
+
+ optional_policy(`
++ networkmanager_domtrans(dhcpc_t)
++ networkmanager_read_pid_files(dhcpc_t)
++ networkmanager_manage_lib(dhcpc_t)
++ networkmanager_stream_connect(dhcpc_t)
++')
++
++optional_policy(`
++ nis_initrc_domtrans_ypbind(dhcpc_t)
+ nis_read_ypbind_pid(dhcpc_t)
++ nis_systemctl_ypbind(dhcpc_t)
+ ')
+
+ optional_policy(`
+ nscd_initrc_domtrans(dhcpc_t)
++ nscd_systemctl(dhcpc_t)
+ nscd_domtrans(dhcpc_t)
+ nscd_read_pid(dhcpc_t)
+ ')
+
+ optional_policy(`
+ ntp_initrc_domtrans(dhcpc_t)
++ ntp_systemctl(dhcpc_t)
+ ')
+
+ optional_policy(`
+@@ -221,7 +261,11 @@ optional_policy(`
+
+ optional_policy(`
+ seutil_sigchld_newrole(dhcpc_t)
+- seutil_dontaudit_search_config(dhcpc_t)
++ seutil_domtrans_setfiles(dhcpc_t)
++')
++optional_policy(`
++ systemd_passwd_agent_domtrans(dhcpc_t)
++ systemd_signal_passwd_agent(dhcpc_t)
+ ')
+
+ optional_policy(`
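Review bot: `seutil_domtrans_setfiles(dhcpc_t)` is added here inside optional_policy while the same patch makes sysnet_run_dhcpc call `seutil_run_setfiles(dhcpc_t, $2)` unconditionally in sysnetwork.if, so the transition is granted twice and the optional wrapper misrepresents it as optional; keep one of the two and, since setfiles_t can relabel arbitrary files, say in a comment what dhclient-script restores. There is also no blank line between this block's `')` and the following `optional_policy(` for the systemd password agent, unlike the other blocks in the file.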
+@@ -233,6 +277,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ virt_manage_pid_files(dhcpc_t)
++')
++
++optional_policy(`
+ vmware_append_log(dhcpc_t)
+ ')
+
+@@ -264,12 +312,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
+ allow ifconfig_t self:msg { send receive };
+ # Create UDP sockets, necessary when called from dhcpc
+ allow ifconfig_t self:udp_socket create_socket_perms;
++allow ifconfig_t self:appletalk_socket create_socket_perms;
+ # for /sbin/ip
+ allow ifconfig_t self:packet_socket create_socket_perms;
++allow ifconfig_t self:netlink_socket create_socket_perms;
+ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
+ allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
++allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms };
++
+ allow ifconfig_t self:tcp_socket { create ioctl };
+
++can_exec(ifconfig_t, ifconfig_exec_t)
++
++manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
++manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
++create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
++files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
++allow ifconfig_t ifconfig_var_run_t:file mounton;
++
+ kernel_use_fds(ifconfig_t)
+ kernel_read_system_state(ifconfig_t)
+ kernel_read_network_state(ifconfig_t)
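Review bot: `allow ifconfig_t ifconfig_var_run_t:file mounton;` and the `tun_socket { relabelfrom relabelto create_socket_perms }` rule are added without comments; mounton on a pid-directory file only makes sense for the network-namespace case (the fc hunk labels /var/run/netns as ifconfig_var_run_t), so say so, e.g. `# ip netns bind-mounts a namespace handle onto /var/run/netns/<name>`. `can_exec(ifconfig_t, ifconfig_exec_t)` likewise deserves a line naming which tool re-executes another ifconfig_exec_t binary.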
+@@ -279,14 +339,32 @@ kernel_rw_net_sysctls(ifconfig_t)
+
+ corenet_rw_tun_tap_dev(ifconfig_t)
+
++corecmd_exec_bin(ifconfig_t)
++corecmd_exec_shell(ifconfig_t)
++
+ dev_read_sysfs(ifconfig_t)
+ # for IPSEC setup:
+ dev_read_urand(ifconfig_t)
++# needed by tuned
++dev_rw_netcontrol(ifconfig_t)
++dev_mounton_sysfs(ifconfig_t)
++dev_mount_sysfs_fs(ifconfig_t)
++dev_unmount_sysfs_fs(ifconfig_t)
+
+ domain_use_interactive_fds(ifconfig_t)
++domain_read_all_domains_state(ifconfig_t)
++
++read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
++
++files_dontaudit_rw_inherited_pipes(ifconfig_t)
++files_dontaudit_rw_inherited_locks(ifconfig_t)
++files_dontaudit_read_root_files(ifconfig_t)
++files_rw_inherited_tmp_file(ifconfig_t)
++files_dontaudit_rw_var_files(ifconfig_t)
+
+ files_read_etc_files(ifconfig_t)
+ files_read_etc_runtime_files(ifconfig_t)
++files_read_usr_files(ifconfig_t)
+
+ fs_getattr_xattr_fs(ifconfig_t)
+ fs_search_auto_mountpoints(ifconfig_t)
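Review bot: `# needed by tuned` sits above `dev_rw_netcontrol(ifconfig_t)`, but the three sysfs mounton/mount/unmount lines and `domain_read_all_domains_state(ifconfig_t)` that follow carry no justification, and mounting sysfs plus reading every domain's /proc state are broad rights for a network configuration tool. Either extend the comment to cover exactly the lines it applies to or give each group its own, and consider moving `dev_mount_sysfs_fs`/`dev_unmount_sysfs_fs` into an optional_policy block tied to the tool that needs them.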
+@@ -299,33 +377,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+ term_dontaudit_use_ptmx(ifconfig_t)
+ term_dontaudit_use_generic_ptys(ifconfig_t)
+
+-files_dontaudit_read_root_files(ifconfig_t)
++auth_use_nsswitch(ifconfig_t)
+
+ init_use_fds(ifconfig_t)
+ init_use_script_ptys(ifconfig_t)
++init_rw_inherited_script_tmp_files(ifconfig_t)
+
+ libs_read_lib_files(ifconfig_t)
+
+ logging_send_syslog_msg(ifconfig_t)
+
+-miscfiles_read_localization(ifconfig_t)
+-
+-modutils_domtrans_insmod(ifconfig_t)
+-
+ seutil_use_runinit_fds(ifconfig_t)
+
++sysnet_dns_name_resolve(ifconfig_t)
+ sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
++sysnet_filetrans_named_content_ifconfig(ifconfig_t)
+
+-userdom_use_user_terminals(ifconfig_t)
++userdom_use_inherited_user_terminals(ifconfig_t)
+ userdom_use_all_users_fds(ifconfig_t)
+
++optional_policy(`
++ hostname_exec(ifconfig_t)
++')
++
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(ifconfig_t)
+ ')
+ ')
+
++optional_policy(`
++ brctl_domtrans(ifconfig_t)
++')
++
++optional_policy(`
++ cfengine_dontaudit_write_log(ifconfig_t)
++')
++
++optional_policy(`
++ ctdbd_read_lib_files(ifconfig_t)
++')
++
+ ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit ifconfig_t self:capability sys_module;
++
+ optional_policy(`
+ dev_dontaudit_rw_cardmgr(ifconfig_t)
+ ')
+@@ -336,7 +432,11 @@ ifdef(`hide_broken_symptoms',`
+ ')
+
+ optional_policy(`
+- devicekit_read_pid_files(ifconfig_t)
++ dnsmasq_domtrans(ifconfig_t)
++')
++
++optional_policy(`
++ devicekit_dontaudit_read_pid_files(ifconfig_t)
+ ')
+
+ optional_policy(`
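Review bot: `dnsmasq_domtrans(ifconfig_t)` takes the optional_policy slot that previously held `devicekit_read_pid_files(ifconfig_t)`, and nothing here says why an ifconfig/ip invocation should start dnsmasq. Add a comment naming the caller that reaches dnsmasq from the ifconfig_t context (presumably a network setup script — confirm), so the transition is not mistaken for a leftover.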
+@@ -350,7 +450,16 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(ifconfig_t)
++ kdump_dontaudit_read_config(ifconfig_t)
++ kdump_rw_inherited_kdumpctl_tmp_pipes(ifconfig_t)
++')
++
++optional_policy(`
++ libs_exec_ldconfig(ifconfig_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(ifconfig_t)
+ ')
+
+ optional_policy(`
+@@ -371,3 +480,13 @@ optional_policy(`
+ xen_append_log(ifconfig_t)
+ xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+ ')
++
++optional_policy(`
++ iptables_domtrans(ifconfig_t)
++')
++
++optional_policy(`
++ tunable_policy(`dhcpc_exec_iptables',`
++ iptables_domtrans(dhcpc_t)
++ ')
++')
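Review bot: `iptables_domtrans(ifconfig_t)` is granted without a tunable while `iptables_domtrans(dhcpc_t)` is gated by the new dhcpc_exec_iptables boolean; if dhcpc_t can transition to ifconfig_t (the usual sysnet_domtrans_ifconfig call is not visible in this hunk), dhclient-script still reaches iptables_t via ifconfig_t with the boolean off, so the tunable does not enforce what its description promises. Either gate the ifconfig_t transition with the same `tunable_policy(`dhcpc_exec_iptables',` block or document that the boolean only covers the direct path.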
+diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
+new file mode 100644
+index 0000000..a6664be
+--- /dev/null
++++ b/policy/modules/system/systemd.fc
+@@ -0,0 +1,50 @@
++HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
++/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
++
++/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
++/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
++
++/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
++/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
++/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++
++/usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
++/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
++/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++
++/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
++/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
++/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*reboot.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*sleep.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
++/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0)
++/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0)
++/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
++/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_localed_exec_t,s0)
++/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
++/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
++/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++
++/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
++/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
++/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
++
++/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
++/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
++/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
++/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
++/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
++/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
++/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
++/var/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
++/var/run/initramfs(/.*)? <>
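Review bot: The power_unit_file_t entries `/usr/lib/systemd/system/.*power.*`, `.*sleep.*`, `.*halt.*`, `.*reboot.*`, `.*shutdown.*`, `.*suspend.*` and `.*hibernate.*` match any regular file under that tree whose name merely contains the substring, so an unrelated unit or drop-in with such a name (a `upower`-style unit, for instance, if one is shipped) would also be labeled power_unit_file_t and become startable by every domain that is granted only systemd_start_power_services. Anchoring the names, e.g. `/usr/lib/systemd/system/(systemd-)?(halt|poweroff|reboot|suspend|hibernate|sleep|shutdown)\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)`, keeps the type on the units it is meant for; the exact set should be checked against the systemd version being packaged. Separately, the final entry's `<>` is not valid file-context syntax; it appears to be a `<<none>>` marker with the angle brackets lost in rendering and should be confirmed against the committed file.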
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+new file mode 100644
+index 0000000..d2a8fc7
+--- /dev/null
++++ b/policy/modules/system/systemd.if
+@@ -0,0 +1,1460 @@
++## SELinux policy for systemd components
++
++######################################
++##
++## Creates types and rules for a basic
++## systemd domains.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`systemd_domain_template',`
++ gen_require(`
++ attribute systemd_domain;
++ ')
++
++ type $1_t, systemd_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ kernel_read_system_state($1_t)
++')
++
++######################################
++##
++## Create a domain for processes which are started
++## exuting systemctl.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_stub_unit_file',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++')
++
++#######################################
++##
++## Create a domain for processes which are started
++## exuting systemctl.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_systemctl_domain',`
++ gen_require(`
++ type systemd_systemctl_exec_t;
++ role system_r;
++ attribute systemctl_domain;
++ ')
++
++ type $1_systemctl_t, systemctl_domain;
++ domain_type($1_systemctl_t)
++ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)
++
++ role system_r types $1_systemctl_t;
++
++ domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
++')
++
++########################################
++##
++## Execute systemctl in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_exec_systemctl',`
++ gen_require(`
++ type systemd_systemctl_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, systemd_systemctl_exec_t)
++
++ fs_list_cgroup_dirs($1)
++ fs_read_cgroup_files($1)
++ systemd_list_unit_dirs($1)
++ init_list_pid_dirs($1)
++ init_read_state($1)
++ init_stream_send($1)
++ init_stream_connect($1)
++
++ systemd_login_list_pid_dirs($1)
++ systemd_login_read_pid_files($1)
++ systemd_passwd_agent_exec($1)
++
++ dontaudit $1 self:capability net_admin;
++')
++
++#######################################
++##
++## Create a file type used for systemd unit files.
++##
++##
++##
++## Type to be used for an unit file.
++##
++##
++#
++interface(`systemd_unit_file',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ typeattribute $1 systemd_unit_file_type;
++ files_type($1)
++')
++
++######################################
++##
++## Allow domain to search systemd unit dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_search_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 systemd_unit_file_type:dir search_dir_perms;
++')
++
++######################################
++##
++## Allow domain to list systemd unit dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_list_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 systemd_unit_file_type:dir list_dir_perms;
++')
++
++######################################
++##
++## Allow domain to list systemd unit dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_create_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 systemd_unit_file_type:dir create;
++')
++
++#####################################
++##
++## Allow domain to getattr all systemd unit files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_getattr_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ files_search_var_lib($1)
++ getattr_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++#####################################
++##
++## Allow domain to getattr all systemd unit directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_getattr_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ allow $1 systemd_unit_file_type:dir getattr;
++')
++
++######################################
++##
++## Allow domain to read all systemd unit files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_read_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 systemd_unit_file_type:file read_file_perms;
++ allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms;
++ allow $1 systemd_unit_file_type:dir list_dir_perms;
++')
++
++#####################################
++##
++## Dontaudit domain to read all systemd unit files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`systemd_dontaudit_read_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ dontaudit $1 systemd_unit_file_type:file read_file_perms;
++')
++
++######################################
++##
++## Read systemd_login PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_read_pid_files',`
++ gen_require(`
++ type systemd_logind_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
++')
++
++######################################
++##
++## Read systemd_login PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_manage_pid_files',`
++ gen_require(`
++ type systemd_logind_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
++ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
++')
++
++######################################
++##
++## Read systemd_login PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_list_pid_dirs',`
++ gen_require(`
++ type systemd_logind_var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
++')
++
++######################################
++##
++## Use and and inherited systemd
++## logind file descriptors.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_use_fds_logind',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:fd use;
++')
++
++######################################
++##
++## Read logind sessions files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_read_logind_sessions_files',`
++ gen_require(`
++ type systemd_logind_sessions_t;
++ ')
++
++ init_search_pid_dirs($1)
++ allow $1 systemd_logind_sessions_t:dir list_dir_perms;
++ read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
++')
++
++######################################
++##
++## Write inherited logind sessions pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_write_inherited_logind_sessions_pipes',`
++ gen_require(`
++ type systemd_logind_sessions_t;
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:fd use;
++ allow $1 systemd_logind_sessions_t:fifo_file write;
++')
++
++######################################
++##
++## Dontaudit attempts to write inherited logind sessions pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',`
++ gen_require(`
++ type systemd_logind_sessions_t;
++ ')
++
++ dontaudit $1 systemd_logind_sessions_t:fifo_file write;
++')
++
++######################################
++##
++## Write systemd inhibit pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_write_inhibit_pipes',`
++ gen_require(`
++ type systemd_logind_inhibit_var_run_t;
++ ')
++
++ allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
++')
++
++########################################
++##
++## Send and receive messages from
++## systemd logind over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_dbus_chat_logind',`
++ gen_require(`
++ type systemd_logind_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_logind_t:dbus send_msg;
++ allow systemd_logind_t $1:dbus send_msg;
++ ps_process_pattern(systemd_logind_t, $1)
++ allow systemd_logind_t $1:process signal;
++ allow $1 systemd_logind_t:fd use;
++')
++
++#######################################
++##
++## Execute a domain transition to run systemd-tmpfiles.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_tmpfiles_domtrans',`
++ gen_require(`
++ type systemd_tmpfiles_t, systemd_tmpfiles_exec_t;
++ ')
++
++ domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
++')
++
++#######################################
++##
++## Execute a domain transition to run systemd-localed.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_localed_domtrans',`
++ gen_require(`
++ type systemd_localed_t, systemd_localed_exec_t;
++ ')
++
++ domtrans_pattern($1, systemd_localed_exec_t, systemd_localed_t)
++')
++
++########################################
++##
++## Execute a domain transition to run systemd-tty-ask-password-agent.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_passwd_agent_domtrans',`
++ gen_require(`
++ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
++ ')
++
++ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
++')
++
++#######################################
++##
++## Execute systemd-tty-ask-password-agent in the caller domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_passwd_agent_exec',`
++ gen_require(`
++ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
++ ')
++
++ can_exec($1, systemd_passwd_agent_exec_t)
++ systemd_manage_passwd_run($1)
++')
++
++########################################
++##
++## Execute a domain transition to run systemd_notify.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_notify_domtrans',`
++ gen_require(`
++ type systemd_notify_t, systemd_notify_exec_t;
++ ')
++
++ domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
++')
++
++########################################
++##
++## Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and
++## allow the specified role the systemd_passwd_agent domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the systemd_passwd_agent domain.
++##
++##
++#
++interface(`systemd_passwd_agent_run',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ ')
++
++ systemd_passwd_agent_domtrans($1)
++ role $2 types systemd_passwd_agent_t;
++')
++
++########################################
++##
++## Role access for systemd_passwd_agent
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`systemd_passwd_agent_role',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ ')
++
++ role $1 types systemd_passwd_agent_t;
++
++ systemd_passwd_agent_domtrans($2)
++
++ ps_process_pattern($2, systemd_passwd_agent_t)
++ allow $2 systemd_passwd_agent_t:process signal;
++')
++
++########################################
++##
++## Send generic signals to systemd_passwd_agent processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_signal_passwd_agent',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ ')
++
++ allow $1 systemd_passwd_agent_t:process signal;
++')
++
++######################################
++##
++## Allow to domain to read systemd-passwd pipe
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_read_fifo_file_passwd_run',`
++ gen_require(`
++ type systemd_passwd_var_run_t;
++ ')
++
++ init_search_pid_dirs($1)
++ read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++')
++
++########################################
++##
++## Relabel to user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_relabelto_fifo_file_passwd_run',`
++ gen_require(`
++ type systemd_passwd_var_run_t;
++ ')
++
++ allow $1 systemd_passwd_var_run_t:fifo_file relabelto;
++')
++
++#######################################
++##
++## Relabel systemd unit directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_relabel_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ relabel_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++#######################################
++##
++## Relabel systemd unit files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_relabel_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ relabel_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++#######################################
++##
++## Send generic signals to systemd_passwd_agent processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_passwd_run',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ type systemd_passwd_var_run_t;
++ ')
++
++ init_search_pid_dirs($1)
++ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++ manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++
++ allow systemd_passwd_agent_t $1:process signull;
++ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
++')
++
++######################################
++##
++## Template for temporary sockets and files in /dev/.systemd/ask-password
++## which are used by systemd-passwd-agent
++##
++##
++##
++## The prefix of the domain (e.g., user
++## is the prefix for user_t).
++##
++##
++#
++interface(`systemd_passwd_agent_dev_template',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ ')
++
++ type systemd_$1_device_t;
++ files_type(systemd_$1_device_t)
++ dev_associate(systemd_$1_device_t)
++
++ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
++ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
++ allow $1_t systemd_$1_device_t:file manage_file_perms;
++ allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
++
++ allow systemd_passwd_agent_t $1_t:process signull;
++ allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto;
++ allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
++ allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
++')
++
++########################################
++##
++## Allow the specified domain to connect to
++## systemd_logger with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_logger_stream_connect',`
++ gen_require(`
++ type systemd_logger_t;
++ ')
++
++ allow $1 systemd_logger_t:unix_stream_socket connectto;
++')
++
++########################################
++##
++## manage systemd unit dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++##
++## manage systemd unit link files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_unit_symlinks',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++##
++## manage all systemd unit files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_all_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++##
++## manage all systemd unit lnk_files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_all_unit_lnk_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++##
++## Allow the specified domain to start all systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_start_all_services',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ allow $1 systemd_unit_file_type:service start;
++')
++
++#######################################
++##
++## Allow the specified domain to reload all systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_reload_all_services',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ allow $1 systemd_unit_file_type:service reload;
++')
++
++########################################
++##
++## Allow the specified domain to modify the systemd configuration of
++## all systemd services
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_config_all_services',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ allow $1 systemd_unit_file_type:service all_service_perms;
++ init_config_all_script_files($1)
++')
++
++########################################
++##
++## Allow the specified domain to start systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_start_systemd_services',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ allow $1 systemd_unit_file_t:service start;
++')
++
++#######################################
++##
++## Allow the specified domain to reload all systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_reload_systemd_services',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ allow $1 systemd_unit_file_t:service reload;
++')
++
++########################################
++##
++## Allow the specified domain to modify the systemd configuration of
++## all systemd services
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_config_systemd_services',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ allow $1 systemd_unit_file_t:service all_service_perms;
++ init_config_all_script_files($1)
++')
++
++########################################
++##
++## manage all systemd random seed file
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_random_seed',`
++ gen_require(`
++ type random_seed_t;
++ ')
++
++ allow $1 random_seed_t:file manage_file_perms;
++ files_var_lib_filetrans($1, random_seed_t, file, "random_seed")
++')
++
++########################################
++##
++## Allow process to read hostname config file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`systemd_hostnamed_read_config',`
++ gen_require(`
++ type hostname_etc_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 hostname_etc_t:file read_file_perms;
++')
++
++########################################
++##
++## Allow process to manage hostname config file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`systemd_hostnamed_manage_config',`
++ gen_require(`
++ type hostname_etc_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 hostname_etc_t:file manage_file_perms;
++ files_etc_filetrans($1, hostname_etc_t, file, "hostname")
++')
++
++#######################################
++##
++## Create objects in /run/systemd/generator directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`systemd_unit_file_filetrans',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ files_search_pids($1)
++ filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4)
++')
++
++#######################################
++##
++## Create a directory in the /usr/lib/systemd/system directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_create_unit_file_dirs',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ create_dirs_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
++')
++
++#######################################
++##
++## Create a link in the /usr/lib/systemd/system directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_create_unit_file_lnk',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ create_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
++')
++
++########################################
++##
++## Transition to systemd named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_filetrans_named_content',`
++ gen_require(`
++ type systemd_passwd_var_run_t;
++ type systemd_logind_var_run_t;
++ type hostname_etc_t;
++ type systemd_home_t;
++ ')
++
++ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
++ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
++ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
++ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
++ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
++')
++
++########################################
++##
++## read systemd homedir content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_read_home_content',`
++ gen_require(`
++ type systemd_home_t;
++ ')
++
++ optional_policy(`
++ gnome_search_gconf_data_dir($1)
++ ')
++ read_files_pattern($1, systemd_home_t, systemd_home_t)
++ read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
++')
++
++########################################
++##
++## Manage systemd homedir content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_home_content',`
++ gen_require(`
++ type systemd_home_t;
++ ')
++
++ optional_policy(`
++ gnome_search_gconf_data_dir($1)
++ ')
++ manage_dirs_pattern($1, systemd_home_t, systemd_home_t)
++ manage_files_pattern($1, systemd_home_t, systemd_home_t)
++ manage_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
++
++ systemd_filetrans_home_content($1)
++')
++
++########################################
++##
++## Transition to systemd named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_filetrans_home_content',`
++ gen_require(`
++ type systemd_home_t;
++ ')
++
++ optional_policy(`
++ gnome_data_filetrans($1, systemd_home_t, dir, "systemd")
++ ')
++')
++
++########################################
++##
++## Transition to systemd named content for /etc/hostname
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_filetrans_named_hostname',`
++ gen_require(`
++ type hostname_etc_t;
++ ')
++
++ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
++ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
++')
++
++########################################
++##
++## Get the system status information from systemd_login
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_status',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system status;
++')
++
++########################################
++##
++## Send systemd_login a null signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_signull',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:process signull;
++')
++
++########################################
++##
++## Tell systemd_login to reboot the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_reboot',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system reboot;
++')
++
++########################################
++##
++## Tell systemd_login to halt the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_halt',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system halt;
++')
++
++########################################
++##
++## Tell systemd_login to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_undefined',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system undefined;
++')
++
++########################################
++##
++## Configure generic unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_config_generic_services',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 systemd_unit_file_t:file read_file_perms;
++ allow $1 systemd_unit_file_t:service manage_service_perms;
++')
++
++########################################
++##
++## Configure power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_config_power_services',`
++ gen_require(`
++ type power_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 power_unit_file_t:file read_file_perms;
++ allow $1 power_unit_file_t:service manage_service_perms;
++')
++
++########################################
++##
++## Start power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_start_power_services',`
++ gen_require(`
++ type power_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 power_unit_file_t:service start;
++')
++
++########################################
++##
++## Status power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_status_power_services',`
++ gen_require(`
++ type power_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 power_unit_file_t:service status;
++')
++
++#######################################
++##
++## Start power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_start_all_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 systemd_unit_file_type:service start;
++')
++
++#######################################
++##
++## Start power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_status_all_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 systemd_unit_file_type:service status;
++')
++
++########################################
++##
++## Send and receive messages from
++## systemd timedated over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_dbus_chat_timedated',`
++ gen_require(`
++ type systemd_timedated_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_timedated_t:dbus send_msg;
++ allow systemd_timedated_t $1:dbus send_msg;
++ ps_process_pattern(systemd_timedated_t, $1)
++')
++
++########################################
++##
++## Send and receive messages from
++## systemd hostnamed over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_dbus_chat_hostnamed',`
++ gen_require(`
++ type systemd_hostnamed_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_hostnamed_t:dbus send_msg;
++ allow systemd_hostnamed_t $1:dbus send_msg;
++ ps_process_pattern(systemd_hostnamed_t, $1)
++')
++
++########################################
++##
++## Send and receive messages from
++## systemd localed over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_dbus_chat_localed',`
++ gen_require(`
++ type systemd_localed_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_localed_t:dbus send_msg;
++ allow systemd_localed_t $1:dbus send_msg;
++ ps_process_pattern(systemd_localed_t, $1)
++')
++
++########################################
++##
++## Dontaudit attempts to send dbus domains chat messages
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`systemd_dontaudit_dbus_chat',`
++ gen_require(`
++ attribute systemd_domain;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 systemd_domain:dbus send_msg;
++')
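Review bot: In `systemd_manage_random_seed` the named transition `files_var_lib_filetrans($1, random_seed_t, file, "random_seed")` uses an underscore, while systemd.fc in this same patch labels `/var/lib/random-seed` with a hyphen; a seed file created under the real name will not match this rule and, absent another transition, will take the parent directory's label rather than random_seed_t (mls_systemhigh, declared a security file) until something relabels it. The line should read `files_var_lib_filetrans($1, random_seed_t, file, "random-seed")`. Also, `systemd_read_fifo_file_passwd_run` is named and documented as reading a pipe but its only rule is `read_sock_files_pattern(...)`, so callers get sock_file read instead of the fifo_file access the name promises; either rename it or add `read_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)`. Several interface headers are copy-paste leftovers that misstate what is granted (`systemd_manage_passwd_run` says "Send generic signals", `systemd_relabelto_fifo_file_passwd_run` says "Relabel to user home directories", `systemd_create_unit_dirs` and `systemd_login_manage_pid_files` say "list"/"Read", `systemd_start_all_unit_files` and `systemd_status_all_unit_files` say "Start power unit files domain") and should describe the actual rules, since these comments are what policy authors read before calling the interface.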
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+new file mode 100644
+index 0000000..db531dc
+--- /dev/null
++++ b/policy/modules/system/systemd.te
+@@ -0,0 +1,707 @@
++policy_module(systemd, 1.0.0)
++
++#######################################
++#
++# Declarations
++#
++
++attribute systemd_unit_file_type;
++attribute systemd_domain;
++attribute systemctl_domain;
++
++systemd_domain_template(systemd_logger)
++systemd_domain_template(systemd_logind)
++
++# /run/systemd/sessions
++type systemd_logind_sessions_t;
++files_pid_file(systemd_logind_sessions_t)
++
++type systemd_logind_var_lib_t;
++files_type(systemd_logind_var_lib_t)
++
++# /run/systemd/{seats, users}
++type systemd_logind_var_run_t;
++files_pid_file(systemd_logind_var_run_t)
++
++type systemd_logind_inhibit_var_run_t;
++files_pid_file(systemd_logind_inhibit_var_run_t)
++
++type systemd_home_t;
++userdom_user_home_content(systemd_home_t)
++
++type random_seed_t;
++files_security_file(random_seed_t)
++files_mountpoint(random_seed_t)
++
++systemd_domain_template(systemd_networkd)
++
++type systemd_networkd_unit_file_t;
++systemd_unit_file(systemd_networkd_unit_file_t)
++
++type systemd_networkd_var_run_t;
++files_pid_file(systemd_networkd_var_run_t)
++
++# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
++# systemd components
++
++systemd_domain_template(systemd_passwd_agent)
++
++type systemd_passwd_var_run_t alias systemd_device_t;
++files_pid_file(systemd_passwd_var_run_t)
++
++# domain for systemd-tmpfiles component
++systemd_domain_template(systemd_tmpfiles)
++systemd_domain_template(systemd_notify)
++
++# type for systemd unit files
++type systemd_unit_file_t;
++systemd_unit_file(systemd_unit_file_t)
++
++type systemd_runtime_unit_file_t;
++systemd_unit_file(systemd_runtime_unit_file_t)
++
++type power_unit_file_t;
++systemd_unit_file(power_unit_file_t)
++
++type systemd_vconsole_unit_file_t;
++systemd_unit_file(systemd_vconsole_unit_file_t)
++
++# executable for systemctl
++type systemd_systemctl_exec_t;
++corecmd_executable_file(systemd_systemctl_exec_t)
++
++systemd_domain_template(systemd_localed)
++systemd_domain_template(systemd_hostnamed)
++
++type hostname_etc_t;
++files_config_file(hostname_etc_t)
++
++systemd_domain_template(systemd_timedated)
++typeattribute systemd_timedated_t systemd_domain;
++typealias systemd_timedated_t alias gnomeclock_t;
++
++systemd_domain_template(systemd_sysctl)
++
++#######################################
++#
++# Systemd_logind local policy
++#
++
++# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
++allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config sys_admin };
++allow systemd_logind_t self:capability2 block_suspend;
++allow systemd_logind_t self:process getcap;
++allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
++
++mls_file_read_all_levels(systemd_logind_t)
++mls_file_write_all_levels(systemd_logind_t)
++
++files_delete_tmpfs_files(systemd_logind_t)
++
++fs_mount_tmpfs(systemd_logind_t)
++fs_unmount_tmpfs(systemd_logind_t)
++fs_list_tmpfs(systemd_logind_t)
++fs_manage_fusefs_dirs(systemd_logind_t)
++fs_manage_fusefs_files(systemd_logind_t)
++
++manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
++manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
++init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
++
++manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
++manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
++manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
++init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
++init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
++files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file, "nologin")
++
++manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++
++dev_getattr_all_chr_files(systemd_logind_t)
++dev_getattr_all_blk_files(systemd_logind_t)
++dev_rw_sysfs(systemd_logind_t)
++dev_rw_input_dev(systemd_logind_t)
++dev_rw_dri(systemd_logind_t)
++dev_setattr_all_chr_files(systemd_logind_t)
++dev_setattr_dri_dev(systemd_logind_t)
++dev_setattr_generic_usb_dev(systemd_logind_t)
++dev_setattr_input_dev(systemd_logind_t)
++dev_setattr_kvm_dev(systemd_logind_t)
++dev_setattr_mouse_dev(systemd_logind_t)
++dev_setattr_sound_dev(systemd_logind_t)
++dev_setattr_video_dev(systemd_logind_t)
++dev_write_kmsg(systemd_logind_t)
++
++domain_read_all_domains_state(systemd_logind_t)
++domain_signal_all_domains(systemd_logind_t)
++domain_signull_all_domains(systemd_logind_t)
++domain_kill_all_domains(systemd_logind_t)
++domain_destroy_all_semaphores(systemd_logind_t)
++
++# /etc/udev/udev.conf should probably have a private type if only for confined administration
++# /etc/nsswitch.conf
++
++# /sys/fs/cgroup/systemd/user
++fs_manage_cgroup_dirs(systemd_logind_t)
++# write getattr open setattr
++fs_manage_cgroup_files(systemd_logind_t)
++fs_getattr_tmpfs(systemd_logind_t)
++fs_read_tmpfs_symlinks(systemd_logind_t)
++fs_mount_tmpfs(systemd_logind_t)
++userdom_mounton_tmp_dirs(systemd_logind_t)
++
++storage_setattr_removable_dev(systemd_logind_t)
++storage_setattr_scsi_generic_dev(systemd_logind_t)
++
++term_use_unallocated_ttys(systemd_logind_t)
++
++init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
++
++init_status(systemd_logind_t)
++init_signal(systemd_logind_t)
++init_reboot(systemd_logind_t)
++init_halt(systemd_logind_t)
++init_undefined(systemd_logind_t)
++init_signal_script(systemd_logind_t)
++
++getty_systemctl(systemd_logind_t)
++
++systemd_config_generic_services(systemd_logind_t)
++
++# /run/user/.*
++# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
++auth_manage_var_auth(systemd_logind_t)
++auth_use_nsswitch(systemd_logind_t)
++
++authlogin_read_state(systemd_logind_t)
++
++init_dbus_chat(systemd_logind_t)
++init_dbus_chat_script(systemd_logind_t)
++init_read_script_state(systemd_logind_t)
++init_rw_stream_sockets(systemd_logind_t)
++
++logging_send_syslog_msg(systemd_logind_t)
++
++udev_read_db(systemd_logind_t)
++udev_manage_rules_files(systemd_logind_t)
++
++userdom_read_all_users_state(systemd_logind_t)
++userdom_use_user_ttys(systemd_logind_t)
++userdom_manage_tmp_role(system_r, systemd_logind_t)
++userdom_manage_tmpfs_role(system_r, systemd_logind_t)
++
++xserver_dbus_chat(systemd_logind_t)
++
++optional_policy(`
++ apache_read_tmp_files(systemd_logind_t)
++')
++
++optional_policy(`
++ cron_dbus_chat_crond(systemd_logind_t)
++ cron_read_state_crond(systemd_logind_t)
++')
++
++optional_policy(`
++ dbus_connect_system_bus(systemd_logind_t)
++ dbus_system_bus_client(systemd_logind_t)
++')
++
++optional_policy(`
++ devicekit_dbus_chat_power(systemd_logind_t)
++ devicekit_dbus_chat_disk(systemd_logind_t)
++')
++
++optional_policy(`
++ # we label /run/user/$USER/dconf as config_home_t
++ gnome_manage_home_config_dirs(systemd_logind_t)
++ gnome_manage_home_config(systemd_logind_t)
++ gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t)
++ gnome_manage_gstreamer_home_dirs(systemd_logind_t)
++')
++
++optional_policy(`
++ rpm_dbus_chat(systemd_logind_t)
++')
++
++optional_policy(`
++ # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
++ xserver_search_xdm_tmp_dirs(systemd_logind_t)
++')
++
++#######################################
++#
++# systemd-networkd local policy
++#
++
++allow systemd_networkd_t self:capability { net_admin net_raw setuid fowner chown setgid setpcap };
++allow systemd_networkd_t self:process { getcap setcap };
++
++allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
++allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
++allow systemd_networkd_t self:packet_socket create_socket_perms;
++allow systemd_networkd_t self:udp_socket create_socket_perms;
++
++manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
++manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
++manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
++
++kernel_dgram_send(systemd_networkd_t)
++
++dev_read_sysfs(systemd_networkd_t)
++
++auth_read_passwd(systemd_networkd_t)
++
++sysnet_filetrans_named_content(systemd_networkd_t)
++sysnet_manage_config(systemd_networkd_t)
++sysnet_manage_config_dirs(systemd_networkd_t)
++
++init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif")
++
++optional_policy(`
++ dbus_system_bus_client(systemd_networkd_t)
++ dbus_connect_system_bus(systemd_networkd_t)
++')
++
++optional_policy(`
++ udev_read_db(systemd_networkd_t)
++')
++
++#######################################
++#
++# Local policy
++#
++
++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
++allow systemd_passwd_agent_t self:process { setsockcreate };
++allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
++
++domain_read_all_domains_state(systemd_passwd_agent_t)
++
++kernel_stream_connect(systemd_passwd_agent_t)
++
++dev_create_generic_dirs(systemd_passwd_agent_t)
++dev_read_generic_files(systemd_passwd_agent_t)
++dev_write_generic_sock_files(systemd_passwd_agent_t)
++dev_write_kmsg(systemd_passwd_agent_t)
++
++term_read_console(systemd_passwd_agent_t)
++
++auth_use_nsswitch(systemd_passwd_agent_t)
++
++init_create_pid_dirs(systemd_passwd_agent_t)
++init_rw_pipes(systemd_passwd_agent_t)
++init_read_utmp(systemd_passwd_agent_t)
++init_stream_connect(systemd_passwd_agent_t)
++
++logging_send_syslog_msg(systemd_passwd_agent_t)
++
++userdom_use_user_ptys(systemd_passwd_agent_t)
++userdom_use_user_ttys(systemd_passwd_agent_t)
++
++optional_policy(`
++ lvm_signull(systemd_passwd_agent_t)
++')
++
++optional_policy(`
++ plymouthd_stream_connect(systemd_passwd_agent_t)
++')
++
++#######################################
++#
++# Local policy
++#
++
++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
++allow systemd_tmpfiles_t self:process { setfscreate };
++
++allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
++
++kernel_read_network_state(systemd_tmpfiles_t)
++kernel_request_load_module(systemd_tmpfiles_t)
++kernel_relabelto_usermodehelper(systemd_tmpfiles_t)
++
++dev_write_kmsg(systemd_tmpfiles_t)
++dev_rw_sysfs(systemd_tmpfiles_t)
++dev_relabel_all_sysfs(systemd_tmpfiles_t)
++dev_relabel_cpu_online(systemd_tmpfiles_t)
++dev_read_cpu_online(systemd_tmpfiles_t)
++dev_manage_all_dev_nodes(systemd_tmpfiles_t)
++dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
++
++domain_obj_id_change_exemption(systemd_tmpfiles_t)
++
++# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
++fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
++fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
++fs_list_all(systemd_tmpfiles_t)
++
++files_manage_non_auth_files(systemd_tmpfiles_t)
++files_relabel_non_auth_files(systemd_tmpfiles_t)
++files_list_lost_found(systemd_tmpfiles_t)
++
++mls_file_read_all_levels(systemd_tmpfiles_t)
++mls_file_write_all_levels(systemd_tmpfiles_t)
++mls_file_upgrade(systemd_tmpfiles_t)
++
++selinux_get_enforce_mode(systemd_tmpfiles_t)
++selinux_setcheckreqprot(systemd_tmpfiles_t)
++
++auth_manage_faillog(systemd_tmpfiles_t)
++auth_relabel_faillog(systemd_tmpfiles_t)
++auth_manage_var_auth(systemd_tmpfiles_t)
++auth_manage_login_records(systemd_tmpfiles_t)
++auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
++auth_relabel_login_records(systemd_tmpfiles_t)
++auth_setattr_login_records(systemd_tmpfiles_t)
++auth_use_nsswitch(systemd_tmpfiles_t)
++
++init_dgram_send(systemd_tmpfiles_t)
++init_rw_stream_sockets(systemd_tmpfiles_t)
++
++logging_create_devlog_dev(systemd_tmpfiles_t)
++logging_send_syslog_msg(systemd_tmpfiles_t)
++logging_setattr_all_log_dirs(systemd_tmpfiles_t)
++logging_relabel_all_log_dirs(systemd_tmpfiles_t)
++
++miscfiles_filetrans_named_content(systemd_tmpfiles_t)
++miscfiles_manage_man_pages(systemd_tmpfiles_t)
++miscfiles_relabel_man_pages(systemd_tmpfiles_t)
++miscfiles_delete_man_pages(systemd_tmpfiles_t)
++
++ifdef(`distro_redhat',`
++ userdom_list_user_home_content(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
++ userdom_delete_admin_home_files(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ apache_delete_sys_content_rw(systemd_tmpfiles_t)
++ apache_list_cache(systemd_tmpfiles_t)
++ apache_delete_cache_dirs(systemd_tmpfiles_t)
++ apache_delete_cache_files(systemd_tmpfiles_t)
++ apache_setattr_cache_dirs(systemd_tmpfiles_t)
++')
++
++
++optional_policy(`
++ auth_rw_login_records(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ # we have /run/user/$USER/dconf
++ gnome_delete_home_config(systemd_tmpfiles_t)
++ gnome_delete_home_config_dirs(systemd_tmpfiles_t)
++ gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ lpd_manage_spool(systemd_tmpfiles_t)
++ lpd_relabel_spool(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ rpm_read_db(systemd_tmpfiles_t)
++ rpm_delete_db(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ sandbox_list(systemd_tmpfiles_t)
++ sandbox_delete_dirs(systemd_tmpfiles_t)
++ sandbox_delete_files(systemd_tmpfiles_t)
++ sandbox_delete_lnk_files(systemd_tmpfiles_t)
++ sandbox_delete_pipes(systemd_tmpfiles_t)
++ sandbox_delete_sock_files(systemd_tmpfiles_t)
++ sandbox_setattr_dirs(systemd_tmpfiles_t)
++')
++
++########################################
++#
++# systemd_notify local policy
++#
++allow systemd_notify_t self:capability chown;
++allow systemd_notify_t self:process { fork setfscreate setsockcreate };
++
++allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
++allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_notify_t self:unix_dgram_socket create_socket_perms;
++
++domain_use_interactive_fds(systemd_notify_t)
++
++fs_getattr_cgroup_files(systemd_notify_t)
++
++auth_use_nsswitch(systemd_notify_t)
++
++init_rw_stream_sockets(systemd_notify_t)
++
++optional_policy(`
++ rhcs_read_log_cluster(systemd_notify_t)
++')
++
++optional_policy(`
++ readahead_manage_pid_files(systemd_notify_t)
++')
++
++########################################
++#
++# systemd_logger local policy
++#
++
++allow systemd_logger_t self:capability { sys_admin chown kill };
++allow systemd_logger_t self:process { fork setfscreate setsockcreate };
++
++allow systemd_logger_t self:fifo_file rw_fifo_file_perms;
++allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_use_fds(systemd_logger_t)
++
++dev_write_kmsg(systemd_logger_t)
++
++domain_use_interactive_fds(systemd_logger_t)
++
++# only needs write
++term_use_generic_ptys(systemd_logger_t)
++
++auth_use_nsswitch(systemd_logger_t)
++
++# /run/systemd/notify
++init_write_pid_socket(systemd_logger_t)
++
++logging_send_syslog_msg(systemd_logger_t)
++
++########################################
++#
++# systemd_sysctl domains local policy
++#
++
++allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
++
++fs_list_cgroup_dirs(systemctl_domain)
++fs_read_cgroup_files(systemctl_domain)
++
++# needed by systemctl
++init_dgram_send(systemctl_domain)
++init_stream_connect(systemctl_domain)
++init_read_state(systemctl_domain)
++init_list_pid_dirs(systemctl_domain)
++init_use_fds(systemctl_domain)
++
++#######################################
++#
++# Localed policy
++#
++allow systemd_localed_t self:process setfscreate;
++allow systemd_localed_t self:fifo_file rw_fifo_file_perms;
++allow systemd_localed_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_localed_t self:unix_dgram_socket create_socket_perms;
++
++dev_write_kmsg(systemd_localed_t)
++
++init_dbus_chat(systemd_localed_t)
++init_reload_services(systemd_localed_t)
++
++logging_stream_connect_syslog(systemd_localed_t)
++logging_send_syslog_msg(systemd_localed_t)
++
++allow systemd_localed_t systemd_vconsole_unit_file_t:service start;
++
++miscfiles_manage_localization(systemd_localed_t)
++miscfiles_etc_filetrans_localization(systemd_localed_t)
++
++userdom_dbus_send_all_users(systemd_localed_t)
++
++xserver_manage_config(systemd_localed_t)
++
++optional_policy(`
++ dbus_connect_system_bus(systemd_localed_t)
++ dbus_system_bus_client(systemd_localed_t)
++')
++
++#######################################
++#
++# Hostnamed policy
++#
++allow systemd_hostnamed_t self:capability sys_admin;
++dontaudit systemd_hostnamed_t self:capability sys_ptrace;
++
++allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
++allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
++
++manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
++manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
++files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" )
++files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" )
++
++kernel_dgram_send(systemd_hostnamed_t)
++kernel_read_xen_state(systemd_hostnamed_t)
++
++dev_write_kmsg(systemd_hostnamed_t)
++dev_read_sysfs(systemd_hostnamed_t)
++
++init_status(systemd_hostnamed_t)
++init_stream_connect(systemd_hostnamed_t)
++
++logging_send_syslog_msg(systemd_hostnamed_t)
++
++userdom_read_all_users_state(systemd_hostnamed_t)
++userdom_dbus_send_all_users(systemd_hostnamed_t)
++
++optional_policy(`
++ dbus_system_bus_client(systemd_hostnamed_t)
++ dbus_connect_system_bus(systemd_hostnamed_t)
++')
++
++#######################################
++#
++# Timedated policy
++#
++allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
++allow systemd_timedated_t self:process { getattr getsched setfscreate };
++allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
++allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
++
++corecmd_exec_bin(systemd_timedated_t)
++corecmd_exec_shell(systemd_timedated_t)
++corecmd_dontaudit_access_check_bin(systemd_timedated_t)
++
++corenet_tcp_connect_time_port(systemd_timedated_t)
++
++dev_rw_realtime_clock(systemd_timedated_t)
++dev_write_kmsg(systemd_timedated_t)
++dev_read_sysfs(systemd_timedated_t)
++
++fs_getattr_xattr_fs(systemd_timedated_t)
++
++auth_use_nsswitch(systemd_timedated_t)
++
++init_dbus_chat(systemd_timedated_t)
++init_status(systemd_timedated_t)
++
++logging_send_syslog_msg(systemd_timedated_t)
++
++miscfiles_manage_localization(systemd_timedated_t)
++miscfiles_etc_filetrans_localization(systemd_timedated_t)
++
++userdom_read_all_users_state(systemd_timedated_t)
++
++optional_policy(`
++ chronyd_systemctl(systemd_timedated_t)
++')
++
++optional_policy(`
++ clock_manage_adjtime(systemd_timedated_t)
++ clock_filetrans_named_content(systemd_timedated_t)
++ clock_domtrans(systemd_timedated_t)
++')
++
++optional_policy(`
++ consolekit_dbus_chat(systemd_timedated_t)
++')
++
++optional_policy(`
++ consoletype_exec(systemd_timedated_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(systemd_timedated_t)
++ dbus_connect_system_bus(systemd_timedated_t)
++')
++
++optional_policy(`
++ gnome_manage_usr_config(systemd_timedated_t)
++ gnome_manage_home_config(systemd_timedated_t)
++ gnome_manage_home_config_dirs(systemd_timedated_t)
++')
++
++optional_policy(`
++ ntp_domtrans_ntpdate(systemd_timedated_t)
++ ntp_initrc_domtrans(systemd_timedated_t)
++ init_dontaudit_getattr_all_script_files(systemd_timedated_t)
++ init_dontaudit_getattr_exec(systemd_timedated_t)
++ ntp_systemctl(systemd_timedated_t)
++')
++
++optional_policy(`
++ policykit_domtrans_auth(systemd_timedated_t)
++ policykit_read_lib(systemd_timedated_t)
++ policykit_read_reload(systemd_timedated_t)
++')
++
++optional_policy(`
++ xserver_manage_config(systemd_timedated_t)
++ xserver_read_state_xdm(systemd_timedated_t)
++')
++
++########################################
++#
++# systemd_sysctl domains local policy
++#
++allow systemd_sysctl_t self:capability { net_admin sys_admin sys_rawio };
++allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
++kernel_dgram_send(systemd_sysctl_t)
++kernel_request_load_module(systemd_sysctl_t)
++kernel_rw_all_sysctls(systemd_sysctl_t)
++kernel_write_security_state(systemd_sysctl_t)
++
++files_read_system_conf_files(systemd_sysctl_t)
++
++dev_write_kmsg(systemd_sysctl_t)
++
++domain_use_interactive_fds(systemd_sysctl_t)
++
++init_stream_connect(systemd_sysctl_t)
++
++logging_send_syslog_msg(systemd_sysctl_t)
++
++########################################
++#
++# Common rules for systemd domains
++#
++allow systemd_domain self:process { setfscreate signal_perms };
++dontaudit systemd_domain self:capability net_admin;
++
++dev_read_urand(systemd_domain)
++
++fs_search_all(systemd_domain)
++
++files_read_etc_files(systemd_domain)
++files_read_etc_runtime_files(systemd_domain)
++files_read_usr_files(systemd_domain)
++
++init_search_pid_dirs(systemd_domain)
++init_start_transient_unit(systemd_domain)
++init_stop_transient_unit(systemd_domain)
++init_status_transient_unit(systemd_domain)
++init_reload_transient_unit(systemd_domain)
++init_read_state(systemd_domain)
++
++logging_stream_connect_syslog(systemd_domain)
++
++seutil_read_config(systemd_domain)
++seutil_read_file_contexts(systemd_domain)
++
++optional_policy(`
++ lvm_read_state(systemd_domain)
++')
++
++optional_policy(`
++ policykit_dbus_chat(systemd_domain)
++')
++
++read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
++read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
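Review bot: The filetrans rule in the systemd-networkd section, `init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif")`, names systemd_logind_t as the subject, so the domain that actually creates /run/systemd/netif gets no transition while logind gains a rule with no visible use in this file; it should read `init_named_pid_filetrans(systemd_networkd_t, systemd_networkd_var_run_t, dir, "netif")`. The header above the systemctl_domain rules reads `# systemd_sysctl domains local policy`, duplicating the header later used for systemd_sysctl_t, and should name systemctl_domain; the two bare `# Local policy` headers for systemd_passwd_agent_t and systemd_tmpfiles_t would also benefit from naming their domain. The four `manage_*_pattern` calls on systemd_passwd_var_run_t carry a trailing `;` that no other macro call in the file has, and `fs_mount_tmpfs(systemd_logind_t)` appears twice in the logind section. Given how broad `files_manage_non_auth_files(systemd_tmpfiles_t)` and `files_relabel_non_auth_files(systemd_tmpfiles_t)` are, a one-line comment stating which tmpfiles.d entries require them would help keep that grant from being copied to other domains later.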
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index f41857e..49fd32e 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -1,6 +1,8 @@
+-/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
+-/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
+-/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
++/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
++
++/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
++/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
++/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
+
+ /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+@@ -10,6 +12,7 @@
+ /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+ /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
++/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+ ifdef(`distro_debian',`
+ /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
+@@ -27,11 +30,23 @@ ifdef(`distro_redhat',`
+ ')
+
+ /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
+-
+-/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+-
+-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+-/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
++
++/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
++
++/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
++
++/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+
+ ifdef(`distro_debian',`
+ /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
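Review bot: `/var/run/libgpod(/.*)?` is labelled udev_var_run_t although libgpod is not part of udev, so every domain granted udev_var_run_t access through udev_rw_db or udev_manage_pid_files also reaches that directory. If the label is needed because udev helpers write there, a comment on the line saying so would keep the entry from being removed as a stray; otherwise a libgpod-specific type or the generic pid label would be narrower. The neighbouring `/var/run/PackageKit/udev(/.*)?` and `/var/run/udev(/.*)?` entries are unchanged, so only the libgpod line is new here.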
+diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
+index 9a1650d..d7e8a01 100644
+--- a/policy/modules/system/udev.if
++++ b/policy/modules/system/udev.if
+@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
+ ')
+
+ domtrans_pattern($1, udev_exec_t, udev_t)
++ allow $1 udev_t:process noatsecure;
+ ')
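Review bot: `allow $1 udev_t:process noatsecure;` is added unconditionally to udev_domtrans, so every caller of this interface, including the new udev_run interface that hands the transition to an arbitrary role, has the AT_SECURE environment cleansing of the new udev_t process disabled. Since udev_t carries sys_admin and, per the udev.te hunk in this patch, compromise_kernel, letting the caller's environment survive the transition deserves a justifying comment, e.g. `# noatsecure: <which caller needs its environment preserved> — TODO confirm`, or moving the rule to a narrower interface used only by that caller. The udev_domtrans interface and its gen_require block start before this hunk.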
+
+ ########################################
+@@ -88,8 +89,7 @@ interface(`udev_read_state',`
+ ')
+
+ kernel_search_proc($1)
+- allow $1 udev_t:file read_file_perms;
+- allow $1 udev_t:lnk_file read_lnk_file_perms;
++ ps_process_pattern($1, udev_t)
+ ')
+
+ ########################################
+@@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
+ #
+ interface(`udev_dontaudit_search_db',`
+ gen_require(`
+- type udev_tbl_t;
++ type udev_var_run_t;
+ ')
+
+- dontaudit $1 udev_tbl_t:dir search_dir_perms;
++ dontaudit $1 udev_var_run_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -187,25 +187,70 @@ interface(`udev_dontaudit_search_db',`
+ ##
+ #
+ interface(`udev_read_db',`
++ udev_read_pid_files($1)
++')
++
++########################################
++##
++## Allow process to modify list of devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`udev_rw_db',`
+ gen_require(`
+- type udev_tbl_t;
++ type udev_var_run_t;
+ ')
+
+- allow $1 udev_tbl_t:dir list_dir_perms;
++ files_search_pids($1)
++ dev_list_all_dev_nodes($1)
++ rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
++')
+
+- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
++########################################
++##
++## Allow process to modify relabelto udev database
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`udev_relabelto_db',`
++ gen_require(`
++ type udev_var_run_t;
++ ')
+
+- dev_list_all_dev_nodes($1)
++ files_search_pids($1)
++ allow $1 udev_var_run_t:file relabelto_file_perms;
++')
+
+- files_search_etc($1)
++########################################
++##
++## Relabel the udev sock_file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`udev_relabel_pid_sockfile',`
++ gen_require(`
++ type udev_var_run_t;
++ ')
+
+- udev_search_pids($1)
++ allow $1 udev_var_run_t:sock_file relabel_sock_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Allow process to modify list of devices.
++## Create, read, write, and delete
++## udev pid files.
+ ##
+ ##
+ ##
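Review bot: The description rewritten at the end of this hunk, `## Create, read, write, and delete` / `## udev pid files.`, sits above the interface that the next hunk renames to udev_read_pid_files, which only grants list and read permissions, so the text now describes udev_manage_pid_files instead; it should read `## Read udev pid files.`. The header of udev_relabelto_db, `## Allow process to modify relabelto udev database`, is garbled and could read `## Allow process to relabel files to the udev database type.`. udev_relabel_pid_sockfile omits the `files_search_pids($1)` that its two new siblings udev_rw_db and udev_relabelto_db call before touching udev_var_run_t, which looks like an oversight unless callers are expected to already have pid-directory search.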
+@@ -213,13 +258,16 @@ interface(`udev_read_db',`
+ ##
+ ##
+ #
+-interface(`udev_rw_db',`
++interface(`udev_read_pid_files',`
+ gen_require(`
+- type udev_tbl_t;
++ type udev_var_run_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 udev_tbl_t:file rw_file_perms;
++ files_search_pids($1)
++ allow $1 udev_var_run_t:dir list_dir_perms;
++ read_files_pattern($1, udev_var_run_t, udev_var_run_t)
++ read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
+
+ ########################################
+@@ -263,7 +311,8 @@ interface(`udev_manage_pid_dirs',`
+
+ ########################################
+ ##
+-## Read udev pid files.
++## Create, read, write, and delete
++## udev pid files.
+ ##
+ ##
+ ##
+@@ -271,19 +320,44 @@ interface(`udev_manage_pid_dirs',`
+ ##
+ ##
+ #
+-interface(`udev_read_pid_files',`
++interface(`udev_manage_pid_files',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_pids($1)
+- read_files_pattern($1, udev_var_run_t, udev_var_run_t)
++ manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
+
+-########################################
++#######################################
+ ##
+-## Create, read, write, and delete
+-## udev pid files.
++## Execute udev in the udev domain, and
++## allow the specified role the udev domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the iptables domain.
++##
++##
++##
++#
++interface(`udev_run',`
++ gen_require(`
++ type udev_t;
++ ')
++
++ udev_domtrans($1)
++ role $2 types udev_t;
++')
++
++#######################################
++##
++## Allow caller to create kobject uevent socket for udev
+ ##
+ ##
+ ##
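Review bot: The second parameter description of udev_run, `## The role to be allowed the iptables domain.`, was copied from another module and should read `## The role to be allowed the udev domain.`. Because udev_run delegates to udev_domtrans, any role given here also inherits whatever that interface grants on udev_t (with this patch, the noatsecure rule), which is worth a sentence in the interface summary so policy authors know the scope of what they hand to a role. The header for udev_create_kobject_uevent_socket begins at the end of this hunk and its body continues in the next one.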
+@@ -291,13 +365,45 @@ interface(`udev_read_pid_files',`
+ ##
+ ##
+ #
+-interface(`udev_manage_pid_files',`
++interface(`udev_create_kobject_uevent_socket',`
+ gen_require(`
+- type udev_var_run_t;
++ type udev_t;
++ role system_r;
+ ')
+
+- files_search_pids($1)
+- manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
++ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
++')
++
++########################################
++##
++## Create a domain for processes
++## which can be started by udev.
++##
++##
++##
++## Type to be used as a domain.
++##
++##
++##
++##
++## Type of the program to be used as an entry point to this domain.
++##
++##
++#
++interface(`udev_system_domain',`
++ gen_require(`
++ type udev_t;
++ role system_r;
++ ')
++
++ domain_type($1)
++ domain_entry_file($1, $2)
++
++ role system_r types $1;
++
++ domtrans_pattern(udev_t, $2, $1)
++
++ dontaudit $1 udev_t:unix_dgram_socket { read write };
+ ')
+
+ ########################################
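Review bot: udev_create_kobject_uevent_socket declares `role system_r;` in its gen_require but never uses it; the single rule `allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;` only needs `type udev_t;`, so the extra requirement just adds a dependency and should be dropped. In udev_system_domain the requirement is justified by `role system_r types $1;`, so that block is fine. The summary of udev_system_domain could mention that the entry-point transition is only from udev_t (`domtrans_pattern(udev_t, $2, $1)`), since readers may otherwise expect an init-style daemon domain.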
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index 39f185f..880b174 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
+ type udev_etc_t alias etc_udev_t;
+ files_config_file(udev_etc_t)
+
+-type udev_tbl_t alias udev_tdb_t;
+-files_type(udev_tbl_t)
+-
+ type udev_rules_t;
+ files_type(udev_rules_t)
+
+ type udev_var_run_t;
+ files_pid_file(udev_var_run_t)
++typealias udev_var_run_t alias udev_tbl_t;
+ init_daemon_run_dir(udev_var_run_t, "udev")
+
++type udev_tmp_t;
++files_tmp_file(udev_tmp_t)
++
+ ifdef(`enable_mcs',`
+ kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+@@ -37,10 +38,10 @@ ifdef(`enable_mcs',`
+ # Local policy
+ #
+
+-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
++allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
++allow udev_t self:capability2 { block_suspend compromise_kernel };
+ dontaudit udev_t self:capability sys_tty_config;
+-allow udev_t self:capability2 block_suspend;
+-allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow udev_t self:process { execmem setfscreate };
+ allow udev_t self:fd use;
+ allow udev_t self:fifo_file rw_fifo_file_perms;
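Review bot: `allow udev_t self:capability2 { block_suspend compromise_kernel };` grants compromise_kernel, a capability intended for operations that can undermine kernel integrity, with no comment on which udev operation needs it; together with `kernel_load_module(udev_t)` added later in this file it makes udev_t effectively unconfined with respect to the kernel, so a why-comment such as `# compromise_kernel: needed by <operation> — TODO confirm` above the line would record the decision and let a later audit revisit it. The rewritten capability line still lists `sys_nice` twice; since the line is being edited anyway, dropping the duplicate is cheap. Removing sys_ptrace from the capability set while adding ptrace to the `~{ ... }` exclusion on the process class is consistent, so that part looks intentional.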
+@@ -54,6 +55,7 @@ allow udev_t self:unix_dgram_socket sendto;
+ allow udev_t self:unix_stream_socket connectto;
+ allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow udev_t self:rawip_socket create_socket_perms;
++allow udev_t self:netlink_socket create_socket_perms;
+
+ allow udev_t udev_exec_t:file write;
+ can_exec(udev_t, udev_exec_t)
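Review bot: The added `allow udev_t self:netlink_socket create_socket_perms;` uses the generic netlink class, which is the catch-all for every netlink family that has no dedicated class, so it is considerably broader than the `netlink_kobject_uevent_socket` rule a few lines above. If a specific family drove this (NETLINK_GENERIC would be my guess, but that is an inference), record it in a comment, `# generic netlink: <family>, no dedicated class yet`, so the rule can be narrowed once a per-family class is available.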
+@@ -64,31 +66,39 @@ can_exec(udev_t, udev_helper_exec_t)
+ # read udev config
+ allow udev_t udev_etc_t:file read_file_perms;
+
+-allow udev_t udev_tbl_t:file manage_file_perms;
+-dev_filetrans(udev_t, udev_tbl_t, file)
++allow udev_t udev_tmp_t:dir manage_dir_perms;
++allow udev_t udev_tmp_t:file manage_file_perms;
++files_tmp_filetrans(udev_t, udev_tmp_t, { file dir })
+
+ list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
+-read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
++manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
++manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+
+ manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+ manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+ manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+ manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+ files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
++allow udev_t udev_var_run_t:file mounton;
++allow udev_t udev_var_run_t:dir mounton;
++allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms;
++dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
+
++kernel_load_module(udev_t)
+ kernel_read_system_state(udev_t)
+ kernel_request_load_module(udev_t)
+ kernel_getattr_core_if(udev_t)
+ kernel_use_fds(udev_t)
+ kernel_read_device_sysctls(udev_t)
+-kernel_read_hotplug_sysctls(udev_t)
+-kernel_read_modprobe_sysctls(udev_t)
++kernel_read_fs_sysctls(udev_t)
+ kernel_read_kernel_sysctls(udev_t)
+-kernel_rw_hotplug_sysctls(udev_t)
++kernel_rw_usermodehelper_state(udev_t)
+ kernel_rw_unix_dgram_sockets(udev_t)
+ kernel_dgram_send(udev_t)
+-kernel_signal(udev_t)
+ kernel_search_debugfs(udev_t)
++kernel_setsched(udev_t)
++kernel_stream_connect(udev_t)
++kernel_signal(udev_t)
+
+ #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+ kernel_rw_net_sysctls(udev_t)
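Review bot: `kernel_load_module(udev_t)` lets udev load modules from its own domain, which — if that interface grants `sys_module` as it does in upstream refpolicy — bypasses the insmod_t boundary that the unchanged `modutils_domtrans_insmod(udev_t)` call further down still provides; one of the two should go, or a comment should say why both are needed. In the same hunk `manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)` replaces the read-only rule, so udev can now rewrite the rules it acts on; if this is for generated rules under /run, keeping those under `udev_var_run_t` would leave the `/etc/udev/rules.d` type read-only. The `mounton` grants on `udev_var_run_t` and the `dev_filetrans` into `udev_var_run_t` look like a separate change and deserve their own line in the description.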
+@@ -99,6 +109,7 @@ corecmd_exec_all_executables(udev_t)
+
+ dev_rw_sysfs(udev_t)
+ dev_manage_all_dev_nodes(udev_t)
++dev_rw_generic_usb_dev(udev_t)
+ dev_rw_generic_files(udev_t)
+ dev_delete_generic_files(udev_t)
+ dev_search_usbfs(udev_t)
+@@ -107,23 +118,31 @@ dev_relabel_all_dev_nodes(udev_t)
+ # preserved, instead of short circuiting the relabel
+ dev_relabel_generic_symlinks(udev_t)
+ dev_manage_generic_symlinks(udev_t)
++dev_filetrans_all_named_dev(udev_t)
+
+ domain_read_all_domains_state(udev_t)
+-domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+
+ files_read_usr_files(udev_t)
+ files_read_etc_runtime_files(udev_t)
+-files_read_etc_files(udev_t)
++files_read_kernel_modules(udev_t)
++files_read_system_conf_files(udev_t)
++
++
++# console_init manages files in /etc/sysconfig
++files_manage_etc_files(udev_t)
+ files_exec_etc_files(udev_t)
++files_exec_usr_files(udev_t)
+ files_dontaudit_search_isid_type_dirs(udev_t)
+ files_getattr_generic_locks(udev_t)
+ files_search_mnt(udev_t)
++files_list_tmp(udev_t)
+
+ fs_getattr_all_fs(udev_t)
+ fs_list_inotifyfs(udev_t)
+ fs_rw_anon_inodefs_files(udev_t)
+-
+-mcs_ptrace_all(udev_t)
++fs_list_auto_mountpoints(udev_t)
++fs_list_hugetlbfs(udev_t)
++fs_read_cgroup_files(udev_t)
+
+ mls_file_read_all_levels(udev_t)
+ mls_file_write_all_levels(udev_t)
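Review bot: `files_manage_etc_files(udev_t)` is justified only by `# console_init manages files in /etc/sysconfig`, yet it grants create/write/unlink on everything labelled `etc_t`, and it replaces the narrower `files_read_etc_files(udev_t)` removed a few lines earlier. The proportionate fix is a dedicated type for the files console_init actually writes (or for `/etc/sysconfig`), with udev given manage on that type only and `files_read_etc_files(udev_t)` restored for the rest. Removing `domain_dontaudit_ptrace_all_domains` and `mcs_ptrace_all` is consistent with dropping `sys_ptrace` earlier in the file, but the old `#pidof triggers these` remark suggests the dontaudit may still be wanted to keep the audit log quiet.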
+@@ -145,17 +164,20 @@ auth_use_nsswitch(udev_t)
+ init_read_utmp(udev_t)
+ init_dontaudit_write_utmp(udev_t)
+ init_getattr_initctl(udev_t)
++init_stream_connect(udev_t)
+
+ logging_search_logs(udev_t)
+ logging_send_syslog_msg(udev_t)
+ logging_send_audit_msgs(udev_t)
++logging_stream_connect_syslog(udev_t)
+
+-miscfiles_read_localization(udev_t)
+ miscfiles_read_hwdata(udev_t)
+
+ modutils_domtrans_insmod(udev_t)
+ # read modules.inputmap:
+ modutils_read_module_deps(udev_t)
++modutils_list_module_config(udev_t)
++modutils_read_module_config(udev_t)
+
+ seutil_read_config(udev_t)
+ seutil_read_default_contexts(udev_t)
+@@ -169,7 +191,11 @@ sysnet_read_dhcpc_pid(udev_t)
+ sysnet_delete_dhcpc_pid(udev_t)
+ sysnet_signal_dhcpc(udev_t)
+ sysnet_manage_config(udev_t)
+-sysnet_etc_filetrans_config(udev_t)
++sysnet_filetrans_named_content(udev_t)
++#sysnet_etc_filetrans_config(udev_t)
++
++systemd_login_read_pid_files(udev_t)
++systemd_getattr_unit_files(udev_t)
+
+ userdom_dontaudit_search_user_home_content(udev_t)
+
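Review bot: The commented-out `#sysnet_etc_filetrans_config(udev_t)` kept beneath its replacement `sysnet_filetrans_named_content(udev_t)` is dead text and should be deleted; commented-out policy rules tend to be resurrected without review, and history already records the old call. If the new interface is meant to supersede the old one everywhere, that belongs in the commit description rather than as a comment in the policy.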
+@@ -195,16 +221,9 @@ ifdef(`distro_gentoo',`
+ ')
+
+ ifdef(`distro_redhat',`
+- fs_manage_tmpfs_dirs(udev_t)
+- fs_manage_tmpfs_files(udev_t)
+- fs_manage_tmpfs_symlinks(udev_t)
+- fs_manage_tmpfs_sockets(udev_t)
+- fs_manage_tmpfs_blk_files(udev_t)
+- fs_manage_tmpfs_chr_files(udev_t)
+- fs_relabel_tmpfs_blk_file(udev_t)
+- fs_relabel_tmpfs_chr_file(udev_t)
++ fs_manage_hugetlbfs_dirs(udev_t)
+
+- term_search_ptys(udev_t)
++ term_use_generic_ptys(udev_t)
+
+ # for arping used for static IP addresses on PCMCIA ethernet
+ netutils_domtrans(udev_t)
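Review bot: Replacing `term_search_ptys(udev_t)` with `term_use_generic_ptys(udev_t)` moves udev from directory search on /dev/pts to read/write on generic pty devices, and the hunk gives no reason; if it comes from udevadm being run from a terminal and writing to it, say so with `# udevadm output to the invoking pty`, or use the dontaudit variant if it was only log noise. Dropping the `fs_manage_tmpfs_*` block is presumably because /dev is a devtmpfs now, which is outside what I can see here; a one-line note in the description would save the next reader the same guess.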
+@@ -242,6 +261,7 @@ optional_policy(`
+
+ optional_policy(`
+ cups_domtrans_config(udev_t)
++ cups_read_config(udev_t)
+ ')
+
+ optional_policy(`
+@@ -249,17 +269,31 @@ optional_policy(`
+ dbus_use_system_bus_fds(udev_t)
+
+ optional_policy(`
+- consolekit_dbus_chat(udev_t)
+- ')
++ systemd_dbus_chat_logind(udev_t)
++ ')
+ ')
+
+ optional_policy(`
+ devicekit_read_pid_files(udev_t)
+ devicekit_dgram_send(udev_t)
++ devicekit_domtrans_disk(udev_t)
++')
++
++optional_policy(`
++ gnome_read_home_config(udev_t)
++')
++
++optional_policy(`
++ gpsd_domtrans(udev_t)
++')
++
++optional_policy(`
++ kdump_systemctl(udev_t)
+ ')
+
+ optional_policy(`
+ lvm_domtrans(udev_t)
++ lvm_dgram_send(udev_t)
+ ')
+
+ optional_policy(`
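Review bot: `gnome_read_home_config(udev_t)` lets a system daemon read per-user GNOME configuration inside home directories, which sits oddly beside the unchanged `userdom_dontaudit_search_user_home_content(udev_t)` earlier in the file that deliberately keeps udev out of home content. If this comes from a helper invoked by a udev rule while a desktop session has HOME set, the better fix is to confine or re-home that helper; if the access is genuinely required, it needs a why-comment naming the helper. The other additions here (`systemd_dbus_chat_logind`, `devicekit_domtrans_disk`, `gpsd_domtrans`, `kdump_systemctl`, `lvm_dgram_send`) read as expected for a device manager.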
+@@ -289,6 +323,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ networkmanager_dbus_chat(udev_t)
++')
++
++optional_policy(`
+ openct_read_pid_files(udev_t)
+ openct_domtrans(udev_t)
+ ')
+@@ -303,6 +341,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ radvd_read_pid_files(udev_t)
++')
++
++optional_policy(`
++ usbmuxd_domtrans(udev_t)
++ usbmuxd_stream_connect(udev_t)
++')
++
++optional_policy(`
+ unconfined_signal(udev_t)
+ ')
+
+@@ -315,6 +362,7 @@ optional_policy(`
+ kernel_read_xen_state(udev_t)
+ xen_manage_log(udev_t)
+ xen_read_image_files(udev_t)
++ xen_stream_connect_xenstore(udev_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
+index 0abaf84..8b34dbc 100644
+--- a/policy/modules/system/unconfined.fc
++++ b/policy/modules/system/unconfined.fc
+@@ -1,21 +1 @@
+ # Add programs here which should not be confined by SELinux
+-# e.g.:
+-# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+-# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+-
+-/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-
+-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-
+-ifdef(`distro_debian',`
+-/usr/bin/gcj-dbtool-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/bin/gij-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/lib/openoffice/program/soffice\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-')
+-
+-ifdef(`distro_gentoo',`
+-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-')
+diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
+index 5ca20a9..7261f73 100644
+--- a/policy/modules/system/unconfined.if
++++ b/policy/modules/system/unconfined.if
+@@ -12,53 +12,57 @@
+ #
+ interface(`unconfined_domain_noaudit',`
+ gen_require(`
+- type unconfined_t;
+ class dbus all_dbus_perms;
+ class nscd all_nscd_perms;
+ class passwd all_passwd_perms;
+ ')
+
+- # Use most Linux capabilities
+- allow $1 self:capability ~sys_module;
+- allow $1 self:fifo_file manage_fifo_file_perms;
++ # Use any Linux capability.
++
++ allow $1 self:capability ~{ sys_module };
++ allow $1 self:capability2 ~{ mac_admin mac_override };
++ allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
+
+ # Transition to myself, to make get_ordered_context_list happy.
+- allow $1 self:process transition;
++ allow $1 self:process { dyntransition transition };
+
+ # Write access is for setting attributes under /proc/self/attr.
+ allow $1 self:file rw_file_perms;
++ allow $1 self:dir rw_dir_perms;
+
+ # Userland object managers
+- allow $1 self:nscd *;
+- allow $1 self:dbus *;
+- allow $1 self:passwd *;
+- allow $1 self:association *;
++ allow $1 self:nscd all_nscd_perms;
++ allow $1 self:dbus all_dbus_perms;
++ allow $1 self:passwd all_passwd_perms;
++ allow $1 self:association all_association_perms;
++ allow $1 self:socket_class_set create_socket_perms;
+
+ kernel_unconfined($1)
+ corenet_unconfined($1)
+ dev_unconfined($1)
+ domain_unconfined($1)
+- domain_dontaudit_read_all_domains_state($1)
+- domain_dontaudit_ptrace_all_domains($1)
+ files_unconfined($1)
+ fs_unconfined($1)
+ selinux_unconfined($1)
++ systemd_config_all_services($1)
++
++ domain_mmap_low($1)
+
+- tunable_policy(`allow_execheap',`
++ ubac_process_exempt($1)
++
++ tunable_policy(`selinuxuser_execheap',`
+ # Allow making the stack executable via mprotect.
+ allow $1 self:process execheap;
+ ')
+
+- tunable_policy(`allow_execmem',`
++ tunable_policy(`deny_execmem',`',`
+ # Allow making anonymous memory executable, e.g.
+ # for runtime-code generation or executable stack.
+ allow $1 self:process execmem;
+ ')
+
+- tunable_policy(`allow_execstack',`
+- # Allow making the stack executable via mprotect;
+- # execstack implies execmem;
+- allow $1 self:process { execstack execmem };
++ tunable_policy(`selinuxuser_execstack',`
++ allow $1 self:process execstack;
+ # auditallow $1 self:process execstack;
+ ')
+
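Review bot: The `selinuxuser_execstack` branch now grants `execstack` alone, whereas the removed version granted `{ execstack execmem }` with a comment that execstack implies execmem; if that kernel behaviour still holds (making the stack executable also triggers the execmem check on anonymous writable memory), then with `deny_execmem` set and `selinuxuser_execstack` on the combination silently stops working, and the comment explaining the coupling should be kept rather than dropped. `domain_mmap_low($1)` is called unconditionally; if it is the boolean-gated variant (refpolicy keeps a separate `_uncond` interface) that is fine, but a comment saying so would stop a reader concluding that mmap_min_addr protection is off for every unconfined domain. The new `capability2 ~{ mac_admin mac_override }` and `dyntransition` grants are in keeping with an unconfined domain. The interface body continues past this hunk.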
+@@ -67,6 +71,8 @@ interface(`unconfined_domain_noaudit',`
+ ')
+
+ optional_policy(`
++ # Communicate via dbusd.
++ dbus_system_bus_unconfined($1)
+ dbus_unconfined($1)
+ ')
+
+@@ -121,9 +127,13 @@ interface(`unconfined_domain_noaudit',`
+ ##
+ #
+ interface(`unconfined_domain',`
++ gen_require(`
++ attribute unconfined_services;
++ ')
++
+ unconfined_domain_noaudit($1)
+
+- tunable_policy(`allow_execheap',`
++ tunable_policy(`selinuxuser_execheap',`
+ auditallow $1 self:process execheap;
+ ')
+ ')
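Review bot: The new `gen_require(` block in `unconfined_domain` pulls in `attribute unconfined_services;` but nothing in the interface body references it, so the require is dead; either it was meant to make the interface collect its callers, `typeattribute $1 unconfined_services;`, or the added lines should be dropped. Renaming the tunable from `allow_execheap` to `selinuxuser_execheap` is fine provided the tunable declaration, which is not visible here, is renamed in the same series.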
+@@ -149,7 +159,7 @@ interface(`unconfined_domain',`
+ ##
+ #
+ interface(`unconfined_alias_domain',`
+- refpolicywarn(`$0($1) has been deprecated.')
++ refpolicywarn(`$0() has been deprecated.')
+ ')
+
+ ########################################
+@@ -175,361 +185,12 @@ interface(`unconfined_alias_domain',`
+ ##
+ #
+ interface(`unconfined_execmem_alias_program',`
+- refpolicywarn(`$0($1) has been deprecated.')
+-')
+-
+-########################################
+-##
+-## Transition to the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed to transition.
+-##
+-##
+-#
+-interface(`unconfined_domtrans',`
+- gen_require(`
+- type unconfined_t, unconfined_exec_t;
+- ')
+-
+- domtrans_pattern($1, unconfined_exec_t, unconfined_t)
+-')
+-
+-########################################
+-##
+-## Execute specified programs in the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed to transition.
+-##
+-##
+-##
+-##
+-## The role to allow the unconfined domain.
+-##
+-##
+-#
+-interface(`unconfined_run',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- unconfined_domtrans($1)
+- role $2 types unconfined_t;
+-')
+-
+-########################################
+-##
+-## Transition to the unconfined domain by executing a shell.
+-##
+-##
+-##
+-## Domain allowed to transition.
+-##
+-##
+-#
+-interface(`unconfined_shell_domtrans',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- corecmd_shell_domtrans($1, unconfined_t)
+- allow unconfined_t $1:fd use;
+- allow unconfined_t $1:fifo_file rw_file_perms;
+- allow unconfined_t $1:process sigchld;
+-')
+-
+-########################################
+-##
+-## Allow unconfined to execute the specified program in
+-## the specified domain.
+-##
+-##
+-##
+-## Allow unconfined to execute the specified program in
+-## the specified domain.
+-##
+-##
+-## This is a interface to support third party modules
+-## and its use is not allowed in upstream reference
+-## policy.
+-##
+-##
+-##
+-##
+-## Domain to execute in.
+-##
+-##
+-##
+-##
+-## Domain entry point file.
+-##
+-##
+-#
+-interface(`unconfined_domtrans_to',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- domtrans_pattern(unconfined_t,$2,$1)
+-')
+-
+-########################################
+-##
+-## Allow unconfined to execute the specified program in
+-## the specified domain. Allow the specified domain the
+-## unconfined role and use of unconfined user terminals.
+-##
+-##
+-##
+-## Allow unconfined to execute the specified program in
+-## the specified domain. Allow the specified domain the
+-## unconfined role and use of unconfined user terminals.
+-##
+-##
+-## This is a interface to support third party modules
+-## and its use is not allowed in upstream reference
+-## policy.
+-##
+-##
+-##
+-##
+-## Domain to execute in.
+-##
+-##
+-##
+-##
+-## Domain entry point file.
+-##
+-##
+-#
+-interface(`unconfined_run_to',`
+- gen_require(`
+- type unconfined_t;
+- role unconfined_r;
+- ')
+-
+- domtrans_pattern(unconfined_t,$2,$1)
+- role unconfined_r types $1;
+- userdom_use_user_terminals($1)
+-')
+-
+-########################################
+-##
+-## Inherit file descriptors from the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_use_fds',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:fd use;
+-')
+-
+-########################################
+-##
+-## Send a SIGCHLD signal to the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_sigchld',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:process sigchld;
+-')
+-
+-########################################
+-##
+-## Send a SIGNULL signal to the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_signull',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:process signull;
+-')
+-
+-########################################
+-##
+-## Send generic signals to the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_signal',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:process signal;
+-')
+-
+-########################################
+-##
+-## Read unconfined domain unnamed pipes.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_read_pipes',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:fifo_file read_fifo_file_perms;
+-')
+-
+-########################################
+-##
+-## Do not audit attempts to read unconfined domain unnamed pipes.
+-##
+-##
+-##
+-## Domain to not audit.
+-##
+-##
+-#
+-interface(`unconfined_dontaudit_read_pipes',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- dontaudit $1 unconfined_t:fifo_file read;
+-')
+-
+-########################################
+-##
+-## Read and write unconfined domain unnamed pipes.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_rw_pipes',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
+-')
+-
+-########################################
+-##
+-## Do not audit attempts to read and write
+-## unconfined domain unnamed pipes.
+-##
+-##
+-##
+-## Domain to not audit.
+-##
+-##
+-#
+-interface(`unconfined_dontaudit_rw_pipes',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+-')
+-
+-########################################
+-##
+-## Connect to the unconfined domain using
+-## a unix domain stream socket.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_stream_connect',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:unix_stream_socket connectto;
+-')
+-
+-########################################
+-##
+-## Do not audit attempts to read or write
+-## unconfined domain tcp sockets.
+-##
+-##
+-##
+-## Do not audit attempts to read or write
+-## unconfined domain tcp sockets.
+-##
+-##
+-## This interface was added due to a broken
+-## symptom in ldconfig.
+-##
+-##
+-##
+-##
+-## Domain to not audit.
+-##
+-##
+-#
+-interface(`unconfined_dontaudit_rw_tcp_sockets',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- dontaudit $1 unconfined_t:tcp_socket { read write };
+-')
+-
+-########################################
+-##
+-## Create keys for the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_create_keys',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:key create;
++ refpolicywarn(`$0() has been deprecated.')
+ ')
+
+ ########################################
+ ##
+-## Send messages to the unconfined domain over dbus.
++## Connect to unconfined_server with a unix socket.
+ ##
+ ##
+ ##
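Review bot: This hunk hard-deletes a long list of public interfaces (`unconfined_domtrans`, `unconfined_run`, `unconfined_signal`, `unconfined_dbus_chat`, `unconfined_stream_connect`, …) while callers remain: the udev.te context in this same diff still has `unconfined_signal(udev_t)` inside an `optional_policy` block, and as far as I can tell `optional_policy` only tolerates a missing module, not an undefined interface, so the build fails unless another module in the series re-defines these names. Either keep callers compiling by turning each removed interface into a `refpolicywarn(`$0() has been deprecated.')` stub like the ones retained at the top of this hunk, or remove the callers in the same commit. The summary block that ends the hunk (`Connect to unconfined_server with a unix socket.`) belongs to the interface introduced in the next hunk and is correct there.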
+@@ -537,19 +198,19 @@ interface(`unconfined_create_keys',`
+ ##
+ ##
+ #
+-interface(`unconfined_dbus_send',`
++interface(`unconfined_server_stream_connect',`
+ gen_require(`
+- type unconfined_t;
+- class dbus send_msg;
++ type unconfined_service_t;
+ ')
+
+- allow $1 unconfined_t:dbus send_msg;
++ files_search_pids($1)
++ files_write_generic_pid_pipes($1)
++ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
+ ')
+
+ ########################################
+ ##
+-## Send and receive messages from
+-## unconfined_t over dbus.
++## Connect to unconfined_server with a unix socket.
+ ##
+ ##
+ ##
+@@ -557,20 +218,17 @@ interface(`unconfined_dbus_send',`
+ ##
+ ##
+ #
+-interface(`unconfined_dbus_chat',`
++interface(`unconfined_server_domtrans',`
+ gen_require(`
+- type unconfined_t;
+- class dbus send_msg;
++ type unconfined_service_t;
+ ')
+
+- allow $1 unconfined_t:dbus send_msg;
+- allow unconfined_t $1:dbus send_msg;
++ corecmd_bin_domtrans($1, unconfined_service_t)
+ ')
+
+ ########################################
+ ##
+-## Connect to the the unconfined DBUS
+-## for service (acquire_svc).
++## Allow caller domain to dbus chat unconfined_server.
+ ##
+ ##
+ ##
+@@ -578,11 +236,12 @@ interface(`unconfined_dbus_chat',`
+ ##
+ ##
+ #
+-interface(`unconfined_dbus_connect',`
++interface(`unconfined_server_dbus_chat',`
+ gen_require(`
+- type unconfined_t;
+- class dbus acquire_svc;
++ type unconfined_service_t;
++ class dbus send_msg;
+ ')
+
+- allow $1 unconfined_t:dbus acquire_svc;
++ allow $1 unconfined_service_t:dbus send_msg;
++ allow unconfined_service_t $1:dbus send_msg;
+ ')
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 5fe902d..a349d18 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -1,207 +1,28 @@
+-policy_module(unconfined, 3.5.1)
++policy_module(unconfined, 3.5.0)
+
+ ########################################
+ #
+ # Declarations
+ #
++attribute unconfined_services;
+
+-# usage in this module of types created by these
+-# calls is not correct, however we dont currently
+-# have another method to add access to these types
+-userdom_base_user_template(unconfined)
+-userdom_manage_home_role(unconfined_r, unconfined_t)
+-userdom_manage_tmp_role(unconfined_r, unconfined_t)
+-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
++type unconfined_service_t;
++domain_type(unconfined_service_t)
++role system_r types unconfined_service_t;
+
+-type unconfined_exec_t;
+-init_system_domain(unconfined_t, unconfined_exec_t)
++unconfined_domain(unconfined_service_t)
+
+-type unconfined_execmem_t;
+-type unconfined_execmem_exec_t;
+-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+-role unconfined_r types unconfined_execmem_t;
++unconfined_stub_role()
+
+-########################################
+-#
+-# Local policy
+-#
+-
+-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
+-
+-files_create_boot_flag(unconfined_t)
+-
+-mcs_killall(unconfined_t)
+-mcs_ptrace_all(unconfined_t)
+-
+-init_run_daemon(unconfined_t, unconfined_r)
+-
+-libs_run_ldconfig(unconfined_t, unconfined_r)
+-
+-logging_send_syslog_msg(unconfined_t)
+-logging_run_auditctl(unconfined_t, unconfined_r)
+-
+-mount_run_unconfined(unconfined_t, unconfined_r)
+-
+-seutil_run_setfiles(unconfined_t, unconfined_r)
+-seutil_run_semanage(unconfined_t, unconfined_r)
+-
+-unconfined_domain(unconfined_t)
+-
+-userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+-
+-ifdef(`distro_gentoo',`
+- seutil_run_runinit(unconfined_t, unconfined_r)
+- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- ada_domtrans(unconfined_t)
+-')
+-
+-optional_policy(`
+- apache_run_helper(unconfined_t, unconfined_r)
+- apache_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- bind_run_ndc(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- bootloader_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- cron_unconfined_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- firstboot_run(unconfined_t, unconfined_r)
+-')
++role unconfined_r types unconfined_service_t;
+
+-optional_policy(`
+- ftp_run_ftpdctl(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- hadoop_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- inn_domtrans(unconfined_t)
+-')
+-
+-optional_policy(`
+- java_run_unconfined(unconfined_t, unconfined_r)
+-')
++corecmd_bin_entry_type(unconfined_service_t)
++corecmd_shell_entry_type(unconfined_service_t)
+
+ optional_policy(`
+- lpd_run_checkpc(unconfined_t, unconfined_r)
++ rpm_transition_script(unconfined_service_t, system_r)
+ ')
+
+ optional_policy(`
+- modutils_run_update_mods(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- mono_domtrans(unconfined_t)
+-')
+-
+-optional_policy(`
+- mta_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- oddjob_domtrans_mkhomedir(unconfined_t)
+-')
+-
+-optional_policy(`
+- portage_run(unconfined_t, unconfined_r)
+- portage_run_fetch(unconfined_t, unconfined_r)
+- portage_run_gcc_config(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- prelink_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- portmap_run_helper(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- postfix_run_map(unconfined_t, unconfined_r)
+- # cjp: this should probably be removed:
+- postfix_domtrans_master(unconfined_t)
+-')
+-
+-optional_policy(`
+- pyzor_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- # cjp: this should probably be removed:
+- rpc_domtrans_nfsd(unconfined_t)
+-')
+-
+-optional_policy(`
+- rtkit_scheduled(unconfined_t)
+-')
+-
+-optional_policy(`
+- rpm_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- samba_run_net(unconfined_t, unconfined_r)
+- samba_run_winbind_helper(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- spamassassin_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- sysnet_run_dhcpc(unconfined_t, unconfined_r)
+- sysnet_dbus_chat_dhcpc(unconfined_t)
+-')
+-
+-optional_policy(`
+- tzdata_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- unconfined_dbus_chat(unconfined_t)
+-')
+-
+-optional_policy(`
+- usermanage_run_admin_passwd(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- vpn_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- webalizer_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- wine_domtrans(unconfined_t)
+-')
+-
+-optional_policy(`
+- xserver_domtrans(unconfined_t)
+-')
+-
+-########################################
+-#
+-# Unconfined Execmem Local policy
+-#
+-
+-allow unconfined_execmem_t self:process { execstack execmem };
+-unconfined_domain_noaudit(unconfined_execmem_t)
+-
+-optional_policy(`
+- unconfined_dbus_chat(unconfined_execmem_t)
++ dbus_chat_system_bus(unconfined_service_t)
+ ')
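Review bot: `policy_module(unconfined, 3.5.0)` lowers the version from 3.5.1 even though this commit removes most of the module's types and interfaces, which is exactly the incompatible change that refpolicy convention says should bump it (3.6.0 or higher). `attribute unconfined_services;` is declared but nothing in the new body assigns a type to it — there is no `typeattribute unconfined_service_t unconfined_services;` — so it is an empty attribute unless populated elsewhere. `role unconfined_r types unconfined_service_t;` relies on `unconfined_r` being declared by `unconfined_stub_role()` now that `userdom_base_user_template(unconfined)` is gone; that is plausible but not visible here.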
+diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
+index db75976..1ee08ec 100644
+--- a/policy/modules/system/userdomain.fc
++++ b/policy/modules/system/userdomain.fc
+@@ -1,4 +1,36 @@
+ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
++HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+ HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+-
+ /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
++/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
++/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++/root/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++/root/\.debug(/.*)? <>
++/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
++/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
++HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
++HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
++HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/\.gvfs/.* <>
++HOME_DIR/\.debug(/.*)? <>
++HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
++HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
++HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
++HOME_DIR/\.tmp -d gen_context(system_u:object_r:user_tmp_t,s0)
++HOME_DIR/tmp -d gen_context(system_u:object_r:user_tmp_t,s0)
++
++/tmp/\.X0-lock -- gen_context(system_u:object_r:user_tmp_t,s0)
++/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
++/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
++
++
++
++/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
++
++/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
++/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
++
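Review bot: `HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)?` leaves the dot in `.kde` unescaped, unlike every other hidden-directory entry in the hunk (`\.cert`, `\.pki`, `\.gvfs`), so as a regex it also matches `HOME_DIR/xkde/...`; it should read `HOME_DIR/\.kde/share/apps/networkmanagement/certificates(/.*)?`. The `<>` shown on the `\.debug` and `\.gvfs` lines is presumably `<<none>>` mangled by the page rendering; worth confirming the committed file carries the real token, since a literal `<>` would not parse.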
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 9dc60c6..05274ae 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
+ ')
+
+ attribute $1_file_type;
++ attribute $1_usertype;
+
+- type $1_t, userdomain;
++ type $1_t, userdomain, $1_usertype;
+ domain_type($1_t)
++ role $1_r;
+ corecmd_shell_entry_type($1_t)
+ corecmd_bin_entry_type($1_t)
+ domain_user_exemption_target($1_t)
+@@ -44,79 +46,132 @@ template(`userdom_base_user_template',`
+ term_user_pty($1_t, user_devpts_t)
+
+ term_user_tty($1_t, user_tty_device_t)
+-
+- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
+- allow $1_t self:fd use;
+- allow $1_t self:fifo_file rw_fifo_file_perms;
+- allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
+- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
+- allow $1_t self:shm create_shm_perms;
+- allow $1_t self:sem create_sem_perms;
+- allow $1_t self:msgq create_msgq_perms;
+- allow $1_t self:msg { send receive };
+- allow $1_t self:context contains;
+- dontaudit $1_t self:socket create;
+-
+- allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
+- term_create_pty($1_t, user_devpts_t)
++ term_dontaudit_getattr_generic_ptys($1_t)
++
++ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1_usertype $1_usertype:process ptrace;
++ ')
++ allow $1_usertype $1_usertype:fd use;
++ allow $1_usertype $1_t:key { create view read write search link setattr };
++
++ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
++ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
++ allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
++ allow $1_usertype $1_usertype:shm create_shm_perms;
++ allow $1_usertype $1_usertype:sem create_sem_perms;
++ allow $1_usertype $1_usertype:msgq create_msgq_perms;
++ allow $1_usertype $1_usertype:msg { send receive };
++ allow $1_usertype $1_usertype:context contains;
++ dontaudit $1_usertype $1_usertype:socket create;
++
++ allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
++ term_create_pty($1_usertype, user_devpts_t)
+ # avoid annoying messages on terminal hangup on role change
+- dontaudit $1_t user_devpts_t:chr_file ioctl;
++ dontaudit $1_usertype user_devpts_t:chr_file ioctl;
+
+- allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
++ allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
+ # avoid annoying messages on terminal hangup on role change
+- dontaudit $1_t user_tty_device_t:chr_file ioctl;
+-
+- kernel_read_kernel_sysctls($1_t)
+- kernel_dontaudit_list_unlabeled($1_t)
+- kernel_dontaudit_getattr_unlabeled_files($1_t)
+- kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
+- kernel_dontaudit_getattr_unlabeled_pipes($1_t)
+- kernel_dontaudit_getattr_unlabeled_sockets($1_t)
+- kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
+- kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
+-
+- dev_dontaudit_getattr_all_blk_files($1_t)
+- dev_dontaudit_getattr_all_chr_files($1_t)
++ dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
++
++ application_exec_all($1_usertype)
++
++ kernel_read_kernel_sysctls($1_usertype)
++ kernel_read_all_sysctls($1_usertype)
++ kernel_dontaudit_list_unlabeled($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_files($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
++ kernel_dontaudit_list_proc($1_usertype)
++
++ dev_dontaudit_getattr_all_blk_files($1_usertype)
++ dev_dontaudit_getattr_all_chr_files($1_usertype)
++ dev_getattr_mtrr_dev($1_t)
+
+ # When the user domain runs ps, there will be a number of access
+ # denials when ps tries to search /proc. Do not audit these denials.
+- domain_dontaudit_read_all_domains_state($1_t)
+- domain_dontaudit_getattr_all_domains($1_t)
+- domain_dontaudit_getsession_all_domains($1_t)
+-
+- files_read_etc_files($1_t)
+- files_read_etc_runtime_files($1_t)
+- files_read_usr_files($1_t)
++ domain_dontaudit_read_all_domains_state($1_usertype)
++ domain_dontaudit_getattr_all_domains($1_usertype)
++ domain_dontaudit_getsession_all_domains($1_usertype)
++ dev_dontaudit_all_access_check($1_usertype)
++
++ files_read_etc_files($1_usertype)
++ files_list_mnt($1_usertype)
++ files_list_var($1_usertype)
++ files_read_mnt_files($1_usertype)
++ files_dontaudit_all_access_check($1_usertype)
++ files_read_etc_runtime_files($1_usertype)
++ files_read_usr_files($1_usertype)
++ files_read_usr_src_files($1_usertype)
+ # Read directories and files with the readable_t type.
+ # This type is a general type for "world"-readable files.
+- files_list_world_readable($1_t)
+- files_read_world_readable_files($1_t)
+- files_read_world_readable_symlinks($1_t)
+- files_read_world_readable_pipes($1_t)
+- files_read_world_readable_sockets($1_t)
++ files_list_world_readable($1_usertype)
++ files_read_world_readable_files($1_usertype)
++ files_read_world_readable_symlinks($1_usertype)
++ files_read_world_readable_pipes($1_usertype)
++ files_read_world_readable_sockets($1_usertype)
+ # old broswer_domain():
+- files_dontaudit_list_non_security($1_t)
+- files_dontaudit_getattr_non_security_files($1_t)
+- files_dontaudit_getattr_non_security_symlinks($1_t)
+- files_dontaudit_getattr_non_security_pipes($1_t)
+- files_dontaudit_getattr_non_security_sockets($1_t)
++ files_dontaudit_getattr_all_dirs($1_usertype)
++ files_dontaudit_list_non_security($1_usertype)
++ files_dontaudit_getattr_all_files($1_usertype)
++ files_dontaudit_getattr_non_security_symlinks($1_usertype)
++ files_dontaudit_getattr_non_security_pipes($1_usertype)
++ files_dontaudit_getattr_non_security_sockets($1_usertype)
++ files_dontaudit_setattr_etc_runtime_files($1_usertype)
++
++ files_exec_usr_files($1_t)
++
++ fs_list_cgroup_dirs($1_usertype)
++ fs_dontaudit_rw_cgroup_files($1_usertype)
++
++ storage_rw_fuse($1_usertype)
++
++ auth_use_nsswitch($1_t)
++
++ init_stream_connect($1_usertype)
++ # The library functions always try to open read-write first,
++ # then fall back to read-only if it fails.
++ init_dontaudit_rw_utmp($1_usertype)
+
+- libs_exec_ld_so($1_t)
++ libs_exec_ld_so($1_usertype)
+
+- miscfiles_read_localization($1_t)
+ miscfiles_read_generic_certs($1_t)
+
+- sysnet_read_config($1_t)
++ miscfiles_read_all_certs($1_usertype)
++ miscfiles_read_public_files($1_usertype)
+
+- tunable_policy(`allow_execmem',`
++ systemd_dbus_chat_logind($1_usertype)
++ systemd_read_logind_sessions_files($1_usertype)
++ systemd_write_inhibit_pipes($1_usertype)
++ systemd_write_inherited_logind_sessions_pipes($1_usertype)
++ systemd_login_read_pid_files($1_usertype)
++
++ tunable_policy(`deny_execmem',`', `
+ # Allow loading DSOs that require executable stack.
+ allow $1_t self:process execmem;
+ ')
+
+- tunable_policy(`allow_execmem && allow_execstack',`
++ tunable_policy(`selinuxuser_execstack',`
+ # Allow making the stack executable via mprotect.
+ allow $1_t self:process execstack;
+ ')
++
++ optional_policy(`
++ abrt_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ fs_list_cgroup_dirs($1_usertype)
++ ')
++
++ optional_policy(`
++ ssh_rw_stream_sockets($1_usertype)
++ ssh_delete_tmp($1_t)
++ ssh_signal($1_t)
++ ')
+ ')
+
+ #######################################
+@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',`
+ type user_home_t, user_home_dir_t;
+ ')
+
++ role $1 types { user_home_t user_home_dir_t };
++
+ ##############################
+ #
+ # Domain access to home dir
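Review bot: The new `role $1 types { user_home_t user_home_dir_t };` in `userdom_ro_home_role` authorizes two file types for a role, but role–type authorization is only consulted for contexts whose type is a process domain; for objects labelled with `object_r` it has no effect. If the statement exists for a reason not visible here, a one-line comment such as `# home types are authorized for the role because <reason>` would spare the next reader the guesswork; otherwise it can be dropped. The same applies to `role $1 types { user_home_type user_home_dir_t };` in the `userdom_manage_home_role` hunk and `role $1 types user_tmp_t;` in the `userdom_manage_tmp_role` hunk below.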
+@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',`
+ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ files_list_home($2)
+
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_list_nfs($2)
+- fs_read_nfs_files($2)
+- fs_read_nfs_symlinks($2)
+- fs_read_nfs_named_sockets($2)
+- fs_read_nfs_named_pipes($2)
+- ',`
+- fs_dontaudit_list_nfs($2)
+- fs_dontaudit_read_nfs_files($2)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_list_cifs($2)
+- fs_read_cifs_files($2)
+- fs_read_cifs_symlinks($2)
+- fs_read_cifs_named_sockets($2)
+- fs_read_cifs_named_pipes($2)
+- ',`
+- fs_dontaudit_list_cifs($2)
+- fs_dontaudit_read_cifs_files($2)
+- ')
+ ')
+
+ #######################################
+@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',`
+ interface(`userdom_manage_home_role',`
+ gen_require(`
+ type user_home_t, user_home_dir_t;
++ attribute user_home_type;
+ ')
+
++ role $1 types { user_home_type user_home_dir_t };
++
+ ##############################
+ #
+ # Domain access to home dir
+@@ -229,43 +268,46 @@ interface(`userdom_manage_home_role',`
+ type_member $2 user_home_dir_t:dir user_home_dir_t;
+
+ # full control of the home directory
++ allow $2 user_home_t:dir mounton;
+ allow $2 user_home_t:file entrypoint;
+- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
++
++ allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
++ allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
++ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ userdom_filetrans_home_content($2)
++
+ files_list_home($2)
+
+ # cjp: this should probably be removed:
+ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+
+ tunable_policy(`use_nfs_home_dirs',`
++ fs_mount_nfs($2)
++ fs_mounton_nfs($2)
+ fs_manage_nfs_dirs($2)
+ fs_manage_nfs_files($2)
+ fs_manage_nfs_symlinks($2)
+ fs_manage_nfs_named_sockets($2)
+ fs_manage_nfs_named_pipes($2)
+- ',`
+- fs_dontaudit_manage_nfs_dirs($2)
+- fs_dontaudit_manage_nfs_files($2)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
++ fs_mount_cifs($2)
++ fs_mounton_cifs($2)
+ fs_manage_cifs_dirs($2)
+ fs_manage_cifs_files($2)
+ fs_manage_cifs_symlinks($2)
+ fs_manage_cifs_named_sockets($2)
+ fs_manage_cifs_named_pipes($2)
+- ',`
+- fs_dontaudit_manage_cifs_dirs($2)
+- fs_dontaudit_manage_cifs_files($2)
+ ')
+ ')
+
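Review bot: `allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };` is broader than the `relabel_*_pattern` lines that follow it: those already grant relabelfrom/relabelto on dir, file, lnk_file, sock_file and fifo_file, so the only thing the extra rule adds is relabelling of chr_file and blk_file objects carrying a home type. If device nodes under home directories are meant to be relabelable, say so in a comment (`# also covers chr_file/blk_file under home dirs`); otherwise the line is redundant and should go. Separately, the `',` else-branches that `dontaudit`ed NFS/CIFS management while `use_nfs_home_dirs`/`use_samba_home_dirs` are off have been removed, so those denials will now be audited — fine if intentional, but worth a line in the commit message.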
+@@ -273,6 +315,82 @@ interface(`userdom_manage_home_role',`
+ ##
+ ## Manage user temporary files
+ ##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_manage_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++#######################################
++##
++## Manage user temporary sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_manage_tmp_sockets',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++#######################################
++##
++## Manage user temporary directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_manage_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++#######################################
++##
++## Manage user temporary directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_mounton_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:dir mounton;
++')
++
++#######################################
++##
++## Manage user temporary files
++##
+ ##
+ ##
+ ## Role allowed access.
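Review bot: The summary block above `userdom_mounton_tmp_dirs` repeats "Manage user temporary directories" from the interface before it, but the interface only grants `allow $1 user_tmp_t:dir mounton;`; the summary should read `## Mount on user temporary directories`. The four new interfaces also grant access to `user_tmp_t` objects without `files_search_tmp($1)`, which the existing `userdom_exec_user_tmp_files` in the hunk below does include; if callers are expected to obtain search on /tmp separately, each summary should say so.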
+@@ -287,17 +405,65 @@ interface(`userdom_manage_home_role',`
+ #
+ interface(`userdom_manage_tmp_role',`
+ gen_require(`
++ attribute user_tmp_type;
+ type user_tmp_t;
+ ')
+
++ role $1 types user_tmp_t;
++
+ files_poly_member_tmp($2, user_tmp_t)
+
+- manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
+- manage_files_pattern($2, user_tmp_t, user_tmp_t)
+- manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
+- manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
+- manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
++ allow $2 user_tmp_type:dir mounton;
++ manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
++ manage_files_pattern($2, user_tmp_type, user_tmp_type)
++ manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
++ manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
++ manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
+ files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
++ fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
++ relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
++ relabel_files_pattern($2, user_tmp_type, user_tmp_type)
++ relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
++ relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
++ relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
++')
++
++#######################################
++##
++## Dontaudit search of user bin dirs.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_search_user_bin_dirs',`
++ gen_require(`
++ type home_bin_t;
++ ')
++
++ dontaudit $1 home_bin_t:dir search_dir_perms;
++')
++
++#######################################
++##
++## Execute user bin files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_exec_user_bin_files',`
++ gen_require(`
++ attribute user_home_type;
++ type home_bin_t, user_home_dir_t;
++ ')
++
++ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
++ files_search_home($1)
+ ')
+
+ #######################################
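Review bot: `userdom_manage_tmp_role` now requires `attribute user_tmp_type` and grants manage/relabel over the whole attribute, while the new `role $1 types user_tmp_t;` and both `*_filetrans` lines still name only `user_tmp_t`; a short comment such as `# new files are created as user_tmp_t; other user_tmp_type members are only managed/relabeled` would make that split visibly intentional. The `relabel_*_pattern($2, user_tmp_type, user_tmp_type)` lines also permit relabelling from any type carrying the attribute to any other, wider than the previous `user_tmp_t`-only rules; if only same-type relabels are needed, keep the relabelto side on `user_tmp_t`. Whether `$1_usertype`, which the login template hunk below now passes as `$2`, is meant to receive all of these rules is not visible from this hunk.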
+@@ -317,11 +483,31 @@ interface(`userdom_exec_user_tmp_files',`
+ ')
+
+ exec_files_pattern($1, user_tmp_t, user_tmp_t)
++ dontaudit $1 user_tmp_t:sock_file execute;
+ files_search_tmp($1)
+ ')
+
+ #######################################
+ ##
++## Manage user temporary file system files
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_manage_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++')
++
++#######################################
++##
+ ## Role access for the user tmpfs type
+ ## that the user has full access.
+ ##
+@@ -347,60 +533,45 @@ interface(`userdom_exec_user_tmp_files',`
+ ##
+ #
+ interface(`userdom_manage_tmpfs_role',`
+- gen_require(`
+- type user_tmpfs_t;
+- ')
+-
+- manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
+- manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+- manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+- manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+- manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+- fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.')
++ userdom_manage_tmp_role($1,$2)
+ ')
+
+ #######################################
+ ##
+-## The template allowing the user basic
++## The interface allowing the user basic
+ ## network permissions
+ ##
+-##
++##
+ ##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
++## The user domain
+ ##
+ ##
+ ##
+ #
+-template(`userdom_basic_networking_template',`
+- gen_require(`
+- type $1_t;
+- ')
++interface(`userdom_basic_networking',`
+
+- allow $1_t self:tcp_socket create_stream_socket_perms;
+- allow $1_t self:udp_socket create_socket_perms;
++ allow $1 self:tcp_socket create_stream_socket_perms;
++ allow $1 self:udp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled($1_t)
+- corenet_all_recvfrom_netlabel($1_t)
+- corenet_tcp_sendrecv_generic_if($1_t)
+- corenet_udp_sendrecv_generic_if($1_t)
+- corenet_tcp_sendrecv_generic_node($1_t)
+- corenet_udp_sendrecv_generic_node($1_t)
+- corenet_tcp_sendrecv_all_ports($1_t)
+- corenet_udp_sendrecv_all_ports($1_t)
+- corenet_tcp_connect_all_ports($1_t)
+- corenet_sendrecv_all_client_packets($1_t)
+-
+- corenet_all_recvfrom_labeled($1_t, $1_t)
++ corenet_tcp_sendrecv_generic_if($1)
++ corenet_udp_sendrecv_generic_if($1)
++ corenet_tcp_sendrecv_generic_node($1)
++ corenet_udp_sendrecv_generic_node($1)
++ corenet_tcp_sendrecv_all_ports($1)
++ corenet_udp_sendrecv_all_ports($1)
++ corenet_tcp_connect_all_ports($1)
++ corenet_sendrecv_all_client_packets($1)
+
+ optional_policy(`
+- init_tcp_recvfrom_all_daemons($1_t)
+- init_udp_recvfrom_all_daemons($1_t)
++ init_tcp_recvfrom_all_daemons($1)
++ init_udp_recvfrom_all_daemons($1)
+ ')
+
+ optional_policy(`
+- ipsec_match_default_spd($1_t)
++ ipsec_match_default_spd($1)
+ ')
++
+ ')
+
+ #######################################
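Review bot: `userdom_basic_networking` drops the `corenet_all_recvfrom_unlabeled`, `corenet_all_recvfrom_netlabel` and `corenet_all_recvfrom_labeled` calls the template it replaces made, and only `corenet_all_recvfrom_netlabel($1_t)` reappears in the `userdom_common_user_template` hunk further down — on `$1_t`, not on the `$1_usertype` the interface is now called with. Unless receipt of unlabeled packets is granted to every domain elsewhere in this policy (not visible here), user domains will lose ordinary TCP/UDP traffic from unlabeled peers; either restore `corenet_all_recvfrom_unlabeled($1)` here or add a comment stating where that permission now comes from. The deprecation stub for `userdom_manage_tmpfs_role` looks right; the stray blank line before the closing `')` of the new interface is a style nit.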
+@@ -431,6 +602,7 @@ template(`userdom_xwindows_client_template',`
+ dev_dontaudit_rw_dri($1_t)
+ # GNOME checks for usb and other devices:
+ dev_rw_usbfs($1_t)
++ dev_rw_generic_usb_dev($1_t)
+
+ xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
+ xserver_xsession_entry_type($1_t)
+@@ -463,8 +635,8 @@ template(`userdom_change_password_template',`
+ ')
+
+ optional_policy(`
+- usermanage_run_chfn($1_t, $1_r)
+- usermanage_run_passwd($1_t, $1_r)
++ usermanage_run_chfn($1_t,$1_r)
++ usermanage_run_passwd($1_t,$1_r)
+ ')
+ ')
+
+@@ -491,51 +663,68 @@ template(`userdom_common_user_template',`
+ attribute unpriv_userdomain;
+ ')
+
+- userdom_basic_networking_template($1)
++ userdom_basic_networking($1_usertype)
++ corenet_all_recvfrom_netlabel($1_t)
+
+ ##############################
+ #
+ # User domain Local policy
+ #
++ allow $1_t self:packet_socket create_socket_perms;
+
+ # evolution and gnome-session try to create a netlink socket
+ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
++ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
++ allow $1_t self:socket create_socket_perms;
+
+- allow $1_t unpriv_userdomain:fd use;
++ allow $1_usertype unpriv_userdomain:fd use;
+
+ kernel_read_system_state($1_t)
+- kernel_read_network_state($1_t)
+- kernel_read_net_sysctls($1_t)
++ kernel_read_network_state($1_usertype)
++ kernel_read_software_raid_state($1_usertype)
++ kernel_read_net_sysctls($1_usertype)
+ # Very permissive allowing every domain to see every type:
+- kernel_get_sysvipc_info($1_t)
++ kernel_get_sysvipc_info($1_usertype)
+ # Find CDROM devices:
+- kernel_read_device_sysctls($1_t)
+-
+- corecmd_exec_bin($1_t)
++ kernel_read_device_sysctls($1_usertype)
++ kernel_request_load_module($1_usertype)
+
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
++ corenet_udp_bind_generic_node($1_usertype)
++ corenet_udp_bind_generic_port($1_usertype)
+
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
++ dev_read_rand($1_usertype)
++ dev_write_sound($1_usertype)
++ dev_read_sound($1_usertype)
++ dev_read_sound_mixer($1_usertype)
++ dev_write_sound_mixer($1_usertype)
+
+- files_exec_etc_files($1_t)
+- files_search_locks($1_t)
++ files_exec_etc_files($1_usertype)
++ files_search_locks($1_usertype)
+ # Check to see if cdrom is mounted
+- files_search_mnt($1_t)
++ files_search_mnt($1_usertype)
+ # cjp: perhaps should cut back on file reads:
+- files_read_var_files($1_t)
+- files_read_var_symlinks($1_t)
+- files_read_generic_spool($1_t)
+- files_read_var_lib_files($1_t)
++ files_read_var_files($1_usertype)
++ files_read_var_symlinks($1_usertype)
++ files_read_generic_spool($1_usertype)
++ files_read_var_lib_files($1_usertype)
+ # Stat lost+found.
+- files_getattr_lost_found_dirs($1_t)
++ files_getattr_lost_found_dirs($1_usertype)
++ files_read_config_files($1_usertype)
++ fs_read_noxattr_fs_files($1_usertype)
++ fs_read_noxattr_fs_symlinks($1_usertype)
++ fs_rw_cgroup_files($1_usertype)
++
++ application_getattr_socket($1_usertype)
++
+
+- fs_rw_cgroup_files($1_t)
++ ifdef(`enabled_mls',`
++ init_rw_tcp_sockets($1_usertype)
++ ')
++
++ logging_send_syslog_msg($1_t)
++
++ selinux_get_enforce_mode($1_t)
+
+ # cjp: some of this probably can be removed
+ selinux_get_fs_mount($1_t)
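Review bot: `ifdef(`enabled_mls',` is almost certainly a typo for `enable_mls` — the rest of this file tests `enable_mls` (see `ifndef(`enable_mls',` in the `userdom_unpriv_user_template` hunk) — so the `init_rw_tcp_sockets($1_usertype)` inside it is never emitted on MLS builds; change it to `ifdef(`enable_mls',`. Separately, `kernel_request_load_module($1_usertype)` and `allow $1_t self:packet_socket create_socket_perms;` let ordinary user domains trigger kernel module auto-loading and open packet sockets, both of which widen the kernel attack surface relative to the previous rules; if specific applications need them, a comment naming them (in the style of the existing `# Find CDROM devices:`) or a tunable gate would make the trade-off reviewable. The double blank line after `application_getattr_socket` is a style nit.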
+@@ -546,93 +735,132 @@ template(`userdom_common_user_template',`
+ selinux_compute_user_contexts($1_t)
+
+ # for eject
+- storage_getattr_fixed_disk_dev($1_t)
++ storage_getattr_fixed_disk_dev($1_usertype)
+
+- auth_use_nsswitch($1_t)
+- auth_read_login_records($1_t)
+- auth_search_pam_console_data($1_t)
+- auth_run_pam($1_t, $1_r)
+- auth_run_utempter($1_t, $1_r)
++ auth_read_login_records($1_usertype)
++ auth_run_pam_timestamp($1_t,$1_r)
++ auth_run_utempter($1_t,$1_r)
++ auth_filetrans_admin_home_content($1_t)
+
+- init_read_utmp($1_t)
++ init_read_utmp($1_usertype)
+
+- seutil_read_file_contexts($1_t)
+- seutil_read_default_contexts($1_t)
+- seutil_run_newrole($1_t, $1_r)
++ seutil_read_file_contexts($1_usertype)
++ seutil_read_default_contexts($1_usertype)
++ seutil_run_newrole($1_t,$1_r)
+ seutil_exec_checkpolicy($1_t)
+- seutil_exec_setfiles($1_t)
++ seutil_exec_setfiles($1_usertype)
+ # for when the network connection is killed
+ # this is needed when a login role can change
+ # to this one.
+ seutil_dontaudit_signal_newrole($1_t)
+
+- tunable_policy(`user_direct_mouse',`
+- dev_read_mouse($1_t)
+- ')
++ term_getattr_all_ttys($1_t)
+
+- tunable_policy(`user_ttyfile_stat',`
+- term_getattr_all_ttys($1_t)
++ optional_policy(`
++ # Allow graphical boot to check battery lifespan
++ apm_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+- alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
+- alsa_manage_home_files($1_t)
+- alsa_read_rw_config($1_t)
+- alsa_relabel_home_files($1_t)
++ chrome_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
+- # Allow graphical boot to check battery lifespan
+- apm_stream_connect($1_t)
++ canna_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+- canna_stream_connect($1_t)
++ colord_read_lib_files($1_usertype)
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client($1_t)
++ dbus_system_bus_client($1_usertype)
++
++ allow $1_usertype $1_usertype:dbus send_msg;
++
++ optional_policy(`
++ avahi_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ bluetooth_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ ')
++
++ optional_policy(`
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ firewalld_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ geoclue_dbus_chat($1_usertype)
++ ')
+
+ optional_policy(`
+- bluetooth_dbus_chat($1_t)
++ gnome_dbus_chat_gconfdefault($1_usertype)
+ ')
+
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
++ hal_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+- cups_dbus_chat_config($1_t)
++ kde_dbus_chat_backlighthelper($1_usertype)
++ ')
++
++ optional_policy(`
++ memcached_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ modemmanager_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+- hal_dbus_chat($1_t)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_lib_files($1_usertype)
+ ')
+
+ optional_policy(`
+- networkmanager_dbus_chat($1_t)
++ policykit_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+- policykit_dbus_chat($1_t)
++ vpn_dbus_chat($1_usertype)
+ ')
+ ')
+
+ optional_policy(`
+- inetd_use_fds($1_t)
+- inetd_rw_tcp_sockets($1_t)
++ git_role($1_r, $1_t)
+ ')
+
+ optional_policy(`
+- inn_read_config($1_t)
+- inn_read_news_lib($1_t)
+- inn_read_news_spool($1_t)
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
+ ')
+
+ optional_policy(`
+- kerberos_manage_krb5_home_files($1_t)
+- kerberos_relabel_krb5_home_files($1_t)
+- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
++ ')
++
++ optional_policy(`
++ lircd_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
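Review bot: `term_getattr_all_ttys($1_t)` becomes unconditional where it used to sit under `tunable_policy(`user_ttyfile_stat',`; that boolean and `user_direct_mouse` are removed here with no replacement visible, so every user domain can now stat every tty device by default. If dropping the boolean is deliberate, a comment on that line such as `# always allowed: needed by <program>`, or a sentence in the commit message, would record the decision. `allow $1_usertype $1_usertype:dbus send_msg;` is also added in the `userdom_restricted_xwindows_user_template` hunk later; when both templates apply to one domain, as `userdom_unpriv_user_template` does, one copy suffices.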
+@@ -642,23 +870,21 @@ template(`userdom_common_user_template',`
+ optional_policy(`
+ mpd_manage_user_data_content($1_t)
+ mpd_relabel_user_data_content($1_t)
++ mpd_stream_connect($1_t)
+ ')
+
+ # for running depmod as part of the kernel packaging process
+ optional_policy(`
+- modutils_read_module_config($1_t)
++ modutils_read_module_config($1_usertype)
+ ')
+
+ optional_policy(`
+- mta_rw_spool($1_t)
++ mta_rw_spool($1_usertype)
++ mta_manage_queue($1_usertype)
+ ')
+
+ optional_policy(`
+- mysql_manage_mysqld_home_files($1_t)
+- mysql_relabel_mysqld_home_files($1_t)
+- mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf")
+-
+- tunable_policy(`allow_user_mysql_connect',`
++ tunable_policy(`selinuxuser_mysql_connect_enabled',`
+ mysql_stream_connect($1_t)
+ ')
+ ')
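Review bot: `mysql_stream_connect($1_t)` stays on the concrete domain while the parallel `postgresql_stream_connect`/`postgresql_tcp_connect` lines in the hunk below move to `$1_usertype`; if that asymmetry is unintended the line should read `mysql_stream_connect($1_usertype)`. The renamed booleans `selinuxuser_mysql_connect_enabled` and `selinuxuser_postgresql_connect_enabled` must be declared by the respective modules, which are not in this file, so the rename should be checked there as well.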
+@@ -671,7 +897,7 @@ template(`userdom_common_user_template',`
+
+ optional_policy(`
+ # to allow monitoring of pcmcia status
+- pcmcia_read_pid($1_t)
++ pcmcia_read_pid($1_usertype)
+ ')
+
+ optional_policy(`
+@@ -680,9 +906,9 @@ template(`userdom_common_user_template',`
+ ')
+
+ optional_policy(`
+- tunable_policy(`allow_user_postgresql_connect',`
+- postgresql_stream_connect($1_t)
+- postgresql_tcp_connect($1_t)
++ tunable_policy(`selinuxuser_postgresql_connect_enabled',`
++ postgresql_stream_connect($1_usertype)
++ postgresql_tcp_connect($1_usertype)
+ ')
+ ')
+
+@@ -693,32 +919,35 @@ template(`userdom_common_user_template',`
+ ')
+
+ optional_policy(`
+- resmgr_stream_connect($1_t)
++ resmgr_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ rpc_dontaudit_getattr_exports($1_usertype)
++ ')
++
++ optional_policy(`
++ rpcbind_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+- rpc_dontaudit_getattr_exports($1_t)
+- rpc_manage_nfs_rw_content($1_t)
++ samba_stream_connect_winbind($1_usertype)
+ ')
+
+ optional_policy(`
+- samba_stream_connect_winbind($1_t)
++ sandbox_transition($1_usertype, $1_r)
+ ')
+
+ optional_policy(`
+- slrnpull_search_spool($1_t)
++ seunshare_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+- usernetctl_run($1_t, $1_r)
++ slrnpull_search_spool($1_usertype)
+ ')
+
+ optional_policy(`
+- virt_home_filetrans_virt_home($1_t, dir, ".libvirt")
+- virt_home_filetrans_virt_home($1_t, dir, ".virtinst")
+- virt_home_filetrans_virt_content($1_t, dir, "isos")
+- virt_home_filetrans_svirt_home($1_t, dir, "qemu")
+- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")
++ thumb_role($1_r, $1_usertype)
+ ')
+ ')
+
+@@ -743,17 +972,32 @@ template(`userdom_common_user_template',`
+ template(`userdom_login_user_template', `
+ gen_require(`
+ class context contains;
++ attribute login_userdomain;
+ ')
+
+ userdom_base_user_template($1)
+
++ typeattribute $1_t login_userdomain;
++
+ userdom_manage_home_role($1_r, $1_t)
+
+- userdom_manage_tmp_role($1_r, $1_t)
+- userdom_manage_tmpfs_role($1_r, $1_t)
++ userdom_manage_tmp_role($1_r, $1_usertype)
++
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable($1_exec_content, true)
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
++ tunable_policy(`$1_exec_content',`
++ userdom_exec_user_tmp_files($1_usertype)
++ userdom_exec_user_home_content_files($1_usertype)
++ ')
++ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
++ fs_exec_nfs_files($1_usertype)
++ ')
++
++ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
++ fs_exec_cifs_files($1_usertype)
++ ')
++ ')
+
+ userdom_change_password_template($1)
+
+@@ -761,83 +1005,107 @@ template(`userdom_login_user_template', `
+ #
+ # User domain Local policy
+ #
+-
+- allow $1_t self:capability { setgid chown fowner };
+ dontaudit $1_t self:capability { sys_nice fsetid };
++ allow $1_t self:process ~{ ptrace execmem execstack execheap };
++
++ tunable_policy(`selinuxuser_use_ssh_chroot',`
++ allow $1_t self:capability { setuid setgid sys_chroot };
++ ')
+
+- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
+ dontaudit $1_t self:process setrlimit;
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
++ domain_dyntrans_type($1_t)
+
+ allow $1_t self:context contains;
+
+- kernel_dontaudit_read_system_state($1_t)
++ kernel_dontaudit_read_system_state($1_usertype)
++ kernel_dontaudit_list_all_proc($1_usertype)
+
+- dev_read_sysfs($1_t)
+- dev_read_urand($1_t)
++ dev_read_sysfs($1_usertype)
++ dev_read_rand($1_usertype)
++ dev_read_urand($1_usertype)
+
+- domain_use_interactive_fds($1_t)
++ domain_use_interactive_fds($1_usertype)
+ # Command completion can fire hundreds of denials
+- domain_dontaudit_exec_all_entry_files($1_t)
++ domain_dontaudit_exec_all_entry_files($1_usertype)
+
+- files_dontaudit_list_default($1_t)
+- files_dontaudit_read_default_files($1_t)
++ files_dontaudit_list_default($1_usertype)
++ files_dontaudit_read_default_files($1_usertype)
+ # Stat lost+found.
+- files_getattr_lost_found_dirs($1_t)
++ files_getattr_lost_found_dirs($1_usertype)
+
+- fs_get_all_fs_quotas($1_t)
+- fs_getattr_all_fs($1_t)
+- fs_getattr_all_dirs($1_t)
+- fs_search_auto_mountpoints($1_t)
+- fs_list_cgroup_dirs($1_t)
+- fs_list_inotifyfs($1_t)
+- fs_rw_anon_inodefs_files($1_t)
+- fs_dontaudit_rw_cgroup_files($1_t)
++ fs_get_all_fs_quotas($1_usertype)
++ fs_getattr_all_fs($1_usertype)
++ fs_search_all($1_usertype)
++ fs_list_inotifyfs($1_usertype)
++ fs_rw_anon_inodefs_files($1_usertype)
+
++ auth_role($1_r, $1_t)
++ auth_create_cache($1_t)
++ auth_rw_cache($1_t)
++ auth_search_pam_console_data($1_t)
++ auth_dontaudit_read_login_records($1_t)
+ auth_dontaudit_write_login_records($1_t)
+
+ application_exec_all($1_t)
+-
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
+ init_dontaudit_rw_utmp($1_t)
++
+ # Stop warnings about access to /dev/console
+- init_dontaudit_use_fds($1_t)
+- init_dontaudit_use_script_fds($1_t)
++ init_dontaudit_use_fds($1_usertype)
++ init_dontaudit_use_script_fds($1_usertype)
+
+- libs_exec_lib_files($1_t)
++ libs_exec_lib_files($1_usertype)
+
+- logging_dontaudit_getattr_all_logs($1_t)
++ logging_dontaudit_getattr_all_logs($1_usertype)
+
+- miscfiles_read_man_pages($1_t)
+ # for running TeX programs
+- miscfiles_read_tetex_data($1_t)
+- miscfiles_exec_tetex_data($1_t)
++ miscfiles_read_tetex_data($1_usertype)
++ miscfiles_exec_tetex_data($1_usertype)
++
++ seutil_read_config($1_usertype)
++ seutil_read_file_contexts($1_usertype)
++ seutil_read_default_contexts($1_usertype)
++ seutil_exec_setfiles($1_usertype)
++
++ optional_policy(`
++ cups_read_config($1_usertype)
++ cups_stream_connect($1_usertype)
++ cups_stream_connect_ptal($1_usertype)
++ ')
++
++ optional_policy(`
++ kerberos_use($1_usertype)
++ init_write_key($1_usertype)
++ ')
+
+- seutil_read_config($1_t)
++ optional_policy(`
++ mysql_filetrans_named_content($1_usertype)
++ ')
+
+ optional_policy(`
+- cups_read_config($1_t)
+- cups_stream_connect($1_t)
+- cups_stream_connect_ptal($1_t)
++ mta_dontaudit_read_spool_symlinks($1_usertype)
+ ')
+
+ optional_policy(`
+- kerberos_use($1_t)
++ quota_dontaudit_getattr_db($1_usertype)
+ ')
+
+ optional_policy(`
+- mta_dontaudit_read_spool_symlinks($1_t)
++ rpm_read_db($1_usertype)
++ rpm_dontaudit_manage_db($1_usertype)
++ rpm_read_cache($1_usertype)
+ ')
+
+ optional_policy(`
+- quota_dontaudit_getattr_db($1_t)
++ oddjob_run_mkhomedir($1_t, $1_r)
+ ')
+
+ optional_policy(`
+- rpm_read_db($1_t)
+- rpm_dontaudit_manage_db($1_t)
++ wine_filetrans_named_content($1_usertype)
+ ')
++
+ ')
+
+ #######################################
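Review bot: `allow $1_t self:process ~{ ptrace execmem execstack execheap };` replaces `~{ setcurrent setexec setrlimit execmem execstack execheap }`, so login user domains now get `setcurrent`, `setexec` and `setrlimit`; together with the new `domain_dyntrans_type($1_t)` this enables setcon()-style dynamic transitions out of the user domain, whose permitted targets are not visible here and deserve a comment (`# setcurrent + dyntrans: needed for <tool>; targets limited by dyntransition rules`). The kept `dontaudit $1_t self:process setrlimit;` is now dead, since the permission is allowed. `tunable_policy(`selinuxuser_use_ssh_chroot',` grants `setuid setgid` alongside `sys_chroot`; a one-line comment on why the uid/gid capabilities are required for the chroot case would help reviewers.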
+@@ -868,6 +1136,12 @@ template(`userdom_restricted_user_template',`
+ typeattribute $1_t unpriv_userdomain;
+ domain_interactive_fd($1_t)
+
++ allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
++ dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
++
++ seutil_read_file_contexts($1_t)
++ seutil_read_default_contexts($1_t)
++
+ ##############################
+ #
+ # Local policy
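Review bot: `allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;` repeats the `allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;` added in the `userdom_common_user_template` hunk; assuming `$1_t` carries the `$1_usertype` attribute, one of the two is redundant once both templates apply, as `userdom_unpriv_user_template` does. `dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;` would benefit from a why-comment naming the library that probes the audit socket, in the style of `# gnome keyring wants to read this.` used elsewhere in this file.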
+@@ -907,53 +1181,137 @@ template(`userdom_restricted_xwindows_user_template',`
+ #
+ # Local policy
+ #
++ kernel_stream_connect($1_usertype)
+
+- auth_role($1_r, $1_t)
+- auth_search_pam_console_data($1_t)
+-
+- dev_read_sound($1_t)
+- dev_write_sound($1_t)
++ dev_read_sound($1_usertype)
++ dev_write_sound($1_usertype)
+ # gnome keyring wants to read this.
+- dev_dontaudit_read_rand($1_t)
++ dev_dontaudit_read_rand($1_usertype)
++ # temporarily allow since openoffice requires this
++ dev_read_rand($1_usertype)
+
+- logging_send_syslog_msg($1_t)
+- logging_dontaudit_send_audit_msgs($1_t)
++ dev_read_video_dev($1_usertype)
++ dev_write_video_dev($1_usertype)
++ dev_rw_wireless($1_usertype)
+
+- # Need to to this just so screensaver will work. Should be moved to screensaver domain
+- logging_send_audit_msgs($1_t)
+- selinux_get_enforce_mode($1_t)
++ libs_dontaudit_setattr_lib_files($1_usertype)
+
+- xserver_restricted_role($1_r, $1_t)
++ init_read_state($1_usertype)
++
++ tunable_policy(`selinuxuser_rw_noexattrfile',`
++ dev_rw_usbfs($1_t)
++ dev_rw_generic_usb_dev($1_usertype)
++
++ fs_manage_noxattr_fs_files($1_usertype)
++ fs_manage_noxattr_fs_dirs($1_usertype)
++ fs_manage_dos_dirs($1_usertype)
++ fs_manage_dos_files($1_usertype)
++ storage_raw_read_removable_device($1_usertype)
++ storage_raw_write_removable_device($1_usertype)
++ ')
++
++ logging_send_syslog_msg($1_t)
++ logging_dontaudit_send_audit_msgs($1_t)
++
++ # Need to to this just so screensaver will work. Should be moved to screensaver domain
++ selinux_get_enforce_mode($1_t)
++ seutil_exec_restorecond($1_t)
++ seutil_read_file_contexts($1_t)
++ seutil_read_default_contexts($1_t)
++
++ xserver_restricted_role($1_r, $1_t)
++
++ optional_policy(`
++ alsa_read_rw_config($1_usertype)
++ ')
++
++ # cjp: needed by KDE apps
++ # bug: #682499
++ optional_policy(`
++ gnome_read_usr_config($1_usertype)
++ # cjp: telepathy F15 bugs
++ telepathy_role($1_r, $1_t, $1)
++ ')
+
+ optional_policy(`
+- alsa_read_rw_config($1_t)
++ obex_role($1_r, $1_t, $1)
+ ')
+
+ optional_policy(`
+- dbus_role_template($1, $1_r, $1_t)
+- dbus_system_bus_client($1_t)
++ dbus_role_template($1, $1_r, $1_usertype)
++ dbus_system_bus_client($1_usertype)
++ allow $1_usertype $1_usertype:dbus send_msg;
++
++ optional_policy(`
++ abrt_dbus_chat($1_usertype)
++ abrt_run_helper($1_usertype, $1_r)
++ ')
++
++ optional_policy(`
++ accountsd_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ consolekit_dontaudit_read_log($1_usertype)
++ consolekit_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ cups_dbus_chat($1_usertype)
++ cups_dbus_chat_config($1_usertype)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ ')
+
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
++ fprintd_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+- cups_dbus_chat($1_t)
++ realmd_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ gnome_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
+ wm_role_template($1, $1_r, $1_t)
+ ')
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
++ policykit_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
++ pulseaudio_role($1_r, $1_usertype)
++ pulseaudio_filetrans_admin_home_content($1_usertype)
++ ')
++
++ optional_policy(`
++ rtkit_scheduled($1_usertype)
++ ')
++
++ optional_policy(`
++ systemd_filetrans_home_content($1_usertype)
+ ')
+
+ optional_policy(`
+ setroubleshoot_dontaudit_stream_connect($1_t)
+ ')
++
++ optional_policy(`
++ udev_read_db($1_usertype)
++ ')
++
++ optional_policy(`
++ xserver_xdm_ioctl_log($1_t)
++ ')
+ ')
+
+ #######################################
+@@ -987,27 +1345,33 @@ template(`userdom_unpriv_user_template', `
+ #
+
+ # Inherit rules for ordinary users.
+- userdom_restricted_user_template($1)
++ userdom_restricted_xwindows_user_template($1)
+ userdom_common_user_template($1)
+
+ ##############################
+ #
+ # Local policy
+ #
++ allow $1_t self:capability { setgid chown fowner };
++
++ corecmd_exec_chroot($1_t)
+
+ # port access is audited even if dac would not have allowed it, so dontaudit it here
+- corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
++# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+ # Need the following rule to allow users to run vpnc
+ corenet_tcp_bind_xserver_port($1_t)
++ corenet_tcp_bind_generic_node($1_usertype)
++
++ storage_rw_fuse($1_t)
+
+ files_exec_usr_files($1_t)
+- # cjp: why?
++ # cjp: why?
+ files_read_kernel_symbol_table($1_t)
+
+ ifndef(`enable_mls',`
+ fs_exec_noxattr($1_t)
+
+- tunable_policy(`user_rw_noexattrfile',`
++ tunable_policy(`selinuxuser_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ # Write floppies
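Review bot: The new `allow $1_t self:capability { setgid chown fowner };` grants every unprivileged user domain three DAC-bypassing capabilities with no comment naming the program that needs them, while neighbouring rules (vpnc, fusermount) each carry a rationale; add one such as `# chown/fowner/setgid needed by <TOOL — TODO name the caller>`. The comment `# port access is audited even if dac would not have allowed it, so dontaudit it here` now sits above a disabled `# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)`, so it is stale; either delete both lines or replace the dead call with a one-line reason the dontaudit was dropped. Leaving disabled calls as column-0 `#` lines is not the file's style. The template body continues outside this hunk.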
+@@ -1018,23 +1382,63 @@ template(`userdom_unpriv_user_template', `
+ ')
+ ')
+
+- tunable_policy(`user_dmesg',`
+- kernel_read_ring_buffer($1_t)
+- ',`
+- kernel_dontaudit_read_ring_buffer($1_t)
+- ')
++ miscfiles_read_hwdata($1_usertype)
++
++ fs_mounton_fusefs($1_usertype)
+
+ # Allow users to run TCP servers (bind to ports and accept connection from
+ # the same domain and outside users) disabling this forces FTP passive mode
+ # and may change other protocols
+- tunable_policy(`user_tcp_server',`
+- corenet_tcp_bind_generic_node($1_t)
+- corenet_tcp_bind_generic_port($1_t)
++
++ tunable_policy(`selinuxuser_share_music',`
++ corenet_tcp_bind_daap_port($1_usertype)
++ ')
++
++ tunable_policy(`selinuxuser_tcp_server',`
++ corenet_tcp_bind_all_unreserved_ports($1_usertype)
++ ')
++
++ tunable_policy(`selinuxuser_udp_server',`
++ corenet_udp_bind_all_unreserved_ports($1_usertype)
++ ')
++ optional_policy(`
++ cdrecord_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
++ cron_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
++ games_manage_data_files($1_usertype)
++ ')
++
++ optional_policy(`
++ gpg_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
++ systemd_dbus_chat_timedated($1_t)
++ systemd_dbus_chat_hostnamed($1_t)
++ systemd_dbus_chat_localed($1_t)
++ ')
++
++ optional_policy(`
++ gpm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
++ ')
++
++ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
++ postfix_run_postdrop($1_t, $1_r)
++ postfix_search_spool($1_t)
+ ')
+
+ # Run pppd in pppd_t by default for user
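Review bot: `tunable_policy(\`selinuxuser_share_music',...)` consumes a boolean whose `gen_tunable` declaration is not visible anywhere in this chunk, unlike `selinuxuser_tcp_server` and `selinuxuser_udp_server` which are renames of existing tunables; confirm `gen_tunable(selinuxuser_share_music, false)` exists, since checkpolicy presumably rejects an undeclared boolean. The three-line comment about TCP servers and FTP passive mode now heads the `selinuxuser_share_music` block instead of the `selinuxuser_tcp_server` block it describes, so move it down or reword it to cover all three tunables. Removing the `user_dmesg` tunable also removes `kernel_dontaudit_read_ring_buffer($1_t)`, so a user running dmesg will now produce an AVC denial unless that is silenced elsewhere. The template body continues outside this hunk.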
+@@ -1043,7 +1447,9 @@ template(`userdom_unpriv_user_template', `
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
++ vdagent_getattr_log($1_t)
++ vdagent_getattr_exec_files($1_t)
++ vdagent_stream_connect($1_t)
+ ')
+ ')
+
+@@ -1079,7 +1485,9 @@ template(`userdom_unpriv_user_template', `
+ template(`userdom_admin_user_template',`
+ gen_require(`
+ attribute admindomain;
+- class passwd { passwd chfn chsh rootok };
++ attribute confined_admindomain;
++
++ class passwd { passwd chfn chsh rootok crontab };
+ ')
+
+ ##############################
+@@ -1095,6 +1503,7 @@ template(`userdom_admin_user_template',`
+ role system_r types $1_t;
+
+ typeattribute $1_t admindomain;
++ typeattribute $1_t confined_admindomain;
+
+ ifdef(`direct_sysadm_daemon',`
+ domain_system_change_exemption($1_t)
+@@ -1105,14 +1514,8 @@ template(`userdom_admin_user_template',`
+ # $1_t local policy
+ #
+
+- allow $1_t self:capability ~{ sys_module audit_control audit_write };
+- allow $1_t self:process { setexec setfscreate };
+- allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+- allow $1_t self:tun_socket create;
+- # Set password information for other users.
+- allow $1_t self:passwd { passwd chfn chsh };
+- # Skip authentication when pam_rootok is specified.
+- allow $1_t self:passwd rootok;
++ # Manipulate other users crontab.
++ allow $1_t self:passwd crontab;
+
+ kernel_read_software_raid_state($1_t)
+ kernel_getattr_core_if($1_t)
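Review bot: The removed `self:capability ~{ sys_module audit_control audit_write }`, `self:process { setexec setfscreate }`, `netlink_audit_socket nlmsg_readpriv`, `tun_socket create` and `self:passwd { passwd chfn chsh rootok }` rules have no visible replacement in this chunk; if they now come from the `confined_admindomain` attribute introduced two hunks above, a comment here such as `# capability, setexec and passwd rules are granted through confined_admindomain` would save the next reader the search, and if they do not, admin users lose `rootok` and the ability to change other users' passwords. Replacing the near-total complement grant with an explicit capability list is the right direction and should be kept that way in the attribute rules. `allow $1_t self:passwd crontab;` depends on `crontab` being a defined permission of the userspace `passwd` class (added to the `gen_require` earlier in this patch), so the class definition in access_vectors presumably has to change in step.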
+@@ -1128,6 +1531,7 @@ template(`userdom_admin_user_template',`
+ kernel_sigstop_unlabeled($1_t)
+ kernel_signull_unlabeled($1_t)
+ kernel_sigchld_unlabeled($1_t)
++ kernel_signal($1_t)
+
+ corenet_tcp_bind_generic_port($1_t)
+ # allow setting up tunnels
+@@ -1145,10 +1549,15 @@ template(`userdom_admin_user_template',`
+ dev_rename_all_blk_files($1_t)
+ dev_rename_all_chr_files($1_t)
+ dev_create_generic_symlinks($1_t)
++ dev_rw_generic_usb_dev($1_t)
++ dev_rw_usbfs($1_t)
++ dev_read_kmsg($1_t)
++ dev_read_cpuid($1_t)
+
+ domain_setpriority_all_domains($1_t)
+ domain_read_all_domains_state($1_t)
+ domain_getattr_all_domains($1_t)
++ domain_getcap_all_domains($1_t)
+ domain_dontaudit_ptrace_all_domains($1_t)
+ # signal all domains:
+ domain_kill_all_domains($1_t)
+@@ -1159,29 +1568,40 @@ template(`userdom_admin_user_template',`
+ domain_sigchld_all_domains($1_t)
+ # for lsof
+ domain_getattr_all_sockets($1_t)
++ domain_dontaudit_getattr_all_sockets($1_t)
+
+ files_exec_usr_src_files($1_t)
+
+ fs_getattr_all_fs($1_t)
++ fs_getattr_all_files($1_t)
++ fs_list_all($1_t)
+ fs_set_all_quotas($1_t)
+ fs_exec_noxattr($1_t)
+
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
++ storage_dontaudit_read_fixed_disk($1_t)
+
+- term_use_all_terms($1_t)
++ term_use_all_inherited_terms($1_t)
++ term_use_unallocated_ttys($1_t)
+
+ auth_getattr_shadow($1_t)
+ # Manage almost all files
+- files_manage_non_auth_files($1_t)
++ files_manage_non_security_dirs($1_t)
++ files_manage_non_security_files($1_t)
+ # Relabel almost all files
+- files_relabel_non_auth_files($1_t)
++ files_relabel_non_security_files($1_t)
++
++ files_mounton_rootfs($1_t)
+
+ init_telinit($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+- modutils_domtrans_insmod($1_t)
++ optional_policy(`
++ modutils_domtrans_insmod($1_t)
++ modutils_domtrans_depmod($1_t)
++ ')
+
+ # The following rule is temporary until such time that a complete
+ # policy management infrastructure is in place so that an administrator
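Review bot: `domain_getattr_all_sockets($1_t)` and the newly added `domain_dontaudit_getattr_all_sockets($1_t)` appear to name the same permissions on the same targets; a dontaudit of a permission that is already allowed has no effect, so unless the allow is conditional elsewhere, drop the dontaudit or comment which denial it is meant to silence. The `term_use_all_terms` → `term_use_all_inherited_terms` + `term_use_unallocated_ttys` split and the `non_auth` → `non_security` file interfaces narrow the admin domain and read as intended. Wrapping `modutils_domtrans_insmod` in `optional_policy` is correct; the other direct module calls in this template (`init_telinit`, `logging_send_syslog_msg`) are left unwrapped, which is pre-existing but worth aligning while here.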
+@@ -1191,6 +1611,8 @@ template(`userdom_admin_user_template',`
+ # But presently necessary for installing the file_contexts file.
+ seutil_manage_bin_policy($1_t)
+
++ systemd_config_all_services($1_t)
++
+ userdom_manage_user_home_content_dirs($1_t)
+ userdom_manage_user_home_content_files($1_t)
+ userdom_manage_user_home_content_symlinks($1_t)
+@@ -1198,13 +1620,21 @@ template(`userdom_admin_user_template',`
+ userdom_manage_user_home_content_sockets($1_t)
+ userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
+
+- tunable_policy(`user_rw_noexattrfile',`
++ tunable_policy(`selinuxuser_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ ',`
+ fs_read_noxattr_fs_files($1_t)
+ ')
+
++ tunable_policy(`selinuxuser_tcp_server',`
++ corenet_tcp_bind_all_unreserved_ports($1_t)
++ ')
++
++ tunable_policy(`selinuxuser_udp_server',`
++ corenet_udp_bind_all_unreserved_ports($1_t)
++ ')
++
+ optional_policy(`
+ postgresql_unconfined($1_t)
+ ')
+@@ -1240,7 +1670,7 @@ template(`userdom_admin_user_template',`
+ ##
+ ##
+ #
+-template(`userdom_security_admin_template',`
++template(`userdom_security_admin',`
+ allow $1 self:capability { dac_read_search dac_override };
+
+ corecmd_exec_shell($1)
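Review bot: Renaming `userdom_security_admin_template` to `userdom_security_admin` breaks every existing caller of the old name, and unlike the tmpfs interfaces later in this patch (`userdom_user_tmpfs_file`, `userdom_read_user_tmpfs_files`) no `refpolicywarn` compatibility wrapper is left behind. Add a deprecated wrapper that forwards both arguments, as below. The doc block above the definition and the template body continue outside this hunk.
```selinux
########################################
##
## Deprecated; use userdom_security_admin() instead.
##
#
template(`userdom_security_admin_template',`
	refpolicywarn(`$0($*) has been deprecated, use userdom_security_admin() instead.')
	userdom_security_admin($1, $2)
')
```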
+@@ -1250,6 +1680,8 @@ template(`userdom_security_admin_template',`
+ dev_relabel_all_dev_nodes($1)
+
+ files_create_boot_flag($1)
++ files_create_default_dir($1)
++ files_root_filetrans_default($1, dir)
+
+ # Necessary for managing /boot/efi
+ fs_manage_dos_files($1)
+@@ -1262,8 +1694,10 @@ template(`userdom_security_admin_template',`
+ selinux_set_enforce_mode($1)
+ selinux_set_all_booleans($1)
+ selinux_set_parameters($1)
++ selinux_read_policy($1)
++
++ files_relabel_all_files($1)
+
+- files_relabel_non_auth_files($1)
+ auth_relabel_shadow($1)
+
+ init_exec($1)
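Review bot: `files_relabel_all_files($1)` replaces `files_relabel_non_auth_files($1)`, widening the security-admin role from relabeling non-authentication files to relabeling every file type, including the policy, shadow and other security-labelled types the old interface deliberately excluded; the neighbouring `auth_relabel_shadow($1)` shows those exceptions used to be added one at a time. If a full relabel is intended (e.g. `restorecon -R /` from this role), record it with a comment such as `# Full relabel so the role can restorecon the whole filesystem; security-labelled types are included on purpose.`; otherwise keep the narrower interface. `selinux_read_policy($1)` belongs with the `selinux_set_*` group above it rather than floating between that group and the relabel rule. The template body continues outside this hunk.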
+@@ -1274,29 +1708,31 @@ template(`userdom_security_admin_template',`
+ logging_read_audit_config($1)
+
+ seutil_manage_bin_policy($1)
+- seutil_run_checkpolicy($1, $2)
+- seutil_run_loadpolicy($1, $2)
+- seutil_run_semanage($1, $2)
++ seutil_manage_default_contexts($1)
++ seutil_manage_file_contexts($1)
++ seutil_manage_module_store($1)
++ seutil_manage_config($1)
++ seutil_manage_login_config($1)
++ seutil_run_checkpolicy($1,$2)
++ seutil_run_loadpolicy($1,$2)
++ seutil_run_semanage($1,$2)
++ seutil_run_setsebool($1,$2)
+ seutil_run_setfiles($1, $2)
+
+ optional_policy(`
+- aide_run($1, $2)
++ aide_run($1,$2)
+ ')
+
+ optional_policy(`
+ consoletype_exec($1)
+ ')
+
+- optional_policy(`
+- dmesg_exec($1)
+- ')
+-
+- optional_policy(`
+- ipsec_run_setkey($1, $2)
++ optional_policy(`
++ ipsec_run_setkey($1,$2)
+ ')
+
+ optional_policy(`
+- netlabel_run_mgmt($1, $2)
++ netlabel_run_mgmt($1,$2)
+ ')
+
+ optional_policy(`
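Review bot: The new `seutil_run_checkpolicy($1,$2)`, `seutil_run_loadpolicy($1,$2)`, `seutil_run_semanage($1,$2)` and `seutil_run_setsebool($1,$2)` omit the space after the comma while the untouched `seutil_run_setfiles($1, $2)` directly below keeps it; the file's style is `($1, $2)`, and the context lines `aide_run`, `ipsec_run_setkey` and `netlabel_run_mgmt` were reformatted to the no-space form for no functional reason, which should be reverted. The `optional_policy(` opener around `ipsec_run_setkey` is removed and re-added with different leading whitespace and no content change, which is pure whitespace noise in the diff. Dropping the `dmesg_exec($1)` optional block is a behaviour change for the security-admin role and deserves a line in the commit message. The template body continues outside this hunk.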
+@@ -1357,14 +1793,17 @@ interface(`userdom_user_home_content',`
+ gen_require(`
+ attribute user_home_content_type;
+ type user_home_t;
++ attribute user_home_type;
+ ')
+
+ typeattribute $1 user_home_content_type;
+
+ allow $1 user_home_t:filesystem associate;
+ files_type($1)
+- files_poly_member($1)
+ ubac_constrained($1)
++
++ files_poly_member($1)
++ typeattribute $1 user_home_type;
+ ')
+
+ ########################################
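Review bot: `typeattribute $1 user_home_type;` now attaches every type declared through `userdom_user_home_content()` to the `user_home_type` attribute, and later hunks switch `userdom_list_user_home_content`, `userdom_read_user_home_content_files`, `userdom_dontaudit_read_user_home_content_files` and `userdom_exec_user_home_content_files` from `user_home_t` to that attribute. Every existing caller of those interfaces therefore gains list, read or execute access to all home-content types that went through this interface — potentially private types such as key material or mail — rather than only generic `user_home_t`, and nothing on the caller side changes to show it. If that is the intended design, say so in each affected interface's description, e.g. `## Access covers every type with the user_home_type attribute, not only user_home_t.`, and re-check callers that were granted `userdom_read_user_home_content_files` for a narrow purpose. Moving `files_poly_member($1)` below `ubac_constrained($1)` has no effect and only enlarges the diff.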
+@@ -1397,12 +1836,51 @@ interface(`userdom_user_tmp_file',`
+ ##
+ #
+ interface(`userdom_user_tmpfs_file',`
+- files_tmpfs_file($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.')
++ userdom_user_tmp_file($1)
++')
++
++########################################
++##
++## Allow domain to attach to TUN devices created by administrative users.
++##
++##
++##
++## Type to be used as a file in the
++## generic temporary directory.
++##
++##
++#
++interface(`userdom_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ typeattribute $1 user_tmp_type;
++
++ files_tmp_file($1)
+ ubac_constrained($1)
+ ')
+
+ ########################################
+ ##
++## Make the specified type usable in a
++## generic tmpfs_t directory.
++##
++##
++##
++## Type to be used as a file in the
++## generic temporary directory.
++##
++##
++#
++interface(`userdom_user_tmpfs_content',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.')
++ userdom_user_tmp_content($1)
++')
++
++########################################
++##
+ ## Allow domain to attach to TUN devices created by administrative users.
+ ##
+ ##
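Review bot: The new `userdom_user_tmp_content` interface is documented as `## Allow domain to attach to TUN devices created by administrative users.`, which is copied from the interface that follows it and is wrong; the summary should be `## Make the specified type usable in a generic tmp directory.`, mirroring the `userdom_user_tmpfs_content` text and the body (`files_tmp_file($1)`, `typeattribute $1 user_tmp_type`). Both deprecated wrappers, `userdom_user_tmpfs_file` and `userdom_user_tmpfs_content`, now forward to the tmp interfaces, so a tmpfs-backed type ends up with `files_tmp_file` rather than `files_tmpfs_file`; confirm the two type families are meant to be merged, and note it in the deprecation message if so.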
+@@ -1509,11 +1987,31 @@ interface(`userdom_search_user_home_dirs',`
+ ')
+
+ allow $1 user_home_dir_t:dir search_dir_perms;
++ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
+ files_search_home($1)
+ ')
+
+ ########################################
+ ##
++## Search user tmp directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_search_user_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 user_tmp_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to search user home directories.
+ ##
+ ##
+@@ -1555,6 +2053,14 @@ interface(`userdom_list_user_home_dirs',`
+
+ allow $1 user_home_dir_t:dir list_dir_perms;
+ files_search_home($1)
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_list_nfs($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_list_cifs($1)
++ ')
+ ')
+
+ ########################################
+@@ -1570,9 +2076,11 @@ interface(`userdom_list_user_home_dirs',`
+ interface(`userdom_dontaudit_list_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
++ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
++ dontaudit $1 user_home_t:dir list_dir_perms;
+ ')
+
+ ########################################
+@@ -1613,6 +2121,24 @@ interface(`userdom_manage_user_home_dirs',`
+
+ ########################################
+ ##
++## Create user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_dontaudit_manage_user_home_dirs',`
++ gen_require(`
++ type user_home_dir_t;
++ ')
++
++ dontaudit $1 user_home_dir_t:dir manage_dir_perms;
++')
++
++########################################
++##
+ ## Relabel to user home directories.
+ ##
+ ##
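Review bot: `userdom_dontaudit_manage_user_home_dirs` is documented as `## Create user home directories.` with its parameter described as `## Domain allowed access.`; for a dontaudit interface the summary should be `## Do not audit attempts to create, read, write, and delete user home directories.` and the parameter `## Domain to not audit.`, as the other `userdom_dontaudit_*` interfaces in this file are written.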
+@@ -1629,6 +2155,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+ allow $1 user_home_dir_t:dir relabelto;
+ ')
+
++
++########################################
++##
++## Relabel to user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_relabelto_user_home_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file relabelto;
++')
++########################################
++##
++## Relabel user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_relabel_user_home_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file relabel_file_perms;
++')
++
+ ########################################
+ ##
+ ## Create directories in the home dir root with
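Review bot: Separator spacing around the two new relabel interfaces is inconsistent: two blank lines precede the `userdom_relabelto_user_home_files` banner, and there is no blank line between its closing `')` and the banner of `userdom_relabel_user_home_files`, whereas the rest of the file uses exactly one blank line between interfaces. Remove the extra blank line and insert one after the first `')`.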
+@@ -1708,6 +2270,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+ ')
+
+ dontaudit $1 user_home_t:dir search_dir_perms;
++ fs_dontaudit_list_nfs($1)
++ fs_dontaudit_list_cifs($1)
+ ')
+
+ ########################################
+@@ -1741,10 +2305,12 @@ interface(`userdom_list_all_user_home_content',`
+ #
+ interface(`userdom_list_user_home_content',`
+ gen_require(`
+- type user_home_t;
++ type user_home_dir_t;
++ attribute user_home_type;
+ ')
+
+- allow $1 user_home_t:dir list_dir_perms;
++ files_list_home($1)
++ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
+ ')
+
+ ########################################
+@@ -1769,7 +2335,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+
+ ########################################
+ ##
+-## Delete all user home content directories.
++## Delete directories in a user home subdirectory.
+ ##
+ ##
+ ##
+@@ -1777,19 +2343,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_all_user_home_content_dirs',`
++interface(`userdom_delete_user_home_content_dirs',`
+ gen_require(`
+- attribute user_home_content_type;
+- type user_home_dir_t;
++ type user_home_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
++ allow $1 user_home_t:dir delete_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete directories in a user home subdirectory.
++## Delete all directories in a user home subdirectory.
+ ##
+ ##
+ ##
+@@ -1797,55 +2361,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_user_home_content_dirs',`
++interface(`userdom_delete_all_user_home_content_dirs',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
+ ')
+
+- allow $1 user_home_t:dir delete_dir_perms;
++ allow $1 user_home_type:dir delete_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Set attributes of all user home content directories.
++## Set the attributes of user home files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`userdom_setattr_all_user_home_content_dirs',`
++interface(`userdom_setattr_user_home_content_files',`
+ gen_require(`
+- attribute user_home_content_type;
++ type user_home_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 user_home_content_type:dir setattr_dir_perms;
++ allow $1 user_home_t:file setattr;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to set the
+-## attributes of user home files.
++## Set the attributes of user tmp files.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`userdom_dontaudit_setattr_user_home_content_files',`
++interface(`userdom_setattr_user_tmp_files',`
+ gen_require(`
+- type user_home_t;
++ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_home_t:file setattr_file_perms;
++ allow $1 user_tmp_t:file setattr;
+ ')
+
+ ########################################
+ ##
+-## Mmap user home files.
++## Create a user tmp sockets.
+ ##
+ ##
+ ##
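Review bot: `allow $1 user_home_t:file setattr;` in `userdom_setattr_user_home_content_files` and `allow $1 user_tmp_t:file setattr;` in `userdom_setattr_user_tmp_files` use the bare permission where the file's own `userdom_dontaudit_setattr_user_home_content_files` uses `setattr_file_perms`; use the macro in both for consistency, e.g. `allow $1 user_home_t:file setattr_file_perms;`. The summary `## Create a user tmp sockets.` should read `## Create user tmp sockets.`. Reordering `delete_user_home_content_dirs`, `setattr_*` and `dontaudit_setattr_*` inside the hunk turns unchanged interfaces into remove/re-add pairs; keeping the original order would leave only the real changes in the diff.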
+@@ -1853,18 +2417,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_mmap_user_home_content_files',`
+- gen_require(`
+- type user_home_dir_t, user_home_t;
+- ')
+-
+- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
++interface(`userdom_create_user_tmp_sockets',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 user_tmp_t:dir list_dir_perms;
++ create_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Read user home files.
++## Dontaudit getattr on user tmp sockets.
+ ##
+ ##
+ ##
+@@ -1872,41 +2437,178 @@ interface(`userdom_mmap_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_read_user_home_content_files',`
+- gen_require(`
+- type user_home_dir_t, user_home_t;
+- ')
+-
+- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
++interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++ dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read user home files.
++## Relabel user tmp files.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`userdom_dontaudit_read_user_home_content_files',`
++interface(`userdom_relabel_user_tmp_files',`
+ gen_require(`
+- type user_home_t;
++ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_home_t:dir list_dir_perms;
+- dontaudit $1 user_home_t:file read_file_perms;
++ allow $1 user_tmp_t:file relabel_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to append user home files.
++## Relabel user tmp files.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_relabel_user_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:dir relabel_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to set the
++## attributes of user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_setattr_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ dontaudit $1 user_home_t:file setattr_file_perms;
++')
++
++########################################
++##
++## Set the attributes of all user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_setattr_all_user_home_content_dirs',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:dir setattr_dir_perms;
++')
++
++########################################
++##
++## Mmap user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_mmap_user_home_content_files',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ ')
++
++ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++ files_search_home($1)
++')
++
++########################################
++##
++## Read user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_user_home_content_files',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
++ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
++ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ files_search_home($1)
++')
++
++########################################
++##
++## Do not audit attempts to getattr user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_getattr_user_home_content',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:dir getattr;
++ dontaudit $1 user_home_type:file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to read user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ type user_home_dir_t;
++ ')
++
++ dontaudit $1 user_home_dir_t:dir list_dir_perms;
++ dontaudit $1 user_home_type:dir list_dir_perms;
++ dontaudit $1 user_home_type:file read_file_perms;
++ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to append user home files.
++##
++##
++##
++## Domain to not audit.
+ ##
+ ##
+ #
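Review bot: The new interface name `usedom_dontaudit_user_getattr_tmp_sockets` misspells the prefix (`usedom` for `userdom`) and departs from the `userdom_dontaudit_<verb>_user_tmp_<object>` pattern used throughout the file; rename it `userdom_dontaudit_getattr_user_tmp_sockets` before anything depends on the typo, and add the blank line after `gen_require(...)` that every other interface has. `userdom_relabel_user_tmp_dirs` is documented as `## Relabel user tmp files.`; it should say `## Relabel user tmp directories.`. `userdom_dontaudit_getattr_user_home_content` uses bare `getattr` on `dir` and `file` where `getattr_dir_perms`/`getattr_file_perms` would match the file's idiom.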
+@@ -1938,7 +2640,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+
+ ########################################
+ ##
+-## Delete all user home content files.
++## Delete files in a user home subdirectory.
+ ##
+ ##
+ ##
+@@ -1946,10 +2648,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_all_user_home_content_files',`
++interface(`userdom_delete_user_home_content_files',`
+ gen_require(`
+- attribute user_home_content_type;
+- type user_home_dir_t;
++ type user_home_t;
+ ')
+
+ userdom_search_user_home_content($1)
+@@ -1958,7 +2659,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+
+ ########################################
+ ##
+-## Delete files in a user home subdirectory.
++## Delete all files in a user home subdirectory.
+ ##
+ ##
+ ##
+@@ -1966,12 +2667,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:file delete_file_perms;
++')
++
++########################################
++##
++## Delete sock files in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_user_home_content_sock_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+- allow $1 user_home_t:file delete_file_perms;
++ allow $1 user_home_t:sock_file delete_file_perms;
++')
++
++########################################
++##
++## Delete all sock files in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_home_content_sock_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:sock_file delete_file_perms;
++')
++
++########################################
++##
++## Delete all files in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_home_content',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:dir_file_class_set delete_file_perms;
+ ')
+
+ ########################################
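Review bot: `userdom_delete_all_user_home_content` grants `user_home_type:dir_file_class_set delete_file_perms`, but `delete_file_perms` presumably expands to `{ getattr unlink }` while removing a directory needs `rmdir` (`delete_dir_perms`), so the `dir` class in that set is not actually deletable; either add `allow $1 user_home_type:dir delete_dir_perms;` or document that directories are excluded. Its summary `## Delete all files in a user home subdirectory.` duplicates the one on `userdom_delete_all_user_home_content_files`; it should read `## Delete all content (files, directories, symlinks, pipes and sockets) in a user home subdirectory.`. The two `*_sock_files` interfaces could use `delete_sock_file_perms` if that macro is available, for the same consistency reason.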
+@@ -2007,8 +2762,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+ type user_home_dir_t, user_home_t;
+ ')
+
+- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
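Review bot: `userdom_read_user_home_content_symlinks` no longer calls `files_search_home($1)` and replaces `read_lnk_files_pattern` with a bare `allow`, so a caller that reached the symlink through the home root only via this interface will now be denied `search` on the home root directory; if callers are expected to pair it with `userdom_search_user_home_dirs`, state that in the interface description. `userdom_search_user_home_dirs` itself gained `user_home_dir_t:lnk_file read_lnk_file_perms` earlier in this patch, which partly duplicates this interface and goes beyond what "search" suggests.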
+@@ -2024,21 +2778,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+ #
+ interface(`userdom_exec_user_home_content_files',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ type user_home_dir_t;
++ attribute user_home_type;
+ ')
+
+ files_search_home($1)
+- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_exec_nfs_files($1)
++ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ dontaudit $1 user_home_type:sock_file execute;
+ ')
+
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
+ ########################################
+ ##
+ ## Do not audit attempts to execute user home files.
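Review bot: `userdom_exec_user_home_content_files` drops the `use_nfs_home_dirs` and `use_samba_home_dirs` tunable blocks (`fs_exec_nfs_files`, `fs_exec_cifs_files`), so domains using this interface lose the ability to execute home files on NFS or CIFS homes unless those tunables are now applied elsewhere; if they moved, say where in the commit message, otherwise restore them. The added `dontaudit $1 user_home_type:sock_file execute;` is unrelated to granting execution and belongs in the `userdom_dontaudit_exec_user_home_content_files` interface that follows.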
+@@ -2120,7 +2868,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+
+ ########################################
+ ##
+-## Delete all user home content symbolic links.
++## Delete symbolic links in a user home directory.
+ ##
+ ##
+ ##
+@@ -2128,19 +2876,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_all_user_home_content_symlinks',`
++interface(`userdom_delete_user_home_content_symlinks',`
+ gen_require(`
+- attribute user_home_content_type;
+- type user_home_dir_t;
++ type user_home_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
++ allow $1 user_home_t:lnk_file delete_lnk_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete symbolic links in a user home directory.
++## Delete all symbolic links in a user home directory.
+ ##
+ ##
+ ##
+@@ -2148,12 +2894,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_user_home_content_symlinks',`
++interface(`userdom_delete_all_user_home_content_symlinks',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
+ ')
+
+- allow $1 user_home_t:lnk_file delete_lnk_file_perms;
++ allow $1 user_home_type:lnk_file delete_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -2388,18 +3134,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ ##
+ ##
+ #
++interface(`userdom_getattr_user_tmp_files',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ getattr_files_pattern($1, user_tmp_type, user_tmp_type)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Read user temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+ interface(`userdom_read_user_tmp_files',`
+ gen_require(`
+- type user_tmp_t;
++ attribute user_tmp_type;
+ ')
+
+- read_files_pattern($1, user_tmp_t, user_tmp_t)
+- allow $1 user_tmp_t:dir list_dir_perms;
++ read_files_pattern($1, user_tmp_type, user_tmp_type)
++ allow $1 user_tmp_type:dir list_dir_perms;
+ files_search_tmp($1)
+ ')
+
+ ########################################
+ ##
++## Read user temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_append_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++ allow $1 user_tmp_t:file append_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read users
+ ## temporary files.
+ ##
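Review bot: `userdom_append_user_tmp_files` is documented as `## Read user temporary files.`; the summary should be `## Append to user temporary files.`, and the interface lacks the blank line after `gen_require(...)` that the rest of the file uses. The new `userdom_getattr_user_tmp_files` is inserted directly under the doc block that previously introduced `userdom_read_user_tmp_files` (that block starts outside this hunk), so the old block now documents the getattr interface; confirm its summary was changed to `## Get the attributes of user temporary files.`. `userdom_read_user_tmp_files` now targets the `user_tmp_type` attribute rather than `user_tmp_t`, a widening for existing callers that deserves a sentence in its description.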
+@@ -2414,7 +3196,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tmp_t:file read_file_perms;
++ dontaudit $1 user_tmp_t:file read_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -2455,6 +3237,25 @@ interface(`userdom_rw_user_tmp_files',`
+ rw_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+ ')
++########################################
++##
++## Read and write user temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_user_tmp_sock_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:dir list_dir_perms;
++ allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms;
++ files_search_tmp($1)
++')
+
+ ########################################
+ ##
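Review bot: `userdom_rw_user_tmp_sock_files` is documented as `## Read and write user temporary files.`, but it grants `rw_inherited_sock_file_perms` on `sock_file`; the summary should read `## Read and write inherited user temporary sockets.`. There is also no blank line between the preceding `')` and this interface's banner.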
+@@ -2538,7 +3339,7 @@ interface(`userdom_manage_user_tmp_files',`
+ ########################################
+ ##
+ ## Create, read, write, and delete user
+-## temporary symbolic links.
++## temporary files.
+ ##
+ ##
+ ##
+@@ -2546,19 +3347,19 @@ interface(`userdom_manage_user_tmp_files',`
+ ##
+ ##
+ #
+-interface(`userdom_manage_user_tmp_symlinks',`
++interface(`userdom_filetrans_named_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
+ files_search_tmp($1)
+ ')
+
+ ########################################
+ ##
+ ## Create, read, write, and delete user
+-## temporary named pipes.
++## temporary symbolic links.
+ ##
+ ##
+ ##
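Review bot: `userdom_filetrans_named_user_tmp_files` keeps the summary `## Create, read, write, and delete user temporary files.` inherited from the `userdom_manage_user_tmp_symlinks` slot, but its body is a single named transition `files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")`; the summary should say `## Transition "hsperfdata_root" directories created in the generic tmp directory to user_tmp_t.`. The hard-coded name makes the generic-sounding interface misleading: either take the name as `$2` (`files_tmp_filetrans($1, user_tmp_t, dir, $2)`) or name the interface after the hsperfdata case. Inserting it in the middle of the `manage_user_tmp_*` group also turns the next three unchanged interfaces into a rolling rename in the diff; appending it after them keeps the history readable.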
+@@ -2566,19 +3367,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+ ##
+ ##
+ #
+-interface(`userdom_manage_user_tmp_pipes',`
++interface(`userdom_manage_user_tmp_symlinks',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+ ')
+
+ ########################################
+ ##
+ ## Create, read, write, and delete user
+-## temporary named sockets.
++## temporary named pipes.
+ ##
+ ##
+ ##
+@@ -2586,18 +3387,59 @@ interface(`userdom_manage_user_tmp_pipes',`
+ ##
+ ##
+ #
+-interface(`userdom_manage_user_tmp_sockets',`
++interface(`userdom_rw_inherited_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+ files_search_tmp($1)
+ ')
+
++
+ ########################################
+ ##
+-## Create objects in a user temporary directory
++## Create, read, write, and delete user
++## temporary named pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_user_tmp_pipes',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create, read, write, and delete user
++## temporary named sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_user_tmp_sockets',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create objects in a user temporary directory
+ ## with an automatic type transition to
+ ## a specified private type.
+ ##
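Review bot: `userdom_rw_inherited_user_tmp_pipes` carries the summary `## Create, read, write, and delete user temporary named pipes.` from the old `userdom_manage_user_tmp_sockets` slot, but it grants only `rw_inherited_fifo_file_perms`; the summary should read `## Read and write inherited user temporary named pipes.`. Two blank lines separate it from the following banner where the file uses one. As in the previous hunk, placing the new interface mid-group makes `userdom_manage_user_tmp_pipes` and `userdom_manage_user_tmp_sockets` appear rewritten although they are unchanged.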
+@@ -2661,6 +3503,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ files_tmp_filetrans($1, user_tmp_t, $2, $3)
+ ')
+
++#######################################
++##
++## Getattr user tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_getattr_user_tmpfs_files',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
++ userdom_getattr_user_tmp_files($1)
++')
++
+ ########################################
+ ##
+ ## Read user tmpfs files.
+@@ -2672,18 +3529,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ ##
+ #
+ interface(`userdom_read_user_tmpfs_files',`
+- gen_require(`
+- type user_tmpfs_t;
+- ')
+-
+- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.')
++ userdom_read_user_tmp_files($1)
+ ')
+
+ ########################################
+ ##
+-## Read user tmpfs files.
++## Read/Write user tmpfs files.
+ ##
+ ##
+ ##
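Review bot: `userdom_read_user_tmpfs_files` now forwards to `userdom_read_user_tmp_files`, so a caller that used to receive `user_tmpfs_t` access receives `user_tmp_t`/`user_tmp_type` access instead; this is only correct if `user_tmpfs_t` has become an alias of `user_tmp_t`, which is not visible in this chunk — otherwise callers lose tmpfs access and gain /tmp access they did not request. The same applies to `userdom_rw_user_tmpfs_files` and `userdom_manage_user_tmpfs_files` in the two hunks that follow. A comment on this first wrapper such as `# user_tmpfs_t is an alias of user_tmp_t, so tmpfs and tmp content share one type — TODO confirm` would make the assumption explicit.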
+@@ -2692,19 +3544,13 @@ interface(`userdom_read_user_tmpfs_files',`
+ ##
+ #
+ interface(`userdom_rw_user_tmpfs_files',`
+- gen_require(`
+- type user_tmpfs_t;
+- ')
+-
+- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
++ userdom_rw_user_tmp_files($1)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete user tmpfs files.
++## Manage user tmpfs files.
+ ##
+ ##
+ ##
+@@ -2713,13 +3559,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+ ##
+ #
+ interface(`userdom_manage_user_tmpfs_files',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_user_tmp_files() instead.')
++ userdom_manage_user_tmp_files($1)
++')
++
++########################################
++##
++## Read/Write inherited user tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_inherited_user_tmpfs_files',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
++ userdom_rw_inherited_user_tmp_files($1)
++')
++
++########################################
++##
++## Execute user tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_execute_user_tmpfs_files',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
++ userdom_execute_user_tmp_files($1)
++')
++
++########################################
++##
++## Execute user tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_execute_user_tmp_files',`
+ gen_require(`
+- type user_tmpfs_t;
++ type user_tmp_t;
+ ')
+
+- manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
++ allow $1 user_tmp_t:file execute;
+ ')
+
+ ########################################
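Review bot: The summary above the new userdom_execute_user_tmp_files is a copy of the deprecated wrapper's header; `## Execute user tmpfs files.` should read `## Execute user tmp files.` so the two interfaces are distinguishable in the generated documentation. The body `allow $1 user_tmp_t:file execute;` lets the caller map and run code from a type that user domains create freely, so the header should state that this permits executing user-writable temporary content and is meant to be granted narrowly. The rule does not include execute_no_trans, so an execve of such a file within the same domain presumably still fails — confirm that is the intended scope.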
+@@ -2814,6 +3703,24 @@ interface(`userdom_use_user_ttys',`
+
+ ########################################
+ ##
++## Read and write a inherited user domain tty.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_use_inherited_user_ttys',`
++ gen_require(`
++ type user_tty_device_t;
++ ')
++
++ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
+ ## Read and write a user domain pty.
+ ##
+ ##
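Review bot: `## Read and write a inherited user domain tty.` should read `## Read and write an inherited user domain tty.`; the same wording appears in the pty and terminals headers of the next hunk. It would also help readers to say what inherited means here, e.g. `## Only covers descriptors the domain already holds; it does not permit opening the tty.` — assuming rw_inherited_term_perms omits open, as its name suggests, which should be confirmed against the perm set definition.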
+@@ -2832,22 +3739,34 @@ interface(`userdom_use_user_ptys',`
+
+ ########################################
+ ##
+-## Read and write a user TTYs and PTYs.
++## Read and write a inherited user domain pty.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_use_inherited_user_ptys',`
++ gen_require(`
++ type user_devpts_t;
++ ')
++
++ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
++## Read and write a inherited user TTYs and PTYs.
+ ##
+ ##
+ ##
+-## Allow the specified domain to read and write user
++## Allow the specified domain to read and write inherited user
+ ## TTYs and PTYs. This will allow the domain to
+ ## interact with the user via the terminal. Typically
+ ## all interactive applications will require this
+ ## access.
+ ##
+-##
+-## However, this also allows the applications to spy
+-## on user sessions or inject information into the
+-## user session. Thus, this access should likely
+-## not be allowed for non-interactive domains.
+-##
+ ##
+ ##
+ ##
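Review bot: The paragraph warning that terminal access lets a domain spy on or inject into user sessions is deleted here and not carried over to userdom_use_inherited_user_terminals nor to the re-introduced userdom_use_user_terminals in the next hunk; since the latter keeps full rw_term_perms, the caveat still applies there and should be restored in its description. For the inherited variant a shorter caveat is appropriate, e.g. `## Limited to descriptors the domain already holds, but still allows reading from and writing to the user's session.`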
+@@ -2856,14 +3775,33 @@ interface(`userdom_use_user_ptys',`
+ ##
+ ##
+ #
+-interface(`userdom_use_user_terminals',`
++interface(`userdom_use_inherited_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+- allow $1 user_tty_device_t:chr_file rw_term_perms;
+- allow $1 user_devpts_t:chr_file rw_term_perms;
+- term_list_ptys($1)
++ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
++ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++#######################################
++##
++## Allow attempts to read and write
++## a user domain tty and pty.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_use_user_terminals',`
++ gen_require(`
++ type user_tty_device_t, user_devpts_t;
++ ')
++
++ allow $1 user_tty_device_t:chr_file rw_term_perms;
++ allow $1 user_devpts_t:chr_file rw_term_perms;
+ ')
+
+ ########################################
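Review bot: The parameter description for the re-added userdom_use_user_terminals says `## Domain to not audit.` although the interface emits allow rules; it should be `## Domain allowed access.`. The re-added body also drops the `term_list_ptys($1)` call the original interface had, so existing callers that relied on it for listing /dev/pts may now see directory denials — if that is deliberate it deserves a line in the description, otherwise the call should be restored. The summary `## Allow attempts to read and write` reads like a dontaudit header as well; `## Read and write a user domain tty and pty.` matches the neighbouring interfaces.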
+@@ -2882,8 +3820,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
+- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
++ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++
++########################################
++##
++## Get attributes of user domain tty and pty.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_getattr_user_terminals',`
++ gen_require(`
++ type user_tty_device_t, user_devpts_t;
++ ')
++
++ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
+ ')
+
+ ########################################
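Review bot: Narrowing userdom_dontaudit_use_user_terminals from rw_term_perms to rw_inherited_term_perms means attempts to open the tty or pty are presumably no longer suppressed (assuming the inherited set omits open, as its name suggests), so callers that were silencing open attempts will start producing AVC denials; if that is intended the commit message should say so, otherwise a companion dontaudit on open is needed, as the later hunk does for ptys with userdom_dontaudit_open_user_ptys. There is also a stray double blank line before the userdom_getattr_user_terminals header.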
+@@ -2955,69 +3912,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+ allow unpriv_userdomain $1:process sigchld;
+ ')
+
+-########################################
++#####################################
+ ##
+-## Execute an Xserver session in all unprivileged user domains. This
+-## is an explicit transition, requiring the
+-## caller to use setexeccon().
++## Allow domain dyntrans to unpriv userdomain.
+ ##
+ ##
+-##
+-## Domain allowed to transition.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+-interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+- gen_require(`
+- attribute unpriv_userdomain;
+- ')
++interface(`userdom_dyntransition_unpriv_users',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
+
+- xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+- allow unpriv_userdomain $1:fd use;
+- allow unpriv_userdomain $1:fifo_file rw_file_perms;
+- allow unpriv_userdomain $1:process sigchld;
++ allow $1 unpriv_userdomain:process dyntransition;
+ ')
+
+-#######################################
++####################################
+ ##
+-## Read and write unpriviledged user SysV sempaphores.
++## Allow domain dyntrans to admin userdomain.
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+-interface(`userdom_rw_unpriv_user_semaphores',`
+- gen_require(`
+- attribute unpriv_userdomain;
+- ')
++interface(`userdom_dyntransition_admin_users',`
++ gen_require(`
++ attribute admindomain;
++ ')
+
+- allow $1 unpriv_userdomain:sem rw_sem_perms;
++ allow $1 admindomain:process dyntransition;
+ ')
+
+ ########################################
+ ##
+-## Manage unpriviledged user SysV sempaphores.
++## Execute an Xserver session in all unprivileged user domains. This
++## is an explicit transition, requiring the
++## caller to use setexeccon().
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
+ #
+-interface(`userdom_manage_unpriv_user_semaphores',`
++interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+- allow $1 unpriv_userdomain:sem create_sem_perms;
++ xserver_xsession_spec_domtrans($1, unpriv_userdomain)
++ allow unpriv_userdomain $1:fd use;
++ allow unpriv_userdomain $1:fifo_file rw_file_perms;
++ allow unpriv_userdomain $1:process sigchld;
+ ')
+
+-#######################################
++########################################
+ ##
+-## Read and write unpriviledged user SysV shared
+-## memory segments.
++## Manage unpriviledged user SysV sempaphores.
+ ##
+ ##
+ ##
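Review bot: userdom_dyntransition_admin_users grants `allow $1 admindomain:process dyntransition;`, which lets the caller switch itself into an administrative user domain via setcon() without an exec and therefore without an entrypoint check; the description `## Allow domain dyntrans to admin userdomain.` should state that this is equivalent to handing the caller administrative privilege and is only for trusted login and session managers. The moved userdom_xsession_spec_domtrans_unpriv_users still uses `allow unpriv_userdomain $1:fifo_file rw_file_perms;` while the later hunk for userdom_entry_spec_domtrans_unpriv_users switches to `rw_fifo_file_perms`; the two should agree. userdom_rw_unpriv_user_semaphores is deleted here and appears to be re-added as userdom_rw_semaphores in the final hunk, so existing callers of the old name will break unless a deprecation wrapper is kept.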
+@@ -3025,12 +3981,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+ ##
+ ##
+ #
+-interface(`userdom_rw_unpriv_user_shared_mem',`
++interface(`userdom_manage_unpriv_user_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+- allow $1 unpriv_userdomain:shm rw_shm_perms;
++ allow $1 unpriv_userdomain:sem create_sem_perms;
+ ')
+
+ ########################################
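Review bot: userdom_rw_unpriv_user_shared_mem is removed here without a replacement or deprecation wrapper anywhere in the visible portion of the patch, so any module still calling it will fail to build; unless it is re-added elsewhere, a wrapper in the same style as the tmpfs ones (refpolicywarn plus a forward to the new name) would keep callers working.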
+@@ -3094,7 +4050,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+
+ domain_entry_file_spec_domtrans($1, unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+- allow unpriv_userdomain $1:fifo_file rw_file_perms;
++ allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+ ')
+
+@@ -3110,29 +4066,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+ #
+ interface(`userdom_search_user_home_content',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ type user_home_dir_t;
++ attribute user_home_type;
+ ')
+
+ files_list_home($1)
+- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+-')
+-
+-########################################
+-##
+-## Send signull to unprivileged user domains.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`userdom_signull_unpriv_users',`
+- gen_require(`
+- attribute unpriv_userdomain;
+- ')
+-
+- allow $1 unpriv_userdomain:process signull;
++ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
++ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
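Review bot: userdom_search_user_home_content now also grants `read_lnk_file_perms` on every user_home_type lnk_file, which is more than its name and summary (search) promise; following user-controlled symlinks is how a domain ends up reaching files outside the intended home tree, so either the description should say the interface permits symlink traversal or the lnk_file rule should live in a separate interface. The widening from user_home_t to the user_home_type attribute is likewise a silent scope increase for every existing caller and deserves a sentence in the header, which sits outside this hunk. userdom_signull_unpriv_users is deleted here but re-added later in the patch, so that part is a move rather than a removal.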
+@@ -3214,7 +4154,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+ type user_devpts_t;
+ ')
+
+- dontaudit $1 user_devpts_t:chr_file rw_file_perms;
++ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to open user ptys.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_open_user_ptys',`
++ gen_require(`
++ type user_devpts_t;
++ ')
++
++ dontaudit $1 user_devpts_t:chr_file open;
+ ')
+
+ ########################################
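Review bot: The pty dontaudit now uses `rw_inherited_file_perms` on a chr_file, whereas the terminals dontaudit earlier in this patch uses `rw_inherited_term_perms` for the same class; if the term set additionally covers ioctl (as I would expect from the refpolicy definitions — confirm), ioctl attempts on ptys will still be audited here. The same mismatch appears in userdom_dontaudit_use_user_ttys in a later hunk; `dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;` would make the three consistent.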
+@@ -3269,12 +4227,13 @@ interface(`userdom_write_user_tmp_files',`
+ type user_tmp_t;
+ ')
+
+- allow $1 user_tmp_t:file write_file_perms;
++ write_files_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to use user ttys.
++## Do not audit attempts to write users
++## temporary files.
+ ##
+ ##
+ ##
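Review bot: The new body `write_files_pattern($1, user_tmp_t, user_tmp_t)` presumably adds directory search on user_tmp_t to the file write the removed allow rule granted (the pattern macros normally carry the search rule — confirm), so the interface is slightly broader than before; fine if intended, but worth a note in the commit message. The same body also appears verbatim under userdom_write_user_tmp_dirs at the end of the patch, whose name says dirs but which writes files; one of the two looks like a copy-paste error.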
+@@ -3282,46 +4241,122 @@ interface(`userdom_write_user_tmp_files',`
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+- type user_tty_device_t;
++ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ dontaudit $1 user_tmp_t:file write;
+ ')
+
+ ########################################
+ ##
+-## Read the process state of all user domains.
++## Do not audit attempts to delete users
++## temporary files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_delete_user_tmp_files',`
+ gen_require(`
+- attribute userdomain;
++ type user_tmp_t;
+ ')
+
+- read_files_pattern($1, userdomain, userdomain)
+- kernel_search_proc($1)
++ dontaudit $1 user_tmp_t:file delete_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of all user domains.
++## Do not audit attempts to read/write users
++## temporary fifo files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`userdom_getattr_all_users',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+ gen_require(`
+- attribute userdomain;
++ type user_tmp_t;
++ ')
++
++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Allow domain to read/write inherited users
++## fifo files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_inherited_user_pipes',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to use user ttys.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_use_user_ttys',`
++ gen_require(`
++ type user_tty_device_t;
++ ')
++
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Read the process state of all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_all_users_state',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ read_files_pattern($1, userdomain, userdomain)
++ read_lnk_files_pattern($1,userdomain,userdomain)
++ kernel_search_proc($1)
++')
++
++########################################
++##
++## Get the attributes of all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_getattr_all_users',`
++ gen_require(`
++ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process getattr;
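Review bot: `read_lnk_files_pattern($1,userdomain,userdomain)` in userdom_read_all_users_state is missing the spaces after the commas that every other pattern call in the file uses; `read_lnk_files_pattern($1, userdomain, userdomain)` matches the line above it. userdom_rw_inherited_user_pipes grants `rw_inherited_fifo_file_perms` on the pipes of every userdomain, administrative ones included, and its summary `## Allow domain to read/write inherited users fifo files.` should make that scope clear. The enclosing userdom_getattr_all_users continues past the end of this hunk.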
+@@ -3382,6 +4417,42 @@ interface(`userdom_signal_all_users',`
+ allow $1 userdomain:process signal;
+ ')
+
++#######################################
++##
++## Send signull to all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_signull_all_users',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:process signull;
++')
++
++########################################
++##
++## Send kill signals to all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_kill_all_users',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:process sigkill;
++')
++
+ ########################################
+ ##
+ ## Send a SIGCHLD signal to all user domains.
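Review bot: userdom_kill_all_users grants `sigkill` against the userdomain attribute, which includes administrative user domains, so a domain given this can terminate an admin's shell; the summary should spell that out, e.g. `## Send kill signals to all user domains, including administrative ones.` The trailing lines of the hunk belong to the userdom_sigchld_all_users header, which continues outside it.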
+@@ -3402,6 +4473,60 @@ interface(`userdom_sigchld_all_users',`
+
+ ########################################
+ ##
++## Read keys for all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key read;
++')
++
++########################################
++##
++## Write keys for all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_write_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key write;
++')
++
++########################################
++##
++## Read and write keys for all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key { read view write };
++')
++
++########################################
++##
+ ## Create keys for all user domains.
+ ##
+ ##
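Review bot: userdom_rw_all_users_keys grants `{ read view write }` while userdom_read_all_users_keys grants only `read`; if callers of the read variant are also expected to describe keys, `view` belongs there too — confirm against what the key class requires for the intended callers. All three interfaces cover every userdomain's keyrings, administrative users' included, so the write variant in particular should say so in its description. The userdom_create_all_users_keys header at the end of the hunk continues outside it.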
+@@ -3435,4 +4560,1686 @@ interface(`userdom_dbus_send_all_users',`
+ ')
+
+ allow $1 userdomain:dbus send_msg;
++ ps_process_pattern($1, userdomain)
++')
++
++########################################
++##
++## Allow apps to set rlimits on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_set_rlimitnh',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:process rlimitinh;
++')
++
++########################################
++##
++## Define this type as a Allow apps to set rlimits on userdomain
++##
++##
++##
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++template(`userdom_unpriv_usertype',`
++ gen_require(`
++ attribute unpriv_userdomain, userdomain;
++ attribute $1_usertype;
++ ')
++ typeattribute $2 $1_usertype;
++ typeattribute $2 unpriv_userdomain;
++ typeattribute $2 userdomain;
++
++ auth_use_nsswitch($2)
++ ubac_constrained($2)
++')
++
++#######################################
++##
++## Define this type as a Allow apps to set rlimits on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++template(`userdom_unpriv_type',`
++ gen_require(`
++ attribute unpriv_userdomain, userdomain;
++ ')
++ typeattribute $1 unpriv_userdomain;
++ typeattribute $1 userdomain;
++
++ auth_use_nsswitch($1)
++ ubac_constrained($1)
++')
++
++########################################
++##
++## Connect to users over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_stream_connect',`
++ gen_require(`
++ type user_tmp_t;
++ attribute userdomain;
++ ')
++
++ stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
++')
++
++########################################
++##
++## Ptrace user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_ptrace_all_users',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 userdomain:process ptrace;
++ ')
++')
++
++########################################
++##
++## dontaudit Search /root
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_search_admin_dir',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 admin_home_t:dir search_dir_perms;
++')
++
++########################################
++##
++## dontaudit list /root
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_list_admin_dir',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 admin_home_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Allow domain to list /root
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_list_admin_dir',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
++ allow $1 admin_home_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Allow Search /root
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_search_admin_dir',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
++ allow $1 admin_home_t:dir search_dir_perms;
++')
++
++########################################
++##
++## RW unpriviledged user SysV sempaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_semaphores',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:sem rw_sem_perms;
++')
++
++########################################
++##
++## Send a message to unpriv users over a unix domain
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_dgram_send',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:unix_dgram_socket sendto;
++')
++
++######################################
++##
++## Send a message to users over a unix domain
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_users_dgram_send',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:unix_dgram_socket sendto;
++')
++
++#######################################
++##
++## Allow execmod on files in homedirectory
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_execmod_user_home_files',`
++ gen_require(`
++ type user_home_type;
++ ')
++
++ allow $1 user_home_type:file execmod;
++')
++
++########################################
++##
++## Read admin home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_read_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
++ read_files_pattern($1, admin_home_t, admin_home_t)
++')
++
++########################################
++##
++## Delete admin home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_delete_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
++ allow $1 admin_home_t:file delete_file_perms;
++')
++
++########################################
++##
++## Execute admin home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_exec_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
++ exec_files_pattern($1, admin_home_t, admin_home_t)
++')
++
++########################################
++##
++## Append files inherited
++## in the /root directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_inherit_append_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:file { getattr append };
++')
++
++
++#######################################
++##
++## Manage all files/directories in the homedir
++##
++##
++##
++## The user domain
++##
++##
++##
++#
++interface(`userdom_manage_user_home_content',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
++ ')
++
++ files_list_home($1)
++ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
++
++')
++
++######################################
++##
++## Manage all dirs in the homedir
++##
++##
++##
++## The user domain
++##
++##
++#
++interface(`userdom_manage_all_user_home_type_dirs',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
++ ')
++
++ files_list_home($1)
++ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++')
++
++######################################
++##
++## Manage all files in the homedir
++##
++##
++##
++## The user domain
++##
++##
++#
++interface(`userdom_manage_all_user_home_type_files',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
++ ')
++
++ files_list_home($1)
++ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++')
++
++########################################
++##
++## Create objects in a user home directory
++## with an automatic type transition to
++## the user home file type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++#
++interface(`userdom_user_home_dir_filetrans_pattern',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ ')
++
++ type_transition $1 user_home_dir_t:$2 user_home_t;
++')
++
++########################################
++##
++## Create objects in the /root directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`userdom_admin_home_dir_filetrans',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
++ filetrans_pattern($1, admin_home_t, $2, $3, $4)
++')
++
++########################################
++##
++## Send signull to unprivileged user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_signull_unpriv_users',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:process signull;
++')
++
++########################################
++##
++## Write all users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_write_user_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ write_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++########################################
++##
++## Manage keys for all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key manage_key_perms;
++')
++
++
++########################################
++##
++## Do not audit attempts to read and write
++## userdomain stream.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_rw_stream',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
++')
++
++########################################
++##
++## Read and write userdomain stream.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_stream',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:unix_stream_socket rw_socket_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## unserdomain datagram socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_rw_dgram_socket',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ dontaudit $1 userdomain:unix_dgram_socket { read write };
++')
++
++########################################
++##
++## Append files
++## in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_append_user_home_content_files',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ ')
++
++ append_files_pattern($1, user_home_t, user_home_t)
++ allow $1 user_home_dir_t:dir search_dir_perms;
++ files_search_home($1)
++')
++
++########################################
++##
++## Read files inherited
++## in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_inherited_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:file { getattr read };
++')
++
++########################################
++##
++## Dontaudit Read files inherited from the admin home dir.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_inherited_admin_home_files',`
++ gen_require(`
++ attribute admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## Dontaudit append files inherited from the admin home dir.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_append_inherited_admin_home_file',`
++ gen_require(`
++ attribute admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:file append_inherited_file_perms;
++')
++
++########################################
++##
++## Read/Write files inherited
++## in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_inherited_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Append files inherited
++## in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_inherit_append_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file { getattr append };
++')
++
++########################################
++##
++## Append files inherited
++## in a user tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_inherit_append_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file { getattr append };
++')
++
++######################################
++##
++## Read audio files in the users homedir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_read_home_audio_files',`
++ gen_require(`
++ type audio_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 audio_home_t:dir list_dir_perms;
++ read_files_pattern($1, audio_home_t, audio_home_t)
++ read_lnk_files_pattern($1, audio_home_t, audio_home_t)
++')
++
++######################################
++##
++## Manage texlive content in the users homedir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_manage_home_texlive',`
++ gen_require(`
++ type texlive_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012")
++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013")
++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014")
++ manage_dirs_pattern($1, texlive_home_t, texlive_home_t)
++ manage_files_pattern($1, texlive_home_t, texlive_home_t)
++ manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t)
++')
++
++########################################
++##
++## Do not audit attempts to write all user home content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_write_all_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:file write_inherited_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to write all user tmp content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_write_all_user_tmp_content_files',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ dontaudit $1 user_tmp_type:file write_inherited_file_perms;
++')
++
++########################################
++##
++## Manage all user temporary content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_all_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
++ manage_files_pattern($1, user_tmp_type, user_tmp_type)
++ manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
++ manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
++ manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## List all user temporary content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_list_all_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ list_dirs_pattern($1, user_tmp_type, user_tmp_type)
++ getattr_files_pattern($1, user_tmp_type, user_tmp_type)
++ read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
++ getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
++ getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
++ files_search_var($1)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Manage all user tmpfs content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_all_user_tmpfs_content',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.')
++ userdom_manage_all_user_tmp_content($1)
++')
++
++########################################
++##
++## Delete all user temporary content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
++ delete_files_pattern($1, user_tmp_type, user_tmp_type)
++ delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
++ delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
++ delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
++ # /var/tmp
++ files_search_var($1)
++ files_delete_tmp_dir_entry($1)
++')
++
++########################################
++##
++## Read system SSL certificates in the users homedir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_home_certs',`
++ gen_require(`
++ attribute userdom_home_reader_certs_type;
++ ')
++
++ typeattribute $1 userdom_home_reader_certs_type;
++')
++
++########################################
++##
++## Manage system SSL certificates in the users homedir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_home_certs',`
++ gen_require(`
++ type home_cert_t;
++ ')
++
++ allow $1 home_cert_t:dir list_dir_perms;
++ manage_dirs_pattern($1, home_cert_t, home_cert_t)
++ manage_files_pattern($1, home_cert_t, home_cert_t)
++ manage_lnk_files_pattern($1, home_cert_t, home_cert_t)
++
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert")
++')
++
++#######################################
++##
++## Dontaudit Write system SSL certificates in the users homedir.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_write_home_certs',`
++ gen_require(`
++ type home_cert_t;
++ ')
++
++ dontaudit $1 home_cert_t:file write;
++')
++
++########################################
++##
++## dontaudit Search getatrr /root files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_getattr_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:file getattr;
++')
++
++########################################
++##
++## dontaudit read /root lnk files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_admin_home_lnk_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:lnk_file read;
++')
++
++########################################
++##
++## dontaudit read /root files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 admin_home_t:file read_file_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete user
++## temporary chr files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_user_tmp_chr_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create, read, write, and delete user
++## temporary blk files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_user_tmp_blk_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Dontaudit attempt to set attributes on user temporary directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_setattr_user_tmp',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ dontaudit $1 user_tmp_t:dir setattr;
++')
++
++########################################
++##
++## Dontaudit attempt to set attributes on user temporary file system files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_setattr_user_tmpfs',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.')
++ userdom_dontaudit_setattr_user_tmp($1)
++')
++
++########################################
++##
++## Read all inherited users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_inherited_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## Read/write all inherited users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_inherited_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Write all inherited users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_write_inherited_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file write;
++')
++
++########################################
++##
++## Write all inherited users home files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_inherited_user_home_sock_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:sock_file write;
++')
++
++########################################
++##
++## Delete all users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file delete_file_perms;
++')
++
++########################################
++##
++## Delete user tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_user_tmpfs_files',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmpfs_files instead.')
++ userdom_delete_user_tmpfs_files($1)
++')
++
++########################################
++##
++## Read/Write unpriviledged user SysV shared
++## memory segments.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_unpriv_user_shared_mem',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:shm rw_shm_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search user
++## temporary directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_search_user_tmp',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ dontaudit $1 user_tmp_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Execute a file in a user home directory
++## in the specified domain.
++##
++##
++##
++## Execute a file in a user home directory
++## in the specified domain.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`userdom_domtrans_user_home',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ read_lnk_files_pattern($1, user_home_t, user_home_t)
++ domain_transition_pattern($1, user_home_t, $2)
++ type_transition $1 user_home_t:process $2;
++')
++
++########################################
++##
++## Execute a file in a user tmp directory
++## in the specified domain.
++##
++##
++##
++## Execute a file in a user tmp directory
++## in the specified domain.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`userdom_domtrans_user_tmp',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ domain_transition_pattern($1, user_tmp_t, $2)
++ type_transition $1 user_tmp_t:process $2;
++')
++
++########################################
++##
++## Do not audit attempts to read all user home content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_all_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:file read_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read all user tmp content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ dontaudit $1 user_tmp_type:file read_file_perms;
++')
++
++#######################################
++##
++## Read and write unpriviledged user SysV sempaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_unpriv_user_semaphores',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:sem rw_sem_perms;
++')
++
++########################################
++##
++## Transition to userdom named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_filetrans_home_content',`
++ gen_require(`
++ attribute userdom_filetrans_type;
++ ')
++
++ typeattribute $1 userdom_filetrans_type;
++')
++
++########################################
++##
++## Make the specified type able to read content in user home dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_home_reader',`
++ gen_require(`
++ attribute userdom_home_reader_type;
++ ')
++
++ typeattribute $1 userdom_home_reader_type;
++')
++
++
++########################################
++##
++## Make the specified type able to manage content in user home dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_home_manager',`
++ gen_require(`
++ attribute userdom_home_manager_type;
++ ')
++
++ typeattribute $1 userdom_home_manager_type;
++')
++
++########################################
++##
++## Create objects in the temporary filesystem directory
++## with an automatic type transition to
++## the user temporary filesystem type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`userdom_tmpfs_filetrans',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3)
++')
++
++
++#######################################
++##
++## Create objects in the temporary filesystem directory
++## with an automatic type transition to
++## the user temporary filesystem type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`userdom_tmpfs_filetrans_to',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
++')
++
++######################################
++##
++## File name transition for generic home content files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_filetrans_generic_home_content',`
++ gen_require(`
++ type home_bin_t;
++ type audio_home_t;
++ type home_cert_t;
++ type user_tmp_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp")
++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp")
++')
++
++########################################
++##
++## Allow caller to transition to any userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_transition',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:process transition;
++')
++
++########################################
++##
++## Do not audit attempts to check the
++## access on user content files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_access_check_user_content',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:dir_file_class_set audit_access;
++')
++
++#######################################
++##
++## The template containing the most basic rules common to confined admin.
++##
++##
++##
++## The template containing the most basic rules common to all users.
++##
++##
++## This template creates a user domain, types, and
++## rules for the user's tty and pty.
++##
++##
++##
++##
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++##
++##
++##
++#
++template(`userdom_confined_admin_template',`
++
++ gen_require(`
++ attribute confined_admindomain;
++ attribute userdomain;
++ type user_devpts_t, user_tty_device_t;
++ class context contains;
++ ')
++
++ type $1_t, userdomain, confined_admindomain;
++ role $1_r;
++ role $1_r types $1_t;
++ domain_type($1_t)
++ domain_user_exemption_target($1_t)
++ ubac_constrained($1_t)
++
++ auth_use_nsswitch($1_t)
++
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable($1_exec_content, true)
++
++ tunable_policy(`$1_exec_content',`
++ userdom_exec_user_tmp_files($1_t)
++ userdom_exec_user_home_content_files($1_t)
++ ')
++ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
++ fs_exec_nfs_files($1_t)
++ ')
++
++ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
++ fs_exec_cifs_files($1_t)
++ ')
++ ')
++')
++
++########################################
++##
++## Allow user to run as a secadm
++##
++##
++##
++## Create objects in a user home directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role of the object to create.
++##
++##
++#
++template(`userdom_security_admin_template',`
++ allow $1 self:capability { dac_read_search dac_override };
++
++ corecmd_exec_shell($1)
++
++ domain_obj_id_change_exemption($1)
++
++ dev_relabel_all_dev_nodes($1)
++
++ files_create_boot_flag($1)
++ files_create_default_dir($1)
++ files_root_filetrans_default($1, dir)
++
++ # Necessary for managing /boot/efi
++ fs_manage_dos_files($1)
++
++ mls_process_read_up($1)
++ mls_file_read_all_levels($1)
++ mls_file_upgrade($1)
++ mls_file_downgrade($1)
++
++ selinux_set_enforce_mode($1)
++ selinux_set_all_booleans($1)
++ selinux_set_parameters($1)
++ selinux_read_policy($1)
++
++ files_relabel_all_files($1)
++
++ auth_relabel_shadow($1)
++
++ init_exec($1)
++
++ logging_send_syslog_msg($1)
++ logging_read_audit_log($1)
++ logging_read_generic_logs($1)
++ logging_read_audit_config($1)
++
++ seutil_manage_bin_policy($1)
++ seutil_manage_default_contexts($1)
++ seutil_manage_file_contexts($1)
++ seutil_manage_module_store($1)
++ seutil_manage_config($1)
++ seutil_manage_login_config($1)
++ seutil_run_checkpolicy($1,$2)
++ seutil_run_loadpolicy($1,$2)
++ seutil_run_semanage($1,$2)
++ seutil_run_setsebool($1,$2)
++ seutil_run_setfiles($1, $2)
++
++ optional_policy(`
++ aide_run($1,$2)
++ ')
++
++ optional_policy(`
++ consoletype_exec($1)
++ ')
++
++ optional_policy(`
++ ipsec_run_setkey($1,$2)
++ ')
++
++ optional_policy(`
++ netlabel_run_mgmt($1,$2)
++ ')
++
++ optional_policy(`
++ samhain_run($1, $2)
++ ')
+ ')
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index f4ac38d..7f49cde 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
+
+ ##
+ ##
+-## Allow users to connect to mysql
++## Allow users to connect to the local mysql server
+ ##
+ ##
+-gen_tunable(allow_user_mysql_connect, false)
++gen_tunable(selinuxuser_mysql_connect_enabled, false)
+
+ ##
+ ##
+ ## Allow users to connect to PostgreSQL
+ ##
+ ##
+-gen_tunable(allow_user_postgresql_connect, false)
++gen_tunable(selinuxuser_postgresql_connect_enabled, false)
+
+ ##
+ ##
+-## Allow regular users direct mouse access
+-##
+-##
+-gen_tunable(user_direct_mouse, false)
+-
+-##
+-##
+-## Allow users to read system messages.
++## Allow user to r/w files on filesystems
++## that do not have extended attributes (FAT, CDROM, FLOPPY)
+ ##
+ ##
+-gen_tunable(user_dmesg, false)
++gen_tunable(selinuxuser_rw_noexattrfile, false)
+
+ ##
+ ##
+-## Allow user to r/w files on filesystems
+-## that do not have extended attributes (FAT, CDROM, FLOPPY)
++## Allow user music sharing
+ ##
+ ##
+-gen_tunable(user_rw_noexattrfile, false)
++gen_tunable(selinuxuser_share_music, false)
+
+ ##
+ ##
+-## Allow w to display everyone
++## Allow user to use ssh chroot environment.
+ ##
+ ##
+-gen_tunable(user_ttyfile_stat, false)
++gen_tunable(selinuxuser_use_ssh_chroot, false)
+
+ attribute admindomain;
++attribute login_userdomain;
++attribute confined_admindomain;
+
+ # all user domains
+ attribute userdomain;
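Review bot: The new `attribute login_userdomain;` and `attribute confined_admindomain;` declarations carry no comment, while the neighbouring `attribute userdomain;` is documented as `# all user domains`; a one-line comment on each stating which domains it collects would help, since `confined_admindomain` receives a large rule set later in this file. Renaming the tunables from `allow_user_*`/`user_*` to `selinuxuser_*` with no alias means any local policy or `setsebool` invocation using the old names stops working; if that is intended, the commit message should say so. The removed `user_direct_mouse`, `user_dmesg` and `user_ttyfile_stat` tunables presumably had `tunable_policy` blocks elsewhere that must be removed in the same commit; those are not visible in this chunk.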
+@@ -58,6 +53,24 @@ attribute unpriv_userdomain;
+
+ attribute user_home_content_type;
+
++attribute userdom_home_reader_certs_type;
++attribute userdom_home_reader_type;
++attribute userdom_home_manager_type;
++attribute userdom_filetrans_type;
++
++# unprivileged user domains
++attribute user_home_type;
++attribute user_tmp_type;
++attribute user_tmpfs_type;
++
++type admin_home_t;
++files_type(admin_home_t)
++files_associate_tmp(admin_home_t)
++fs_associate_tmpfs(admin_home_t)
++files_mountpoint(admin_home_t)
++files_poly_member(admin_home_t)
++files_poly_parent(admin_home_t)
++
+ type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
+ fs_associate_tmpfs(user_home_dir_t)
+ files_type(user_home_dir_t)
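Review bot: The comment `# unprivileged user domains` sits above `user_home_type`, `user_tmp_type` and `user_tmpfs_type`, but these attributes are attached to file types later in this file (`typeattribute user_home_t user_home_type;`, `type user_tmp_t, user_tmp_type, user_tmpfs_type;`), not to process domains; `# content types private to unprivileged user domains` would describe them accurately. `admin_home_t` is declared with `files_type`, `files_mountpoint`, `files_poly_member` and `files_poly_parent` but has no comment saying what path it labels (presumably /root, given the wording of the `userdom_dontaudit_*_admin_home_*` interface docs in this patch) or why it is deliberately not a `userdom_user_home_content` type; a short comment on both points would help the next reader.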
+@@ -70,26 +83,394 @@ ubac_constrained(user_home_dir_t)
+
+ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
+ typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
++typeattribute user_home_t user_home_type;
+ userdom_user_home_content(user_home_t)
+ fs_associate_tmpfs(user_home_t)
+ files_associate_tmp(user_home_t)
++files_poly_member(user_home_t)
+ files_poly_parent(user_home_t)
+ files_mountpoint(user_home_t)
++ubac_constrained(user_home_t)
+
+ type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
+ dev_node(user_devpts_t)
+ files_type(user_devpts_t)
+ ubac_constrained(user_devpts_t)
+
+-type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
++type user_tmp_t, user_tmp_type, user_tmpfs_type;
++typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+ typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
++typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
++typealias user_tmp_t alias xdm_tmp_t;
++typealias user_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+ files_tmp_file(user_tmp_t)
++files_tmpfs_file(user_tmp_t)
+ userdom_user_home_content(user_tmp_t)
+-
+-type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+-files_tmpfs_file(user_tmpfs_t)
+-userdom_user_home_content(user_tmpfs_t)
++files_poly_parent(user_tmp_t)
++files_mountpoint(user_tmp_t)
+
+ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
+ dev_node(user_tty_device_t)
+ ubac_constrained(user_tty_device_t)
++
++type audio_home_t;
++userdom_user_home_content(audio_home_t)
++ubac_constrained(audio_home_t)
++
++type texlive_home_t;
++userdom_user_home_content(texlive_home_t)
++ubac_constrained(texlive_home_t)
++
++type home_bin_t;
++userdom_user_home_content(home_bin_t)
++ubac_constrained(home_bin_t)
++
++type home_cert_t;
++miscfiles_cert_type(home_cert_t)
++userdom_user_home_content(home_cert_t)
++ubac_constrained(home_cert_t)
++
++tunable_policy(`login_console_enabled',`
++ term_use_console(userdomain)
++')
++
++allow userdomain userdomain:process signull;
++allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;
++dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;
++
++# Nautilus causes this avc
++domain_dontaudit_access_check(unpriv_userdomain)
++dontaudit unpriv_userdomain self:dir setattr;
++allow unpriv_userdomain self:key manage_key_perms;
++
++mount_dontaudit_write_mount_pid(unpriv_userdomain)
++
++optional_policy(`
++ alsa_read_rw_config(unpriv_userdomain)
++ alsa_manage_home_files(unpriv_userdomain)
++ alsa_relabel_home_files(unpriv_userdomain)
++')
++
++optional_policy(`
++ gssproxy_stream_connect(userdomain)
++')
++
++optional_policy(`
++ gnome_filetrans_home_content(userdomain)
++')
++
++optional_policy(`
++ locallogin_filetrans_home_content(userdomain)
++')
++
++optional_policy(`
++ pcscd_stream_connect(userdomain)
++')
++
++optional_policy(`
++ ssh_filetrans_home_content(userdomain)
++ ssh_rw_tcp_sockets(userdomain)
++')
++
++optional_policy(`
++ telepathy_filetrans_home_content(userdomain)
++')
++
++optional_policy(`
++ xserver_filetrans_home_content(userdomain)
++')
++
++# rules for types which can read home certs
++allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms;
++read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
++read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
++userdom_search_user_home_content(userdom_home_reader_certs_type)
++
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(userdom_home_reader_certs_type)
++ fs_read_ecryptfs_symlinks(userdom_home_reader_certs_type)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(userdom_home_reader_type)
++ fs_read_nfs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_read_fusefs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(userdom_home_reader_type)
++ fs_read_ecryptfs_symlinks(userdom_home_reader_type)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(userdom_home_manager_type)
++ fs_manage_nfs_dirs(userdom_home_manager_type)
++ fs_manage_nfs_files(userdom_home_manager_type)
++ fs_manage_nfs_symlinks(userdom_home_manager_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(userdom_home_manager_type)
++ fs_manage_cifs_files(userdom_home_manager_type)
++ fs_manage_cifs_symlinks(userdom_home_manager_type)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs(userdom_home_manager_type)
++ fs_manage_fusefs_files(userdom_home_manager_type)
++ fs_manage_fusefs_symlinks(userdom_home_manager_type)
++')
++
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_manage_ecryptfs_dirs(userdom_home_manager_type)
++ fs_manage_ecryptfs_files(userdom_home_manager_type)
++ fs_manage_ecryptfs_symlinks(userdom_home_manager_type)
++')
++
++# vi /etc/mtab can cause an avc trying to relabel to self.
++dontaudit userdomain self:file relabelto;
++
++userdom_user_home_dir_filetrans_user_home_content(userdom_filetrans_type, { dir file lnk_file fifo_file sock_file })
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Audio")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Music")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, ".tmp")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
++
++optional_policy(`
++ gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++ #gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
++')
++
++optional_policy(`
++ alsa_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ apache_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ auth_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ cvs_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ gnome_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ gpg_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ irc_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ kerberos_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ mozilla_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ mta_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ pulseaudio_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ spamassassin_filetrans_home_content(userdom_filetrans_type)
++ spamassassin_filetrans_admin_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ ssh_filetrans_admin_home_content(userdom_filetrans_type)
++ ssh_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ telepathy_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ thumb_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ tvtime_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ virt_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ xserver_filetrans_home_content(userdom_filetrans_type)
++ xserver_filetrans_admin_home_content(userdom_filetrans_type)
++')
++
++############################################################
++# Local Policy Confined Admin
++#
++gen_require(`
++ class context contains;
++ class passwd { passwd chfn chsh rootok };
++')
++
++allow confined_admindomain self:capability ~{ sys_module audit_control audit_write };
++allow confined_admindomain self:capability2 { block_suspend syslog };
++allow confined_admindomain self:process { setexec setfscreate };
++allow confined_admindomain self:netlink_audit_socket nlmsg_readpriv;
++allow confined_admindomain self:tun_socket create_socket_perms;
++allow confined_admindomain self:packet_socket create_socket_perms;
++
++# Set password information for other users.
++allow confined_admindomain self:passwd { passwd chfn chsh };
++# Skip authentication when pam_rootok is specified.
++allow confined_admindomain self:passwd rootok;
++
++corecmd_shell_entry_type(confined_admindomain)
++corecmd_bin_entry_type(confined_admindomain)
++
++term_user_pty(confined_admindomain, user_devpts_t)
++term_user_tty(confined_admindomain, user_tty_device_t)
++term_dontaudit_getattr_generic_ptys(confined_admindomain)
++
++allow confined_admindomain self:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
++tunable_policy(`deny_ptrace',`',`
++ allow confined_admindomain self:process ptrace;
++')
++allow confined_admindomain self:fd use;
++allow confined_admindomain self:key manage_key_perms;
++
++allow confined_admindomain self:fifo_file rw_fifo_file_perms;
++allow confined_admindomain self:unix_dgram_socket { create_socket_perms sendto };
++allow confined_admindomain self:unix_stream_socket { create_stream_socket_perms connectto };
++allow confined_admindomain self:shm create_shm_perms;
++allow confined_admindomain self:sem create_sem_perms;
++allow confined_admindomain self:msgq create_msgq_perms;
++allow confined_admindomain self:msg { send receive };
++allow confined_admindomain self:context contains;
++dontaudit confined_admindomain self:socket create;
++
++allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
++term_create_pty(confined_admindomain, user_devpts_t)
++# avoid annoying messages on terminal hangup on role change
++dontaudit confined_admindomain user_devpts_t:chr_file ioctl;
++
++allow confined_admindomain user_tty_device_t:chr_file { setattr rw_chr_file_perms };
++# avoid annoying messages on terminal hangup on role change
++dontaudit confined_admindomain user_tty_device_t:chr_file ioctl;
++
++application_exec_all(confined_admindomain)
++
++kernel_read_kernel_sysctls(confined_admindomain)
++kernel_read_all_sysctls(confined_admindomain)
++kernel_dontaudit_list_unlabeled(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_files(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_symlinks(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_pipes(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_sockets(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_blk_files(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_chr_files(confined_admindomain)
++kernel_dontaudit_list_proc(confined_admindomain)
++
++dev_dontaudit_getattr_all_blk_files(confined_admindomain)
++dev_dontaudit_getattr_all_chr_files(confined_admindomain)
++dev_getattr_mtrr_dev(confined_admindomain)
++
++# When the user domain runs ps, there will be a number of access
++# denials when ps tries to search /proc. Do not audit these denials.
++domain_dontaudit_read_all_domains_state(confined_admindomain)
++domain_dontaudit_getattr_all_domains(confined_admindomain)
++domain_dontaudit_getsession_all_domains(confined_admindomain)
++dev_dontaudit_all_access_check(confined_admindomain)
++
++files_read_etc_files(confined_admindomain)
++files_list_mnt(confined_admindomain)
++files_list_var(confined_admindomain)
++files_read_mnt_files(confined_admindomain)
++files_dontaudit_all_access_check(confined_admindomain)
++files_read_etc_runtime_files(confined_admindomain)
++files_read_usr_files(confined_admindomain)
++files_read_usr_src_files(confined_admindomain)
++# Read directories and files with the readable_t type.
++# This type is a general type for "world"-readable files.
++files_list_world_readable(confined_admindomain)
++files_read_world_readable_files(confined_admindomain)
++files_read_world_readable_symlinks(confined_admindomain)
++files_read_world_readable_pipes(confined_admindomain)
++files_read_world_readable_sockets(confined_admindomain)
++# old broswer_domain():
++files_dontaudit_getattr_all_dirs(confined_admindomain)
++files_dontaudit_list_non_security(confined_admindomain)
++files_dontaudit_getattr_all_files(confined_admindomain)
++files_dontaudit_getattr_non_security_symlinks(confined_admindomain)
++files_dontaudit_getattr_non_security_pipes(confined_admindomain)
++files_dontaudit_getattr_non_security_sockets(confined_admindomain)
++files_dontaudit_setattr_etc_runtime_files(confined_admindomain)
++
++files_exec_usr_files(confined_admindomain)
++
++fs_list_cgroup_dirs(confined_admindomain)
++fs_dontaudit_rw_cgroup_files(confined_admindomain)
++
++storage_rw_fuse(confined_admindomain)
++
++init_stream_connect(confined_admindomain)
++# The library functions always try to open read-write first,
++# then fall back to read-only if it fails.
++init_dontaudit_rw_utmp(confined_admindomain)
++
++libs_exec_ld_so(confined_admindomain)
++
++miscfiles_read_generic_certs(confined_admindomain)
++
++miscfiles_read_all_certs(confined_admindomain)
++miscfiles_read_public_files(confined_admindomain)
++
++systemd_dbus_chat_logind(confined_admindomain)
++systemd_read_logind_sessions_files(confined_admindomain)
++systemd_write_inhibit_pipes(confined_admindomain)
++systemd_write_inherited_logind_sessions_pipes(confined_admindomain)
++systemd_login_read_pid_files(confined_admindomain)
++tunable_policy(`deny_execmem',`', `
++ # Allow loading DSOs that require executable stack.
++ allow confined_admindomain self:process execmem;
++')
++
++tunable_policy(`selinuxuser_execstack',`
++ # Allow making the stack executable via mprotect.
++ allow confined_admindomain self:process execstack;
++')
++
++optional_policy(`
++ fs_list_cgroup_dirs(confined_admindomain)
++')
++
++optional_policy(`
++ ssh_rw_stream_sockets(confined_admindomain)
++ ssh_delete_tmp(confined_admindomain)
++ ssh_signal(confined_admindomain)
++')
+diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
+index e79d545..101086d 100644
+--- a/policy/support/misc_patterns.spt
++++ b/policy/support/misc_patterns.spt
+@@ -4,7 +4,7 @@
+ define(`domain_transition_pattern',`
+ allow $1 $2:file { getattr open read execute };
+ allow $1 $3:process transition;
+- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
++# dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+ ')
+
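Review bot: Commenting out `dontaudit $1 $3:process { noatsecure siginh rlimitinh };` in domain_transition_pattern changes the audit behaviour of every domain transition in the policy, because all the domtrans patterns in this file build on it, yet nothing records why. Leaving the line as a comment reads as an accident; it should either be deleted or replaced by a comment stating the rationale, e.g. `# do not dontaudit noatsecure/siginh/rlimitinh so that transitions lacking inheritance rules are visible in the audit log`, if that is the intent. If the intent was instead to keep these denials quiet, the original dontaudit should be restored.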
+ # compatibility:
+@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',`
+ domain_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+- allow $3 $1:fifo_file rw_fifo_file_perms;
++ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
+ allow $3 $1:process sigchld;
+ ')
+
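Review bot: The switch to `rw_inherited_fifo_file_perms` on `allow $3 $1:fifo_file` in spec_domtrans_pattern drops `open`, which is the right least-privilege shape for a pipe inherited across exec, but nothing in the pattern says so and the header comment for it lies outside this hunk. A one-line comment above the allow, `# child may use pipes inherited from the parent but may not (re)open them`, would make the intent explicit, and the identical change in domtrans_pattern below should carry the same comment. This depends on `rw_inherited_fifo_file_perms` being defined in obj_perm_sets.spt, which this patch does in a separate hunk.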
+@@ -34,7 +34,7 @@ define(`domtrans_pattern',`
+ domain_auto_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+- allow $3 $1:fifo_file rw_fifo_file_perms;
++ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
+ allow $3 $1:process sigchld;
+ ')
+
+diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
+index 6e91317..8fc985f 100644
+--- a/policy/support/obj_perm_sets.spt
++++ b/policy/support/obj_perm_sets.spt
+@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
+ #
+ # All socket classes.
+ #
+-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+-
++define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+
+ #
+ # Datagram socket classes.
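Review bot: Adding `socket` and `dccp_socket` to `socket_class_set` silently widens every existing rule written against that set; if `socket` is the generic fallback class for address families without a class of their own, as its name suggests, every `allow foo self:socket_class_set ...` now covers those families and DCCP as well. That may be intended, but the hunk carries no comment and both class names must also exist in the policy's class declarations, which this hunk does not show. Suggest stating the intent next to the define, e.g. `# includes the generic socket class and dccp_socket; rules using this set now cover both`.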
+@@ -59,7 +58,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
+ #
+ # Permissions for using sockets.
+ #
+-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
++define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
+
+ #
+ # Permissions for creating and using sockets.
+@@ -153,12 +152,16 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+ #
+ define(`getattr_file_perms',`{ getattr }')
+ define(`setattr_file_perms',`{ setattr }')
+-define(`read_file_perms',`{ getattr open read lock ioctl }')
++define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
++define(`read_file_perms',`{ open read_inherited_file_perms }')
+ define(`mmap_file_perms',`{ getattr open read execute ioctl }')
+ define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
+-define(`append_file_perms',`{ getattr open append lock ioctl }')
+-define(`write_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
++define(`append_inherited_file_perms',`{ getattr append }')
++define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }')
++define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
++define(`write_file_perms',`{ open write_inherited_file_perms }')
++define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_file_perms',`{ open rw_inherited_file_perms }')
+ define(`create_file_perms',`{ getattr create open }')
+ define(`rename_file_perms',`{ getattr rename }')
+ define(`delete_file_perms',`{ getattr unlink }')
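Review bot: `append_inherited_file_perms` is defined as `{ getattr append }` while the sibling `write_inherited_file_perms` and `rw_inherited_file_perms` also carry `lock ioctl`, so a domain granted only append on an inherited log descriptor cannot lock or ioctl it even though the full `append_file_perms` adds those back. If the asymmetry is deliberate it should be commented; otherwise the two lines should be `define(`append_inherited_file_perms',`{ getattr append lock ioctl }')` and `define(`append_file_perms',`{ open append_inherited_file_perms }')`, which keeps `append_file_perms` identical to before. The `_inherited_` split itself (no `open`) is a good least-privilege refinement and deserves a one-line comment above the group saying that inherited sets are for descriptors received from another domain.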
+@@ -179,7 +182,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+ define(`create_lnk_file_perms',`{ create getattr }')
+ define(`rename_lnk_file_perms',`{ getattr rename }')
+ define(`delete_lnk_file_perms',`{ getattr unlink }')
+-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
++define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+ define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
+ define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
+ define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
+@@ -192,7 +195,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
+ define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
+ define(`create_fifo_file_perms',`{ getattr create open }')
+ define(`rename_fifo_file_perms',`{ getattr rename }')
+ define(`delete_fifo_file_perms',`{ getattr unlink }')
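Review bot: Only `rw_fifo_file_perms` gets an `_inherited_` variant here, whereas the file class above receives read, append, write and rw inherited sets; a pipe is the most common descriptor handed across a domain transition and a one-directional end is typical, so `read_inherited_fifo_file_perms` and `write_inherited_fifo_file_perms` (the existing sets minus `open`) would let callers avoid granting both directions. This is a consistency point rather than a defect; if the narrower sets are not needed yet, a short comment saying so avoids the question coming up again.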
+@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }')
+ define(`setattr_sock_file_perms',`{ setattr }')
+ define(`read_sock_file_perms',`{ getattr open read }')
+ define(`write_sock_file_perms',`{ getattr write open append }')
+-define(`rw_sock_file_perms',`{ getattr open read write append }')
+-define(`create_sock_file_perms',`{ getattr create open }')
++define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
++define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
++define(`create_sock_file_perms',`{ getattr setattr create open }')
+ define(`rename_sock_file_perms',`{ getattr rename }')
+ define(`delete_sock_file_perms',`{ getattr unlink }')
+ define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
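Review bot: `create_sock_file_perms` gains `setattr` on the new side, a widening unrelated to the inherited-permission split the rest of this hunk performs and not mentioned anywhere. It is plausibly needed because daemons chmod or chown their listening socket after bind(), but that should be stated next to the define, e.g. `# setattr: daemons commonly chmod/chown the socket file after bind()`, or the permission should be left to `manage_sock_file_perms`, which already includes it.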
+@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
+ define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
+ define(`create_blk_file_perms',`{ getattr create }')
+ define(`rename_blk_file_perms',`{ getattr rename }')
+ define(`delete_blk_file_perms',`{ getattr unlink }')
+@@ -242,7 +248,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
+ define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
+ define(`create_chr_file_perms',`{ getattr create }')
+ define(`rename_chr_file_perms',`{ getattr rename }')
+ define(`delete_chr_file_perms',`{ getattr unlink }')
+@@ -259,7 +266,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+ #
+ # Use (read and write) terminals
+ #
+-define(`rw_term_perms', `{ getattr open read write append ioctl }')
++define(`rw_inherited_term_perms', `{ getattr lock read write append ioctl }')
++define(`rw_term_perms', `{ rw_inherited_term_perms open }')
+
+ #
+ # Sockets
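Review bot: `rw_inherited_term_perms` introduces `lock`, and because `rw_term_perms` is now built from it, every existing user of `rw_term_perms` gains `lock` on terminals as a side effect of what is presented as a refactor. Either drop `lock` from the inherited set so `rw_term_perms` stays `{ getattr open read write append ioctl }`, or note the addition in a comment next to the define. Writing the composite as `{ open rw_inherited_term_perms }` would also match the ordering used by the other `rw_*` sets in this file.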
+@@ -271,3 +279,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
+ # Keys
+ #
+ define(`manage_key_perms', `{ create link read search setattr view write } ')
++
++#
++# Service
++#
++define(`manage_service_perms', `{ start stop status reload enable disable } ')
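Review bot: `manage_service_perms` is a new permission set on the userspace `service` class with no comment on what it is meant to cover, and the `manage_` name suggests completeness while the set lists only start/stop/status/reload/enable/disable. If the class declares further permissions (not visible here), a reader cannot tell whether their omission is intentional; a comment such as `# control a unit via systemctl; deliberately excludes any other service permissions` would document the scope. The trailing space inside the quoted definition, copied from `manage_key_perms`, is harmless in m4 but worth dropping.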
+diff --git a/policy/users b/policy/users
+index c4ebc7e..30d6d7a 100644
+--- a/policy/users
++++ b/policy/users
+@@ -15,7 +15,7 @@
+ # and a user process should never be assigned the system user
+ # identity.
+ #
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+ #
+ # user_u is a generic user identity for Linux users who have no
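Review bot: Adding `unconfined_r` to `system_u` sits directly under a comment saying system_u is for system processes only, and it means any system_u process that can reach an unconfined_r role transition ends up unconfined with no user-identity boundary. If this is required for unconfined system services, the comment block should say so and explain why the role is attached to system_u rather than a dedicated identity, e.g. `# unconfined_r is listed so that init-started services may run unconfined`. It also makes base policy depend on `unconfined_r` being declared wherever gen_user is expanded, which this hunk does not show.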
+@@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ # SELinux user identity for a Linux user. If you do not want to
+ # permit any access to such users, then remove this entry.
+ #
+-gen_user(user_u, user, user_r, s0, s0)
+-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-
+-# Until order dependence is fixed for users:
+-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+ #
+ # The following users correspond to Unix identities.
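Review bot: `user_u` moves from a fixed `s0, s0` range to `s0 - mls_systemhigh, mcs_allcats`, so the generic, least-trusted identity can now be assigned any MLS level and every MCS category; under an MLS build that is a policy decision, not a cleanup, and it is not explained. If the aim is only to let MCS-labelled content be reachable by ordinary users, say so, e.g. `# user_u gets the full range so MCS-separated content stays reachable; the login range is still bounded by seusers/default_contexts`, and consider keeping the MLS ceiling narrower. The prefix of staff_u and sysadm_u also changes to `user`, which, if home-directory labelling is derived from the prefix, collapses their home types into the user ones and should be noted. The removal of the `unconfined_u` gen_user is fine only if it is declared elsewhere, which this hunk does not show.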
+@@ -38,8 +35,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
+ # role should use the staff_r role instead of the user_r role when
+ # not in the sysadm_r.
+ #
+-ifdef(`direct_sysadm_daemon',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+-')
++gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
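Review bot: `root` now lists `unconfined_r` first and gets `system_r` unconditionally, where the old code granted system_r only under `direct_sysadm_daemon`; the comment block above still only discusses staff_r versus user_r and no longer describes what the line does. If anything relies on role order for a default, putting unconfined_r first makes it root's default role, so the change deserves an explicit comment, e.g. `# root defaults to unconfined_r; system_r is always included so root can start daemons directly`. If `direct_sysadm_daemon` is still a build option elsewhere, dropping the ifdef here silently makes it a no-op for root.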
+diff --git a/support/Makefile.devel b/support/Makefile.devel
+index b96e9b3..ff7340f 100644
+--- a/support/Makefile.devel
++++ b/support/Makefile.devel
+@@ -26,7 +26,6 @@ XMLLINT := $(BINDIR)/xmllint
+ # set default build options if missing
+ TYPE ?= standard
+ DIRECT_INITRC ?= n
+-POLY ?= n
+ QUIET ?= y
+
+ genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
diff --git a/SOURCES/policy-rhel-7.1-contrib.patch b/SOURCES/policy-rhel-7.1-contrib.patch
new file mode 100644
index 00000000..f6d3159e
--- /dev/null
+++ b/SOURCES/policy-rhel-7.1-contrib.patch
@@ -0,0 +1,113486 @@
+diff --git a/abrt.fc b/abrt.fc
+index 1a93dc5..f2b26f5 100644
+--- a/abrt.fc
++++ b/abrt.fc
+@@ -1,31 +1,46 @@
+-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
++/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
++/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
++
++/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
++/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
++
++/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+
+-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+ /usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
+-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+-/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
++/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++
++/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
++
++/var/lib/abrt(/.*)? gen_context(system_u:object_r:abrt_var_lib_t,s0)
++
++/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
++
++/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++/var/spool/faf(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/spool/rhsm/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+-/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+-/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+-/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+-/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
+-/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+-/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
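Review bot: The re-added entry for `/var/run/abrtd?\.socket` on the new side uses `--` (regular file) whereas the removed line used `-s` (socket), so the actual unix socket will no longer match this rule and will fall back to the generic /var/run label on relabel. The line should read `/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)`. Separately, `/var/spool/debug(/.*)?`, `/var/spool/rhsm/debug(/.*)?` and `/var/tmp/abrt(/.*)?` are now labelled abrt_var_cache_t without comment; a short note on why paths outside the abrt tree carry an abrt type would help the next maintainer.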
+diff --git a/abrt.if b/abrt.if
+index 058d908..1e92177 100644
+--- a/abrt.if
++++ b/abrt.if
+@@ -1,4 +1,26 @@
+-## Automated bug-reporting tool.
++## ABRT - automated bug-reporting tool
++
++######################################
++##
++## Creates types and rules for a basic
++## ABRT daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`abrt_basic_types_template',`
++ gen_require(`
++ attribute abrt_domain;
++ ')
++
++ type $1_t, abrt_domain;
++ type $1_exec_t;
++
++ kernel_read_system_state($1_t)
++')
+
+ ######################################
+ ##
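Review bot: `abrt_basic_types_template` declares `$1_t` and `$1_exec_t` but does not make `$1_t` a domain or `$1_exec_t` an entrypoint; the callers in abrt.te pair it with `init_daemon_domain`/`application_domain`, and the template's documentation should say that this pairing is required, otherwise a future caller gets a type with `kernel_read_system_state` rules but no domain. Mixing a permission grant into what is otherwise a type-declaration helper is also unusual; a comment above the grant such as `# every abrt domain reads /proc system state; domain and entrypoint setup is left to the caller` would make the contract clear.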
+@@ -40,7 +62,7 @@ interface(`abrt_exec',`
+
+ ########################################
+ ##
+-## Send null signals to abrt.
++## Send a null signal to abrt.
+ ##
+ ##
+ ##
+@@ -58,7 +80,7 @@ interface(`abrt_signull',`
+
+ ########################################
+ ##
+-## Read process state of abrt.
++## Allow the domain to read abrt state files in /proc.
+ ##
+ ##
+ ##
+@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
+ type abrt_t;
+ ')
+
++ kernel_search_proc($1)
+ ps_process_pattern($1, abrt_t)
+ ')
+
+ ########################################
+ ##
+-## Connect to abrt over an unix stream socket.
++## Connect to abrt over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',`
+
+ #####################################
+ ##
+-## Execute abrt-helper in the abrt
+-## helper domain.
++## Execute abrt-helper in the abrt-helper domain.
+ ##
+ ##
+ ##
+@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',`
+ type abrt_helper_t, abrt_helper_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+ ')
+
+ ########################################
+ ##
+-## Execute abrt helper in the abrt
+-## helper domain, and allow the
+-## specified role the abrt helper domain.
++## Execute abrt helper in the abrt_helper domain, and
++## allow the specified role the abrt_helper domain.
+ ##
+ ##
+ ##
+@@ -163,8 +183,26 @@ interface(`abrt_run_helper',`
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## abrt cache files.
++## Read abrt cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_read_cache',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++')
++
++########################################
++##
++## Append abrt cache
+ ##
+ ##
+ ##
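Review bot: `abrt_read_cache` grants read on files and symlinks of abrt_var_cache_t but no `list_dirs_pattern` and no parent-directory search, so a caller can read a cache file only if it already has search on every directory component; compare `abrt_read_spool_retrace` later in this file, which does include `list_dirs_pattern`. Adding `list_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)` makes the interface sufficient for traversing the cache tree, and the summary should state that search of /var itself is not granted.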
+@@ -172,15 +210,37 @@ interface(`abrt_run_helper',`
+ ##
+ ##
+ #
+-interface(`abrt_cache_manage',`
+- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
+- abrt_manage_cache($1)
++interface(`abrt_append_cache',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++
++ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## abrt cache content.
++## Read/Write inherited abrt cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_rw_inherited_cache',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++
++ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Manage abrt cache
+ ##
+ ##
+ ##
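Review bot: `abrt_append_cache` and `abrt_rw_inherited_cache` grant `*_inherited_file_perms` only, i.e. use of a descriptor already open on an abrt cache file, but the summary of the first reads simply `Append abrt cache`, which invites callers to expect they can open files. The summary should read `## Append to inherited abrt cache file descriptors.`, matching the wording of the second interface. The deprecated `abrt_cache_manage` wrapper is also dropped outright rather than kept with its refpolicywarn, so any third-party module still calling it stops building; keeping the shim costs nothing.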
+@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',`
+ type abrt_var_cache_t;
+ ')
+
+- files_search_var($1)
+ manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
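Review bot: Dropping `files_search_var($1)` from abrt_manage_cache means the interface no longer lets the caller reach /var/cache/abrt on its own, and since this patch also places abrt_var_cache_t under /var/spool and /var/tmp, the caller now needs search on whichever parent it uses. Pushing the search to the caller is defensible for that reason, but it is a behaviour change for existing callers and should be stated in the summary, e.g. `## Search of the parent directory (/var, /var/spool, /var/tmp) is not granted.`.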
+@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',`
+
+ ####################################
+ ##
+-## Read abrt configuration files.
++## Read abrt configuration file.
+ ##
+ ##
+ ##
+@@ -218,9 +277,29 @@ interface(`abrt_read_config',`
+ read_files_pattern($1, abrt_etc_t, abrt_etc_t)
+ ')
+
++####################################
++##
++## Dontaudit read abrt configuration file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_dontaudit_read_config',`
++ gen_require(`
++ type abrt_etc_t;
++ ')
++
++ files_search_etc($1)
++ dontaudit $1 abrt_etc_t:dir list_dir_perms;
++ dontaudit $1 abrt_etc_t:file read_file_perms;
++')
++
+ ######################################
+ ##
+-## Read abrt log files.
++## Read abrt logs.
+ ##
+ ##
+ ##
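Review bot: `abrt_dontaudit_read_config` calls `files_search_etc($1)`, which is an allow rule, so a dontaudit interface ends up granting search on /etc to every domain that merely wants the denial noise suppressed. A dontaudit interface should not widen access; drop the `files_search_etc($1)` line, since the two dontaudit rules on abrt_etc_t are all that is needed to silence the denials, or use a dontaudit equivalent if the files module provides one.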
+@@ -258,8 +337,7 @@ interface(`abrt_read_pid_files',`
+
+ ######################################
+ ##
+-## Create, read, write, and delete
+-## abrt PID files.
++## Create, read, write, and delete abrt PID files.
+ ##
+ ##
+ ##
+@@ -276,10 +354,52 @@ interface(`abrt_manage_pid_files',`
+ manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+ ')
+
++########################################
++##
++## Read and write abrt fifo files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_rw_fifo_file',`
++ gen_require(`
++ type abrt_t;
++ ')
++
++ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Execute abrt server in the abrt domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`abrt_systemctl',`
++ gen_require(`
++ type abrt_t;
++ type abrt_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 abrt_unit_file_t:file manage_file_perms;
++ allow $1 abrt_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, abrt_t)
++')
++
+ #####################################
+ ##
+-## All of the rules required to
+-## administrate an abrt environment,
++## All of the rules required to administrate
++## an abrt environment
+ ##
+ ##
+ ##
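Review bot: `abrt_systemctl` grants `manage_file_perms` on abrt_unit_file_t, so any domain given this interface can rewrite or replace the unit file and thereby change what init executes as abrt_t; controlling the service through systemctl only requires reading the unit. Change the line to `allow $1 abrt_unit_file_t:file read_file_perms;` and leave write access to abrt_admin, which already applies `admin_pattern($1, abrt_unit_file_t)`. The summary `Execute abrt server in the abrt domain` also describes a domtrans rather than a systemctl grant; `## Allow the caller to control the abrt service via systemctl.` fits what the interface does.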
+@@ -288,39 +408,174 @@ interface(`abrt_manage_pid_files',`
+ ##
+ ##
+ ##
+-## Role allowed access.
++## The role to be allowed to manage the abrt domain.
+ ##
+ ##
+ ##
+ #
+ interface(`abrt_admin',`
+ gen_require(`
+- attribute abrt_domain;
+- type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
+- type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
+- type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
++ type abrt_t, abrt_etc_t;
++ type abrt_var_cache_t, abrt_var_log_t;
++ type abrt_var_run_t, abrt_tmp_t;
++ type abrt_initrc_exec_t;
++ type abrt_unit_file_t;
+ ')
+
+- allow $1 abrt_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, abrt_domain)
++ allow $1 abrt_t:process { signal_perms };
++ ps_process_pattern($1, abrt_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 abrt_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 abrt_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, abrt_etc_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, abrt_var_log_t)
+
+- files_search_var($1)
+- admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
++ files_list_var($1)
++ admin_pattern($1, abrt_var_cache_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, abrt_var_run_t)
+
+- files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, abrt_tmp_t)
++
++ abrt_systemctl($1)
++ admin_pattern($1, abrt_unit_file_t)
++ allow $1 abrt_unit_file_t:service all_service_perms;
++')
++
++####################################
++##
++## Execute abrt-retrace in the abrt-retrace domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`abrt_domtrans_retrace_worker',`
++ gen_require(`
++ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
++')
++
++######################################
++##
++## Manage abrt retrace server cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_manage_spool_retrace',`
++ gen_require(`
++ type abrt_retrace_spool_t;
++ ')
++
++ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++')
++
++#####################################
++##
++## Read abrt retrace server cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_read_spool_retrace',`
++ gen_require(`
++ type abrt_retrace_spool_t;
++ ')
++
++ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ ')
++
++
++#####################################
++##
++## Read abrt retrace server cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_read_cache_retrace',`
++ gen_require(`
++ type abrt_retrace_cache_t;
++ ')
++
++ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
++ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
++ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
++')
++
++########################################
++##
++## Do not audit attempts to write abrt sock files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`abrt_dontaudit_write_sock_file',`
++ gen_require(`
++ type abrt_t;
++ ')
++
++ dontaudit $1 abrt_t:sock_file write;
++')
++
++########################################
++##
++## Transition to abrt named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_filetrans_named_content',`
++ gen_require(`
++ type abrt_tmp_t;
++ type abrt_etc_t;
++ type abrt_var_cache_t;
++ type abrt_var_run_t;
++ ')
++
++ files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt")
++ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
++ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
++ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
++ files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
++ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
++')
++
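Review bot: `abrt_filetrans_named_content` uses the name `"abrt-dix"` for a /var transition, which matches nothing in abrt.fc, where the directory labelled abrt_var_cache_t is `/var/cache/abrt-di`; this looks like a typo and should be `files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-di")`. In the same hunk abrt_admin is narrowed from the `abrt_domain` attribute to `abrt_t` alone and loses the `abrt_retrace_cache_t`/`abrt_retrace_spool_t` admin_pattern, so an administrator can no longer signal the helper, dump_oops or retrace domains nor manage the retrace trees; if that is intended it deserves a comment, otherwise the attribute form should be kept. The summaries of `abrt_manage_spool_retrace` and `abrt_read_cache_retrace` both say "retrace server cache" while the first actually covers the spool type.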
+diff --git a/abrt.te b/abrt.te
+index eb50f07..34371ae 100644
+--- a/abrt.te
++++ b/abrt.te
+@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
+ #
+
+ ##
+-##
+-## Determine whether ABRT can modify
+-## public files used for public file
+-## transfer services.
+-##
++##
++## Allow ABRT to modify public files
++## used for public file transfer services.
++##
+ ##
+ gen_tunable(abrt_anon_write, false)
+
+@@ -37,87 +36,98 @@ attribute abrt_domain;
+ attribute_role abrt_helper_roles;
+ roleattribute system_r abrt_helper_roles;
+
+-type abrt_t, abrt_domain;
+-type abrt_exec_t;
++abrt_basic_types_template(abrt)
+ init_daemon_domain(abrt_t, abrt_exec_t)
+
+ type abrt_initrc_exec_t;
+ init_script_file(abrt_initrc_exec_t)
+
++type abrt_unit_file_t;
++systemd_unit_file(abrt_unit_file_t)
++
+ type abrt_etc_t;
+ files_config_file(abrt_etc_t)
+
+ type abrt_var_log_t;
+ logging_log_file(abrt_var_log_t)
+
++type abrt_var_lib_t;
++files_type(abrt_var_lib_t)
++
+ type abrt_tmp_t;
+ files_tmp_file(abrt_tmp_t)
+
+ type abrt_var_cache_t;
+ files_type(abrt_var_cache_t)
++files_tmp_file(abrt_var_cache_t)
++userdom_user_tmp_content(abrt_var_cache_t)
+
+ type abrt_var_run_t;
+ files_pid_file(abrt_var_run_t)
+
+-type abrt_dump_oops_t, abrt_domain;
+-type abrt_dump_oops_exec_t;
++abrt_basic_types_template(abrt_dump_oops)
+ init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+
+-type abrt_handle_event_t, abrt_domain;
+-type abrt_handle_event_exec_t;
+-domain_type(abrt_handle_event_t)
+-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
++abrt_basic_types_template(abrt_handle_event)
++application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
+ role system_r types abrt_handle_event_t;
+
+-type abrt_helper_t, abrt_domain;
+-type abrt_helper_exec_t;
++# type needed to allow all domains
++# to handle /var/cache/abrt
++# type needed to allow all domains
++# to handle /var/cache/abrt
++abrt_basic_types_template(abrt_helper)
+ application_domain(abrt_helper_t, abrt_helper_exec_t)
+ role abrt_helper_roles types abrt_helper_t;
+
+-type abrt_retrace_coredump_t, abrt_domain;
+-type abrt_retrace_coredump_exec_t;
+-domain_type(abrt_retrace_coredump_t)
+-domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+-role system_r types abrt_retrace_coredump_t;
+-
+-type abrt_retrace_worker_t, abrt_domain;
+-type abrt_retrace_worker_exec_t;
+-domain_type(abrt_retrace_worker_t)
+-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
++abrt_basic_types_template(abrt_retrace_worker)
++application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+ role system_r types abrt_retrace_worker_t;
+
++abrt_basic_types_template(abrt_retrace_coredump)
++application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
++role system_r types abrt_retrace_coredump_t;
++
+ type abrt_retrace_cache_t;
+ files_type(abrt_retrace_cache_t)
+
+ type abrt_retrace_spool_t;
+-files_type(abrt_retrace_spool_t)
++files_spool_file(abrt_retrace_spool_t)
+
+-type abrt_watch_log_t, abrt_domain;
+-type abrt_watch_log_exec_t;
++abrt_basic_types_template(abrt_watch_log)
+ init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
+
+-type abrt_upload_watch_t, abrt_domain;
+-type abrt_upload_watch_exec_t;
++abrt_basic_types_template(abrt_upload_watch)
+ init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+
++type abrt_upload_watch_tmp_t;
++files_tmp_file(abrt_upload_watch_tmp_t)
++
++
+ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+ ')
+
+ ########################################
+ #
+-# Local policy
++# abrt local policy
+ #
+
+-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+-dontaudit abrt_t self:capability sys_rawio;
++allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
++dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
+ allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
++
+ allow abrt_t self:fifo_file rw_fifo_file_perms;
+-allow abrt_t self:tcp_socket { accept listen };
++allow abrt_t self:tcp_socket create_stream_socket_perms;
++allow abrt_t self:udp_socket create_socket_perms;
++allow abrt_t self:unix_dgram_socket create_socket_perms;
++allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+
+-allow abrt_t abrt_etc_t:dir list_dir_perms;
++# abrt etc files
++list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+ rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+
++# log file
+ manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
+ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
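Review bot: `sys_ptrace` appears both in `allow abrt_t self:capability { ... sys_ptrace }` and in the `dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }` line directly below it; once the capability is allowed the dontaudit is dead, and the pair reads as if the author was unsure whether abrtd needs it. Keep one: if abrtd genuinely has to ptrace (presumably for core collection, which this hunk does not show) leave it in the allow with a comment saying why, otherwise drop it from the allow so the dontaudit does its job. The comment `# type needed to allow all domains to handle /var/cache/abrt` is also pasted twice and sits above the abrt_helper declaration rather than next to the `userdom_user_tmp_content(abrt_var_cache_t)` line it appears to describe.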
+
+@@ -125,48 +135,55 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+ manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+ manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+ files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
++can_exec(abrt_t, abrt_tmp_t)
+
++# abrt var/cache files
+ manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+ files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+ files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
++files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
+
++# abrt pid files
+ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
+
+-can_exec(abrt_t, abrt_tmp_t)
++manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+
+ kernel_read_ring_buffer(abrt_t)
+-kernel_read_system_state(abrt_t)
++kernel_read_network_state(abrt_t)
++kernel_read_software_raid_state(abrt_t)
+ kernel_request_load_module(abrt_t)
++kernel_rw_usermodehelper_state(abrt_t)
+ kernel_rw_kernel_sysctl(abrt_t)
++kernel_rw_usermodehelper_state(abrt_t)
+
+ corecmd_exec_bin(abrt_t)
+ corecmd_exec_shell(abrt_t)
+ corecmd_read_all_executables(abrt_t)
+
+ corenet_all_recvfrom_netlabel(abrt_t)
+-corenet_all_recvfrom_unlabeled(abrt_t)
+ corenet_tcp_sendrecv_generic_if(abrt_t)
+ corenet_tcp_sendrecv_generic_node(abrt_t)
+-corenet_tcp_sendrecv_all_ports(abrt_t)
++corenet_tcp_sendrecv_generic_port(abrt_t)
+ corenet_tcp_bind_generic_node(abrt_t)
+-
+-corenet_sendrecv_all_client_packets(abrt_t)
+ corenet_tcp_connect_http_port(abrt_t)
+ corenet_tcp_connect_ftp_port(abrt_t)
+ corenet_tcp_connect_all_ports(abrt_t)
++corenet_sendrecv_http_client_packets(abrt_t)
+
+ dev_getattr_all_chr_files(abrt_t)
+ dev_getattr_all_blk_files(abrt_t)
+ dev_read_rand(abrt_t)
+ dev_read_urand(abrt_t)
+ dev_rw_sysfs(abrt_t)
+-dev_dontaudit_read_raw_memory(abrt_t)
++dev_read_raw_memory(abrt_t)
+
+ domain_getattr_all_domains(abrt_t)
+ domain_read_all_domains_state(abrt_t)
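Review bot: `kernel_rw_usermodehelper_state(abrt_t)` is added twice in this hunk, once before and once after `kernel_rw_kernel_sysctl(abrt_t)`; drop the second copy. The hunk also turns `dev_dontaudit_read_raw_memory(abrt_t)` into `dev_read_raw_memory(abrt_t)`, which grants the daemon read access to the raw memory devices instead of merely silencing the denial; if a plugin genuinely needs it, a comment such as `# <plugin> reads raw memory for <purpose> -- TODO confirm` should say which one, otherwise the dontaudit should stay. Note as well that `kernel_read_system_state(abrt_t)` is removed here and the attribute-wide `kernel_read_system_state(abrt_domain)` is removed later in this file, so abrt_t appears to lose /proc reads unless it is regranted outside the visible hunks.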
+@@ -176,29 +193,43 @@ files_getattr_all_files(abrt_t)
+ files_read_config_files(abrt_t)
+ files_read_etc_runtime_files(abrt_t)
+ files_read_var_symlinks(abrt_t)
+-files_read_usr_files(abrt_t)
++files_read_var_lib_files(abrt_t)
++files_read_generic_tmp_files(abrt_t)
+ files_read_kernel_modules(abrt_t)
++files_dontaudit_list_default(abrt_t)
+ files_dontaudit_read_default_files(abrt_t)
+ files_dontaudit_read_all_symlinks(abrt_t)
+ files_dontaudit_getattr_all_sockets(abrt_t)
+ files_list_mnt(abrt_t)
++fs_list_all(abrt_t)
+
++fs_list_inotifyfs(abrt_t)
+ fs_getattr_all_fs(abrt_t)
+ fs_getattr_all_dirs(abrt_t)
+-fs_list_inotifyfs(abrt_t)
+ fs_read_fusefs_files(abrt_t)
+ fs_read_noxattr_fs_files(abrt_t)
+ fs_read_nfs_files(abrt_t)
+ fs_read_nfs_symlinks(abrt_t)
+ fs_search_all(abrt_t)
+
+-auth_use_nsswitch(abrt_t)
++storage_dontaudit_read_fixed_disk(abrt_t)
+
+ logging_read_generic_logs(abrt_t)
++logging_send_syslog_msg(abrt_t)
++logging_stream_connect_syslog(abrt_t)
++logging_read_syslog_pid(abrt_t)
++
++auth_use_nsswitch(abrt_t)
+
++init_read_utmp(abrt_t)
++
++miscfiles_read_generic_certs(abrt_t)
+ miscfiles_read_public_files(abrt_t)
++miscfiles_dontaudit_access_check_cert(abrt_t)
++miscfiles_dontaudit_write_generic_cert_files(abrt_t)
+
+ userdom_dontaudit_read_user_home_content_files(abrt_t)
++userdom_dontaudit_read_admin_home_files(abrt_t)
+
+ tunable_policy(`abrt_anon_write',`
+ miscfiles_manage_public_files(abrt_t)
+@@ -206,15 +237,11 @@ tunable_policy(`abrt_anon_write',`
+
+ optional_policy(`
+ apache_list_modules(abrt_t)
+- apache_read_module_files(abrt_t)
++ apache_read_modules(abrt_t)
+ ')
+
+ optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
+-
+- optional_policy(`
+- policykit_dbus_chat(abrt_t)
+- ')
+ ')
+
+ optional_policy(`
+@@ -222,6 +249,20 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kdump_read_crash(abrt_t)
++')
++
++optional_policy(`
++ mcelog_read_log(abrt_t)
++')
++
++optional_policy(`
++ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
++ mozilla_plugin_read_rw_files(abrt_t)
++')
++
++optional_policy(`
++ policykit_dbus_chat(abrt_t)
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+ policykit_read_reload(abrt_t)
+@@ -234,6 +275,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ puppet_read_lib(abrt_t)
++')
++
++# to install debuginfo packages
++optional_policy(`
+ rpm_exec(abrt_t)
+ rpm_dontaudit_manage_db(abrt_t)
+ rpm_manage_cache(abrt_t)
+@@ -243,6 +289,7 @@ optional_policy(`
+ rpm_signull(abrt_t)
+ ')
+
++# to run mailx plugin
+ optional_policy(`
+ sendmail_domtrans(abrt_t)
+ ')
+@@ -253,9 +300,21 @@ optional_policy(`
+ sosreport_delete_tmp_files(abrt_t)
+ ')
+
++optional_policy(`
++ sssd_stream_connect(abrt_t)
++')
++
++optional_policy(`
++ xserver_read_log(abrt_t)
++')
++
++optional_policy(`
++ udev_read_db(abrt_t)
++')
++
+ #######################################
+ #
+-# Handle-event local policy
++# abrt-handle-event local policy
+ #
+
+ allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
+@@ -266,9 +325,13 @@ tunable_policy(`abrt_handle_event',`
+ can_exec(abrt_t, abrt_handle_event_exec_t)
+ ')
+
++optional_policy(`
++ unconfined_domain(abrt_handle_event_t)
++')
++
+ ########################################
+ #
+-# Helper local policy
++# abrt--helper local policy
+ #
+
+ allow abrt_helper_t self:capability { chown setgid sys_nice };
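Review bot: `unconfined_domain(abrt_handle_event_t)` removes all confinement from the event-handler domain whenever the unconfined module is loaded, which `optional_policy` gates only on module presence, not on an administrator choice. Because abrt_t reaches this domain through the `abrt_handle_event` tunable shown just above, the crash-handling pipeline effectively becomes unconfined by default. Consider gating it behind a tunable, or at least document why confinement is not attempted, e.g. `# event scripts are arbitrary site-provided programs; not confinable yet`. The renamed header `# abrt--helper local policy` also has a doubled hyphen.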
+@@ -281,6 +344,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
++files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt")
+
+ read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+@@ -289,15 +353,20 @@ corecmd_read_all_executables(abrt_helper_t)
+
+ domain_read_all_domains_state(abrt_helper_t)
+
++files_dontaudit_all_non_security_leaks(abrt_helper_t)
++
+ fs_list_inotifyfs(abrt_helper_t)
+ fs_getattr_all_fs(abrt_helper_t)
+
+ auth_use_nsswitch(abrt_helper_t)
+
++logging_send_syslog_msg(abrt_helper_t)
++
+ term_dontaudit_use_all_ttys(abrt_helper_t)
+ term_dontaudit_use_all_ptys(abrt_helper_t)
+
+ ifdef(`hide_broken_symptoms',`
++ domain_dontaudit_leaks(abrt_helper_t)
+ userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
+ userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+ dev_dontaudit_read_all_blk_files(abrt_helper_t)
+@@ -305,11 +374,25 @@ ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_write_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
++
++ optional_policy(`
++ rpm_dontaudit_leaks(abrt_helper_t)
++ ')
++')
++
++ifdef(`hide_broken_symptoms',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow abrt_t self:capability sys_resource;
++ allow abrt_t domain:file write;
++ allow abrt_t domain:process setrlimit;
+ ')
+
+ #######################################
+ #
+-# Retrace coredump policy
++# abrt retrace coredump policy
+ #
+
+ allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
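Review bot: The second `ifdef(`hide_broken_symptoms'` block grants `allow abrt_t domain:file write;` and `allow abrt_t domain:process setrlimit;`, yet it is placed in the abrt_helper section and framed as symptom hiding; a write grant against every domain's process files is a real allow, not a dontaudit, and deserves its own justification and placement under the abrt_t rules. If the goal is to raise core-dump limits of crashing processes, `sys_resource` plus `domain:process setrlimit` may already be sufficient; the `domain:file write` line should either be dropped or narrowed with a comment naming the file it needs (presumably under /proc/pid — confirm).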
+@@ -327,10 +410,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+
+ dev_read_urand(abrt_retrace_coredump_t)
+
+-files_read_usr_files(abrt_retrace_coredump_t)
++
++logging_send_syslog_msg(abrt_retrace_coredump_t)
+
+ sysnet_dns_name_resolve(abrt_retrace_coredump_t)
+
++# to install debuginfo packages
+ optional_policy(`
+ rpm_exec(abrt_retrace_coredump_t)
+ rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
+@@ -343,10 +428,11 @@ optional_policy(`
+
+ #######################################
+ #
+-# Retrace worker policy
++# abrt retrace worker policy
+ #
+
+-allow abrt_retrace_worker_t self:capability setuid;
++allow abrt_retrace_worker_t self:capability { setuid };
++
+ allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
+
+ domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
+@@ -365,38 +451,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+
+ dev_read_urand(abrt_retrace_worker_t)
+
+-files_read_usr_files(abrt_retrace_worker_t)
++
++logging_send_syslog_msg(abrt_retrace_worker_t)
+
+ sysnet_dns_name_resolve(abrt_retrace_worker_t)
+
++optional_policy(`
++ mock_domtrans(abrt_retrace_worker_t)
++ mock_manage_lib_files(abrt_t)
++')
++
+ ########################################
+ #
+-# Dump oops local policy
++# abrt_dump_oops local policy
+ #
+
+ allow abrt_dump_oops_t self:capability dac_override;
+ allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
+-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
++allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
+
+ files_search_spool(abrt_dump_oops_t)
+ manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+ files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
++files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
++
++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
++manage_files_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
+
+ read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+ read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+
+ read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
+
++kernel_read_debugfs(abrt_dump_oops_t)
+ kernel_read_kernel_sysctls(abrt_dump_oops_t)
+ kernel_read_ring_buffer(abrt_dump_oops_t)
+
++dev_read_urand(abrt_dump_oops_t)
++dev_read_rand(abrt_dump_oops_t)
++
+ domain_use_interactive_fds(abrt_dump_oops_t)
+
++fs_getattr_all_fs(abrt_dump_oops_t)
+ fs_list_inotifyfs(abrt_dump_oops_t)
++fs_list_pstorefs(abrt_dump_oops_t)
+
+ logging_read_generic_logs(abrt_dump_oops_t)
++logging_read_syslog_pid(abrt_dump_oops_t)
++logging_send_syslog_msg(abrt_dump_oops_t)
+
+ #######################################
+ #
+@@ -404,7 +508,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+ #
+
+ allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
+-allow abrt_watch_log_t self:unix_stream_socket { accept listen };
++allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
+
+ read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
+
+@@ -413,16 +517,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+ corecmd_exec_bin(abrt_watch_log_t)
+
+ logging_read_all_logs(abrt_watch_log_t)
++logging_send_syslog_msg(abrt_watch_log_t)
++
++tunable_policy(`abrt_upload_watch_anon_write',`
++ miscfiles_manage_public_files(abrt_upload_watch_t)
++')
+
+ #######################################
+ #
+ # Upload watch local policy
+ #
+
++allow abrt_upload_watch_t self:capability { dac_override chown };
++
++manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
++
++read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
++
++manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
++
+ corecmd_exec_bin(abrt_upload_watch_t)
+
++dev_read_urand(abrt_upload_watch_t)
++
++files_search_spool(abrt_upload_watch_t)
++
++auth_read_passwd(abrt_upload_watch_t)
++
+ tunable_policy(`abrt_upload_watch_anon_write',`
+- miscfiles_manage_public_files(abrt_upload_watch_t)
++ miscfiles_manage_public_files(abrt_upload_watch_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(abrt_upload_watch_t)
+ ')
+
+ #######################################
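Review bot: The `tunable_policy(`abrt_upload_watch_anon_write'` block added right after `logging_send_syslog_msg(abrt_watch_log_t)` in the watch-log section duplicates the one already present in the upload-watch section below, where the same rule is only re-indented; drop the first copy so the tunable stays with the domain it governs. `files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})` also lacks the spaces inside the braces used everywhere else in this file (`{ file dir }`).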
+@@ -430,10 +560,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+ # Global local policy
+ #
+
+-kernel_read_system_state(abrt_domain)
++allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
++allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
+
+ files_read_etc_files(abrt_domain)
+-
+-logging_send_syslog_msg(abrt_domain)
+-
+-miscfiles_read_localization(abrt_domain)
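Review bot: Dropping `logging_send_syslog_msg(abrt_domain)` and `kernel_read_system_state(abrt_domain)` from the attribute-wide section relies on every member domain getting the rule individually, but within this diff abrt_upload_watch_t and abrt_handle_event_t receive no `logging_send_syslog_msg` call and abrt_t loses its own `kernel_read_system_state` earlier in the file. Unless those are regranted in hunks not shown, syslog writes and /proc reads from those domains will start being denied; keeping the two attribute-wide lines is the safer choice.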
+diff --git a/accountsd.fc b/accountsd.fc
+index f9d8d7a..0682710 100644
+--- a/accountsd.fc
++++ b/accountsd.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
++
+ /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+ /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+diff --git a/accountsd.if b/accountsd.if
+index bd5ec9a..554177c 100644
+--- a/accountsd.if
++++ b/accountsd.if
+@@ -126,23 +126,51 @@ interface(`accountsd_manage_lib_files',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
+-##
++#
++interface(`accountsd_systemctl',`
++ gen_require(`
++ type accountsd_t;
++ type accountsd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 accountsd_unit_file_t:file read_file_perms;
++ allow $1 accountsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, accountsd_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an accountsd environment
++##
++##
+ ##
+-## Role allowed access.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`accountsd_admin',`
+ gen_require(`
+ type accountsd_t;
++ type accountsd_unit_file_t;
+ ')
+
+- allow $1 accountsd_t:process { ptrace signal_perms };
++ allow $1 accountsd_t:process signal_perms;
+ ps_process_pattern($1, accountsd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 accountsd_t:process ptrace;
++ ')
++
+ accountsd_manage_lib_files($1)
++
++ accountsd_systemctl($1)
++ admin_pattern($1, accountsd_unit_file_t)
++ allow $1 accountsd_unit_file_t:service all_service_perms;
+ ')
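Review bot: `accountsd_admin` now calls `accountsd_systemctl($1)`, which already grants `accountsd_unit_file_t:service manage_service_perms`, and then adds `allow $1 accountsd_unit_file_t:service all_service_perms;`; if all_service_perms is the superset as in reference policy, the first grant is redundant inside the admin interface. The description block for the new `accountsd_systemctl` interface begins above this hunk; the visible parameter text reuses `Domain allowed to transition.`, which should instead say that `$1` is the domain allowed to run systemctl on the accountsd unit.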
+diff --git a/accountsd.te b/accountsd.te
+index 3593510..b6a0f70 100644
+--- a/accountsd.te
++++ b/accountsd.te
+@@ -4,6 +4,10 @@ gen_require(`
+ class passwd all_passwd_perms;
+ ')
+
++gen_require(`
++ class passwd { passwd chfn chsh rootok crontab };
++')
++
+ ########################################
+ #
+ # Declarations
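Review bot: The new `gen_require` for `class passwd { passwd chfn chsh rootok crontab };` duplicates the requirement immediately above it, `class passwd all_passwd_perms;`, which already pulls in the class with every permission. The second block adds nothing and can be dropped, or the two merged so the file has a single require for the passwd class.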
+@@ -11,11 +15,15 @@ gen_require(`
+
+ type accountsd_t;
+ type accountsd_exec_t;
+-dbus_system_domain(accountsd_t, accountsd_exec_t)
++init_daemon_domain(accountsd_t, accountsd_exec_t)
++role system_r types accountsd_t;
+
+ type accountsd_var_lib_t;
+ files_type(accountsd_var_lib_t)
+
++type accountsd_unit_file_t;
++systemd_unit_file(accountsd_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t)
+ dev_read_sysfs(accountsd_t)
+
+ files_read_mnt_files(accountsd_t)
+-files_read_usr_files(accountsd_t)
+
+ fs_getattr_xattr_fs(accountsd_t)
+ fs_list_inotifyfs(accountsd_t)
+@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t)
+ auth_read_login_records(accountsd_t)
+ auth_read_shadow(accountsd_t)
+
+-miscfiles_read_localization(accountsd_t)
++init_dbus_chat(accountsd_t)
+
+ logging_list_logs(accountsd_t)
+ logging_send_syslog_msg(accountsd_t)
+@@ -66,9 +73,16 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dbus_system_domain(accountsd_t, accountsd_exec_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(accountsd_t)
+ ')
+
+ optional_policy(`
+ xserver_read_xdm_tmp_files(accountsd_t)
++ xserver_read_state_xdm(accountsd_t)
++ xserver_dbus_chat_xdm(accountsd_t)
++ xserver_manage_xdm_etc_files(accountsd_t)
+ ')
+diff --git a/acct.if b/acct.if
+index 81280d0..bc4038b 100644
+--- a/acct.if
++++ b/acct.if
+@@ -83,6 +83,24 @@ interface(`acct_manage_data',`
+
+ ########################################
+ ##
++## Dontaudit Attempts to list acct_data directory
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`acct_dontaudit_list_data',`
++ gen_require(`
++ type acct_data_t;
++ ')
++
++ dontaudit $1 acct_data_t:dir list_dir_perms;
++')
++
++#######################################
++##
+ ## All of the rules required to
+ ## administrate an acct environment.
+ ##
+@@ -103,9 +121,13 @@ interface(`acct_admin',`
+ type acct_t, acct_initrc_exec_t, acct_data_t;
+ ')
+
+- allow $1 acct_t:process { ptrace signal_perms };
++ allow $1 acct_t:process { signal_perms };
+ ps_process_pattern($1, acct_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 acct_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, acct_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 acct_initrc_exec_t system_r;
+diff --git a/acct.te b/acct.te
+index 8b9ad83..f4f2486 100644
+--- a/acct.te
++++ b/acct.te
+@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
+ dev_read_sysfs(acct_t)
+ dev_read_urand(acct_t)
+
+-domain_use_interactive_fds(acct_t)
+-
+ fs_search_auto_mountpoints(acct_t)
+ fs_getattr_xattr_fs(acct_t)
+
+@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t)
+ term_dontaudit_use_generic_ptys(acct_t)
+
+ files_read_etc_runtime_files(acct_t)
+-files_list_usr(acct_t)
+
+ auth_use_nsswitch(acct_t)
+
+@@ -59,8 +56,6 @@ init_exec_script_files(acct_t)
+
+ logging_send_syslog_msg(acct_t)
+
+-miscfiles_read_localization(acct_t)
+-
+ userdom_dontaudit_search_user_home_dirs(acct_t)
+ userdom_dontaudit_use_unpriv_user_fds(acct_t)
+
+diff --git a/ada.te b/ada.te
+index 8d42c97..2377f8f 100644
+--- a/ada.te
++++ b/ada.te
+@@ -20,7 +20,7 @@ role ada_roles types ada_t;
+
+ allow ada_t self:process { execstack execmem };
+
+-userdom_use_user_terminals(ada_t)
++userdom_use_inherited_user_terminals(ada_t)
+
+ optional_policy(`
+ unconfined_domain(ada_t)
+diff --git a/afs.if b/afs.if
+index 3b41be6..97d99f9 100644
+--- a/afs.if
++++ b/afs.if
+@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',`
+
+ ########################################
+ ##
++## Read AFS config data
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`afs_read_config',`
++ gen_require(`
++ type afs_config_t;
++ ')
++
++ read_files_pattern($1, afs_config_t, afs_config_t)
++')
++
++########################################
++##
+ ## Read and write afs cache files.
+ ##
+ ##
+@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',`
+ interface(`afs_admin',`
+ gen_require(`
+ attribute afs_domain;
+- type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
++ type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
+ type afs_ka_db_t, afs_vl_db_t, afs_config_t;
+ type afs_logfile_t, afs_cache_t, afs_files_t;
+ ')
+
+- allow $1 afs_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, afs_domain)
++ allow $1 afs_t:process signal_perms;
++ ps_process_pattern($1, afs_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 afs_t:process ptrace;
++ ')
+
+ afs_initrc_domtrans($1)
+ domain_system_change_exemption($1)
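Review bot: `afs_admin` is narrowed from the `afs_domain` attribute to `afs_t` alone: `allow $1 afs_t:process signal_perms;` and `ps_process_pattern($1, afs_t)` no longer cover afs_bosserver_t, afs_fsserver_t, afs_kaserver_t, afs_ptserver_t or afs_vlserver_t, so an admin role loses the ability to signal or inspect the server daemons this module also declares. If the narrowing is intended it deserves a comment; otherwise keep `afs_domain` in both lines and in the new deny_ptrace block. `attribute afs_domain;` is still required but appears unused in the visible part of the interface, which continues past this hunk.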
+diff --git a/afs.te b/afs.te
+index 90ce637..2e9f5d9 100644
+--- a/afs.te
++++ b/afs.te
+@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
+
+ kernel_rw_afs_state(afs_t)
+
++corenet_all_recvfrom_netlabel(afs_t)
++corenet_tcp_sendrecv_generic_if(afs_t)
++corenet_udp_sendrecv_generic_if(afs_t)
++corenet_tcp_sendrecv_generic_node(afs_t)
++corenet_udp_sendrecv_generic_node(afs_t)
++corenet_tcp_sendrecv_all_ports(afs_t)
++corenet_udp_sendrecv_all_ports(afs_t)
++corenet_udp_bind_generic_node(afs_t)
++
+ files_mounton_mnt(afs_t)
+-files_read_usr_files(afs_t)
+ files_rw_etc_runtime_files(afs_t)
+
+ fs_getattr_xattr_fs(afs_t)
+@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t)
+
+ logging_send_syslog_msg(afs_t)
+
++sysnet_dns_name_resolve(afs_t)
++
++ifdef(`hide_broken_symptoms',`
++ kernel_rw_unlabeled_files(afs_t)
++')
++
+ ########################################
+ #
+ # AFS bossserver local policy
+@@ -125,7 +139,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
+
+ kernel_read_kernel_sysctls(afs_bosserver_t)
+
+-corenet_all_recvfrom_unlabeled(afs_bosserver_t)
+ corenet_all_recvfrom_netlabel(afs_bosserver_t)
+ corenet_udp_sendrecv_generic_if(afs_bosserver_t)
+ corenet_udp_sendrecv_generic_node(afs_bosserver_t)
+@@ -136,7 +149,6 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
+ corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
+
+ files_list_home(afs_bosserver_t)
+-files_read_usr_files(afs_bosserver_t)
+
+ seutil_read_config(afs_bosserver_t)
+
+@@ -151,9 +163,6 @@ allow afs_fsserver_t self:process { setsched signal_perms };
+ allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
+ allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
+
+-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+-allow afs_fsserver_t afs_config_t:dir list_dir_perms;
+-
+ manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+ manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+
+@@ -175,12 +184,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
+
+ corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+ corenet_all_recvfrom_netlabel(afs_fsserver_t)
++corenet_tcp_bind_generic_node(afs_fsserver_t)
++corenet_udp_bind_generic_node(afs_fsserver_t)
+ corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
+ corenet_udp_sendrecv_generic_if(afs_fsserver_t)
+ corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
+ corenet_udp_sendrecv_generic_node(afs_fsserver_t)
+-corenet_tcp_bind_generic_node(afs_fsserver_t)
+-corenet_udp_bind_generic_node(afs_fsserver_t)
++corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
++corenet_udp_sendrecv_all_ports(afs_fsserver_t)
+
+ corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
+ corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
+@@ -190,7 +201,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
+
+ files_read_etc_runtime_files(afs_fsserver_t)
+ files_list_home(afs_fsserver_t)
+-files_read_usr_files(afs_fsserver_t)
+ files_list_pids(afs_fsserver_t)
+ files_dontaudit_search_mnt(afs_fsserver_t)
+
+@@ -224,7 +234,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+
+ kernel_read_kernel_sysctls(afs_kaserver_t)
+
+-corenet_all_recvfrom_unlabeled(afs_kaserver_t)
+ corenet_all_recvfrom_netlabel(afs_kaserver_t)
+ corenet_udp_sendrecv_generic_if(afs_kaserver_t)
+ corenet_udp_sendrecv_generic_node(afs_kaserver_t)
+@@ -239,7 +248,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
+ corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
+
+ files_list_home(afs_kaserver_t)
+-files_read_usr_files(afs_kaserver_t)
+
+ seutil_read_config(afs_kaserver_t)
+
+@@ -253,16 +261,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t)
+ allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
+ allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
+
+-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
+-allow afs_ptserver_t afs_config_t:dir list_dir_perms;
+-
+ manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+
+ manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
+ filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
+
+-corenet_all_recvfrom_unlabeled(afs_ptserver_t)
+ corenet_all_recvfrom_netlabel(afs_ptserver_t)
+ corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
+ corenet_udp_sendrecv_generic_if(afs_ptserver_t)
+@@ -274,6 +278,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
+ corenet_udp_bind_afs_pt_port(afs_ptserver_t)
+ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
+
++sysnet_read_config(afs_ptserver_t)
++
+ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
+
+ ########################################
+@@ -284,16 +290,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
+ allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
+ allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
+
+-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
+-allow afs_vlserver_t afs_config_t:dir list_dir_perms;
+-
+ manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+
+ manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
+ filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
+
+-corenet_all_recvfrom_unlabeled(afs_vlserver_t)
+ corenet_all_recvfrom_netlabel(afs_vlserver_t)
+ corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
+ corenet_udp_sendrecv_generic_if(afs_vlserver_t)
+@@ -314,8 +316,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
+
+ allow afs_domain self:udp_socket create_socket_perms;
+
+-files_read_etc_files(afs_domain)
+-
+-miscfiles_read_localization(afs_domain)
++read_files_pattern(afs_domain, afs_config_t, afs_config_t)
++allow afs_domain afs_config_t:dir list_dir_perms;
+
+ sysnet_read_config(afs_domain)
++
+diff --git a/aiccu.if b/aiccu.if
+index 3b5dcb9..fbe187f 100644
+--- a/aiccu.if
++++ b/aiccu.if
+@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
+ type aiccu_var_run_t;
+ ')
+
+- allow $1 aiccu_t:process { ptrace signal_perms };
++ allow $1 aiccu_t:process signal_perms;
+ ps_process_pattern($1, aiccu_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 aiccu_t:process ptrace;
++ ')
++
+ aiccu_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 aiccu_initrc_exec_t system_r;
+diff --git a/aiccu.te b/aiccu.te
+index 5d2b90e..7374df0 100644
+--- a/aiccu.te
++++ b/aiccu.te
+@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
+ corenet_tcp_bind_generic_node(aiccu_t)
+ corenet_tcp_sendrecv_generic_if(aiccu_t)
+ corenet_tcp_sendrecv_generic_node(aiccu_t)
+-
+ corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
+ corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+ corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+@@ -60,17 +59,24 @@ domain_use_interactive_fds(aiccu_t)
+ dev_read_rand(aiccu_t)
+ dev_read_urand(aiccu_t)
+
+-files_read_etc_files(aiccu_t)
++
++auth_read_passwd(aiccu_t)
+
+ logging_send_syslog_msg(aiccu_t)
+
+-miscfiles_read_localization(aiccu_t)
++optional_policy(`
++ gnome_dontaudit_search_config(aiccu_t)
++')
+
+ optional_policy(`
+ modutils_domtrans_insmod(aiccu_t)
+ ')
+
+ optional_policy(`
++ pcscd_stream_connect(aiccu_t)
++')
++
++optional_policy(`
+ sysnet_dns_name_resolve(aiccu_t)
+ sysnet_domtrans_ifconfig(aiccu_t)
+ ')
+diff --git a/aide.if b/aide.if
+index 01cbb67..94a4a24 100644
+--- a/aide.if
++++ b/aide.if
+@@ -67,9 +67,13 @@ interface(`aide_admin',`
+ type aide_t, aide_db_t, aide_log_t;
+ ')
+
+- allow $1 aide_t:process { ptrace signal_perms };
++ allow $1 aide_t:process signal_perms;
+ ps_process_pattern($1, aide_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 aide_t:process ptrace;
++ ')
++
+ aide_run($1, $2)
+
+ files_list_etc($1)
+diff --git a/aide.te b/aide.te
+index 03831e6..94a723f 100644
+--- a/aide.te
++++ b/aide.te
+@@ -10,6 +10,7 @@ attribute_role aide_roles;
+ type aide_t;
+ type aide_exec_t;
+ application_domain(aide_t, aide_exec_t)
++cron_system_entry(aide_t, aide_exec_t)
+ role aide_roles types aide_t;
+
+ type aide_log_t;
+@@ -23,22 +24,34 @@ files_type(aide_db_t)
+ # Local policy
+ #
+
+-allow aide_t self:capability { dac_override fowner };
++allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };
++allow aide_t self:process signal;
+
+ manage_files_pattern(aide_t, aide_db_t, aide_db_t)
++files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
+
+-create_files_pattern(aide_t, aide_log_t, aide_log_t)
+-append_files_pattern(aide_t, aide_log_t, aide_log_t)
+-setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
++manage_files_pattern(aide_t, aide_log_t, aide_log_t)
+ logging_log_filetrans(aide_t, aide_log_t, file)
+
++dev_read_rand(aide_t)
++dev_read_urand(aide_t)
++
+ files_read_all_files(aide_t)
+ files_read_all_symlinks(aide_t)
++files_getattr_all_pipes(aide_t)
++files_getattr_all_sockets(aide_t)
++
++mls_file_read_to_clearance(aide_t)
++mls_file_write_to_clearance(aide_t)
+
+ logging_send_audit_msgs(aide_t)
+ logging_send_syslog_msg(aide_t)
+
+-userdom_use_user_terminals(aide_t)
++userdom_use_inherited_user_terminals(aide_t)
++
++optional_policy(`
++ prelink_domtrans(aide_t)
++')
+
+ optional_policy(`
+ seutil_use_newrole_fds(aide_t)
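Review bot: `allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };` adds sys_admin to an integrity checker whose other rules only read files and write its own database and log; sys_admin is the broadest capability and nothing in the hunk says which operation needs it (ipc_lock for locking the database in memory is plausible, sys_admin is not). Please add a comment naming the syscall behind the denial, e.g. `# sys_admin: needed for <operation> -- TODO confirm`, or use the narrower permission if one exists. `mls_file_write_to_clearance(aide_t)` similarly widens what aide may write across MLS levels and should state why.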
+diff --git a/aisexec.if b/aisexec.if
+index a2997fa..861cebd 100644
+--- a/aisexec.if
++++ b/aisexec.if
+@@ -83,9 +83,13 @@ interface(`aisexecd_admin',`
+ type aisexec_initrc_exec_t;
+ ')
+
+- allow $1 aisexec_t:process { ptrace signal_perms };
++ allow $1 aisexec_t:process signal_perms;
+ ps_process_pattern($1, aisexec_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 aisexec_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 aisexec_initrc_exec_t system_r;
+diff --git a/aisexec.te b/aisexec.te
+index 4e4f063..808e067 100644
+--- a/aisexec.te
++++ b/aisexec.te
+@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+ kernel_read_system_state(aisexec_t)
+
+ corecmd_exec_bin(aisexec_t)
++corecmd_exec_shell(aisexec_t)
+
+ corenet_all_recvfrom_unlabeled(aisexec_t)
+ corenet_all_recvfrom_netlabel(aisexec_t)
+@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t)
+
+ logging_send_syslog_msg(aisexec_t)
+
+-miscfiles_read_localization(aisexec_t)
+-
+ userdom_rw_unpriv_user_semaphores(aisexec_t)
+ userdom_rw_unpriv_user_shared_mem(aisexec_t)
+
+@@ -105,6 +104,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ corosync_domtrans(aisexec_t)
++')
++
++optional_policy(`
++ # to communication with RHCS
+ rhcs_rw_dlm_controld_semaphores(aisexec_t)
+
+ rhcs_rw_fenced_semaphores(aisexec_t)
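Review bot: The new comment `# to communication with RHCS` reads awkwardly; `# to communicate with RHCS` is clearer. The `corosync_domtrans(aisexec_t)` block added just above it has no comment at all, and a similar one-liner stating when the transition is expected would keep the two optional blocks consistent.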
+diff --git a/ajaxterm.fc b/ajaxterm.fc
+new file mode 100644
+index 0000000..aeb1888
+--- /dev/null
++++ b/ajaxterm.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
++
++/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
++
++/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
+diff --git a/ajaxterm.if b/ajaxterm.if
+new file mode 100644
+index 0000000..7abe946
+--- /dev/null
++++ b/ajaxterm.if
+@@ -0,0 +1,90 @@
++## policy for ajaxterm
++
++########################################
++##
++## Execute a domain transition to run ajaxterm.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ajaxterm_domtrans',`
++ gen_require(`
++ type ajaxterm_t, ajaxterm_exec_t;
++ ')
++
++ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
++')
++
++########################################
++##
++## Execute ajaxterm server in the ajaxterm domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ajaxterm_initrc_domtrans',`
++ gen_require(`
++ type ajaxterm_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
++')
++
++#######################################
++##
++## Read and write the ajaxterm pty type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ajaxterm_rw_ptys',`
++ gen_require(`
++ type ajaxterm_devpts_t;
++ ')
++
++ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an ajaxterm environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ajaxterm_admin',`
++ gen_require(`
++ type ajaxterm_t, ajaxterm_initrc_exec_t;
++ ')
++
++ allow $1 ajaxterm_t:process signal_perms;
++ ps_process_pattern($1, ajaxterm_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ajaxterm_t:process ptrace;
++ ')
++
++ ajaxterm_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 ajaxterm_initrc_exec_t system_r;
++ allow $2 system_r;
++')
+diff --git a/ajaxterm.te b/ajaxterm.te
+new file mode 100644
+index 0000000..a95a4ad
+--- /dev/null
++++ b/ajaxterm.te
+@@ -0,0 +1,60 @@
++policy_module(ajaxterm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ajaxterm_t;
++type ajaxterm_exec_t;
++init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
++
++type ajaxterm_initrc_exec_t;
++init_script_file(ajaxterm_initrc_exec_t)
++
++type ajaxterm_var_run_t;
++files_pid_file(ajaxterm_var_run_t)
++
++type ajaxterm_devpts_t;
++term_login_pty(ajaxterm_devpts_t)
++
++########################################
++#
++# ajaxterm local policy
++#
++allow ajaxterm_t self:capability setuid;
++allow ajaxterm_t self:process { setpgid signal };
++allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
++allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
++allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
++
++allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
++term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
++
++manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
++
++kernel_read_system_state(ajaxterm_t)
++
++corecmd_exec_bin(ajaxterm_t)
++
++corenet_tcp_bind_generic_node(ajaxterm_t)
++corenet_tcp_bind_oa_system_port(ajaxterm_t)
++
++dev_read_urand(ajaxterm_t)
++
++domain_use_interactive_fds(ajaxterm_t)
++
++
++sysnet_dns_name_resolve(ajaxterm_t)
++
++#######################################
++#
++# SSH component local policy
++#
++
++optional_policy(`
++ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
++')
++
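Review bot: `allow ajaxterm_t self:capability setuid;` at the top of the local policy is undocumented, and together with `corecmd_exec_bin(ajaxterm_t)` it means a terminal session that does not leave the domain through the optional `ssh_basic_client_template` transition keeps running in the daemon's own domain with the ability to change uid. The web-exposed pty is the whole attack surface of this daemon, so the confinement story belongs in the policy: a comment above the optional_policy block such as `# sessions are expected to leave ajaxterm_t via the ssh client transition; without the ssh module the shell runs in ajaxterm_t`, and a comment on the setuid line naming what needs it. The `relabelfrom` on ajaxterm_devpts_t has no matching `relabelto` in this file, presumably because the ssh side relabels the pty, which is worth a word too. There is also a doubled blank line before `sysnet_dns_name_resolve`.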
+diff --git a/alsa.fc b/alsa.fc
+index 33d9d31..58bf182 100644
+--- a/alsa.fc
++++ b/alsa.fc
+@@ -23,4 +23,10 @@ ifdef(`distro_debian',`
+ /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+ /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
++/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
++
++/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_lock_t,s0)
++
++/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
++
++/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
+diff --git a/alsa.if b/alsa.if
+index ca8d8cf..053a30a 100644
+--- a/alsa.if
++++ b/alsa.if
+@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file manage_file_perms;
++ alsa_filetrans_home_content($1)
+ ')
+
+ ########################################
+@@ -210,51 +211,88 @@ interface(`alsa_relabel_home_files',`
+
+ ########################################
+ ##
+-## Create objects in user home
+-## directories with the generic alsa
+-## home type.
++## Read Alsa lib files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`alsa_read_lib',`
++ gen_require(`
++ type alsa_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
++')
++
++########################################
++##
++## Transition to alsa named content
++##
++##
+ ##
+-## Class of the object being created.
++## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`alsa_filetrans_home_content',`
++ gen_require(`
++ type alsa_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
++')
++
++########################################
++##
++## Transition to alsa named content
++##
++##
+ ##
+-## The name of the object being created.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`alsa_home_filetrans_alsa_home',`
++interface(`alsa_filetrans_named_content',`
+ gen_require(`
+ type alsa_home_t;
++ type alsa_etc_rw_t;
++ type alsa_var_lib_t;
+ ')
+
+- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
++ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
++ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
++ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
++ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
++ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
++ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
+ ')
+
+ ########################################
+ ##
+-## Read Alsa lib files.
++## Execute alsa server in the alsa domain.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
+ #
+-interface(`alsa_read_lib',`
++interface(`alsa_systemctl',`
+ gen_require(`
+- type alsa_var_lib_t;
++ type alsa_t;
++ type alsa_unit_file_t;
+ ')
+
+- files_search_var_lib($1)
+- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 alsa_unit_file_t:file read_file_perms;
++ allow $1 alsa_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, alsa_t)
+ ')
+
+ #########################################
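Review bot: `alsa_home_filetrans_alsa_home` is deleted outright rather than kept as a deprecated wrapper, so any out-of-tree module still calling it with three arguments stops building; the refpolicy convention is to keep the old name, emit `refpolicywarn(`$0($*) has been deprecated, use alsa_filetrans_home_content() instead.')` and forward to the new interface. The new `alsa_filetrans_named_content` reuses the one-line summary of `alsa_filetrans_home_content` ("Transition to alsa named content") although it covers /etc, /usr and /var/lib, so its summary should say what it actually does. Note also that `files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")` and the `alsa.conf` rule are keyed on the parent directory type rather than the path, so a `pcm` directory or `alsa.conf` file created under any usr_t directory becomes writable alsa_etc_rw_t, which is wider than the `/usr/share/alsa/...` file contexts; if that is acceptable it deserves a comment.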
+diff --git a/alsa.te b/alsa.te
+index 4b153f1..a799cd3 100644
+--- a/alsa.te
++++ b/alsa.te
+@@ -15,6 +15,9 @@ role alsa_roles types alsa_t;
+ type alsa_etc_rw_t;
+ files_config_file(alsa_etc_rw_t)
+
++type alsa_lock_t;
++files_lock_file(alsa_lock_t)
++
+ type alsa_tmp_t;
+ files_tmp_file(alsa_tmp_t)
+
+@@ -24,16 +27,23 @@ files_tmpfs_file(alsa_tmpfs_t)
+ type alsa_var_lib_t;
+ files_type(alsa_var_lib_t)
+
++type alsa_var_run_t;
++files_pid_file(alsa_var_run_t)
++
+ type alsa_home_t;
+ userdom_user_home_content(alsa_home_t)
+
++type alsa_unit_file_t;
++systemd_unit_file(alsa_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
+-dontaudit alsa_t self:capability sys_admin;
++allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
++dontaudit alsa_t self:capability { sys_tty_config sys_admin };
++allow alsa_t self:process { getsched setsched signal_perms };
+ allow alsa_t self:sem create_sem_perms;
+ allow alsa_t self:shm create_shm_perms;
+ allow alsa_t self:unix_stream_socket { accept listen };
+@@ -46,6 +56,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+
+ can_exec(alsa_t, alsa_exec_t)
+
++manage_files_pattern(alsa_t, alsa_lock_t, alsa_lock_t)
++files_lock_filetrans(alsa_t, alsa_lock_t, file)
++
+ manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+ files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+@@ -57,7 +70,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
+ manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+ manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+
++manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
++manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
++manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
++files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
++
+ kernel_read_system_state(alsa_t)
++kernel_signal(alsa_t)
+
+ corecmd_exec_bin(alsa_t)
+
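Review bot: `kernel_signal(alsa_t)` lets the audio state daemon send signals to kernel_t processes, which nothing else in this hunk explains and is unusual for alsactl; if it was added to silence a specific denial, record it in a comment (`# alsactl signals ... (bug reference)`) or narrow it to the real target, otherwise drop it. The alsa_var_run_t block grants `manage_lnk_files_pattern`, but `files_pid_filetrans` only lists `{ file dir }`, so a symlink created directly in /var/run would not get alsa_var_run_t; presumably only the pid file is created there, in which case the lnk_file rule is unneeded.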
+@@ -67,7 +86,6 @@ dev_read_sysfs(alsa_t)
+ dev_read_urand(alsa_t)
+ dev_write_sound(alsa_t)
+
+-files_read_usr_files(alsa_t)
+ files_search_var_lib(alsa_t)
+
+ term_dontaudit_use_console(alsa_t)
+@@ -80,8 +98,6 @@ init_use_fds(alsa_t)
+
+ logging_send_syslog_msg(alsa_t)
+
+-miscfiles_read_localization(alsa_t)
+-
+ userdom_manage_unpriv_user_semaphores(alsa_t)
+ userdom_manage_unpriv_user_shared_mem(alsa_t)
+ userdom_search_user_home_dirs(alsa_t)
+diff --git a/amanda.fc b/amanda.fc
+index 7f4dfbc..e5c9f45 100644
+--- a/amanda.fc
++++ b/amanda.fc
+@@ -1,5 +1,6 @@
+ /etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
+ /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
++/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+ /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
+ /etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+ # empty m4 string so the index macro is not invoked
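Review bot: Labelling `/etc/amanda/DailySet1(/.*)?` as amanda_data_t turns that whole configuration set, including whatever configuration files it holds, into a type that amanda_t can create, write and delete (see the `manage_files_pattern(amanda_t, amanda_data_t, ...)` rules later in this patch), whereas the generic `/etc/amanda(/.*)?` rule deliberately keeps configuration read-only as amanda_config_t. It also hardcodes one distribution's example configuration name, while the existing `/etc/amanda/.*/tapelist(/.*)?` pattern already handles the writable state for any configuration name. If DailySet1 needs more writable files, prefer per-file patterns under `/etc/amanda/.*/` over relabelling the directory, and add a comment naming which files amanda writes.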
+@@ -13,6 +14,8 @@
+ /usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+ /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
++/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0)
++
+ /usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+ /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
+diff --git a/amanda.te b/amanda.te
+index 519051c..f5784a5 100644
+--- a/amanda.te
++++ b/amanda.te
+@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
+ roleattribute system_r amanda_recover_roles;
+
+ type amanda_t;
++type amanda_exec_t;
+ type amanda_inetd_exec_t;
+-inetd_service_domain(amanda_t, amanda_inetd_exec_t)
++application_executable_file(amanda_exec_t)
++init_daemon_domain(amanda_t, amanda_inetd_exec_t)
++role system_r types amanda_t;
+
+-type amanda_exec_t;
+-domain_entry_file(amanda_t, amanda_exec_t)
++type amanda_unit_file_t;
++systemd_unit_file(amanda_unit_file_t)
+
+ type amanda_log_t;
+ logging_log_file(amanda_log_t)
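Review bot: `domain_entry_file(amanda_t, amanda_exec_t)` is replaced by `application_executable_file(amanda_exec_t)`, so amanda_exec_t is no longer an entrypoint of amanda_t; anything that previously entered amanda_t through a file labelled amanda_exec_t (the file contexts for those binaries are outside this hunk) will now fail the entrypoint check, leaving amanda_inetd_exec_t as the only entry. If that is intended, a comment such as `# amanda_exec_t helpers run in the caller's domain; amanda_t is entered only via amanda_inetd_exec_t` would keep the next maintainer from restoring it. `role system_r types amanda_t;` appears to duplicate what `init_daemon_domain` already declares and can go.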
+@@ -60,7 +63,7 @@ optional_policy(`
+ #
+
+ allow amanda_t self:capability { chown dac_override setuid kill };
+-allow amanda_t self:process { setpgid signal };
++allow amanda_t self:process { getsched setsched setpgid signal };
+ allow amanda_t self:fifo_file rw_fifo_file_perms;
+ allow amanda_t self:unix_stream_socket { accept listen };
+ allow amanda_t self:tcp_socket { accept listen };
+@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
+
+ manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
+ manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
++manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+ filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
+
+ allow amanda_t amanda_dumpdates_t:file rw_file_perms;
+@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+ corecmd_exec_shell(amanda_t)
+ corecmd_exec_bin(amanda_t)
+
+-corenet_all_recvfrom_unlabeled(amanda_t)
+ corenet_all_recvfrom_netlabel(amanda_t)
+ corenet_tcp_sendrecv_generic_if(amanda_t)
+ corenet_tcp_sendrecv_generic_node(amanda_t)
+ corenet_tcp_sendrecv_all_ports(amanda_t)
+ corenet_tcp_bind_generic_node(amanda_t)
+
++corenet_tcp_bind_amanda_port(amanda_t)
++corenet_udp_bind_amanda_port(amanda_t)
++
+ corenet_sendrecv_all_server_packets(amanda_t)
+ corenet_tcp_bind_all_rpc_ports(amanda_t)
+ corenet_tcp_bind_generic_port(amanda_t)
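Review bot: `corenet_udp_bind_amanda_port(amanda_t)` is added, but the only socket self-rule visible for amanda_t in this patch is `self:tcp_socket { accept listen }`, and neither a `self:udp_socket create_socket_perms` rule nor `corenet_udp_sendrecv_generic_if/node` appears here; unless those exist elsewhere in the file (the declaration section is outside this hunk), the UDP bind cannot be exercised. Either add the matching UDP socket rules next to it or drop the bind. The amanda port binds would also read better grouped with the existing `corenet_tcp_bind_generic_node` line rather than as a separate paragraph between it and the packet rules.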
+@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+
+ dev_getattr_all_blk_files(amanda_t)
+ dev_getattr_all_chr_files(amanda_t)
++dev_read_urand(amanda_t)
+
+ files_read_etc_runtime_files(amanda_t)
+ files_list_all(amanda_t)
+@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t)
+ corecmd_exec_shell(amanda_recover_t)
+ corecmd_exec_bin(amanda_recover_t)
+
+-corenet_all_recvfrom_unlabeled(amanda_recover_t)
+ corenet_all_recvfrom_netlabel(amanda_recover_t)
+ corenet_tcp_sendrecv_generic_if(amanda_recover_t)
+ corenet_udp_sendrecv_generic_if(amanda_recover_t)
+@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t)
+
+ auth_use_nsswitch(amanda_recover_t)
+
+-fstools_domtrans(amanda_t)
+-fstools_signal(amanda_t)
+-
+ logging_search_logs(amanda_recover_t)
+
+-miscfiles_read_localization(amanda_recover_t)
+-
+-userdom_use_user_terminals(amanda_recover_t)
++userdom_use_inherited_user_terminals(amanda_recover_t)
+ userdom_search_user_home_content(amanda_recover_t)
++
++optional_policy(`
++ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
++')
++
++optional_policy(`
++ fstools_domtrans(amanda_t)
++ fstools_signal(amanda_t)
++')
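Review bot: The two new `optional_policy` blocks apply to amanda_t but are appended to the amanda_recover_t section (they follow `auth_use_nsswitch(amanda_recover_t)` and the recover terminal rules), which is where the next reader will not look for them; move them into the amanda_t local policy section next to the other amanda_t optional blocks. Wrapping `inetd_service_domain(amanda_t, amanda_inetd_exec_t)` in optional_policy is right now that init_daemon_domain supplies the base declarations, but a one-line comment such as `# also reachable through inetd when that module is present` would make the dual entry explicit.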
+diff --git a/amavis.fc b/amavis.fc
+index 17689a7..8aa6849 100644
+--- a/amavis.fc
++++ b/amavis.fc
+@@ -12,8 +12,6 @@ ifdef(`distro_debian',`
+ /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
+ ')
+
+-/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+-
+ /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+
+ /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+diff --git a/amavis.if b/amavis.if
+index 60d4f8c..18ef077 100644
+--- a/amavis.if
++++ b/amavis.if
+@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',`
+
+ files_search_spool($1)
+ read_files_pattern($1, amavis_spool_t, amavis_spool_t)
++ allow $1 amavis_spool_t:dir list_dir_perms;
+ ')
+
+ ########################################
+@@ -153,6 +154,26 @@ interface(`amavis_read_lib_files',`
+
+ ########################################
+ ##
++## Read and write amavis lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`amavis_rw_lib_files',`
++ gen_require(`
++ type amavis_var_lib_t;
++ ')
++
++ rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
++ allow $1 amavis_var_lib_t:dir list_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
+ ## Create, read, write, and delete
+ ## amavis lib files.
+ ##
+@@ -234,9 +255,13 @@ interface(`amavis_admin',`
+ type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
+ ')
+
+- allow $1 amavis_t:process { ptrace signal_perms };
++ allow $1 amavis_t:process signal_perms;
+ ps_process_pattern($1, amavis_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 amavis_t:process ptrace;
++ ')
++
+ amavis_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 amavis_initrc_exec_t system_r;
+diff --git a/amavis.te b/amavis.te
+index 91fa72a..0b1afd6 100644
+--- a/amavis.te
++++ b/amavis.te
+@@ -39,7 +39,7 @@ type amavis_quarantine_t;
+ files_type(amavis_quarantine_t)
+
+ type amavis_spool_t;
+-files_type(amavis_spool_t)
++files_spool_file(amavis_spool_t)
+
+ ########################################
+ #
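Review bot: `amavis_spool_t` is still declared as a type here (and now given `files_spool_file`), but antivirus.te in this same patch declares `amavis_spool_t`, `amavis_var_lib_t`, `amavis_quarantine_t` and `amavis_t` itself as typealiases of the new antivirus types; a type and an alias of the same name cannot both be loaded, so the amavis and antivirus modules are mutually exclusive as written. Either amavis.te should be removed or reduced to the antivirus types, or the aliases in antivirus.te should be dropped, and the commit message should say which.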
+@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+ manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+
++# tmp files
++manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+ manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
++manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+ allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
++files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
+
+ manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+ manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
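Review bot: With `manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)` now present, the older `allow amavis_t amavis_tmp_t:dir setattr_dir_perms;` line is fully covered and can be removed, leaving the tmp block as the three manage patterns plus the filetrans. The filetrans line also has a stray space before its closing parenthesis: `files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file })`.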
+@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
+ corecmd_exec_bin(amavis_t)
+ corecmd_exec_shell(amavis_t)
+
+-corenet_all_recvfrom_unlabeled(amavis_t)
+ corenet_all_recvfrom_netlabel(amavis_t)
+ corenet_tcp_sendrecv_generic_if(amavis_t)
+ corenet_udp_sendrecv_generic_if(amavis_t)
+@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
+
+ corenet_sendrecv_razor_client_packets(amavis_t)
+ corenet_tcp_connect_razor_port(amavis_t)
++corenet_tcp_connect_agentx_port(amavis_t)
+
+ dev_read_rand(amavis_t)
+ dev_read_sysfs(amavis_t)
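Review bot: `corenet_tcp_connect_agentx_port(amavis_t)` is not paired with `corenet_sendrecv_agentx_client_packets(amavis_t)`, unlike the razor lines directly above it that pair the connect with its client-packet rule; without it the port is reachable but the packet class used under packet labeling is not. Add `corenet_sendrecv_agentx_client_packets(amavis_t)` above the connect line, and say why amavis talks to an AgentX master (presumably the amavisd-snmp subagent) in a comment.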
+@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t)
+ domain_dontaudit_read_all_domains_state(amavis_t)
+
+ files_read_etc_runtime_files(amavis_t)
+-files_read_usr_files(amavis_t)
+ files_search_spool(amavis_t)
+
+ fs_getattr_xattr_fs(amavis_t)
+@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t)
+
+ logging_send_syslog_msg(amavis_t)
+
+-miscfiles_read_localization(amavis_t)
++miscfiles_read_generic_certs(amavis_t)
++
++sysnet_use_ldap(amavis_t)
+
+ userdom_dontaudit_search_user_home_dirs(amavis_t)
+
+ tunable_policy(`amavis_use_jit',`
+- allow amavis_t self:process execmem;
++ allow amavis_t self:process execmem;
+ ',`
+- dontaudit amavis_t self:process execmem;
++ dontaudit amavis_t self:process execmem;
++')
++
++optional_policy(`
++ antivirus_domain_template(amavis_t)
+ ')
+
+ optional_policy(`
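Review bot: `antivirus_domain_template(amavis_t)` looks like a harmless optional hook, but it puts amavis_t on the `antivirus_domain` attribute, to which antivirus.te in this patch grants `self:capability { dac_override chown kill setgid setuid sys_admin }`, so this one line silently extends amavis_t with sys_admin whenever the antivirus module is loaded. If amavis really needs that, state it here (`# antivirus_domain grants sys_admin; required for ...`); otherwise the shared attribute should carry only what every antivirus program needs and sys_admin should stay per-domain. The remaining changes in this hunk are a whitespace-only reindent of the `amavis_use_jit` tunable, which would be cleaner as a separate cleanup.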
+@@ -173,6 +181,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ nslcd_stream_connect(amavis_t)
++')
++
++optional_policy(`
+ postfix_read_config(amavis_t)
+ postfix_list_spool(amavis_t)
+ ')
+diff --git a/amtu.te b/amtu.te
+index 16d0d66..60abfd0 100644
+--- a/amtu.te
++++ b/amtu.te
+@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
+
+ files_manage_boot_files(amtu_t)
+ files_read_etc_runtime_files(amtu_t)
+-files_read_etc_files(amtu_t)
+
+ logging_send_audit_msgs(amtu_t)
+
+-userdom_use_user_terminals(amtu_t)
++userdom_use_inherited_user_terminals(amtu_t)
+
+ optional_policy(`
+ nscd_dontaudit_search_pid(amtu_t)
+diff --git a/anaconda.fc b/anaconda.fc
+index b098089..37d428c 100644
+--- a/anaconda.fc
++++ b/anaconda.fc
+@@ -1 +1,12 @@
+ # No file context specifications.
++
++/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0)
++/usr/sbin/anaconda -- gen_context(system_u:object_r:install_exec_t,s0)
++
++/usr/bin/initial-setup -- gen_context(system_u:object_r:install_exec_t,s0)
++/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0)
++/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0)
++
++/usr/bin/preupg.* -- gen_context(system_u:object_r:preupgrade_exec_t,s0)
++/var/lib/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
++/var/log/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
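Review bot: The `# No file context specifications.` comment is left in place above eleven new file context lines and is now false; delete it. `/usr/bin/preupg.*` has an unescaped `.` and no anchor after it, so it matches any file in /usr/bin whose name merely starts with `preupg`; if only `preupg` and `preupg-*` are meant, `/usr/bin/preupg(-.*)?` is tighter. The preupgrade log directory is given the same `preupgrade_data_t` as its state directory, so reading the logs requires the data interfaces; a separate log type under `logging_log_file` would be the usual split.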
+diff --git a/anaconda.if b/anaconda.if
+index 14a61b7..76d9329 100644
+--- a/anaconda.if
++++ b/anaconda.if
+@@ -1 +1,132 @@
+ ## Anaconda installer.
++
++########################################
++##
++## Execute a domain transition to run install.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`anaconda_domtrans_install',`
++ gen_require(`
++ type install_t, install_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, install_exec_t, install_t)
++')
++
++########################################
++##
++## Execute install in the install
++## domain, and allow the specified
++## role the install domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++#
++interface(`anaconda_run_install',`
++ gen_require(`
++ type install_t;
++ type install_exec_t;
++ attribute_role install_roles;
++ ')
++
++ anaconda_domtrans_install($1)
++ roleattribute $2 install_roles;
++ role_transition $2 install_exec_t system_r;
++
++ optional_policy(`
++ rpm_transition_script(install_t, $2)
++ ')
++')
++
++########################################
++##
++## Execute preupgrade in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`anaconda_exec_preupgrade',`
++ gen_require(`
++ type preupgrade_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, preupgrade_exec_t)
++')
++
++########################################
++##
++## Execute a domain transition to run preupgrade.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`anaconda_domtrans_preupgrade',`
++ gen_require(`
++ type preupgrade_t, preupgrade_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, preupgrade_exec_t, preupgrade_t)
++')
++
++########################################
++##
++## Read preupgrade lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`anaconda_read_lib_files_preupgrade',`
++ gen_require(`
++ type preupgrade_data_t;
++ ')
++
++ read_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++ read_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Manage preupgrade lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`anaconda_manage_lib_files_preupgrade',`
++ gen_require(`
++ type preupgrade_data_t;
++ ')
++
++ manage_dirs_pattern($1, preupgrade_data_t, preupgrade_data_t)
++ manage_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++ manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++ files_search_var_lib($1)
++')
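Review bot: `anaconda_read_lib_files_preupgrade` and `anaconda_manage_lib_files_preupgrade` only call `files_search_var_lib($1)`, yet anaconda.fc in this patch labels `/var/log/preupgrade` with the same preupgrade_data_t, so a caller that needs the log directory is still denied the search on the log directory; add `logging_search_logs($1)` to both, or give the log directory its own type. `anaconda_domtrans_preupgrade` gives the caller no role while preupgrade_t is declared for system_r only, so its summary should say that callers outside system_r also need a role allow. The names would also follow the usual prefix-verb-object ordering as `anaconda_read_preupgrade_lib_files` and `anaconda_manage_preupgrade_lib_files` rather than putting the object last.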
+diff --git a/anaconda.te b/anaconda.te
+index aa44abf..84c95ed 100644
+--- a/anaconda.te
++++ b/anaconda.te
+@@ -4,6 +4,10 @@ gen_require(`
+ class passwd all_passwd_perms;
+ ')
+
++gen_require(`
++ class passwd { passwd chfn chsh rootok crontab };
++')
++
+ ########################################
+ #
+ # Declarations
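Review bot: The new `gen_require` for `class passwd { passwd chfn chsh rootok crontab }` directly follows the existing one for `class passwd all_passwd_perms;`, which already requires every permission on the class, so the addition is redundant and the two blocks should be merged into a single `gen_require`. If the intent was to replace the blanket require with the explicit list, the old block should be the one removed. The policy_module header that precedes these requires is above this hunk.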
+@@ -16,6 +20,22 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
+ domain_obj_id_change_exemption(anaconda_t)
+ role system_r types anaconda_t;
+
++attribute_role install_roles;
++roleattribute system_r install_roles;
++
++type install_t;
++type install_exec_t;
++application_domain(install_t, install_exec_t)
++role install_roles types install_t;
++
++type preupgrade_t;
++type preupgrade_exec_t;
++application_domain(preupgrade_t, preupgrade_exec_t)
++role system_r types preupgrade_t;
++
++type preupgrade_data_t;
++files_type(preupgrade_data_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -34,8 +54,9 @@ modutils_domtrans_insmod(anaconda_t)
+ modutils_domtrans_depmod(anaconda_t)
+
+ seutil_domtrans_semanage(anaconda_t)
++seutil_domtrans_setsebool(anaconda_t)
+
+-userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(anaconda_t)
+
+ optional_policy(`
+ rpm_domtrans(anaconda_t)
+@@ -53,3 +74,46 @@ optional_policy(`
+ optional_policy(`
+ unconfined_domain_noaudit(anaconda_t)
+ ')
++
++########################################
++#
++# Local policy
++#
++
++allow install_t self:capability2 mac_admin;
++
++systemd_dbus_chat_localed(install_t)
++
++tunable_policy(`deny_ptrace',`',`
++ domain_ptrace_all_domains(install_t)
++')
++
++optional_policy(`
++ mount_run(install_t, install_roles)
++')
++
++optional_policy(`
++ networkmanager_dbus_chat(install_t)
++')
++
++optional_policy(`
++ seutil_run_setfiles_mac(install_t, install_roles)
++')
++
++optional_policy(`
++ unconfined_domain_noaudit(install_t)
++')
++
++
++########################################
++#
++# Local policy
++#
++
++manage_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
++manage_dirs_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
++manage_lnk_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
++
++optional_policy(`
++ unconfined_domain_noaudit(preupgrade_t)
++')
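Review bot: Both new sections are headed `# Local policy`, the same title as the anaconda_t section above, so a reader cannot tell whose rules follow; name them `# install local policy` and `# preupgrade local policy`. `allow install_t self:capability2 mac_admin;` and `domain_ptrace_all_domains(install_t)` only matter when the unconfined module is absent (otherwise `unconfined_domain_noaudit` subsumes them), and in that case preupgrade_t has nothing beyond its data rules — no exec, no network, no terminal — so the confined fallback is incomplete; either document that these domains are expected to be unconfined or give preupgrade_t a usable confined ruleset. A comment on the mac_admin line, presumably there so the installer can set contexts the running policy does not define, would also help.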
+diff --git a/antivirus.fc b/antivirus.fc
+new file mode 100644
+index 0000000..219f32d
+--- /dev/null
++++ b/antivirus.fc
+@@ -0,0 +1,44 @@
++/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:antivirus_conf_t,s0)
++/etc/amavisd(/.*)? gen_context(system_u:object_r:antivirus_conf_t,s0)
++
++/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:antivirus_unit_file_t,s0)
++
++/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:antivirus_exec_t,s0)
++
++/usr/sbin/amavi -- gen_context(system_u:object_r:antivirus_exec_t,s0)
++/usr/sbin/amavisd.* -- gen_context(system_u:object_r:antivirus_exec_t,s0)
++/usr/bin/clamscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
++/usr/bin/clamdscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
++/usr/bin/freshclam -- gen_context(system_u:object_r:antivirus_exec_t,s0)
++
++/usr/sbin/clamd -- gen_context(system_u:object_r:antivirus_exec_t,s0)
++/usr/sbin/clamav-milter -- gen_context(system_u:object_r:antivirus_exec_t,s0)
++
++/var/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
++
++/var/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
++/var/lib/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
++/var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
++/var/lib/clamav-unofficial-sigs(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
++/var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0)
++/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
++/var/spool/amavisd(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
++/var/virusmails(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
++
++/var/log/amavisd\.log.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
++/var/log/clamav.* gen_context(system_u:object_r:antivirus_log_t,s0)
++/var/log/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
++/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
++/var/log/clamd.* gen_context(system_u:object_r:antivirus_log_t,s0)
++
++/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:antivirus_var_run_t,s0)
++/var/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
++
++/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
++/var/run/clamav.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
++/var/run/clamd.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
++
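Review bot: Several rules overlap with identical types: `/var/run/amavis(d)?/clamd\.pid` is already covered by `/var/run/amavis(d)?(/.*)?` three lines earlier, and `/var/log/clamav/freshclam.*` is covered by the unanchored `/var/log/clamav.*`; drop the duplicates so each label is stated once. `/var/log/clamav.*`, `/var/lib/clamd.*`, `/var/run/clamav.*` and `/var/run/clamd.*` have no `--` and no trailing anchor, so they also match any sibling whose name merely starts with `clamav`/`clamd`; `/var/log/clamav(/.*)?` is the usual shape. `/usr/sbin/amavi` on its own, next to `amavisd.*`, looks like it may be a truncated name and is worth confirming against the package.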
+diff --git a/antivirus.if b/antivirus.if
+new file mode 100644
+index 0000000..36251b9
+--- /dev/null
++++ b/antivirus.if
+@@ -0,0 +1,325 @@
++## SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan
++
++######################################
++##
++## Creates types and rules for a basic
++## antivirus domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++interface(`antivirus_domain_template',`
++ gen_require(`
++ attribute antivirus_domain;
++ ')
++
++ typeattribute $1 antivirus_domain;
++
++ kernel_read_system_state($1)
++')
++
++#######################################
++##
++## Execute a domain transition to run antivirus program.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`antivirus_domtrans',`
++ gen_require(`
++ type antivirus_t, antivirus_exec_t;
++ ')
++
++ domtrans_pattern($1, antivirus_exec_t, antivirus_t)
++')
++
++#######################################
++##
++## Execute antivirus program without a transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`antivirus_exec',`
++ gen_require(`
++ type antivirus_exec_t;
++ ')
++
++ can_exec($1, antivirus_exec_t)
++')
++
++#######################################
++##
++## Connect to run antivirus program.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`antivirus_stream_connect',`
++ gen_require(`
++ type antivirus_t, antivirus_db_t, antivirus_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
++ stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
++')
++
++#######################################
++##
++## Allow the specified domain to append
++## to antivirus log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`antivirus_append_log',`
++ gen_require(`
++ type antivirus_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 antivirus_log_t:dir list_dir_perms;
++ append_files_pattern($1, antivirus_log_t, antivirus_log_t)
++')
++
++#######################################
++##
++## Read antivirus configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`antivirus_read_config',`
++ gen_require(`
++ type antivirus_conf_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 antivirus_conf_t:file read_file_perms;
++')
++
++#######################################
++##
++## Search antivirus db content directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`antivirus_search_db',`
++ gen_require(`
++ type antivirus_db_t;
++ ')
++
++ files_search_var_lib($1)
++ files_search_spool($1)
++ allow $1 antivirus_db_t:dir search_dir_perms;
++')
++
++######################################
++##
++## Read antivirus db content directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`antivirus_read_db',`
++ gen_require(`
++ type antivirus_db_t;
++ ')
++
++ files_search_var_lib($1)
++ files_search_spool($1)
++ read_files_pattern($1, antivirus_db_t, antivirus_db_t)
++ read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
++')
++
++#####################################
++##
++## Read and write antivirus db content directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`antivirus_rw_db',`
++ gen_require(`
++ type antivirus_db_t;
++ ')
++
++ files_search_var_lib($1)
++ files_search_spool($1)
++ write_files_pattern($1, antivirus_db_t, antivirus_db_t)
++')
++
++####################################
++##
++## Manage antivirus db content directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`antivirus_manage_db',`
++ gen_require(`
++ type antivirus_db_t;
++ ')
++
++ files_search_var_lib($1)
++ files_search_spool($1)
++ manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
++ manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
++')
++
++#######################################
++##
++## Manage antivirus pid content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`antivirus_manage_pid',`
++ gen_require(`
++ type antivirus_var_run_t;
++ ')
++
++ manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
++ manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
++')
++
++######################################
++##
++## Read antivirus state files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`antivirus_read_state_clamd',`
++ gen_require(`
++ type antivirus_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, antivirus_t)
++')
++
++######################################
++##
++## Execute antivirus server in the antivirus domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`antivirus_systemctl',`
++ gen_require(`
++ type antivirus_t;
++ type antivirus_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 antivirus_unit_file_t:file read_file_perms;
++ allow $1 antivirus_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, antivirus_t)
++')
++
++#######################################
++##
++## All of the rules required to administrate
++## an antivirus programs environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the clamav domain.
++##
++##
++##
++#
++interface(`antivirus_admin',`
++ gen_require(`
++ attribute antivirus_domain;
++ type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
++ type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
++ type antivirus_initrc_exec_t, antivirus_unit_file_t;
++ ')
++
++ allow $1 antivirus_t:process signal_perms;
++ ps_process_pattern($1, antivirus_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 antivirus_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 antivirus_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ antivirus_systemctl($1)
++ admin_pattern($1, antivirus_unit_file_t)
++ allow $1 antivirus_unit_file_t:service all_service_perms;
++
++ files_list_etc($1)
++ admin_pattern($1, antivirus_conf_t)
++
++ files_list_var_lib($1)
++ admin_pattern($1, antivirus_db_t)
++
++ logging_list_logs($1)
++ admin_pattern($1, antivirus_log_t)
++
++ files_list_pids($1)
++ admin_pattern($1, antivirus_var_run_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, antivirus_tmp_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
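Review bot: `antivirus_domain_template` is documented as taking a "Prefix for the domain" and named as a template, but it creates no types: it adds the given domain to the `antivirus_domain` attribute and grants `kernel_read_system_state`, which in antivirus.te brings the attribute's whole capability set (including sys_admin) with it; rename it along the lines of `antivirus_domain_type` and document that the argument is a domain type and what membership grants. `antivirus_manage_pid` lacks `files_search_pids($1)`, so a caller without its own /var/run search cannot reach the files it is allowed to manage. `antivirus_systemctl` calls `systemd_read_fifo_file_passwd_run($1)` unconditionally while `antivirus_admin` wraps the same call in `optional_policy`; pick one, and the bare `init_labeled_script_domtrans` in `antivirus_admin` would be better exposed through an `antivirus_initrc_domtrans` interface like the other modules do.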
+diff --git a/antivirus.te b/antivirus.te
+new file mode 100644
+index 0000000..cb58319
+--- /dev/null
++++ b/antivirus.te
+@@ -0,0 +1,270 @@
++policy_module(antivirus, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
++## Allow antivirus programs to read non security files on a system
++##
++##
++gen_tunable(antivirus_can_scan_system, false)
++
++##
++##
++## Determine whether can antivirus programs use JIT compiler.
++##
++##
++gen_tunable(antivirus_use_jit, false)
++
++attribute antivirus_domain;
++
++type antivirus_t;
++type antivirus_exec_t;
++typeattribute antivirus_t antivirus_domain;
++typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ;
++typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t };
++init_daemon_domain(antivirus_t, antivirus_exec_t)
++
++type antivirus_initrc_exec_t;
++typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t };
++init_script_file(antivirus_initrc_exec_t)
++
++type antivirus_unit_file_t;
++typealias antivirus_unit_file_t alias { clamd_unit_file_t };
++systemd_unit_file(antivirus_unit_file_t)
++
++type antivirus_conf_t;
++typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
++files_config_file(antivirus_conf_t)
++
++type antivirus_var_run_t;
++typealias antivirus_var_run_t alias { amavis_var_run_t clamd_var_run_t clamd_sock_t };
++files_pid_file(antivirus_var_run_t)
++
++type antivirus_log_t;
++typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t };
++logging_log_file(antivirus_log_t)
++
++type antivirus_db_t;
++typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
++files_type(antivirus_db_t)
++
++type antivirus_home_t;
++userdom_user_home_content(antivirus_home_t)
++
++type antivirus_tmp_t;
++typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
++files_tmp_file(antivirus_tmp_t)
++
++########################################
++#
++# antivirus domain local policy
++#
++
++allow antivirus_domain self:capability { dac_override chown kill setgid setuid sys_admin };
++dontaudit antivirus_domain self:capability sys_tty_config;
++allow antivirus_domain self:process signal_perms;
++
++allow antivirus_domain self:fifo_file rw_fifo_file_perms;
++allow antivirus_domain self:unix_stream_socket { accept connectto listen };
++allow antivirus_domain self:tcp_socket { listen accept };
++
++allow antivirus_domain antivirus_conf_t:dir list_dir_perms;
++read_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
++read_lnk_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
++
++manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++
++manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
++manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
++manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
++manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
++
++manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
++manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
++manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
++files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
++
++manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
++manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
++manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
++logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
++
++manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
++manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
++manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
++files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
++
++can_exec(antivirus_domain, antivirus_exec_t)
++
++kernel_read_network_state(antivirus_domain)
++kernel_read_all_sysctls(antivirus_domain)
++
++corecmd_exec_bin(antivirus_domain)
++corecmd_exec_shell(antivirus_domain)
++
++corenet_all_recvfrom_netlabel(antivirus_t)
++corenet_tcp_sendrecv_generic_if(antivirus_t)
++corenet_udp_sendrecv_generic_if(antivirus_t)
++corenet_tcp_sendrecv_generic_node(antivirus_domain)
++corenet_udp_sendrecv_generic_node(antivirus_domain)
++corenet_tcp_sendrecv_all_ports(antivirus_domain)
++corenet_udp_sendrecv_all_ports(antivirus_domain)
++corenet_tcp_bind_generic_node(antivirus_domain)
++corenet_udp_bind_generic_node(antivirus_domain)
++
++corenet_sendrecv_amavisd_send_client_packets(antivirus_domain)
++corenet_tcp_connect_amavisd_send_port(antivirus_domain)
++
++corenet_sendrecv_amavisd_recv_server_packets(antivirus_domain)
++corenet_tcp_bind_amavisd_recv_port(antivirus_domain)
++
++corenet_sendrecv_generic_server_packets(antivirus_domain)
++corenet_udp_bind_generic_port(antivirus_domain)
++corenet_dontaudit_udp_bind_all_ports(antivirus_domain)
++
++corenet_sendrecv_razor_client_packets(antivirus_domain)
++corenet_tcp_connect_razor_port(antivirus_domain)
++corenet_tcp_connect_agentx_port(antivirus_domain)
++
++corenet_tcp_connect_clamd_port(antivirus_domain)
++
++corenet_sendrecv_clamd_server_packets(antivirus_domain)
++corenet_tcp_bind_clamd_port(antivirus_domain)
++
++corenet_sendrecv_http_client_packets(antivirus_domain)
++corenet_tcp_connect_http_port(antivirus_domain)
++corenet_tcp_sendrecv_http_port(antivirus_domain)
++
++corenet_sendrecv_http_cache_client_packets(antivirus_domain)
++corenet_tcp_connect_http_cache_port(antivirus_domain)
++corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
++
++#support for MySQL/PostgreSQL
++corenet_tcp_connect_mysqld_port(antivirus_domain)
++corenet_tcp_connect_postgresql_port(antivirus_domain)
++
++corenet_sendrecv_snmp_client_packets(antivirus_domain)
++corenet_tcp_connect_snmp_port(antivirus_domain)
++
++corenet_sendrecv_squid_client_packets(antivirus_domain)
++corenet_tcp_connect_squid_port(antivirus_domain)
++corenet_tcp_sendrecv_squid_port(antivirus_domain)
++
++dev_read_rand(antivirus_domain)
++dev_read_sysfs(antivirus_domain)
++dev_read_urand(antivirus_domain)
++
++domain_dontaudit_read_all_domains_state(antivirus_domain)
++
++files_dontaudit_read_security_files(antivirus_domain)
++files_read_etc_runtime_files(antivirus_domain)
++files_search_spool(antivirus_domain)
++
++fs_getattr_xattr_fs(antivirus_domain)
++
++auth_use_nsswitch(antivirus_t)
++auth_dontaudit_read_shadow(antivirus_domain)
++
++init_read_state(antivirus_domain)
++init_read_utmp(antivirus_domain)
++init_stream_connect_script(antivirus_domain)
++init_dontaudit_write_utmp(antivirus_domain)
++
++logging_send_syslog_msg(antivirus_t)
++
++miscfiles_read_generic_certs(antivirus_domain)
++
++sysnet_use_ldap(antivirus_domain)
++
++userdom_stream_connect(antivirus_domain)
++userdom_dontaudit_search_user_home_dirs(antivirus_domain)
++
++tunable_policy(`antivirus_can_scan_system',`
++ files_read_non_security_files(antivirus_domain)
++ files_getattr_all_pipes(antivirus_domain)
++ files_getattr_all_sockets(antivirus_domain)
++ dev_getattr_all_blk_files(antivirus_domain)
++ dev_getattr_all_chr_files(antivirus_domain)
++')
++
++tunable_policy(`antivirus_use_jit',`
++ allow antivirus_domain self:process execmem;
++ allow antivirus_domain self:process execmem;
++',`
++ dontaudit antivirus_domain self:process execmem;
++ dontaudit antivirus_domain self:process execmem;
++')
++
++optional_policy(`
++ apache_read_sys_content(antivirus_domain)
++')
++
++optional_policy(`
++ antivirus_systemctl(antivirus_domain)
++')
++
++optional_policy(`
++ cron_system_entry(antivirus_t, antivirus_exec_t)
++ cron_use_fds(antivirus_domain)
++ cron_use_system_job_fds(antivirus_domain)
++ cron_rw_pipes(antivirus_domain)
++')
++
++optional_policy(`
++ dcc_domtrans_client(antivirus_domain)
++ dcc_stream_connect_dccifd(antivirus_domain)
++')
++
++optional_policy(`
++ exim_read_spool_files(antivirus_domain)
++')
++
++optional_policy(`
++ mta_read_config(antivirus_domain)
++ mta_read_queue(antivirus_domain)
++ mta_send_mail(antivirus_domain)
++')
++
++optional_policy(`
++ nslcd_stream_connect(antivirus_domain)
++')
++
++optional_policy(`
++ mysql_stream_connect(antivirus_domain)
++ corenet_tcp_connect_mysqld_port(antivirus_domain)
++')
++
++optional_policy(`
++ postfix_read_config(antivirus_domain)
++ postfix_list_spool(antivirus_domain)
++')
++
++optional_policy(`
++ pyzor_domtrans(antivirus_domain)
++ pyzor_signal(antivirus_domain)
++')
++
++optional_policy(`
++ razor_domtrans(antivirus_domain)
++')
++
++optional_policy(`
++ snmp_manage_var_lib_dirs(antivirus_domain)
++ snmp_manage_var_lib_files(antivirus_domain)
++ snmp_stream_connect(antivirus_domain)
++')
++
++optional_policy(`
++ spamd_stream_connect(clamd_t)
++ spamassassin_exec(antivirus_domain)
++ spamassassin_exec_client(antivirus_domain)
++ spamassassin_read_lib_files(antivirus_domain)
++ spamassassin_read_pid_files(antivirus_domain)
++')
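Review bot: The `antivirus_use_jit` tunable block carries each rule twice — `allow antivirus_domain self:process execmem;` on two consecutive lines, and the `dontaudit` in the else branch likewise — so one copy of each should be dropped. The hunk also mixes targets: `corenet_all_recvfrom_netlabel`, the two `corenet_*_sendrecv_generic_if` calls, `auth_use_nsswitch`, `logging_send_syslog_msg` and `cron_system_entry` are granted to `antivirus_t`, and `spamd_stream_connect` to the alias `clamd_t`, while every other rule targets the `antivirus_domain` attribute, so any domain later attached to the attribute would silently lack those permissions; they should presumably read `antivirus_domain` as well. `corenet_tcp_connect_mysqld_port(antivirus_domain)` is granted unconditionally under the MySQL/PostgreSQL comment and again inside the mysql `optional_policy` block, which makes the second copy redundant. Because amavis, clamd, clamscan and freshclam are all collapsed into `antivirus_t` by the typealias lines, each of them now receives the union of the former per-program rules, including `sys_admin` and `dac_override`; a comment above the capability line stating which program needs each capability in the merged domain would let reviewers judge the set.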
+diff --git a/apache.fc b/apache.fc
+index 7caefc3..3009a35 100644
+--- a/apache.fc
++++ b/apache.fc
+@@ -1,162 +1,204 @@
+-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
++HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
++HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+ HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
+ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
+
+-/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+-/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+-/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+-/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-
+-/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
++/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
++/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
++/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
++/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
++/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/thttpd\.conf -- gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+-/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/thttpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+
+-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
+-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
++/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
++/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+
+-/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-
+-ifdef(`distro_suse',`
+-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
++/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
++
++ifdef(`distro_suse', `
++/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ ')
+
+-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-
+-/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
++/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
++/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
++/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+ /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+-
+-/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
++
++/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/graphite-web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++
+ /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+-/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-
+-/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++
++/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/horizon(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/log/thttpd\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++ifdef(`distro_debian', `
++/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++')
+
+-/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+-
+-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+-
+-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
++
++/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
++/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++
++/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+-/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/moodle/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
++/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
++/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+diff --git a/apache.if b/apache.if
+index f6eb485..164501c 100644
+--- a/apache.if
++++ b/apache.if
+@@ -1,9 +1,9 @@
+-## Various web servers.
++## Apache web server
+
+ ########################################
+ ##
+-## Create a set of derived types for
+-## httpd web content.
++## Create a set of derived types for apache
++## web content.
+ ##
+ ##
+ ##
+@@ -13,118 +13,126 @@
+ #
+ template(`apache_content_template',`
+ gen_require(`
+- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
+- attribute httpd_script_domains, httpd_htaccess_type;
++ attribute httpd_exec_scripts, httpd_script_exec_type;
+ type httpd_t, httpd_suexec_t;
++ attribute httpd_script_type, httpd_content_type;
+ ')
+
+- ########################################
+- #
+- # Declarations
+- #
+-
+- ##
+- ##
+- ## Determine whether the script domain can
+- ## modify public files used for public file
+- ## transfer services. Directories/Files must
+- ## be labeled public_content_rw_t.
+- ##
+- ##
+- gen_tunable(allow_httpd_$1_script_anon_write, false)
+-
+- type httpd_$1_content_t, httpdcontent; # customizable
+- typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+- files_type(httpd_$1_content_t)
+-
+- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
+- files_type(httpd_$1_htaccess_t)
+-
+- type httpd_$1_script_t, httpd_script_domains;
+- domain_type(httpd_$1_script_t)
+- role system_r types httpd_$1_script_t;
+-
+- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+- corecmd_shell_entry_type(httpd_$1_script_t)
+- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
+-
+- type httpd_$1_rw_content_t, httpdcontent; # customizable
+- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+- files_type(httpd_$1_rw_content_t)
+-
+- type httpd_$1_ra_content_t, httpdcontent; # customizable
+- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+- files_type(httpd_$1_ra_content_t)
+-
+- ########################################
+- #
+- # Policy
+- #
+-
+- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+-
+- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+-
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
+- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
+-
+- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+-
+- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
+- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
+- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
+-
+- tunable_policy(`allow_httpd_$1_script_anon_write',`
+- miscfiles_manage_public_files(httpd_$1_script_t)
+- ')
+-
++ #This type is for webpages
++ type $1_content_t; # customizable;
++ typeattribute $1_content_t httpd_content_type;
++ typealias $1_content_t alias httpd_$1_script_ro_t;
++ files_type($1_content_t)
++
++ # This type is used for .htaccess files
++ type $1_htaccess_t, httpd_content_type; # customizable;
++ typeattribute $1_htaccess_t httpd_content_type;
++ files_type($1_htaccess_t)
++
++ # Type that CGI scripts run as
++ type $1_script_t, httpd_script_type;
++ domain_type($1_script_t)
++ role system_r types $1_script_t;
++
++ kernel_read_system_state($1_script_t)
++
++ # This type is used for executable scripts files
++ type $1_script_exec_t, httpd_script_exec_type; # customizable;
++ typeattribute $1_script_exec_t httpd_content_type;
++ domain_entry_file($1_script_t, $1_script_exec_t)
++
++ type $1_rw_content_t; # customizable
++ typeattribute $1_rw_content_t httpd_content_type;
++ typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
++ files_type($1_rw_content_t)
++
++ type $1_ra_content_t, httpd_content_type; # customizable
++ typeattribute $1_ra_content_t httpd_content_type;
++ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
++ files_type($1_ra_content_t)
++
++ # Allow the script process to search the cgi directory, and users directory
++ allow $1_script_t $1_content_t:dir search_dir_perms;
++
++ can_exec($1_script_t, $1_script_exec_t)
++ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
++ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
++ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++
++ allow $1_script_t $1_content_t:dir list_dir_perms;
++ read_files_pattern($1_script_t, $1_content_t, $1_content_t)
++ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
++
++ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++
++ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
++
++ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
++ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+
+- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+- ')
++ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
++ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+
+- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
+- can_exec(httpd_t, httpd_$1_rw_content_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
+- ')
++ allow $1_script_t $1_script_exec_t:file entrypoint;
+
+- tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
+- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
+- ')
++ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
+
+- tunable_policy(`httpd_enable_cgi && httpd_unified',`
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
+- ')
++ # privileged users run the script:
++ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
++
++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
+
+- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
++ # apache runs the script:
++ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
++ allow httpd_t $1_script_t:unix_dgram_socket sendto;
+ ')
+ ')
+
+ ########################################
+ ##
+-## Role access for apache.
++## Create a set of derived types for apache
++## web content.
++##
++##
++##
++## The prefix to be used for deriving new type names.
++##
++##
++##
++##
++## The prefix to be used for deriving old type names.
++##
++##
++#
++template(`apache_content_alias_template',`
++ typealias $1_htaccess_t alias httpd_$2_htaccess_t;
++ typealias $1_script_t alias httpd_$2_script_t;
++ typealias $1_script_exec_t alias httpd_$2_script_exec_t;
++ typealias $1_content_t alias httpd_$2_content_t;
++ typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
++ typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
++')
++
++########################################
++##
++## Role access for apache
+ ##
+ ##
+ ##
+@@ -133,47 +141,61 @@ template(`apache_content_template',`
+ ##
+ ##
+ ##
+-## User domain for the role.
++## User domain for the role
+ ##
+ ##
+ #
+ interface(`apache_role',`
+ gen_require(`
+ attribute httpdcontent;
+- type httpd_user_content_t, httpd_user_htaccess_t;
+- type httpd_user_script_t, httpd_user_script_exec_t;
+- type httpd_user_ra_content_t, httpd_user_rw_content_t;
++ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
++ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
+ ')
+
+ role $1 types httpd_user_script_t;
+
+- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
+-
+- allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
+- allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+-
+- allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
+- allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+-
+- allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
+- allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+-
+- allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
+- allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+-
+- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
+- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
+- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
+-
+- filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
+- filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+- filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
++ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
++
++ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++
++ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++
++ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++
++ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++ relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++
++ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++
++ apache_exec_modules($2)
++ apache_filetrans_home_content($2)
+
+ tunable_policy(`httpd_enable_cgi',`
++ # If a user starts a script by hand it gets the proper context
+ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+ ')
+
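Review bot: The six `manage_*_pattern`/`relabel_*_pattern` calls for `httpd_user_content_t` are duplicated in the new `apache_role` body: they appear once after the `httpd_user_htaccess_t` rule and again verbatim after the `httpd_user_ra_content_t` group. Drop the second copy; it adds no access and makes the interface harder to audit. The `userdom_user_home_dir_filetrans` and `filetrans_pattern` rules the old body carried are presumably now provided by `apache_filetrans_home_content($2)`, which is not visible here, so that should be confirmed. The closing lines of `apache_role` are outside this hunk.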
+@@ -184,7 +206,7 @@ interface(`apache_role',`
+
+ ########################################
+ ##
+-## Read user httpd script executable files.
++## Read httpd user scripts executables.
+ ##
+ ##
+ ##
+@@ -204,7 +226,7 @@ interface(`apache_read_user_scripts',`
+
+ ########################################
+ ##
+-## Read user httpd content.
++## Read user web content.
+ ##
+ ##
+ ##
+@@ -224,7 +246,7 @@ interface(`apache_read_user_content',`
+
+ ########################################
+ ##
+-## Execute httpd with a domain transition.
++## Transition to apache.
+ ##
+ ##
+ ##
+@@ -241,27 +263,47 @@ interface(`apache_domtrans',`
+ domtrans_pattern($1, httpd_exec_t, httpd_t)
+ ')
+
+-########################################
++######################################
+ ##
+-## Execute httpd server in the httpd domain.
++## Allow the specified domain to execute apache
++## in the caller domain.
+ ##
+ ##
+ ##
+-## Domain allowed to transition.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`apache_initrc_domtrans',`
++interface(`apache_exec',`
+ gen_require(`
+- type httpd_initrc_exec_t;
++ type httpd_exec_t;
+ ')
+
+- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
++ can_exec($1, httpd_exec_t)
++')
++
++######################################
++##
++## Allow the specified domain to execute apache suexec
++## in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_exec_suexec',`
++ gen_require(`
++ type httpd_suexec_exec_t;
++ ')
++
++ can_exec($1, httpd_suexec_exec_t)
+ ')
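Review bot: `apache_initrc_domtrans` is removed outright rather than kept alongside the new `apache_exec`, so any module still calling it will fail to build once this patch is applied; unless its callers are updated elsewhere in the patch (not visible here), keep the old interface next to the new one, possibly marked deprecated. The `httpd_initrc_exec_t` type is dropped from `gen_require` with it, which is consistent only if no remaining rule in apache.if references it.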
+
+ #######################################
+ ##
+-## Send generic signals to httpd.
++## Send a generic signal to apache.
+ ##
+ ##
+ ##
+@@ -279,7 +321,7 @@ interface(`apache_signal',`
+
+ ########################################
+ ##
+-## Send null signals to httpd.
++## Send a null signal to apache.
+ ##
+ ##
+ ##
+@@ -297,7 +339,7 @@ interface(`apache_signull',`
+
+ ########################################
+ ##
+-## Send child terminated signals to httpd.
++## Send a SIGCHLD signal to apache.
+ ##
+ ##
+ ##
+@@ -315,8 +357,7 @@ interface(`apache_sigchld',`
+
+ ########################################
+ ##
+-## Inherit and use file descriptors
+-## from httpd.
++## Inherit and use file descriptors from Apache.
+ ##
+ ##
+ ##
+@@ -334,8 +375,8 @@ interface(`apache_use_fds',`
+
+ ########################################
+ ##
+-## Do not audit attempts to read and
+-## write httpd unnamed pipes.
++## Do not audit attempts to read and write Apache
++## unnamed pipes.
+ ##
+ ##
+ ##
+@@ -348,13 +389,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
+ type httpd_t;
+ ')
+
+- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Allow attempts to read and write Apache
++## unix domain stream sockets.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`apache_rw_stream_sockets',`
++ gen_require(`
++ type httpd_t;
++ ')
++
++ allow $1 httpd_t:unix_stream_socket { getattr read write };
+ ')
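Review bot: The parameter description of the new `apache_rw_stream_sockets` reads `## Domain to not audit.`, copied from the dontaudit interface above it, even though this interface grants access; it should read `## Domain allowed access.`. Also, `rw_inherited_fifo_file_perms` on the changed dontaudit line is not a permission set defined anywhere in this hunk, so it must be provided by the policy's permission-set definitions for the file to build.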
+
+ ########################################
+ ##
+-## Do not audit attempts to read and
+-## write httpd unix domain stream sockets.
++## Do not audit attempts to read and write Apache
++## unix domain stream sockets.
+ ##
+ ##
+ ##
+@@ -367,13 +427,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
+ type httpd_t;
+ ')
+
+- dontaudit $1 httpd_t:unix_stream_socket { read write };
++ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read and
+-## write httpd TCP sockets.
++## Do not audit attempts to read and write Apache
++## TCP sockets.
+ ##
+ ##
+ ##
+@@ -391,8 +451,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## all httpd content.
++## Create, read, write, and delete all web content.
+ ##
+ ##
+ ##
+@@ -417,7 +476,8 @@ interface(`apache_manage_all_content',`
+
+ ########################################
+ ##
+-## Set attributes httpd cache directories.
++## Allow domain to set the attributes
++## of the APACHE cache directory.
+ ##
+ ##
+ ##
+@@ -435,7 +495,8 @@ interface(`apache_setattr_cache_dirs',`
+
+ ########################################
+ ##
+-## List httpd cache directories.
++## Allow the specified domain to list
++## Apache cache.
+ ##
+ ##
+ ##
+@@ -453,7 +514,8 @@ interface(`apache_list_cache',`
+
+ ########################################
+ ##
+-## Read and write httpd cache files.
++## Allow the specified domain to read
++## and write Apache cache files.
+ ##
+ ##
+ ##
+@@ -471,7 +533,8 @@ interface(`apache_rw_cache_files',`
+
+ ########################################
+ ##
+-## Delete httpd cache directories.
++## Allow the specified domain to delete
++## Apache cache dirs.
+ ##
+ ##
+ ##
+@@ -489,7 +552,8 @@ interface(`apache_delete_cache_dirs',`
+
+ ########################################
+ ##
+-## Delete httpd cache files.
++## Allow the specified domain to delete
++## Apache cache.
+ ##
+ ##
+ ##
+@@ -507,49 +571,51 @@ interface(`apache_delete_cache_files',`
+
+ ########################################
+ ##
+-## Read httpd configuration files.
++## Allow the specified domain to search
++## apache configuration dirs.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`apache_read_config',`
++interface(`apache_search_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+- allow $1 httpd_config_t:dir list_dir_perms;
+- read_files_pattern($1, httpd_config_t, httpd_config_t)
+- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
++ allow $1 httpd_config_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Search httpd configuration directories.
++## Allow the specified domain to read
++## apache configuration files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`apache_search_config',`
++interface(`apache_read_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+- allow $1 httpd_config_t:dir search_dir_perms;
++ allow $1 httpd_config_t:dir list_dir_perms;
++ read_files_pattern($1, httpd_config_t, httpd_config_t)
++ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## httpd configuration files.
++## Allow the specified domain to manage
++## apache configuration files.
+ ##
+ ##
+ ##
+@@ -570,8 +636,8 @@ interface(`apache_manage_config',`
+
+ ########################################
+ ##
+-## Execute the Apache helper program
+-## with a domain transition.
++## Execute the Apache helper program with
++## a domain transition.
+ ##
+ ##
+ ##
+@@ -608,16 +674,38 @@ interface(`apache_domtrans_helper',`
+ #
+ interface(`apache_run_helper',`
+ gen_require(`
+- attribute_role httpd_helper_roles;
++ type httpd_helper_t;
+ ')
+
+ apache_domtrans_helper($1)
+- roleattribute $2 httpd_helper_roles;
++ role $2 types httpd_helper_t;
++')
++
++########################################
++##
++## dontaudit attempts to read
++## apache log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_dontaudit_read_log',`
++ gen_require(`
++ type httpd_log_t;
++ ')
++
++ dontaudit $1 httpd_log_t:file read_file_perms;
++ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
+ ')
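Review bot: The new `apache_dontaudit_read_log` describes its parameter as `## Domain allowed access.` while the interface emits only `dontaudit` rules; the other dontaudit interfaces in this file use `## Domain to not audit.`, so use that here. The same hunk moves `apache_run_helper` from `roleattribute $2 httpd_helper_roles` to `role $2 types httpd_helper_t`, dropping the role attribute the previous version relied on; if that is deliberate, a one-line comment on why the direct `role ... types` form is preferred would help the next reader.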
+
+ ########################################
+ ##
+-## Read httpd log files.
++## Allow the specified domain to read
++## apache log files.
+ ##
+ ##
+ ##
+@@ -639,7 +727,8 @@ interface(`apache_read_log',`
+
+ ########################################
+ ##
+-## Append httpd log files.
++## Allow the specified domain to append
++## to apache log files.
+ ##
+ ##
+ ##
+@@ -657,10 +746,29 @@ interface(`apache_append_log',`
+ append_files_pattern($1, httpd_log_t, httpd_log_t)
+ ')
+
++#######################################
++##
++## Allow the specified domain to write
++## to apache log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_write_log',`
++ gen_require(`
++ type httpd_log_t;
++ ')
++
++ allow $1 httpd_log_t:file write;
++')
++
+ ########################################
+ ##
+-## Do not audit attempts to append
+-## httpd log files.
++## Do not audit attempts to append to the
++## Apache logs.
+ ##
+ ##
+ ##
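Review bot: The new `apache_write_log` grants only `allow $1 httpd_log_t:file write;` with no search on the log directory and no `open`, so a caller can use it only on a descriptor it already inherited; the version being removed later in this file used `logging_search_logs($1)` plus `write_files_pattern($1, httpd_log_t, httpd_log_t)`. If the narrower access is intended for inherited descriptors, the summary should say so; otherwise restore `logging_search_logs($1)` and `write_files_pattern($1, httpd_log_t, httpd_log_t)`.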
+@@ -678,8 +786,8 @@ interface(`apache_dontaudit_append_log',`
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## httpd log files.
++## Allow the specified domain to manage
++## to apache var lib files.
+ ##
+ ##
+ ##
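Review bot: The new summary `## Allow the specified domain to manage` / `## to apache var lib files.` carries a stray "to"; `## apache var lib files.` reads correctly. The same slip appears in the `apache_manage_log` summary in a following hunk (`## to apache log files.`).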
+@@ -687,20 +795,21 @@ interface(`apache_dontaudit_append_log',`
+ ##
+ ##
+ #
+-interface(`apache_manage_log',`
++interface(`apache_manage_lib',`
+ gen_require(`
+- type httpd_log_t;
++ type httpd_var_lib_t;
+ ')
+
+- logging_search_logs($1)
+- manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+- manage_files_pattern($1, httpd_log_t, httpd_log_t)
+- read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
++ manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
++ read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+ ')
+
+-#######################################
++########################################
+ ##
+-## Write apache log files.
++## Allow the specified domain to manage
++## to apache log files.
+ ##
+ ##
+ ##
+@@ -708,19 +817,21 @@ interface(`apache_manage_log',`
+ ##
+ ##
+ #
+-interface(`apache_write_log',`
++interface(`apache_manage_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+- write_files_pattern($1, httpd_log_t, httpd_log_t)
++ manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
++ manage_files_pattern($1, httpd_log_t, httpd_log_t)
++ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search
+-## httpd module directories.
++## Do not audit attempts to search Apache
++## module directories.
+ ##
+ ##
+ ##
+@@ -738,7 +849,8 @@ interface(`apache_dontaudit_search_modules',`
+
+ ########################################
+ ##
+-## List httpd module directories.
++## Allow the specified domain to read
++## the apache module directories.
+ ##
+ ##
+ ##
+@@ -746,17 +858,19 @@ interface(`apache_dontaudit_search_modules',`
+ ##
+ ##
+ #
+-interface(`apache_list_modules',`
++interface(`apache_read_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+- allow $1 httpd_modules_t:dir list_dir_perms;
++ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+ ')
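Review bot: The renamed `apache_read_modules` keeps only `read_files_pattern($1, httpd_modules_t, httpd_modules_t)`; the `libs_search_lib($1)` that the removed `apache_read_module_files` carried (see the later hunk) is gone, so a caller without its own search access to the library directories cannot reach the module files. Add `libs_search_lib($1)` back before the `read_files_pattern` line unless every caller is known to already have it.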
+
+ ########################################
+ ##
+-## Execute httpd module files.
++## Allow the specified domain to list
++## the contents of the apache modules
++## directory.
+ ##
+ ##
+ ##
+@@ -764,19 +878,19 @@ interface(`apache_list_modules',`
+ ##
+ ##
+ #
+-interface(`apache_exec_modules',`
++interface(`apache_list_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
+- allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+- can_exec($1, httpd_modules_t)
++ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
+ ')
+
+ ########################################
+ ##
+-## Read httpd module files.
++## Allow the specified domain to execute
++## apache modules.
+ ##
+ ##
+ ##
+@@ -784,19 +898,19 @@ interface(`apache_exec_modules',`
+ ##
+ ##
+ #
+-interface(`apache_read_module_files',`
++interface(`apache_exec_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+- libs_search_lib($1)
+- read_files_pattern($1, httpd_modules_t, httpd_modules_t)
++ allow $1 httpd_modules_t:dir list_dir_perms;
++ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
++ can_exec($1, httpd_modules_t)
+ ')
+
+ ########################################
+ ##
+-## Execute a domain transition to
+-## run httpd_rotatelogs.
++## Execute a domain transition to run httpd_rotatelogs.
+ ##
+ ##
+ ##
+@@ -809,13 +923,50 @@ interface(`apache_domtrans_rotatelogs',`
+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+ ')
+
++#######################################
++##
++## Execute httpd_rotatelogs in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`apache_exec_rotatelogs',`
++ gen_require(`
++ type httpd_rotatelogs_exec_t;
++ ')
++
++ can_exec($1, httpd_rotatelogs_exec_t)
++')
++
++#######################################
++##
++## Execute httpd system scripts in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`apache_exec_sys_script',`
++ gen_require(`
++ type httpd_sys_script_exec_t;
++ ')
++
++ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
++ can_exec($1, httpd_sys_script_exec_t)
++')
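Review bot: Both new interfaces `apache_exec_rotatelogs` and `apache_exec_sys_script` document their parameter as `## Domain allowed to transition.` although they emit `can_exec` only and no domain transition; `## Domain allowed access.` matches what they grant and what `apache_exec` and `apache_exec_suexec` say. The removal of `corecmd_search_bin($1)` from `apache_domtrans_rotatelogs` in the same hunk means callers now need their own search access to the bin directories; if that is intended, a short comment would save the next reader from re-adding it.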
++
+ ########################################
+ ##
+-## List httpd system content directories.
++## Allow the specified domain to list
++## apache system content files.
+ ##
+ ##
+ ##
+@@ -829,13 +980,14 @@ interface(`apache_list_sys_content',`
+ ')
+
+ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
++ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ files_search_var($1)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## httpd system content files.
++## Allow the specified domain to manage
++## apache system content files.
+ ##
+ ##
+ ##
+@@ -844,6 +996,7 @@ interface(`apache_list_sys_content',`
+ ##
+ ##
+ #
++# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
+ interface(`apache_manage_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+@@ -855,32 +1008,98 @@ interface(`apache_manage_sys_content',`
+ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ ')
+
+-########################################
++######################################
+ ##
+-## Create, read, write, and delete
+-## httpd system rw content.
++## Allow the specified domain to read
++## apache system content rw files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`apache_manage_sys_rw_content',`
++interface(`apache_read_sys_content_rw_files',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+- apache_search_sys_content($1)
++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++######################################
++##
++## Allow the specified domain to read
++## apache system content rw dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_read_sys_content_rw_dirs',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++######################################
++##
++## Allow the specified domain to manage
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_manage_sys_content_rw',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ files_search_var($1)
+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ ')
+
+ ########################################
+ ##
+-## Execute all httpd scripts in the
+-## system script domain.
++## Allow the specified domain to delete
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_delete_sys_content_rw',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ files_search_tmp($1)
++ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++########################################
++##
++## Execute all web scripts in the system
++## script domain.
+ ##
+ ##
+ ##
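Review bot: `apache_delete_sys_content_rw` opens with `files_search_tmp($1)`, but the type it deletes, httpd_sys_rw_content_t, is not tmp content; the sibling `apache_manage_sys_content_rw` in this hunk uses `files_search_var($1)`, and the comment added earlier in this patch places httpd_sys content under /var, /etc, /srv and /usr. Unless there is a tmp location for this type that is not visible here, the line should read `files_search_var($1)`. The new `apache_read_sys_content_rw_files` and `apache_read_sys_content_rw_dirs` grant no search on any parent directory, so callers must add that themselves; a sentence in each summary saying so, or a `files_search_var($1)` call, would make the contract explicit. The rename of `apache_manage_sys_rw_content` to `apache_manage_sys_content_rw` removes the old name outright, so out-of-tree callers stop building unless a deprecated wrapper keeps the old name.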
+@@ -888,10 +1107,17 @@ interface(`apache_manage_sys_rw_content',`
+ ##
+ ##
+ #
++# cjp: this interface specifically added to allow
++# sysadm_t to run scripts
+ interface(`apache_domtrans_sys_script',`
+ gen_require(`
+ attribute httpdcontent;
+- type httpd_sys_script_t;
++ type httpd_sys_script_exec_t;
++ type httpd_sys_script_t, httpd_sys_content_t;
++ ')
++
++ tunable_policy(`httpd_enable_cgi',`
++ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
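Review bot: The added `# cjp: this interface specifically added to allow sysadm_t to run scripts` records who added the rule rather than why it exists; a comment such as `# Gated on httpd_enable_cgi so an admin shell only enters the script domain when CGI is enabled` would outlive the author. The gen_require now also pulls in `httpd_sys_content_t`, which none of the visible lines use; the body of `apache_domtrans_sys_script` continues past the hunk, so it may be consumed in the `httpd_unified` branch below, but the require should be confirmed not to be dead.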
+@@ -901,9 +1127,8 @@ interface(`apache_domtrans_sys_script',`
+
+ ########################################
+ ##
+-## Do not audit attempts to read and
+-## write httpd system script unix
+-## domain stream sockets.
++## Do not audit attempts to read and write Apache
++## system script unix domain stream sockets.
+ ##
+ ##
+ ##
+@@ -916,7 +1141,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
+ type httpd_sys_script_t;
+ ')
+
+- dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
++ dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
+ ')
+
+ ########################################
+@@ -941,7 +1166,7 @@ interface(`apache_domtrans_all_scripts',`
+ ########################################
+ ##
+ ## Execute all user scripts in the user
+-## script domain. Add user script domains
++## script domain. Add user script domains
+ ## to the specified role.
+ ##
+ ##
+@@ -954,6 +1179,7 @@ interface(`apache_domtrans_all_scripts',`
+ ## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`apache_run_all_scripts',`
+ gen_require(`
+@@ -966,7 +1192,8 @@ interface(`apache_run_all_scripts',`
+
+ ########################################
+ ##
+-## Read httpd squirrelmail data files.
++## Allow the specified domain to read
++## apache squirrelmail data.
+ ##
+ ##
+ ##
+@@ -979,12 +1206,13 @@ interface(`apache_read_squirrelmail_data',`
+ type httpd_squirrelmail_t;
+ ')
+
+- allow $1 httpd_squirrelmail_t:file read_file_perms;
++ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ ')
+
+ ########################################
+ ##
+-## Append httpd squirrelmail data files.
++## Allow the specified domain to append
++## apache squirrelmail data.
+ ##
+ ##
+ ##
+@@ -1002,7 +1230,7 @@ interface(`apache_append_squirrelmail_data',`
+
+ ########################################
+ ##
+-## Search httpd system content.
++## Search apache system content.
+ ##
+ ##
+ ##
+@@ -1015,13 +1243,12 @@ interface(`apache_search_sys_content',`
+ type httpd_sys_content_t;
+ ')
+
+- files_search_var($1)
+ allow $1 httpd_sys_content_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read httpd system content.
++## Read apache system content.
+ ##
+ ##
+ ##
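Review bot: Dropping `files_search_var($1)` from `apache_search_sys_content` narrows the interface: a caller that previously reached content under /var through this single call now needs its own `files_search_var($1)`. That is a defensible cleanup, but it is a behaviour change for existing callers, so the summary should state it, e.g. `## Search apache system content. Callers must grant search on the parent directory (e.g. files_search_var) themselves.`. The sibling `apache_manage_sys_content_rw` in this patch adds `files_search_var($1)` itself, which is consistent with that reading.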
+@@ -1041,7 +1268,7 @@ interface(`apache_read_sys_content',`
+
+ ########################################
+ ##
+-## Search httpd system CGI directories.
++## Search apache system CGI directories.
+ ##
+ ##
+ ##
+@@ -1059,8 +1286,7 @@ interface(`apache_search_sys_scripts',`
+
+ ########################################
+ ##
+-## Create, read, write, and delete all
+-## user httpd content.
++## Create, read, write, and delete all user web content.
+ ##
+ ##
+ ##
+@@ -1071,18 +1297,21 @@ interface(`apache_search_sys_scripts',`
+ #
+ interface(`apache_manage_all_user_content',`
+ gen_require(`
+- type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
+- type httpd_user_htaccess_t, httpd_user_script_exec_t;
++ attribute httpd_user_content_type, httpd_user_script_exec_type;
+ ')
+
+- manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
+- manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
+- manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
++ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
++ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
++ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
++
++ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
++ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
++ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ ')
+
+ ########################################
+ ##
+-## Search system script state directories.
++## Search system script state directory.
+ ##
+ ##
+ ##
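Review bot: `apache_manage_all_user_content` previously managed `httpd_user_htaccess_t` files explicitly, and the rewrite relies on the `httpd_user_content_type` attribute covering that type instead. Nothing visible establishes which types carry `httpd_user_content_type`: the apache.te hunk at `@@ -324,14 +411,21 @@` declares the attribute and assigns `httpdcontent` to the user content types, but no `typeattribute ... httpd_user_content_type` appears, so membership is presumably set inside `apache_content_template`; please confirm `httpd_user_htaccess_t` is included, otherwise administrators lose the ability to manage .htaccess files. A comment on the interface naming the attribute's membership, e.g. `# httpd_user_content_type covers the content, rw, ra and htaccess types (assigned in apache_content_template)`, would make the dependency explicit.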
+@@ -1100,7 +1329,8 @@ interface(`apache_search_sys_script_state',`
+
+ ########################################
+ ##
+-## Read httpd tmp files.
++## Allow the specified domain to read
++## apache tmp files.
+ ##
+ ##
+ ##
+@@ -1117,10 +1347,29 @@ interface(`apache_read_tmp_files',`
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+ ')
+
++######################################
++##
++## Dontaudit attempts to read and write
++## apache tmp files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`apache_dontaudit_rw_tmp_files',`
++ gen_require(`
++ type httpd_tmp_t;
++ ')
++
++ dontaudit $1 httpd_tmp_t:file { read write };
++')
++
+ ########################################
+ ##
+-## Do not audit attempts to write
+-## httpd tmp files.
++## Dontaudit attempts to write
++## apache tmp files.
+ ##
+ ##
+ ##
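Review bot: The new `apache_dontaudit_rw_tmp_files` consists of the single rule `dontaudit $1 httpd_tmp_t:file { read write };`, which `apache_dontaudit_leaks` later in this patch also carries verbatim. Having `apache_dontaudit_leaks` call `apache_dontaudit_rw_tmp_files($1)` instead keeps one definition so the two cannot drift. Silencing read/write denials on temp files also hides what is often the only visible sign of a file descriptor leaked across a domain transition, so the summary should say the interface is meant for inherited descriptors, e.g. `## Do not audit attempts to read and write apache tmp files on inherited descriptors.`.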
+@@ -1133,7 +1382,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+ type httpd_tmp_t;
+ ')
+
+- dontaudit $1 httpd_tmp_t:file write_file_perms;
++ dontaudit $1 httpd_tmp_t:file write;
+ ')
+
+ ########################################
+@@ -1142,6 +1391,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+ ##
+ ##
+ ##
++## Execute CGI in the specified domain.
++##
++##
+ ## This is an interface to support third party modules
+ ## and its use is not allowed in upstream reference
+ ## policy.
+@@ -1171,8 +1423,31 @@ interface(`apache_cgi_domain',`
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an apache environment.
++## Execute httpd server in the httpd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`apache_systemctl',`
++ gen_require(`
++ type httpd_t;
++ type httpd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 httpd_unit_file_t:file read_file_perms;
++ allow $1 httpd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, httpd_t)
++')
++
++########################################
++##
++## All of the rules required to administrate an apache environment
+ ##
+ ##
+ ##
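Review bot: The summary of `apache_systemctl` says `Execute httpd server in the httpd domain` and its parameter is described as `Domain allowed to transition`, but the body grants systemctl execution, service reload, read of `httpd_unit_file_t` and `manage_service_perms` on it; no domain transition to `httpd_t` occurs. Suggested summary: `## Allow the specified domain to manage the httpd service through systemctl (start, stop, reload the unit) and to see httpd processes.` with the parameter described as `## Domain allowed access.`. Since `manage_service_perms` on the unit lets the caller start and stop the web server, the interface is administrative in effect and should not be handed to non-admin roles.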
+@@ -1189,18 +1464,19 @@ interface(`apache_cgi_domain',`
+ interface(`apache_admin',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+- attribute httpd_script_domains, httpd_htaccess_type;
+ type httpd_t, httpd_config_t, httpd_log_t;
+- type httpd_modules_t, httpd_lock_t, httpd_helper_t;
+- type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
+- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
+- type httpd_initrc_exec_t, httpd_keytab_t;
++ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
++ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
++ type httpd_suexec_tmp_t, httpd_tmp_t;
++ type httpd_unit_file_t;
+ ')
+
+- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
+- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
+- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
++ allow $1 httpd_t:process signal_perms;
++ ps_process_pattern($1, httpd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 httpd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ domain_system_change_exemption($1)
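Review bot: The gen_require of `apache_admin` now lists `httpd_bool_t`, which none of the visible lines use; the body of `apache_admin` continues past this hunk and through two later hunks, so it may be consumed there, but if not the require is dead. The rewrite also restricts `signal_perms` and `ptrace` to `httpd_t` alone, dropping `httpd_script_domains`, `httpd_helper_t`, `httpd_rotatelogs_t`, `httpd_suexec_t` and `httpd_passwd_t`, so an administrator can no longer kill a runaway CGI or suexec process through this interface. If that narrowing is intended, a comment such as `# Script, suexec and helper domains are deliberately excluded here` would keep it from being re-added by mistake. The `tunable_policy(`deny_ptrace',`',` ... `)` form with an empty true branch is valid but easy to misread; `# ptrace is granted only while deny_ptrace is off` above it would help.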
+@@ -1210,10 +1486,10 @@ interface(`apache_admin',`
+ apache_manage_all_content($1)
+ miscfiles_manage_public_files($1)
+
+- files_search_etc($1)
+- admin_pattern($1, { httpd_keytab_t httpd_config_t })
++ files_list_etc($1)
++ admin_pattern($1, httpd_config_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, httpd_log_t)
+
+ admin_pattern($1, httpd_modules_t)
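Review bot: `httpd_keytab_t` is dropped from the `admin_pattern` call (previously `admin_pattern($1, { httpd_keytab_t httpd_config_t })`) and from the gen_require in the preceding hunk, yet the type is still declared in apache.te in this same patch. The apache administrator can therefore no longer manage the Kerberos keytab the server reads. If that is intentional (keytab handled only by a Kerberos admin role) it deserves a comment; otherwise restore `admin_pattern($1, httpd_keytab_t)` next to the config rule and re-add the type to the gen_require.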
+@@ -1224,9 +1500,141 @@ interface(`apache_admin',`
+ admin_pattern($1, httpd_var_run_t)
+ files_pid_filetrans($1, httpd_var_run_t, file)
+
+- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
+- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
++ admin_pattern($1, httpdcontent)
++ admin_pattern($1, httpd_script_exec_type)
++
++ seutil_domtrans_setfiles($1)
++
++ files_list_tmp($1)
++ admin_pattern($1, httpd_tmp_t)
++ admin_pattern($1, httpd_php_tmp_t)
++ admin_pattern($1, httpd_suexec_tmp_t)
++
++ apache_systemctl($1)
++ admin_pattern($1, httpd_unit_file_t)
++ allow $1 httpd_unit_file_t:service all_service_perms;
++
++ apache_filetrans_named_content($1)
++')
++
++########################################
++##
++## dontaudit read and write an leaked file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`apache_dontaudit_leaks',`
++ gen_require(`
++ type httpd_t;
++ type httpd_tmp_t;
++ ')
++
++ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 httpd_t:tcp_socket { read write };
++ dontaudit $1 httpd_t:unix_dgram_socket { read write };
++ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
++ dontaudit $1 httpd_tmp_t:file { read write };
++')
++
++########################################
++##
++## Transition to apache named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_filetrans_named_content',`
++ gen_require(`
++ type httpd_sys_content_t, httpd_sys_rw_content_t;
++ type httpd_tmp_t;
++ ')
++
++
++ apache_filetrans_home_content($1)
++ files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
++ files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
++ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
++')
++
++########################################
++##
++## Allow any httpd_exec_t to be an entrypoint of this domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_entrypoint',`
++ gen_require(`
++ type httpd_exec_t;
++ ')
++ allow $1 httpd_exec_t:file entrypoint;
++')
++
++########################################
++##
++## Execute a httpd_exec_t in the specified domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`apache_exec_domtrans',`
++ gen_require(`
++ type httpd_exec_t;
++ ')
++
++ domtrans_pattern($1, httpd_exec_t, $2)
++')
++
++########################################
++##
++## Transition to apache home content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_filetrans_home_content',`
++ gen_require(`
++ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
++ type httpd_user_content_ra_t;
++ ')
+
+- apache_run_all_scripts($1, $2)
+- apache_run_helper($1, $2)
++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
++ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
++ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
++ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
+ ')
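Review bot: In `apache_admin`, `allow $1 httpd_unit_file_t:service all_service_perms;` follows `apache_systemctl($1)`, which already grants `manage_service_perms` on the same object; one of the two is redundant, and keeping only the broader `all_service_perms` in the admin interface is the usual pattern. The summary of `apache_dontaudit_leaks` reads `dontaudit read and write an leaked file descriptors`; `## Do not audit reads and writes on leaked httpd file descriptors.` is clearer. `apache_filetrans_named_content` has a doubled blank line after its gen_require and `apache_entrypoint` has none, against the file's one-blank-line convention. The removed `apache_run_all_scripts($1, $2)` and `apache_run_helper($1, $2)` lines were the only visible uses of the role parameter `$2` in `apache_admin`; the body spans several hunks so I cannot tell whether `$2` is still used, but if not the role parameter is now dead and its documentation should say so.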
+diff --git a/apache.te b/apache.te
+index 6649962..3226dec 100644
+--- a/apache.te
++++ b/apache.te
+@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
+ # Declarations
+ #
+
++selinux_genbool(httpd_bool_t)
++
+ ##
+-##
+-## Determine whether httpd can modify
+-## public files used for public file
+-## transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-##
++##
++## Allow Apache to modify public files
++## used for public file transfer services. Directories/Files must
++## be labeled public_content_rw_t.
++##
+ ##
+-gen_tunable(allow_httpd_anon_write, false)
++gen_tunable(httpd_anon_write, false)
+
+ ##
+-##
+-## Determine whether httpd can use mod_auth_pam.
+-##
++##
++## Dontaudit Apache to search dirs.
++##
+ ##
+-gen_tunable(allow_httpd_mod_auth_pam, false)
++gen_tunable(httpd_dontaudit_search_dirs, false)
+
+ ##
+-##
+-## Determine whether httpd can use built in scripting.
+-##
++##
++## Allow Apache to use mod_auth_pam
++##
+ ##
+-gen_tunable(httpd_builtin_scripting, false)
++gen_tunable(httpd_mod_auth_pam, false)
+
+ ##
+-##
+-## Determine whether httpd can check spam.
+-##
++##
++## Allow Apache to use mod_auth_ntlm_winbind
++##
+ ##
+-gen_tunable(httpd_can_check_spam, false)
++gen_tunable(httpd_mod_auth_ntlm_winbind, false)
+
+ ##
+-##
+-## Determine whether httpd scripts and modules
+-## can connect to the network using TCP.
+-##
++##
++## Allow httpd scripts and modules execmem/execstack
++##
++##
++gen_tunable(httpd_execmem, false)
++
++##
++##
++## Allow httpd processes to manage IPA content
++##
++##
++gen_tunable(httpd_manage_ipa, false)
++
++##
++##
++## Allow httpd to use built in scripting (usually php)
++##
++##
++gen_tunable(httpd_builtin_scripting, false)
++
++##
++##
++## Allow HTTPD scripts and modules to connect to the network using TCP.
++##
+ ##
+ gen_tunable(httpd_can_network_connect, false)
+
+ ##
+-##
+-## Determine whether httpd scripts and modules
+-## can connect to cobbler over the network.
+-##
++##
++## Allow HTTPD scripts and modules to connect to cobbler over the network.
++##
+ ##
+ gen_tunable(httpd_can_network_connect_cobbler, false)
+
+ ##
+-##
+-## Determine whether scripts and modules can
+-## connect to databases over the network.
+-##
++##
++## Allow HTTPD scripts and modules to server cobbler files.
++##
+ ##
+-gen_tunable(httpd_can_network_connect_db, false)
++gen_tunable(httpd_serve_cobbler_files, false)
+
+ ##
+-##
+-## Determine whether httpd can connect to
+-## ldap over the network.
+-##
++##
++## Allow HTTPD to connect to port 80 for graceful shutdown
++##
+ ##
+-gen_tunable(httpd_can_network_connect_ldap, false)
++gen_tunable(httpd_graceful_shutdown, false)
+
+ ##
+-##
+-## Determine whether httpd can connect
+-## to memcache server over the network.
+-##
++##
++## Allow HTTPD scripts and modules to connect to databases over the network.
++##
+ ##
+-gen_tunable(httpd_can_network_connect_memcache, false)
++gen_tunable(httpd_can_network_connect_db, false)
+
+ ##
+-##
+-## Determine whether httpd can act as a relay.
+-##
++##
++## Allow httpd to connect to memcache server
++##
++##
++gen_tunable(httpd_can_network_memcache, false)
++
++##
++##
++## Allow httpd to act as a relay
++##
+ ##
+ gen_tunable(httpd_can_network_relay, false)
+
+ ##
+-##
+-## Determine whether httpd daemon can
+-## connect to zabbix over the network.
+-##
++##
++## Allow http daemon to connect to zabbix
++##
+ ##
+-gen_tunable(httpd_can_network_connect_zabbix, false)
++gen_tunable(httpd_can_connect_zabbix, false)
+
+ ##
+-##
+-## Determine whether httpd can send mail.
+-##
++##
++## Allow http daemon to connect to mythtv
++##
++##
++gen_tunable(httpd_can_connect_mythtv, false)
++
++##
++##
++## Allow http daemon to check spam
++##
++##
++gen_tunable(httpd_can_check_spam, false)
++
++##
++##
++## Allow http daemon to send mail
++##
+ ##
+ gen_tunable(httpd_can_sendmail, false)
+
+ ##
+-##
+-## Determine whether httpd can communicate
+-## with avahi service via dbus.
+-##
++##
++## Allow Apache to communicate with avahi service via dbus
++##
+ ##
+ gen_tunable(httpd_dbus_avahi, false)
+
+ ##
+-##
+-## Determine wether httpd can use support.
+-##
++##
++## Allow Apache to communicate with sssd service via dbus
++##
+ ##
+-gen_tunable(httpd_enable_cgi, false)
++gen_tunable(httpd_dbus_sssd, false)
+
+ ##
+-##
+-## Determine whether httpd can act as a
+-## FTP server by listening on the ftp port.
+-##
++##
++## Allow httpd cgi support
++##
+ ##
+-gen_tunable(httpd_enable_ftp_server, false)
++gen_tunable(httpd_enable_cgi, false)
+
+ ##
+-##
+-## Determine whether httpd can traverse
+-## user home directories.
+-##
++##
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++##
+ ##
+-gen_tunable(httpd_enable_homedirs, false)
++gen_tunable(httpd_enable_ftp_server, false)
+
+ ##
+-##
+-## Determine whether httpd gpg can modify
+-## public files used for public file
+-## transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-##
++##
++## Allow httpd to act as a FTP client
++## connecting to the ftp port and ephemeral ports
++##
+ ##
+-gen_tunable(httpd_gpg_anon_write, false)
++gen_tunable(httpd_can_connect_ftp, false)
+
+ ##
+-##
+-## Determine whether httpd can execute
+-## its temporary content.
+-##
++##
++## Allow httpd to connect to the ldap port
++##
+ ##
+-gen_tunable(httpd_tmp_exec, false)
++gen_tunable(httpd_can_connect_ldap, false)
+
+ ##
+-##
+-## Determine whether httpd scripts and
+-## modules can use execmem and execstack.
+-##
++##
++## Allow httpd to read home directories
++##
+ ##
+-gen_tunable(httpd_execmem, false)
++gen_tunable(httpd_enable_homedirs, false)
+
+ ##
+-##
+-## Determine whether httpd can connect
+-## to port 80 for graceful shutdown.
+-##
++##
++## Allow httpd to read user content
++##
+ ##
+-gen_tunable(httpd_graceful_shutdown, false)
++gen_tunable(httpd_read_user_content, false)
+
+ ##
+-##
+-## Determine whether httpd can
+-## manage IPA content files.
+-##
++##
++## Allow Apache to run in stickshift mode, not transition to passenger
++##
+ ##
+-gen_tunable(httpd_manage_ipa, false)
++gen_tunable(httpd_run_stickshift, false)
++
+
+ ##
+-##
+-## Determine whether httpd can use mod_auth_ntlm_winbind.
+-##
++##
++## Allow Apache to run preupgrade
++##
+ ##
+-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
++gen_tunable(httpd_run_preupgrade, false)
+
+ ##
+-##
+-## Determine whether httpd can read
+-## generic user home content files.
+-##
++##
++## Allow Apache to query NS records
++##
+ ##
+-gen_tunable(httpd_read_user_content, false)
++gen_tunable(httpd_verify_dns, false)
+
+ ##
+-##
+-## Determine whether httpd can change
+-## its resource limits.
+-##
++##
++## Allow httpd daemon to change its resource limits
++##
+ ##
+ gen_tunable(httpd_setrlimit, false)
+
+ ##
+-##
+-## Determine whether httpd can run
+-## SSI executables in the same domain
+-## as system CGI scripts.
+-##
++##
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
++##
+ ##
+ gen_tunable(httpd_ssi_exec, false)
+
+ ##
+-##
+-## Determine whether httpd can communicate
+-## with the terminal. Needed for entering the
+-## passphrase for certificates at the terminal.
+-##
++##
++## Allow Apache to execute tmp content.
++##
++##
++gen_tunable(httpd_tmp_exec, false)
++
++##
++##
++## Unify HTTPD to communicate with the terminal.
++## Needed for entering the passphrase for certificates at
++## the terminal.
++##
+ ##
+ gen_tunable(httpd_tty_comm, false)
+
+ ##
+-##
+-## Determine whether httpd can have full access
+-## to its content types.
+-##
++##
++## Unify HTTPD handling of all content files.
++##
+ ##
+ gen_tunable(httpd_unified, false)
+
+ ##
+-##
+-## Determine whether httpd can use
+-## cifs file systems.
+-##
++##
++## Allow httpd to access openstack ports
++##
++##
++gen_tunable(httpd_use_openstack, false)
++
++##
++##
++## Allow httpd to access cifs file systems
++##
+ ##
+ gen_tunable(httpd_use_cifs, false)
+
+ ##
+ ##
+-## Determine whether httpd can
+-## use fuse file systems.
++## Allow httpd to access FUSE file systems
+ ##
+ ##
+ gen_tunable(httpd_use_fusefs, false)
+
+ ##
+-##
+-## Determine whether httpd can use gpg.
+-##
++##
++## Allow httpd to run gpg
++##
+ ##
+ gen_tunable(httpd_use_gpg, false)
+
+ ##
+-##
+-## Determine whether httpd can use
+-## nfs file systems.
+-##
++##
++## Allow httpd to connect to sasl
++##
++##
++gen_tunable(httpd_use_sasl, false)
++
++##
++##
++## Allow httpd to access nfs file systems
++##
+ ##
+ gen_tunable(httpd_use_nfs, false)
+
++##
++##
++## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
++##
++##
++gen_tunable(httpd_sys_script_anon_write, false)
++
+ attribute httpdcontent;
+-attribute httpd_htaccess_type;
++attribute httpd_user_content_type;
++attribute httpd_content_type;
+
+-# domains that can exec all scripts
++# domains that can exec all users scripts
+ attribute httpd_exec_scripts;
+
++attribute httpd_script_type;
+ attribute httpd_script_exec_type;
++attribute httpd_user_script_exec_type;
+
+-# all script domains
++# user script domains
+ attribute httpd_script_domains;
+
+-attribute_role httpd_helper_roles;
+-roleattribute system_r httpd_helper_roles;
+-
+ type httpd_t;
+ type httpd_exec_t;
++ifdef(`distro_redhat',`
++ typealias httpd_t alias phpfpm_t;
++ typealias httpd_exec_t alias phpfpm_exec_t;
++')
+ init_daemon_domain(httpd_t, httpd_exec_t)
++role system_r types httpd_t;
+
++# httpd_cache_t is the type given to the /var/cache/httpd
++# directory and the files under that directory
+ type httpd_cache_t;
+ files_type(httpd_cache_t)
+
++# httpd_config_t is the type given to the configuration files
+ type httpd_config_t;
+ files_config_file(httpd_config_t)
+
+ type httpd_helper_t;
+ type httpd_helper_exec_t;
+-application_domain(httpd_helper_t, httpd_helper_exec_t)
+-role httpd_helper_roles types httpd_helper_t;
++domain_type(httpd_helper_t)
++domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
++role system_r types httpd_helper_t;
+
+ type httpd_initrc_exec_t;
+ init_script_file(httpd_initrc_exec_t)
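Review bot: The description of `httpd_sys_script_anon_write` tells administrators to label directories `public_rw_content_t`, but the type named by the companion `httpd_anon_write` description in the same hunk is `public_content_rw_t`; an administrator following this text applies a label that does not exist. The `httpd_tty_comm` text `Unify HTTPD to communicate with the terminal.` should read `Allow HTTPD to communicate with the terminal.`, and `httpd_serve_cobbler_files` says `server cobbler files` where `serve cobbler files` is meant. Several booleans are renamed here (`allow_httpd_anon_write` → `httpd_anon_write`, `allow_httpd_mod_auth_pam` → `httpd_mod_auth_pam`, `httpd_can_network_connect_ldap` → `httpd_can_connect_ldap`, `httpd_can_network_connect_memcache` → `httpd_can_network_memcache`, `httpd_can_network_connect_zabbix` → `httpd_can_connect_zabbix`); persisted `setsebool -P` settings and local modules that reference the old names stop working, so the commit message or a comment should point at whatever migration is provided.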
+@@ -286,15 +345,35 @@ init_script_file(httpd_initrc_exec_t)
+ type httpd_keytab_t;
+ files_type(httpd_keytab_t)
+
++type httpd_unit_file_t;
++ifdef(`distro_redhat',`
++ typealias httpd_unit_file_t alias phpfpm_unit_file_t;
++')
++systemd_unit_file(httpd_unit_file_t)
++
+ type httpd_lock_t;
+ files_lock_file(httpd_lock_t)
+
+ type httpd_log_t;
++ifdef(`distro_redhat',`
++ typealias httpd_log_t alias phpfpm_log_t;
++')
+ logging_log_file(httpd_log_t)
+
++# httpd_modules_t is the type given to module files (libraries)
++# that come with Apache /etc/httpd/modules and /usr/lib/apache
+ type httpd_modules_t;
+ files_type(httpd_modules_t)
+
++type httpd_php_t;
++type httpd_php_exec_t;
++domain_type(httpd_php_t)
++domain_entry_file(httpd_php_t, httpd_php_exec_t)
++role system_r types httpd_php_t;
++
++type httpd_php_tmp_t;
++files_tmp_file(httpd_php_tmp_t)
++
+ type httpd_rotatelogs_t;
+ type httpd_rotatelogs_exec_t;
+ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
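Review bot: `httpd_php_t` is declared as a full domain (`domain_type`, `domain_entry_file`, `role system_r`) with no comment on what enters it, while the same patch aliases `phpfpm_t` to `httpd_t`, so a reader cannot tell whether PHP is meant to run inside `httpd_t` or in this separate domain. A comment such as `# httpd_php_t: separate domain for PHP executed via httpd_php_exec_t; entered from <domain, to confirm>` stating the intended entry path would resolve that, and if nothing transitions into it the declaration is dead. The new comment on `httpd_modules_t` cites /etc/httpd/modules and /usr/lib/apache, but labelling lives in the file contexts, so it should be checked against apache.fc to avoid drifting.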
+@@ -302,10 +381,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+ type httpd_squirrelmail_t;
+ files_type(httpd_squirrelmail_t)
+
+-type squirrelmail_spool_t;
+-files_tmp_file(squirrelmail_spool_t)
+-
+-type httpd_suexec_t;
++# SUEXEC runs user scripts as their own user ID
++type httpd_suexec_t; #, daemon;
+ type httpd_suexec_exec_t;
+ domain_type(httpd_suexec_t)
+ domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
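Review bot: `type httpd_suexec_t; #, daemon;` keeps a commented-out fragment of an older declaration; drop the trailing `#, daemon;` so the line reads `type httpd_suexec_t;`. The preceding `# SUEXEC runs user scripts as their own user ID` is the useful part and can stay.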
+@@ -314,9 +391,19 @@ role system_r types httpd_suexec_t;
+ type httpd_suexec_tmp_t;
+ files_tmp_file(httpd_suexec_tmp_t)
+
+-apache_content_template(sys)
+-corecmd_shell_entry_type(httpd_sys_script_t)
+-typealias httpd_sys_content_t alias ntop_http_content_t;
++# setup the system domain for system CGI scripts
++apache_content_template(httpd_sys)
++
++typeattribute httpd_sys_content_t httpdcontent; # customizable
++typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
++typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
++
++# Removal of fastcgi, will cause problems without the following
++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
++typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
++typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
++typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
++typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+
+ type httpd_tmp_t;
+ files_tmp_file(httpd_tmp_t)
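Review bot: `corecmd_shell_entry_type(httpd_sys_script_t)` is removed along with the change of the template argument from `sys` to `httpd_sys`; unless `apache_content_template` now grants shell entry itself, shell-script CGIs can no longer enter `httpd_sys_script_t`, since the interpreter is the entrypoint for those. Please confirm the template covers it, or restore the call after `apache_content_template(httpd_sys)`. The `typealias httpd_sys_content_t alias ntop_http_content_t;` line is dropped while new fastcgi aliases are added for compatibility; files already labelled `ntop_http_content_t` become invalid, so either keep the alias or note its removal in the commit message. The three `# customizable` comments explain nothing on their own; `# customizable: administrators may assign these types with semanage fcontext` says what is meant.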
+@@ -324,14 +411,21 @@ files_tmp_file(httpd_tmp_t)
+ type httpd_tmpfs_t;
+ files_tmpfs_file(httpd_tmpfs_t)
+
+-apache_content_template(user)
++apache_content_template(httpd_user)
+ ubac_constrained(httpd_user_script_t)
++
++typeattribute httpd_user_content_t httpdcontent;
++typeattribute httpd_user_rw_content_t httpdcontent;
++typeattribute httpd_user_ra_content_t httpdcontent;
++
+ userdom_user_home_content(httpd_user_content_t)
+ userdom_user_home_content(httpd_user_htaccess_t)
+ userdom_user_home_content(httpd_user_script_exec_t)
+ userdom_user_home_content(httpd_user_ra_content_t)
+ userdom_user_home_content(httpd_user_rw_content_t)
++typeattribute httpd_user_script_t httpd_script_domains;
+ typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
++typealias httpd_user_content_t alias httpd_unconfined_content_t;
+ typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
+ typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
+ typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
+@@ -346,33 +440,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+ typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
+ typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+
++# for apache2 memory mapped files
+ type httpd_var_lib_t;
+ files_type(httpd_var_lib_t)
+
+ type httpd_var_run_t;
++ifdef(`distro_redhat',`
++ typealias httpd_var_run_t alias phpfpm_var_run_t;
++')
+ files_pid_file(httpd_var_run_t)
+
+-type httpd_passwd_t;
+-type httpd_passwd_exec_t;
+-domain_type(httpd_passwd_t)
+-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
+-role system_r types httpd_passwd_t;
++# Removal of fastcgi, will cause problems without the following
++typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
+-type httpd_gpg_t;
+-domain_type(httpd_gpg_t)
+-role system_r types httpd_gpg_t;
++# File Type of squirrelmail attachments
++type squirrelmail_spool_t;
++files_tmp_file(squirrelmail_spool_t)
++files_spool_file(squirrelmail_spool_t)
+
+ optional_policy(`
+ prelink_object_file(httpd_modules_t)
+ ')
+
++type httpd_passwd_t;
++type httpd_passwd_exec_t;
++application_domain(httpd_passwd_t, httpd_passwd_exec_t)
++role system_r types httpd_passwd_t;
++
+ ########################################
+ #
+-# Local policy
++# Apache server local policy
+ #
+
+-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+-dontaudit httpd_t self:capability net_admin;
++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
++dontaudit httpd_t self:capability { net_admin sys_tty_config };
+ allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow httpd_t self:fd use;
+ allow httpd_t self:sock_file read_sock_file_perms;
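Review bot: `sys_tty_config` appears both in `allow httpd_t self:capability { ... sys_tty_config sys_chroot };` and in `dontaudit httpd_t self:capability { net_admin sys_tty_config };`; a dontaudit on a permission that is allowed has no effect, so one of the two is a mistake, most likely the capability was meant to move from the allow to the dontaudit. `sys_chroot` is a new capability for the server's main domain with no comment on which module needs it; a one-line `# sys_chroot: required by <module, to confirm>` would justify the widening. Removing the `httpd_gpg_t` domain here matches the removal of `httpd_gpg_anon_write` earlier in the patch, which is consistent.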
+@@ -381,30 +482,39 @@ allow httpd_t self:shm create_shm_perms;
+ allow httpd_t self:sem create_sem_perms;
+ allow httpd_t self:msgq create_msgq_perms;
+ allow httpd_t self:msg { send receive };
+-allow httpd_t self:unix_dgram_socket sendto;
+-allow httpd_t self:unix_stream_socket { accept connectto listen };
+-allow httpd_t self:tcp_socket { accept listen };
++allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow httpd_t self:tcp_socket create_stream_socket_perms;
++allow httpd_t self:udp_socket create_socket_perms;
++dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
+
++# Allow httpd_t to put files in /var/cache/httpd etc
+ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+-files_var_filetrans(httpd_t, httpd_cache_t, dir)
++files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
+
++# Allow the httpd_t to read the web servers config files
+ allow httpd_t httpd_config_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+
++can_exec(httpd_t, httpd_exec_t)
++
+ allow httpd_t httpd_keytab_t:file read_file_perms;
+
+ allow httpd_t httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(httpd_t, httpd_lock_t, file)
+
+-allow httpd_t httpd_log_t:dir setattr_dir_perms;
++allow httpd_t httpd_log_t:dir setattr;
+ create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++# cjp: need to refine create interfaces to
++# cut this back to add_name only
+ logging_log_filetrans(httpd_t, httpd_log_t, file)
+
+ allow httpd_t httpd_modules_t:dir list_dir_perms;
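Review bot: `allow httpd_t httpd_log_t:dir setattr;` replaces `setattr_dir_perms`; the permission-set macro is the refpolicy convention and the raw permission is a style regression, so keep `allow httpd_t httpd_log_t:dir setattr_dir_perms;`. The `# cjp: need to refine create interfaces to cut this back to add_name only` note records a person rather than a task; `# TODO: logging_log_filetrans grants more than add_name; narrow once a tighter interface exists` is actionable. `allow httpd_t self:tcp_socket create_stream_socket_perms;` widens the old `{ accept listen }` to the full socket set; that is reasonable for a network daemon, but since this is the listening socket a short comment on why the extra permissions are needed would help.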
+@@ -412,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+ read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+ read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+
++apache_domtrans_rotatelogs(httpd_t)
++# Apache-httpd needs to be able to send signals to the log rotate procs.
+ allow httpd_t httpd_rotatelogs_t:process signal_perms;
+
+ manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+
++allow httpd_t httpd_suexec_exec_t:process { signal signull };
+ allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+
++allow httpd_t httpd_sys_content_t:dir list_dir_perms;
++read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
++read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
++
+ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+
+ manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
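Review bot: The added `allow httpd_t httpd_suexec_exec_t:process { signal signull };` names a file type as the target of a process-class permission; the very next line treats httpd_suexec_exec_t as a file (`:file read_file_perms`), and the suexec section's `domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)` shows httpd_suexec_t is the process domain. As written the rule grants nothing to a running suexec process. If signalling suexec children is the intent, the line should read `allow httpd_t httpd_suexec_t:process { signal signull };`.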
+@@ -450,140 +567,173 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+
+-can_exec(httpd_t, httpd_exec_t)
+-
+-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+-
+ kernel_read_kernel_sysctls(httpd_t)
+-kernel_read_network_state(httpd_t)
++# for modules that want to access /proc/meminfo
+ kernel_read_system_state(httpd_t)
++kernel_read_network_state(httpd_t)
+ kernel_search_network_sysctl(httpd_t)
+
+-corenet_all_recvfrom_unlabeled(httpd_t)
+ corenet_all_recvfrom_netlabel(httpd_t)
+ corenet_tcp_sendrecv_generic_if(httpd_t)
++corenet_udp_sendrecv_generic_if(httpd_t)
+ corenet_tcp_sendrecv_generic_node(httpd_t)
++corenet_udp_sendrecv_generic_node(httpd_t)
++corenet_tcp_sendrecv_all_ports(httpd_t)
++corenet_udp_sendrecv_all_ports(httpd_t)
+ corenet_tcp_bind_generic_node(httpd_t)
+-
+-corenet_sendrecv_http_server_packets(httpd_t)
++corenet_udp_bind_generic_node(httpd_t)
+ corenet_tcp_bind_http_port(httpd_t)
+-corenet_tcp_sendrecv_http_port(httpd_t)
+-
+-corenet_sendrecv_http_cache_server_packets(httpd_t)
++corenet_udp_bind_http_port(httpd_t)
+ corenet_tcp_bind_http_cache_port(httpd_t)
+-corenet_tcp_sendrecv_http_cache_port(httpd_t)
+-
+-corecmd_exec_bin(httpd_t)
+-corecmd_exec_shell(httpd_t)
++corenet_tcp_bind_ntop_port(httpd_t)
++corenet_tcp_bind_jboss_management_port(httpd_t)
++corenet_tcp_bind_jboss_messaging_port(httpd_t)
++corenet_sendrecv_http_server_packets(httpd_t)
++corenet_tcp_bind_puppet_port(httpd_t)
++# Signal self for shutdown
++tunable_policy(`httpd_graceful_shutdown',`
++ corenet_tcp_connect_http_port(httpd_t)
++')
+
+ dev_read_sysfs(httpd_t)
+ dev_read_rand(httpd_t)
+ dev_read_urand(httpd_t)
+ dev_rw_crypto(httpd_t)
+
+-domain_use_interactive_fds(httpd_t)
+-
+ fs_getattr_all_fs(httpd_t)
+ fs_search_auto_mountpoints(httpd_t)
+-
+-fs_getattr_all_fs(httpd_t)
+-fs_read_anon_inodefs_files(httpd_t)
+ fs_read_iso9660_files(httpd_t)
+-fs_search_auto_mountpoints(httpd_t)
++fs_rw_anon_inodefs_files(httpd_t)
++fs_read_hugetlbfs_files(httpd_t)
++
++auth_use_nsswitch(httpd_t)
+
++application_exec_all(httpd_t)
++
++# execute perl
++corecmd_exec_bin(httpd_t)
++corecmd_exec_shell(httpd_t)
++
++domain_use_interactive_fds(httpd_t)
++domain_dontaudit_read_all_domains_state(httpd_t)
++
++files_dontaudit_search_all_pids(httpd_t)
+ files_dontaudit_getattr_all_pids(httpd_t)
+-files_read_usr_files(httpd_t)
++files_exec_usr_files(httpd_t)
+ files_list_mnt(httpd_t)
++files_read_mnt_symlinks(httpd_t)
++files_search_all(httpd_t)
+ files_search_spool(httpd_t)
+ files_read_var_symlinks(httpd_t)
+ files_read_var_lib_files(httpd_t)
+ files_search_home(httpd_t)
+ files_getattr_home_dir(httpd_t)
++# for modules that want to access /etc/mtab
+ files_read_etc_runtime_files(httpd_t)
++# Allow httpd_t to have access to files such as nisswitch.conf
++# for tomcat
+ files_read_var_lib_symlinks(httpd_t)
+
+-auth_use_nsswitch(httpd_t)
++fs_search_auto_mountpoints(httpd_sys_script_t)
++# php uploads a file to /tmp and then execs programs to acton them
++manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
+
+ libs_read_lib_files(httpd_t)
+
++ifdef(`hide_broken_symptoms',`
++ libs_exec_lib_files(httpd_t)
++')
++
+ logging_send_syslog_msg(httpd_t)
+
+-miscfiles_read_localization(httpd_t)
++init_dontaudit_read_utmp(httpd_t)
++
+ miscfiles_read_fonts(httpd_t)
+ miscfiles_read_public_files(httpd_t)
+ miscfiles_read_generic_certs(httpd_t)
+ miscfiles_read_tetex_data(httpd_t)
+-
+-seutil_dontaudit_search_config(httpd_t)
++miscfiles_dontaudit_access_check_cert(httpd_t)
+
+ userdom_use_unpriv_users_fds(httpd_t)
+
+-ifdef(`TODO',`
+- tunable_policy(`allow_httpd_mod_auth_pam',`
+- auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`httpd_setrlimit',`
++ allow httpd_t self:process setrlimit;
++ allow httpd_t self:capability sys_resource;
++')
+
+- logging_send_audit_msgs(httpd_t)
+- ')
++tunable_policy(`httpd_anon_write',`
++ miscfiles_manage_public_files(httpd_t)
+ ')
+
+-ifdef(`hide_broken_symptoms',`
+- libs_exec_lib_files(httpd_t)
++tunable_policy(`httpd_dontaudit_search_dirs',`
++ files_dontaudit_search_non_security_dirs(httpd_t)
+ ')
+
+-tunable_policy(`allow_httpd_anon_write',`
+- miscfiles_manage_public_files(httpd_t)
++#
++# We need optionals to be able to be within booleans to make this work
++#
++tunable_policy(`httpd_mod_auth_pam',`
++ auth_domtrans_chkpwd(httpd_t)
++ logging_send_audit_msgs(httpd_t)
++')
++
++optional_policy(`
++ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
++ samba_domtrans_winbind_helper(httpd_t)
++ ')
+ ')
+
+ tunable_policy(`httpd_can_network_connect',`
+- corenet_sendrecv_all_client_packets(httpd_t)
+ corenet_tcp_connect_all_ports(httpd_t)
+- corenet_tcp_sendrecv_all_ports(httpd_t)
+ ')
+
+ tunable_policy(`httpd_can_network_connect_db',`
+- corenet_sendrecv_gds_db_client_packets(httpd_t)
+ corenet_tcp_connect_gds_db_port(httpd_t)
+- corenet_tcp_sendrecv_gds_db_port(httpd_t)
+- corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_mssql_port(httpd_t)
+- corenet_tcp_sendrecv_mssql_port(httpd_t)
+- corenet_sendrecv_oracledb_client_packets(httpd_t)
+- corenet_tcp_connect_oracledb_port(httpd_t)
+- corenet_tcp_sendrecv_oracledb_port(httpd_t)
++ corenet_sendrecv_mssql_client_packets(httpd_t)
++ corenet_tcp_connect_oracle_port(httpd_t)
++ corenet_sendrecv_oracle_client_packets(httpd_t)
++')
++
++tunable_policy(`httpd_can_network_memcache',`
++ corenet_tcp_connect_memcache_port(httpd_t)
+ ')
+
+ tunable_policy(`httpd_can_network_relay',`
+- corenet_sendrecv_gopher_client_packets(httpd_t)
++ # allow httpd to work as a relay
+ corenet_tcp_connect_gopher_port(httpd_t)
+- corenet_tcp_sendrecv_gopher_port(httpd_t)
+- corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_tcp_connect_ftp_port(httpd_t)
+- corenet_tcp_sendrecv_ftp_port(httpd_t)
+- corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_tcp_connect_http_port(httpd_t)
+- corenet_tcp_sendrecv_http_port(httpd_t)
+- corenet_sendrecv_http_cache_client_packets(httpd_t)
+ corenet_tcp_connect_http_cache_port(httpd_t)
+- corenet_tcp_sendrecv_http_cache_port(httpd_t)
+- corenet_sendrecv_squid_client_packets(httpd_t)
+ corenet_tcp_connect_squid_port(httpd_t)
+- corenet_tcp_sendrecv_squid_port(httpd_t)
++ corenet_tcp_connect_memcache_port(httpd_t)
++ corenet_sendrecv_gopher_client_packets(httpd_t)
++ corenet_sendrecv_ftp_client_packets(httpd_t)
++ corenet_sendrecv_http_client_packets(httpd_t)
++ corenet_sendrecv_http_cache_client_packets(httpd_t)
++ corenet_sendrecv_squid_client_packets(httpd_t)
++ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+ ')
+
+-tunable_policy(`httpd_builtin_scripting',`
+- exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
++tunable_policy(`httpd_execmem',`
++ allow httpd_t self:process { execmem execstack };
++ allow httpd_sys_script_t self:process { execmem execstack };
++ allow httpd_suexec_t self:process { execmem execstack };
++')
+
+- allow httpd_t httpdcontent:dir list_dir_perms;
+- allow httpd_t httpdcontent:file read_file_perms;
+- allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
++tunable_policy(`httpd_enable_cgi && httpd_unified',`
++ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
++ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
++ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+ ')
+
+-tunable_policy(`httpd_enable_cgi',`
+- allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
+- allow httpd_t httpd_script_exec_type:dir list_dir_perms;
++tunable_policy(`httpd_sys_script_anon_write',`
++ miscfiles_manage_public_files(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
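Review bot: `corenet_tcp_sendrecv_all_ports(httpd_t)` and `corenet_udp_sendrecv_all_ports(httpd_t)` are now granted unconditionally in the corenet block, whereas the old side only allowed the TCP variant inside the `httpd_can_network_connect` tunable (see the removed line in that tunable lower in this hunk). Together with `application_exec_all(httpd_t)`, `files_search_all(httpd_t)` and the unconditional binds to the ntop, jboss and puppet ports, this widens the default httpd_t policy with no boolean an administrator can switch off. If these are needed for the stock configuration, a one-line comment per group naming the module or feature that requires them would let reviewers verify the widening; otherwise the extra port binds belong under a tunable such as `httpd_can_network_connect`. Separately, the script tmp rules manage httpd_tmp_t but `files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, ...)` labels newly created /tmp objects httpd_sys_rw_content_t, so those objects are not covered by the manage rules directly above unless that access is granted elsewhere — worth a comment if intentional.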
+@@ -594,28 +744,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+ ')
+
+-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
+-# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
+-# ')
++tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
++ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
++')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+ domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
++ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
++ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
++ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
++ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+
+ manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+- manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
+- manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
++')
++
++tunable_policy(`httpd_can_connect_ftp',`
++ corenet_tcp_connect_ftp_port(httpd_t)
++ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
++')
++
++tunable_policy(`httpd_can_connect_ldap',`
++ corenet_tcp_connect_ldap_port(httpd_t)
++')
++
++tunable_policy(`httpd_can_connect_mythtv',`
++ corenet_tcp_connect_mythtv_port(httpd_t)
++')
++
++tunable_policy(`httpd_can_connect_zabbix',`
++ corenet_tcp_connect_zabbix_port(httpd_t)
+ ')
+
+ tunable_policy(`httpd_enable_ftp_server',`
+- corenet_sendrecv_ftp_server_packets(httpd_t)
+ corenet_tcp_bind_ftp_port(httpd_t)
+- corenet_tcp_sendrecv_ftp_port(httpd_t)
++ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
+ ')
+
+-tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_t)
++tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
++ can_exec(httpd_t, httpd_tmp_t)
++')
++
++tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
++ can_exec(httpd_sys_script_t, httpd_tmp_t)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
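Review bot: The plain `httpd_enable_homedirs` tunable body granting `userdom_search_user_home_dirs(httpd_t)` is removed, but the compound tunables `httpd_enable_homedirs && use_nfs_home_dirs` at the end of this hunk and `httpd_enable_homedirs && use_samba_home_dirs` in the next still depend on that boolean. Unless the home-directory search is now granted somewhere not visible here, the NFS/CIFS read rules become reachable only if the lookup is permitted by another rule. Also `httpd_enable_ftp_server` now adds `corenet_tcp_bind_all_ephemeral_ports(httpd_t)`; a short comment stating which FTP mode requires binding arbitrary ephemeral ports would help anyone auditing that tunable.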
+@@ -624,68 +796,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_symlinks(httpd_t)
+ ')
+
+-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
++tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+- fs_read_cifs_files(httpd_t)
+- fs_read_cifs_symlinks(httpd_t)
++ fs_manage_nfs_dirs(httpd_t)
++ fs_manage_nfs_files(httpd_t)
++ fs_manage_nfs_symlinks(httpd_t)
+ ')
+
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
+- fs_exec_cifs_files(httpd_t)
++
++optional_policy(`
++ tunable_policy(`httpd_use_nfs',`
++ automount_search_tmp_dirs(httpd_t)
++ ')
+ ')
+
+-tunable_policy(`httpd_execmem',`
+- allow httpd_t self:process { execmem execstack };
++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
++ fs_read_cifs_files(httpd_t)
++ fs_read_cifs_symlinks(httpd_t)
+ ')
+
+ tunable_policy(`httpd_can_sendmail',`
+- corenet_sendrecv_smtp_client_packets(httpd_t)
++ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+- corenet_tcp_sendrecv_smtp_port(httpd_t)
+- corenet_sendrecv_pop_client_packets(httpd_t)
++ corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+- corenet_tcp_sendrecv_pop_port(httpd_t)
+-
++ corenet_sendrecv_pop_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
+ mta_signal_system_mail(httpd_t)
++ postfix_rw_spool_maildrop_files(httpd_t)
+ ')
+
+-optional_policy(`
+- tunable_policy(`httpd_can_network_connect_zabbix',`
+- zabbix_tcp_connect(httpd_t)
+- ')
+-')
+-
+-optional_policy(`
+- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+- spamassassin_domtrans_client(httpd_t)
+- ')
+-')
+-
+-tunable_policy(`httpd_graceful_shutdown',`
+- corenet_sendrecv_http_client_packets(httpd_t)
+- corenet_tcp_connect_http_port(httpd_t)
+- corenet_tcp_sendrecv_http_port(httpd_t)
+-')
+-
+-optional_policy(`
+- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+- gpg_spec_domtrans(httpd_t, httpd_gpg_t)
+- ')
+-')
+-
+-optional_policy(`
+- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+- samba_domtrans_winbind_helper(httpd_t)
+- ')
++tunable_policy(`httpd_use_cifs',`
++ fs_manage_cifs_dirs(httpd_t)
++ fs_manage_cifs_files(httpd_t)
++ fs_manage_cifs_symlinks(httpd_t)
+ ')
+
+-tunable_policy(`httpd_read_user_content',`
+- userdom_read_user_home_content_files(httpd_t)
++tunable_policy(`httpd_use_fusefs',`
++ fs_manage_fusefs_dirs(httpd_t)
++ fs_manage_fusefs_files(httpd_t)
++ fs_manage_fusefs_symlinks(httpd_t)
+ ')
+
+ tunable_policy(`httpd_setrlimit',`
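Review bot: `postfix_rw_spool_maildrop_files(httpd_t)` is called inside the plain `httpd_can_sendmail` tunable_policy without an enclosing `optional_policy(`, unlike the other module-specific interfaces in this file (for example `automount_search_tmp_dirs(httpd_t)` a few lines earlier, which sits in an `optional_policy(` wrapping its tunable). If the postfix module is not loaded the build fails on the unresolved interface. Nest the call in its own `optional_policy(` block that contains a `httpd_can_sendmail` tunable, as done for automount, and leave the `mta_*` calls where they are. The new `httpd_use_cifs` and `httpd_use_fusefs` bodies also drop the `fs_list_auto_mountpoints(httpd_t)` the old bodies carried while `httpd_use_nfs` keeps it; if that asymmetry is intended, a comment would stop it being "fixed" later.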
+@@ -695,49 +845,48 @@ tunable_policy(`httpd_setrlimit',`
+
+ tunable_policy(`httpd_ssi_exec',`
+ corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
++ allow httpd_sys_script_t httpd_t:fd use;
++ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
++ allow httpd_sys_script_t httpd_t:process sigchld;
+ ')
+
+-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+- can_exec(httpd_t, httpd_tmp_t)
+-')
+-
++# When the admin starts the server, the server wants to access
++# the TTY or PTY associated with the session. The httpd appears
++# to run correctly without this permission, so the permission
++# are dontaudited here.
+ tunable_policy(`httpd_tty_comm',`
+- userdom_use_user_terminals(httpd_t)
+-',`
+- userdom_dontaudit_use_user_terminals(httpd_t)
+-')
+-
+-tunable_policy(`httpd_use_cifs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_cifs_dirs(httpd_t)
+- fs_manage_cifs_files(httpd_t)
+- fs_manage_cifs_symlinks(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+
+-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+- fs_exec_cifs_files(httpd_t)
+-')
++optional_policy(`
++ cobbler_list_config(httpd_t)
++ cobbler_read_config(httpd_t)
+
+-tunable_policy(`httpd_use_fusefs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_fusefs_dirs(httpd_t)
+- fs_manage_fusefs_files(httpd_t)
+- fs_read_fusefs_symlinks(httpd_t)
+-')
++ tunable_policy(`httpd_serve_cobbler_files',`
++ cobbler_manage_lib_files(httpd_t)
++',`
++ cobbler_read_lib_files(httpd_t)
++ cobbler_search_lib(httpd_t)
++ ')
+
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_t)
++ tunable_policy(`httpd_can_network_connect_cobbler',`
++ corenet_tcp_connect_cobbler_port(httpd_t)
++ ')
+ ')
+
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_nfs_dirs(httpd_t)
+- fs_manage_nfs_files(httpd_t)
+- fs_manage_nfs_symlinks(httpd_t)
++optional_policy(`
++ tunable_policy(`httpd_use_sasl',`
++ sasl_connect(httpd_t)
++ ')
+ ')
+
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_t)
++optional_policy(`
++ # Support for ABRT retrace server
++ # mod_wsgi
++ abrt_manage_spool_retrace(httpd_t)
++ abrt_domtrans_retrace_worker(httpd_t)
++ abrt_read_config(httpd_t)
+ ')
+
+ optional_policy(`
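Review bot: The comment block above the `httpd_tty_comm` tunable says the terminal permissions "are dontaudited here", but the new body only grants `userdom_use_inherited_user_terminals` for httpd_t and httpd_suexec_t and the old else-branch with `userdom_dontaudit_use_user_terminals(httpd_t)` is removed, so the comment no longer describes the code. Either restore an else-branch with the dontaudit or reword the comment to something like `# When the admin starts the server from a login session it may touch the inherited TTY/PTY; allow that only when httpd_tty_comm is set.` The `httpd_ssi_exec` block now also lets httpd_sys_script_t use httpd_t fds and read/write its fifo files; a one-line comment on why write access to the parent's fifo_file is needed (rather than read only) would help reviewers.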
+@@ -749,24 +898,32 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- clamav_domtrans_clamscan(httpd_t)
++ cron_system_entry(httpd_t, httpd_exec_t)
+ ')
+
+ optional_policy(`
+- cobbler_read_config(httpd_t)
+- cobbler_read_lib_files(httpd_t)
++ cvs_read_data(httpd_t)
+ ')
+
+ optional_policy(`
+- cron_system_entry(httpd_t, httpd_exec_t)
++ daemontools_service_domain(httpd_t, httpd_exec_t)
+ ')
+
+ optional_policy(`
+- cvs_read_data(httpd_t)
++ #needed by FreeIPA
++ dirsrv_stream_connect(httpd_t)
+ ')
+
+ optional_policy(`
+- daemontools_service_domain(httpd_t, httpd_exec_t)
++ dirsrv_manage_config(httpd_t)
++ dirsrv_manage_log(httpd_t)
++ dirsrv_manage_var_run(httpd_t)
++ dirsrv_read_share(httpd_t)
++ dirsrv_signal(httpd_t)
++ dirsrv_signull(httpd_t)
++ dirsrvadmin_manage_config(httpd_t)
++ dirsrvadmin_manage_tmp(httpd_t)
++ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
+ ')
+
+ optional_policy(`
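Review bot: `dirsrvadmin_domtrans_unconfined_script_t(httpd_t)` in the second dirsrv `optional_policy(` block gives httpd_t a domain transition into an unconfined script domain, alongside `dirsrv_manage_config`, `dirsrv_manage_log` and `dirsrv_manage_var_run` write access, with no tunable gating it — every system with the dirsrv modules loaded gets it whether or not the directory-server admin web application is in use. A transition out of confinement is normally placed behind a boolean, as this file already does for `httpd_manage_ipa` in a later hunk. Consider wrapping this block in a tunable, or at least adding a comment naming the feature that needs it; the first dirsrv block carries `#needed by FreeIPA` but the second carries no explanation, and splitting one module's rules into two adjacent blocks is itself unexplained.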
+@@ -775,6 +932,10 @@ optional_policy(`
+ tunable_policy(`httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
++
++ tunable_policy(`httpd_dbus_sssd',
++ sssd_dbus_chat(httpd_t)
++ ')
+ ')
+
+ optional_policy(`
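Review bot: The added `httpd_dbus_sssd` tunable_policy line is missing the opening m4 quote for its second argument — compare the `httpd_dbus_avahi` line just above, which ends with a comma followed by a backquote. Without it `sssd_dbus_chat(httpd_t)` is passed unquoted and the closing `')` on the next line is unbalanced, so the block will not build as intended. The line should end with a comma and a backquote exactly like the avahi one. The enclosing `optional_policy(` begins before this hunk.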
+@@ -786,35 +947,60 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- kerberos_manage_host_rcache(httpd_t)
+- kerberos_read_keytab(httpd_t)
+- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
+- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
+- kerberos_use(httpd_t)
++ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
++ gpg_domtrans_web(httpd_t)
++ ')
+ ')
+
+ optional_policy(`
+- ldap_stream_connect(httpd_t)
++ gssproxy_stream_connect(httpd_t)
++')
+
+- tunable_policy(`httpd_can_network_connect_ldap',`
+- ldap_tcp_connect(httpd_t)
+- ')
++optional_policy(`
++ ipa_search_lib(httpd_t)
++')
++
++optional_policy(`
++ mirrormanager_manage_pid_files(httpd_t)
++ mirrormanager_manage_pid_sock_files(httpd_t)
++ mirrormanager_read_lib_files(httpd_t)
++ mirrormanager_read_log(httpd_t)
++')
++
++optional_policy(`
++ jetty_admin(httpd_t)
++')
++
++optional_policy(`
++ kerberos_manage_host_rcache(httpd_t)
++ kerberos_read_keytab(httpd_t)
++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
++ kerberos_use(httpd_t)
++')
++
++optional_policy(`
++ # needed by FreeIPA
++ ldap_stream_connect(httpd_t)
++ ldap_read_certs(httpd_t)
+ ')
+
+ optional_policy(`
+ mailman_signal_cgi(httpd_t)
+ mailman_domtrans_cgi(httpd_t)
+ mailman_read_data_files(httpd_t)
++ # should have separate types for public and private archives
+ mailman_search_data(httpd_t)
+ mailman_read_archive(httpd_t)
+ ')
+
+ optional_policy(`
+- memcached_stream_connect(httpd_t)
++ mediawiki_read_tmp_files(httpd_t)
++ mediawiki_delete_tmp_files(httpd_t)
++')
+
+- tunable_policy(`httpd_can_network_connect_memcache',`
+- memcached_tcp_connect(httpd_t)
+- ')
++optional_policy(`
++ memcached_stream_connect(httpd_t)
+
+ tunable_policy(`httpd_manage_ipa',`
+ memcached_manage_pid_files(httpd_t)
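Review bot: The new `mirrormanager_*` `optional_policy(` block is inserted between the `ipa_search_lib` and `jetty_admin` blocks, breaking the alphabetical ordering of module blocks that the rest of this section keeps (gpg, gssproxy, ipa, jetty, kerberos, ldap, mailman, mediawiki, memcached). Move it after the mediawiki block and before memcached. The memcached `optional_policy(` opened at the end of this hunk continues into the next hunk, where its `httpd_manage_ipa` tunable body sits.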
+@@ -822,8 +1008,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ munin_read_config(httpd_t)
++')
++
++optional_policy(`
++ # Allow httpd to work with mysql
+ mysql_read_config(httpd_t)
+ mysql_stream_connect(httpd_t)
++ mysql_rw_db_sockets(httpd_t)
++
++ optional_policy(`
++ postgresql_stream_connect(httpd_t)
++ ')
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_t)
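Review bot: The nested `optional_policy(` carrying `postgresql_stream_connect(httpd_t)` inside the mysql block duplicates the standalone postgresql block added two hunks later, which grants the same `postgresql_stream_connect(httpd_t)` together with `postgresql_unpriv_client` and the `httpd_can_network_connect_db` tunable. The nested copy is redundant and makes a postgresql permission depend on the mysql module being loaded; drop it and keep the standalone block. The mysql `optional_policy(` opened in this hunk continues past its end.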
+@@ -832,6 +1028,7 @@ optional_policy(`
+
+ optional_policy(`
+ nagios_read_config(httpd_t)
++ nagios_read_log(httpd_t)
+ ')
+
+ optional_policy(`
+@@ -842,20 +1039,40 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ openshift_search_lib(httpd_t)
++ openshift_initrc_signull(httpd_t)
++ openshift_initrc_signal(httpd_t)
++')
++
++optional_policy(`
++ passenger_exec(httpd_t)
++ passenger_kill(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++')
++
++optional_policy(`
+ pcscd_read_pid_files(httpd_t)
+ ')
+
+ optional_policy(`
+- postgresql_stream_connect(httpd_t)
+- postgresql_unpriv_client(httpd_t)
++ pki_apache_domain_signal(httpd_t)
++ pki_manage_apache_config_files(httpd_t)
++ pki_manage_apache_lib(httpd_t)
++ pki_manage_apache_log_files(httpd_t)
++ pki_manage_apache_run(httpd_t)
++ pki_read_tomcat_cert(httpd_t)
++')
+
+- tunable_policy(`httpd_can_network_connect_db',`
+- postgresql_tcp_connect(httpd_t)
+- ')
++optional_policy(`
++ puppet_read_lib(httpd_t)
++')
++
++optional_policy(`
++ pwauth_domtrans(httpd_t)
+ ')
+
+ optional_policy(`
+- puppet_read_lib_files(httpd_t)
++ rpm_dontaudit_read_db(httpd_t)
+ ')
+
+ optional_policy(`
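Review bot: `pki_manage_apache_config_files(httpd_t)` in the new pki `optional_policy(` block gives the web server domain write access to its own configuration, reversing the read-only treatment of httpd_config_t earlier in this file (`read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)`); a compromised worker process could then persist changes to the server's configuration. If a PKI web component genuinely has to rewrite Apache configuration, state which one in a comment above the block and consider gating the `pki_manage_apache_*` calls behind a tunable rather than enabling them whenever the pki module is present. The `pki_manage_apache_log_files` and `pki_manage_apache_run` grants deserve the same justification.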
+@@ -863,19 +1080,35 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Allow httpd to work with postgresql
++ postgresql_stream_connect(httpd_t)
++ postgresql_unpriv_client(httpd_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_t)
++ ')
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(httpd_t)
+ ')
+
+ optional_policy(`
+ smokeping_read_lib_files(httpd_t)
++ smokeping_read_pid_files(httpd_t)
+ ')
+
+ optional_policy(`
++ files_dontaudit_rw_usr_dirs(httpd_t)
+ snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+ snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+ ')
+
+ optional_policy(`
++ thin_stream_connect(httpd_t)
++')
++
++optional_policy(`
+ udev_read_db(httpd_t)
+ ')
+
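Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is placed inside the snmp `optional_policy(` block, so this base `files_` dontaudit only takes effect when the snmp module is loaded, and nothing in the block indicates it is snmp-specific. If it is general noise suppression it belongs in the unconditional httpd_t section next to the other `files_dontaudit_*` calls; if it really is snmp-related, a comment such as `# snmp: suppress rw attempts on /usr dirs` should say so. The standalone postgresql block added here also duplicates the nested `postgresql_stream_connect(httpd_t)` introduced in the mysql block in an earlier hunk; this standalone block is the one to keep.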
+@@ -883,65 +1116,189 @@ optional_policy(`
+ yam_read_content(httpd_t)
+ ')
+
++optional_policy(`
++ zarafa_manage_lib_files(httpd_t)
++ zarafa_stream_connect_server(httpd_t)
++ zarafa_search_config(httpd_t)
++')
++
++optional_policy(`
++ zoneminder_append_log(httpd_t)
++ zoneminder_manage_lib_dirs(httpd_t)
++ zoneminder_manage_lib_files(httpd_t)
++ zoneminder_stream_connect(httpd_t)
++ zoneminder_exec(httpd_t)
++')
++
+ ########################################
+ #
+-# Helper local policy
++# Apache helper local policy
+ #
+
+-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
++domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+
+-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
++allow httpd_helper_t httpd_config_t:file read_file_perms;
+
+-files_search_etc(httpd_helper_t)
++allow httpd_helper_t httpd_log_t:file append_file_perms;
+
+-logging_search_logs(httpd_helper_t)
+ logging_send_syslog_msg(httpd_helper_t)
+
++tunable_policy(`httpd_verify_dns',`
++ corenet_udp_bind_all_ephemeral_ports(httpd_t)
++')
++
++tunable_policy(`httpd_run_stickshift', `
++ allow httpd_t self:capability { fowner fsetid sys_resource };
++ dontaudit httpd_t self:capability sys_ptrace;
++ allow httpd_t self:process setexec;
++
++ files_dontaudit_getattr_all_files(httpd_t)
++ domain_getpgid_all_domains(httpd_t)
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_stickshift', `
++ passenger_manage_lib_files(httpd_t)
++ passenger_getattr_log_files(httpd_t)
++ ',`
++ passenger_domtrans(httpd_t)
++ passenger_read_lib_files(httpd_t)
++ passenger_stream_connect(httpd_t)
++ passenger_manage_tmp_files(httpd_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_stickshift', `
++ oddjob_dbus_chat(httpd_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_preupgrade', `
++ anaconda_manage_lib_files_preupgrade(httpd_t)
++ anaconda_domtrans_preupgrade(httpd_t)
++ ',`
++ anaconda_read_lib_files_preupgrade(httpd_t)
++ anaconda_exec_preupgrade(httpd_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_preupgrade', `
++ corenet_tcp_bind_preupgrade_port(httpd_t)
++ ')
++')
++
+ tunable_policy(`httpd_tty_comm',`
+- userdom_use_user_terminals(httpd_helper_t)
+-',`
+- userdom_dontaudit_use_user_terminals(httpd_helper_t)
++ userdom_use_inherited_user_terminals(httpd_helper_t)
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
++# Apache PHP script local policy
++#
++
++allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow httpd_php_t self:fd use;
++allow httpd_php_t self:fifo_file rw_fifo_file_perms;
++allow httpd_php_t self:sock_file read_sock_file_perms;
++allow httpd_php_t self:unix_dgram_socket create_socket_perms;
++allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
++allow httpd_php_t self:unix_dgram_socket sendto;
++allow httpd_php_t self:unix_stream_socket connectto;
++allow httpd_php_t self:shm create_shm_perms;
++allow httpd_php_t self:sem create_sem_perms;
++allow httpd_php_t self:msgq create_msgq_perms;
++allow httpd_php_t self:msg { send receive };
++
++domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
++
++# allow php to read and append to apache logfiles
++allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
++
++manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
++manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
++files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
++
++fs_search_auto_mountpoints(httpd_php_t)
++
++auth_use_nsswitch(httpd_php_t)
++
++libs_exec_lib_files(httpd_php_t)
++
++userdom_use_unpriv_users_fds(httpd_php_t)
++
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_gds_db_port(httpd_php_t)
++ corenet_tcp_connect_mssql_port(httpd_php_t)
++ corenet_sendrecv_mssql_client_packets(httpd_php_t)
++ corenet_tcp_connect_oracle_port(httpd_php_t)
++ corenet_sendrecv_oracle_client_packets(httpd_php_t)
++')
++
++optional_policy(`
++ mysql_stream_connect(httpd_php_t)
++ mysql_rw_db_sockets(httpd_php_t)
++ mysql_read_config(httpd_php_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_php_t)
++ ')
++')
++
++optional_policy(`
++ postgresql_stream_connect(httpd_php_t)
++ postgresql_unpriv_client(httpd_php_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_php_t)
++ ')
++')
++
++########################################
++#
++# Apache suexec local policy
+ #
+
+ allow httpd_suexec_t self:capability { setuid setgid };
+ allow httpd_suexec_t self:process signal_perms;
+ allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
+-allow httpd_suexec_t self:tcp_socket { accept listen };
+-allow httpd_suexec_t self:unix_stream_socket { accept listen };
++allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
++
++domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+
+ create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
++
++allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
+
+ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
++can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
++
++read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
++read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
++read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
++
+ kernel_read_kernel_sysctls(httpd_suexec_t)
+ kernel_list_proc(httpd_suexec_t)
+ kernel_read_proc_symlinks(httpd_suexec_t)
+
+-corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+-corenet_all_recvfrom_netlabel(httpd_suexec_t)
+-corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+-corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+-
+-corecmd_exec_bin(httpd_suexec_t)
+-corecmd_exec_shell(httpd_suexec_t)
+-
+ dev_read_urand(httpd_suexec_t)
+
+ fs_read_iso9660_files(httpd_suexec_t)
+ fs_search_auto_mountpoints(httpd_suexec_t)
+
+-files_read_usr_files(httpd_suexec_t)
++application_exec_all(httpd_suexec_t)
++
++# for shell scripts
++corecmd_exec_bin(httpd_suexec_t)
++corecmd_exec_shell(httpd_suexec_t)
++
+ files_dontaudit_search_pids(httpd_suexec_t)
+ files_search_home(httpd_suexec_t)
+
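Review bot: The `httpd_verify_dns`, `httpd_run_stickshift` and `httpd_run_preupgrade` tunables and the passenger/oddjob/anaconda optional blocks that follow `logging_send_syslog_msg(httpd_helper_t)` all grant to httpd_t, yet they sit under the `# Apache helper local policy` header between the helper's rules and its `httpd_tty_comm` tunable. Move them up into the httpd_t section before the helper header so a reader scanning by section finds every httpd_t grant in one place. `httpd_run_stickshift` also hands httpd_t `setexec`, the `fowner fsetid sys_resource` capabilities and `domain_getpgid_all_domains`; a comment naming what in that deployment needs each of these would help later audits. In the PHP section, `allow httpd_php_t self:unix_dgram_socket sendto;` and `allow httpd_php_t self:unix_stream_socket connectto;` could be folded into the preceding create_*_perms rules as is done for httpd_t at the start of this diff.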
+@@ -950,123 +1307,74 @@ auth_use_nsswitch(httpd_suexec_t)
+ logging_search_logs(httpd_suexec_t)
+ logging_send_syslog_msg(httpd_suexec_t)
+
+-miscfiles_read_localization(httpd_suexec_t)
+ miscfiles_read_public_files(httpd_suexec_t)
+
+-tunable_policy(`httpd_builtin_scripting',`
+- exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
+-
+- allow httpd_suexec_t httpdcontent:dir list_dir_perms;
+- allow httpd_suexec_t httpdcontent:file read_file_perms;
+- allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
+-')
++corenet_all_recvfrom_netlabel(httpd_suexec_t)
+
+ tunable_policy(`httpd_can_network_connect',`
++ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
++ allow httpd_suexec_t self:udp_socket create_socket_perms;
++
++ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
++ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
++ corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
++ corenet_udp_sendrecv_generic_node(httpd_suexec_t)
++ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
++ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_tcp_connect_all_ports(httpd_suexec_t)
+ corenet_sendrecv_all_client_packets(httpd_suexec_t)
+- corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+ ')
+
+ tunable_policy(`httpd_can_network_connect_db',`
+- corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_gds_db_port(httpd_suexec_t)
+- corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
+- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+- corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
+- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
+- corenet_tcp_connect_oracledb_port(httpd_suexec_t)
+- corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
++ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++ corenet_tcp_connect_oracle_port(httpd_suexec_t)
++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
+ ')
+
++domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
++
+ tunable_policy(`httpd_can_sendmail',`
+- corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
+- corenet_tcp_connect_smtp_port(httpd_suexec_t)
+- corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
+- corenet_sendrecv_pop_client_packets(httpd_suexec_t)
+- corenet_tcp_connect_pop_port(httpd_suexec_t)
+- corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
+ mta_send_mail(httpd_suexec_t)
+- mta_signal_system_mail(httpd_suexec_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
++ allow httpd_sys_script_t httpdcontent:file entrypoint;
+ domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+- fs_list_auto_mountpoints(httpd_suexec_t)
+- fs_read_cifs_files(httpd_suexec_t)
+- fs_read_cifs_symlinks(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
+- fs_exec_cifs_files(httpd_suexec_t)
++ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+- fs_list_auto_mountpoints(httpd_suexec_t)
++ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_read_nfs_files(httpd_suexec_t)
+ fs_read_nfs_symlinks(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
+ fs_exec_nfs_files(httpd_suexec_t)
+ ')
+
+-tunable_policy(`httpd_execmem',`
+- allow httpd_suexec_t self:process { execmem execstack };
+-')
+-
+-tunable_policy(`httpd_tmp_exec',`
+- can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
+-')
+-
+-tunable_policy(`httpd_tty_comm',`
+- userdom_use_user_terminals(httpd_suexec_t)
+-',`
+- userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_use_cifs',`
+- fs_list_auto_mountpoints(httpd_suexec_t)
+- fs_manage_cifs_dirs(httpd_suexec_t)
+- fs_manage_cifs_files(httpd_suexec_t)
+- fs_manage_cifs_symlinks(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
++ fs_read_cifs_files(httpd_suexec_t)
++ fs_read_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+ ')
+
+-tunable_policy(`httpd_use_fusefs',`
+- fs_list_auto_mountpoints(httpd_suexec_t)
+- fs_manage_fusefs_dirs(httpd_suexec_t)
+- fs_manage_fusefs_files(httpd_suexec_t)
+- fs_read_fusefs_symlinks(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_suexec_t)
+- fs_manage_nfs_dirs(httpd_suexec_t)
+- fs_manage_nfs_files(httpd_suexec_t)
+- fs_manage_nfs_symlinks(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_suexec_t)
++optional_policy(`
++ mailman_domtrans_cgi(httpd_suexec_t)
+ ')
+
+ optional_policy(`
+- mailman_domtrans_cgi(httpd_suexec_t)
++ mta_stub(httpd_suexec_t)
++
++ # apache should set close-on-exec
++ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+ ')
+
+ optional_policy(`
+ mysql_stream_connect(httpd_suexec_t)
++ mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+@@ -1083,172 +1391,106 @@ optional_policy(`
+ ')
+ ')
+
+-tunable_policy(`httpd_read_user_content',`
+- userdom_read_user_home_content_files(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_suexec_t)
+-')
+-
+ ########################################
+ #
+-# Common script local policy
++# Apache system script local policy
+ #
+
+-allow httpd_script_domains self:fifo_file rw_file_perms;
+-allow httpd_script_domains self:unix_stream_socket connectto;
++allow httpd_sys_script_t self:process getsched;
+
+-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
+-
+-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-
+-kernel_dontaudit_search_sysctl(httpd_script_domains)
+-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
+-
+-corenet_all_recvfrom_unlabeled(httpd_script_domains)
+-corenet_all_recvfrom_netlabel(httpd_script_domains)
+-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
+-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
++allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
++allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+
+-corecmd_exec_all_executables(httpd_script_domains)
++dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
+-dev_read_rand(httpd_script_domains)
+-dev_read_urand(httpd_script_domains)
++allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
+
+-files_exec_etc_files(httpd_script_domains)
+-files_read_etc_files(httpd_script_domains)
+-files_search_home(httpd_script_domains)
++allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
++read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
++read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+
+-libs_exec_ld_so(httpd_script_domains)
+-libs_exec_lib_files(httpd_script_domains)
++kernel_read_kernel_sysctls(httpd_sys_script_t)
+
+-logging_search_logs(httpd_script_domains)
++dev_list_sysfs(httpd_sys_script_t)
+
+-miscfiles_read_fonts(httpd_script_domains)
+-miscfiles_read_public_files(httpd_script_domains)
++files_read_var_symlinks(httpd_sys_script_t)
++files_search_var_lib(httpd_sys_script_t)
++files_search_spool(httpd_sys_script_t)
+
+-seutil_dontaudit_search_config(httpd_script_domains)
++logging_inherit_append_all_logs(httpd_sys_script_t)
+
+-tunable_policy(`httpd_enable_cgi && httpd_unified',`
+- allow httpd_script_domains httpdcontent:file entrypoint;
++# Should we add a boolean?
++apache_domtrans_rotatelogs(httpd_sys_script_t)
+
+- manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+- manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+- manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
++auth_use_nsswitch(httpd_sys_script_t)
+
+- can_exec(httpd_script_domains, httpdcontent)
++ifdef(`distro_redhat',`
++ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
+ ')
+
+-tunable_policy(`httpd_enable_cgi',`
+- allow httpd_script_domains self:process { setsched signal_perms };
+- allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
+-
+- kernel_read_system_state(httpd_script_domains)
+-
+- fs_getattr_all_fs(httpd_script_domains)
+-
+- files_read_etc_runtime_files(httpd_script_domains)
+- files_read_usr_files(httpd_script_domains)
+-
+- libs_read_lib_files(httpd_script_domains)
+-
+- miscfiles_read_localization(httpd_script_domains)
++tunable_policy(`httpd_can_sendmail',`
++ mta_send_mail(httpd_sys_script_t)
+ ')
+
+ optional_policy(`
+- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+- nis_use_ypbind_uncond(httpd_script_domains)
++ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
++ spamassassin_domtrans_client(httpd_t)
+ ')
+ ')
+
+-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+- corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
+- corenet_tcp_connect_gds_db_port(httpd_script_domains)
+- corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
+- corenet_sendrecv_mssql_client_packets(httpd_script_domains)
+- corenet_tcp_connect_mssql_port(httpd_script_domains)
+- corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
+- corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
+- corenet_tcp_connect_oracledb_port(httpd_script_domains)
+- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
+-')
+-
+-optional_policy(`
+- mysql_read_config(httpd_script_domains)
+- mysql_stream_connect(httpd_script_domains)
+-
+- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+- mysql_tcp_connect(httpd_script_domains)
+- ')
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
++ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
++ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
++ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
+ ')
+
+-optional_policy(`
+- postgresql_stream_connect(httpd_script_domains)
++fs_cifs_entry_type(httpd_sys_script_t)
++fs_read_iso9660_files(httpd_sys_script_t)
++fs_nfs_entry_type(httpd_sys_script_t)
++fs_rw_anon_inodefs_files(httpd_sys_script_t)
+
+- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+- postgresql_tcp_connect(httpd_script_domains)
+- ')
+-')
++tunable_policy(`httpd_use_nfs',`
++ fs_list_auto_mountpoints(httpd_sys_script_t)
++ fs_manage_nfs_dirs(httpd_sys_script_t)
++ fs_manage_nfs_files(httpd_sys_script_t)
++ fs_manage_nfs_symlinks(httpd_sys_script_t)
++ fs_exec_nfs_files(httpd_sys_script_t)
+
+-optional_policy(`
+- nscd_use(httpd_script_domains)
++ fs_list_auto_mountpoints(httpd_suexec_t)
++ fs_manage_nfs_dirs(httpd_suexec_t)
++ fs_manage_nfs_files(httpd_suexec_t)
++ fs_manage_nfs_symlinks(httpd_suexec_t)
++ fs_exec_nfs_files(httpd_suexec_t)
+ ')
+
+-########################################
+-#
+-# System script local policy
+-#
+-
+-allow httpd_sys_script_t self:tcp_socket { accept listen };
+-
+-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+-
+-dontaudit httpd_sys_script_t httpd_config_t:dir search;
+-
+-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
+-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
+-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
+-
+-kernel_read_kernel_sysctls(httpd_sys_script_t)
+-
+-fs_search_auto_mountpoints(httpd_sys_script_t)
+-
+-files_read_var_symlinks(httpd_sys_script_t)
+-files_search_var_lib(httpd_sys_script_t)
+-files_search_spool(httpd_sys_script_t)
+-
+-apache_domtrans_rotatelogs(httpd_sys_script_t)
+-
+-auth_use_nsswitch(httpd_sys_script_t)
+-
+-tunable_policy(`httpd_can_sendmail',`
+- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
+- corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
+- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_pop_port(httpd_sys_script_t)
+- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
+-
+- mta_send_mail(httpd_sys_script_t)
+- mta_signal_system_mail(httpd_sys_script_t)
++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
++ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
++ allow httpd_sys_script_t self:udp_socket create_socket_perms;
++
++ corenet_tcp_bind_generic_node(httpd_sys_script_t)
++ corenet_udp_bind_generic_node(httpd_sys_script_t)
++ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
++ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
++ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
++ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
++ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
++ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
++ corenet_tcp_connect_all_ports(httpd_sys_script_t)
++ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_sys_script_t)
+ ')
+
+-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+- corenet_tcp_connect_all_ports(httpd_sys_script_t)
+- corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+-')
+-
+-tunable_policy(`httpd_execmem',`
+- allow httpd_sys_script_t self:process { execmem execstack };
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(httpd_sys_script_t)
++ fs_read_nfs_files(httpd_sys_script_t)
++ fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_read_user_content',`
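Review bot: The `httpd_enable_cgi && httpd_can_network_connect` block grants `corenet_tcp_bind_generic_node`, `corenet_udp_bind_generic_node` and `create_stream_socket_perms` (which in refpolicy includes `listen` and `accept`) to httpd_sys_script_t, so a boolean whose name promises outbound connects also lets CGI scripts open listening server sockets. If that is intended, move the two bind lines and the socket-class rules under a dedicated server tunable, or at least record the widened meaning above the block, e.g. `# NOTE: also permits scripts to bind/listen/accept, not only connect out`. Separately, `spamassassin_domtrans_client(httpd_t)` sits in the system-script section but targets httpd_t; if the placement is deliberate a one-line comment would stop the next reader from "fixing" it. The `tunable_policy(`httpd_read_user_content',` block at the end starts here and continues outside the hunk.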
+@@ -1256,64 +1498,74 @@ tunable_policy(`httpd_read_user_content',`
+ ')
+
+ tunable_policy(`httpd_use_cifs',`
+- fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+-')
+-
+-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+- fs_exec_cifs_files(httpd_sys_script_t)
++ fs_manage_cifs_dirs(httpd_suexec_t)
++ fs_manage_cifs_files(httpd_suexec_t)
++ fs_manage_cifs_symlinks(httpd_suexec_t)
++ fs_exec_cifs_files(httpd_suexec_t)
+ ')
+
+ tunable_policy(`httpd_use_fusefs',`
+- fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_fusefs_dirs(httpd_sys_script_t)
+ fs_manage_fusefs_files(httpd_sys_script_t)
+- fs_read_fusefs_symlinks(httpd_sys_script_t)
++ fs_manage_fusefs_symlinks(httpd_sys_script_t)
++ fs_manage_fusefs_dirs(httpd_suexec_t)
++ fs_manage_fusefs_files(httpd_suexec_t)
++ fs_manage_fusefs_symlinks(httpd_suexec_t)
++ fs_exec_fusefs_files(httpd_suexec_t)
+ ')
+
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_sys_script_t)
++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
++ fs_read_cifs_files(httpd_sys_script_t)
++ fs_read_cifs_symlinks(httpd_sys_script_t)
+ ')
+
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_sys_script_t)
+- fs_manage_nfs_dirs(httpd_sys_script_t)
+- fs_manage_nfs_files(httpd_sys_script_t)
+- fs_manage_nfs_symlinks(httpd_sys_script_t)
++optional_policy(`
++ clamav_domtrans_clamscan(httpd_sys_script_t)
++ clamav_domtrans_clamscan(httpd_t)
+ ')
+
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_sys_script_t)
++optional_policy(`
++ mysql_stream_connect(httpd_sys_script_t)
++ mysql_rw_db_sockets(httpd_sys_script_t)
++ mysql_read_config(httpd_sys_script_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_sys_script_t)
++ ')
+ ')
+
+ optional_policy(`
+- clamav_domtrans_clamscan(httpd_sys_script_t)
++ postgresql_stream_connect(httpd_sys_script_t)
++ postgresql_unpriv_client(httpd_sys_script_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_sys_script_t)
++ ')
+ ')
+
+ optional_policy(`
+- postgresql_unpriv_client(httpd_sys_script_t)
++ snmp_read_snmp_var_lib_files(httpd_sys_script_t)
+ ')
+
+ ########################################
+ #
+-# Rotatelogs local policy
++# httpd_rotatelogs local policy
+ #
+
+ allow httpd_rotatelogs_t self:capability dac_override;
+
+ manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+
+ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+ kernel_dontaudit_list_proc(httpd_rotatelogs_t)
++kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
+
+-files_read_etc_files(httpd_rotatelogs_t)
+
+ logging_search_logs(httpd_rotatelogs_t)
+
+-miscfiles_read_localization(httpd_rotatelogs_t)
+
+ ########################################
+ #
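Review bot: `httpd_use_cifs` and `httpd_use_fusefs` now grant `fs_exec_cifs_files(httpd_suexec_t)` and `fs_exec_fusefs_files(httpd_suexec_t)` directly, whereas the removed rules required `httpd_builtin_scripting` in addition, so turning on a "use network filesystem" boolean now also permits executing content from those mounts. If that coupling is intended, say so above each block, e.g. `# exec from CIFS/FUSE mounts is granted with the use_* boolean alone (no httpd_builtin_scripting gate)`; otherwise keep the exec lines under `&& httpd_builtin_scripting`. These httpd_suexec_t rules also live in the "Apache system script local policy" section; keeping them with the other suexec rules would make a per-domain audit of the policy easier.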
+@@ -1321,8 +1573,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+ #
+
+ optional_policy(`
+- apache_content_template(unconfined)
++ type httpd_unconfined_script_t;
++ type httpd_unconfined_script_exec_t;
++ domain_type(httpd_unconfined_script_t)
++ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
++ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
++
++ role system_r types httpd_unconfined_script_t;
++ allow httpd_t httpd_unconfined_script_t:process signal_perms;
+ ')
+
+ ########################################
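Review bot: The hand-rolled replacement for `apache_content_template(unconfined)` declares the types and the domtrans inline but leaves no comment on why the template was dropped or what the inline version deliberately omits — the domain is not given the `httpd_script_type`/`httpd_script_exec_type` attributes that the other script domains rely on, and whether httpd_unconfined_script_exec_t is labeled in the .fc file is not visible here. A comment such as `# Declared by hand rather than via apache_content_template so the domain stays outside httpd_script_type; exec type must be labeled in apache.fc` would record the intent for the next maintainer.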
+@@ -1330,49 +1589,38 @@ optional_policy(`
+ # User content local policy
+ #
+
+-tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_user_script_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+- fs_list_auto_mountpoints(httpd_user_script_t)
+- fs_read_cifs_files(httpd_user_script_t)
+- fs_read_cifs_symlinks(httpd_user_script_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
+- fs_exec_cifs_files(httpd_user_script_t)
+-')
++auth_use_nsswitch(httpd_user_script_t)
+
+-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+- fs_list_auto_mountpoints(httpd_user_script_t)
+- fs_read_nfs_files(httpd_user_script_t)
+- fs_read_nfs_symlinks(httpd_user_script_t)
++tunable_policy(`httpd_enable_cgi && httpd_unified',`
++ allow httpd_user_script_t httpdcontent:file entrypoint;
++ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
++ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
++ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ ')
+
+-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_user_script_t)
++# allow accessing files/dirs below the users home dir
++tunable_policy(`httpd_enable_homedirs',`
++ userdom_search_user_home_content(httpd_t)
++ userdom_search_user_home_content(httpd_suexec_t)
++ userdom_search_user_home_content(httpd_user_script_t)
+ ')
+
+ tunable_policy(`httpd_read_user_content',`
++ userdom_read_user_home_content_files(httpd_t)
++ userdom_read_user_home_content_files(httpd_suexec_t)
+ userdom_read_user_home_content_files(httpd_user_script_t)
+ ')
+
+-optional_policy(`
+- postgresql_unpriv_client(httpd_user_script_t)
+-')
+-
+ ########################################
+ #
+-# Passwd local policy
++# httpd_passwd local policy
+ #
+
+ allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
+ allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
+ allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
+
+-dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
+-
+ kernel_read_system_state(httpd_passwd_t)
+
+ corecmd_exec_bin(httpd_passwd_t)
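Review bot: Under `httpd_enable_cgi && httpd_unified`, httpd_user_script_t receives `manage_dirs_pattern`/`manage_files_pattern` on httpd_user_ra_content_t, a type whose name suggests read/append content; full manage (write, unlink, rename) on it removes the distinction the type presumably exists for. If unified mode is meant to collapse rw and ra content, note it above the block, e.g. `# httpd_unified collapses rw/ra content: full manage on both types`; otherwise limit the ra type to read and append patterns. The httpd_passwd section that starts at the bottom of this hunk continues past it.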
+@@ -1382,38 +1630,101 @@ dev_read_urand(httpd_passwd_t)
+
+ domain_use_interactive_fds(httpd_passwd_t)
+
++
+ auth_use_nsswitch(httpd_passwd_t)
+
+-miscfiles_read_generic_certs(httpd_passwd_t)
+-miscfiles_read_localization(httpd_passwd_t)
++miscfiles_read_certs(httpd_passwd_t)
+
+-########################################
+-#
+-# GPG local policy
+-#
++systemd_manage_passwd_run(httpd_passwd_t)
++systemd_manage_passwd_run(httpd_t)
++#systemd_passwd_agent_dev_template(httpd)
++
++domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
++dontaudit httpd_passwd_t httpd_config_t:file read;
++
++search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
++corecmd_shell_entry_type(httpd_script_type)
++
++allow httpd_script_type self:fifo_file rw_file_perms;
++allow httpd_script_type self:unix_stream_socket connectto;
++
++allow httpd_script_type httpd_t:fifo_file write;
++# apache should set close-on-exec
++apache_dontaudit_leaks(httpd_script_type)
++
++append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
++logging_search_logs(httpd_script_type)
++
++kernel_dontaudit_search_sysctl(httpd_script_type)
++kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
++
++dev_read_rand(httpd_script_type)
++dev_read_urand(httpd_script_type)
++
++corecmd_exec_all_executables(httpd_script_type)
++application_exec_all(httpd_script_type)
++
++files_exec_etc_files(httpd_script_type)
++files_search_home(httpd_script_type)
++
++libs_exec_ld_so(httpd_script_type)
++libs_exec_lib_files(httpd_script_type)
++
++miscfiles_read_fonts(httpd_script_type)
++miscfiles_read_public_files(httpd_script_type)
+
+-allow httpd_gpg_t self:process setrlimit;
++allow httpd_t httpd_script_type:unix_stream_socket connectto;
+
+-allow httpd_gpg_t httpd_t:fd use;
+-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+-allow httpd_gpg_t httpd_t:process sigchld;
++allow httpd_t httpd_script_exec_type:file read_file_perms;
++allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
++allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
++allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+
+-dev_read_rand(httpd_gpg_t)
+-dev_read_urand(httpd_gpg_t)
++allow httpd_script_type self:process { setsched signal_perms };
++allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
++allow httpd_script_type self:unix_dgram_socket create_socket_perms;
++allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
+
+-files_read_usr_files(httpd_gpg_t)
++allow httpd_script_type httpd_t:fd use;
++allow httpd_script_type httpd_t:process sigchld;
+
+-miscfiles_read_localization(httpd_gpg_t)
++dontaudit httpd_script_type httpd_t:tcp_socket { read write };
++dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
+
+-tunable_policy(`httpd_gpg_anon_write',`
+- miscfiles_manage_public_files(httpd_gpg_t)
++fs_getattr_xattr_fs(httpd_script_type)
++
++files_read_etc_runtime_files(httpd_script_type)
++
++libs_read_lib_files(httpd_script_type)
++
++allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
++
++tunable_policy(`httpd_enable_cgi && nis_enabled',`
++ nis_use_ypbind_uncond(httpd_script_type)
+ ')
+
+ optional_policy(`
+- apache_manage_sys_rw_content(httpd_gpg_t)
++ nscd_socket_use(httpd_script_type)
+ ')
+
+-optional_policy(`
+- gpg_entry_type(httpd_gpg_t)
+- gpg_exec(httpd_gpg_t)
++read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++
++tunable_policy(`httpd_builtin_scripting',`
++ allow httpd_t httpd_content_type:dir search_dir_perms;
++ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
++
++ allow httpd_t httpd_content_type:dir list_dir_perms;
++ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++')
++
++tunable_policy(`httpd_use_openstack',`
++ corenet_tcp_connect_keystone_port(httpd_sys_script_t)
++ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
++ corenet_tcp_connect_glance_port(httpd_sys_script_t)
++ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
++')
++
++tunable_policy(`httpd_use_openstack',`
++ corenet_tcp_connect_osapi_compute_port(httpd_t)
+ ')
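Review bot: `read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)` is granted unconditionally just above the `httpd_builtin_scripting` block and again inside it, so the tunable no longer gates httpd_t reading script content; keep one of the two, and note that `search_dir_perms` inside the block is already implied by the `list_dir_perms` rule two lines later. The two `tunable_policy(`httpd_use_openstack',` blocks at the end of the hunk have the same condition and should be merged into one. `#systemd_passwd_agent_dev_template(httpd)` is commented-out code: either drop it or replace it with a comment stating why the template is not applied, and `systemd_manage_passwd_run(httpd_t)` reads as misplaced under the httpd_passwd heading.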
+diff --git a/apcupsd.fc b/apcupsd.fc
+index 5ec0e13..97c204f 100644
+--- a/apcupsd.fc
++++ b/apcupsd.fc
+@@ -1,18 +1,23 @@
++/etc/apcupsd/powerfail -- gen_context(system_u:object_r:apcupsd_power_t,s0)
++
+ /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
++
+ /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+ /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+ /var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
++/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
+
+ /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+ /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+
+ /var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+-/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
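Review bot: `/var/lock/LCK..` is a regex whose unescaped dots match any two characters, while the companion `files_lock_filetrans(..., "LCK..")` in apcupsd.if names the literal file `LCK..`; the two only agree if the pattern is `/var/lock/LCK\.\.` (or `/var/lock/LCK\.\..*` if the real file carries a suffix, which is not visible here). The rest of this file escapes literal dots (`apcupsd\.events.*`), so the new `apcupsd.*` unit pattern should follow the same convention unless the wildcard is intended, in which case a trailing comment saying so avoids a future "fix".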
+diff --git a/apcupsd.if b/apcupsd.if
+index f3c0aba..f6e25ed 100644
+--- a/apcupsd.if
++++ b/apcupsd.if
+@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
+ ########################################
+ ##
+ ## Execute a domain transition to
+-## run httpd_apcupsd_cgi_script.
++## run apcupsd_cgi_script.
+ ##
+ ##
+ ##
+@@ -112,11 +112,11 @@ interface(`apcupsd_append_log',`
+ #
+ interface(`apcupsd_cgi_script_domtrans',`
+ gen_require(`
+- type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
++ type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
+ ')
+
+ files_search_var($1)
+- domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
++ domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
+
+ optional_policy(`
+ apache_search_sys_content($1)
+@@ -125,6 +125,50 @@ interface(`apcupsd_cgi_script_domtrans',`
+
+ ########################################
+ ##
++## Execute apcupsd server in the apcupsd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`apcupsd_systemctl',`
++ gen_require(`
++ type apcupsd_t;
++ type apcupsd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 apcupsd_unit_file_t:file read_file_perms;
++ allow $1 apcupsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, apcupsd_t)
++')
++
++########################################
++##
++## Create configuration files in /var/lock
++## with a named file type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apcupsd_filetrans_named_content',`
++ gen_require(`
++ type apcupsd_lock_t;
++ ')
++
++ files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
++ files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an apcupsd environment.
+ ##
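Review bot: The header comment of `apcupsd_systemctl` ("Execute apcupsd server in the apcupsd domain", parameter "Domain allowed to transition") does not describe what the interface grants — systemctl execution, service reload, and read/manage of apcupsd_unit_file_t, with no domain transition. Reword it to `## Execute systemctl to manage the apcupsd service (read the unit file, manage the service).` and the parameter to `## Domain allowed access.`; the new `apmd_systemctl` in apm.if carries the same copy-pasted text and needs the same fix. Likewise `apcupsd_filetrans_named_content` says "Create configuration files in /var/lock" while it transitions lock files, so `## Create lock files in /var/lock with a named file type transition.` is the accurate description.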
+@@ -144,11 +188,17 @@ interface(`apcupsd_admin',`
+ gen_require(`
+ type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
+ type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
++ type apcupsd_unit_file_t;
++ type apcupsd_power_t;
+ ')
+
+- allow $1 apcupsd_t:process { ptrace signal_perms };
++ allow $1 apcupsd_t:process signal_perms;
+ ps_process_pattern($1, apcupsd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 apcupsd_t:process ptrace;
++ ')
++
+ apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 apcupsd_initrc_exec_t system_r;
+@@ -165,4 +215,11 @@ interface(`apcupsd_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, apcupsd_var_run_t)
++
++ apcupsd_systemctl($1)
++ admin_pattern($1, apcupsd_unit_file_t)
++ allow $1 apcupsd_unit_file_t:service all_service_perms;
++
++ manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
++ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
+ ')
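Review bot: `files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")` inside `apcupsd_admin` uses apcupsd_t as the subject instead of `$1`, so the admin domain that was just given `manage_files_pattern` on apcupsd_power_t gets no named transition for the file it is expected to create, and the rule merely duplicates the one apcupsd.te already carries. Change it to `files_etc_filetrans($1, apcupsd_power_t, file, "powerfail")`. `allow $1 apcupsd_unit_file_t:service all_service_perms;` also subsumes the `manage_service_perms` that `apcupsd_systemctl($1)` granted on the line above; harmless, but a comment would clarify that the superset is intentional for admins.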
+diff --git a/apcupsd.te b/apcupsd.te
+index 080bc4d..de60b99 100644
+--- a/apcupsd.te
++++ b/apcupsd.te
+@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
+ type apcupsd_var_run_t;
+ files_pid_file(apcupsd_var_run_t)
+
++type apcupsd_power_t;
++files_type(apcupsd_power_t)
++
++type apcupsd_unit_file_t;
++systemd_unit_file(apcupsd_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+ allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
+ files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
+
+-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
++manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t)
++files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
++
++manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+ logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
+
+ manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
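Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` with `manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)` adds write, unlink and rename on the daemon's own logs, which gives up the append-only property the narrower rules preserved for the event/status history. If apcupsd genuinely rewrites or truncates a log in place, keep manage but say why, e.g. `# apcupsd rewrites its status log in place, so append-only is not enough — TODO confirm`; otherwise restore the three narrower rules.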
+@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t)
+ corecmd_exec_bin(apcupsd_t)
+ corecmd_exec_shell(apcupsd_t)
+
+-corenet_all_recvfrom_unlabeled(apcupsd_t)
+ corenet_all_recvfrom_netlabel(apcupsd_t)
+ corenet_tcp_sendrecv_generic_if(apcupsd_t)
+ corenet_tcp_sendrecv_generic_node(apcupsd_t)
+@@ -67,26 +73,35 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
+ corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+ corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
+ corenet_tcp_connect_apcupsd_port(apcupsd_t)
++corenet_udp_bind_apc_port(apcupsd_t)
++corenet_udp_bind_snmp_port(apcupsd_t)
+
+ corenet_udp_bind_snmp_port(apcupsd_t)
+ corenet_sendrecv_snmp_server_packets(apcupsd_t)
+ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+
++fs_getattr_xattr_fs(apcupsd_t)
++
+ dev_rw_generic_usb_dev(apcupsd_t)
+
+-files_read_etc_files(apcupsd_t)
++domain_signull_all_domains(apcupsd_t)
++
+ files_manage_etc_runtime_files(apcupsd_t)
+ files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
+
+-term_use_unallocated_ttys(apcupsd_t)
++term_use_all_terms(apcupsd_t)
+
+-logging_send_syslog_msg(apcupsd_t)
++#apcupsd runs shutdown, probably need a shutdown domain
++init_rw_utmp(apcupsd_t)
++init_telinit(apcupsd_t)
+
+-miscfiles_read_localization(apcupsd_t)
++auth_use_nsswitch(apcupsd_t)
++
++logging_send_syslog_msg(apcupsd_t)
+
+ sysnet_dns_name_resolve(apcupsd_t)
+
+-userdom_use_user_ttys(apcupsd_t)
++userdom_use_inherited_user_ttys(apcupsd_t)
+
+ optional_policy(`
+ hostname_exec(apcupsd_t)
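Review bot: `corenet_udp_bind_snmp_port(apcupsd_t)` is added at the top of the hunk and already appears two lines below, so one copy should go. `term_use_all_terms(apcupsd_t)` replaces `term_use_unallocated_ttys` and reaches every terminal type; a comment naming the terminal access apcupsd actually needs would justify the widening, or show that `term_use_all_inherited_terms` (as used for apm_t elsewhere in this series) is enough. The `#apcupsd runs shutdown, probably need a shutdown domain` note above `init_telinit` should also say why telinit is still required when `shutdown_domtrans(apcupsd_t)` is already present in the optional block further down. The optional_policy block at the end starts here and continues past the hunk.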
+@@ -101,6 +116,11 @@ optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+ ')
+
++optional_policy(`
++ systemd_start_power_services(apcupsd_t)
++ systemd_status_power_services(apcupsd_t)
++')
++
+ ########################################
+ #
+ # CGI local policy
+@@ -108,20 +128,20 @@ optional_policy(`
+
+ optional_policy(`
+ apache_content_template(apcupsd_cgi)
+-
+- allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+- allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+-
+- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+- corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+- corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+- corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+- corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+- corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+-
+- sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
++ apache_content_alias_template(apcupsd_cgi, apcupsd_cgi)
++
++ allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
++ allow apcupsd_cgi_script_t self:udp_socket create_socket_perms;
++
++ corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t)
++ corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t)
++ corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t)
++ corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t)
++ corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t)
++ corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t)
++ corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t)
++ corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t)
++ corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t)
++
++ sysnet_dns_name_resolve(apcupsd_cgi_script_t)
+ ')
+diff --git a/apm.fc b/apm.fc
+index ce27d2f..d20377e 100644
+--- a/apm.fc
++++ b/apm.fc
+@@ -1,3 +1,4 @@
++/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
+ /etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
+
+ /usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
+diff --git a/apm.if b/apm.if
+index 1a7a97e..2c7252a 100644
+--- a/apm.if
++++ b/apm.if
+@@ -141,6 +141,30 @@ interface(`apm_stream_connect',`
+
+ ########################################
+ ##
++## Execute apmd server in the apmd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`apmd_systemctl',`
++ gen_require(`
++ type apmd_t;
++ type apmd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 apmd_unit_file_t:file read_file_perms;
++ allow $1 apmd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, apmd_t)
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an apm environment.
+ ##
+@@ -163,9 +187,13 @@ interface(`apm_admin',`
+ type apmd_tmp_t;
+ ')
+
+- allow $1 apmd_t:process { ptrace signal_perms };
++ allow $1 apmd_t:process { signal_perms };
+ ps_process_pattern($1, apmd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 apmd_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, apmd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 apmd_initrc_exec_t system_r;
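Review bot: `apm_admin` is not wired to the new unit-file type, while the sibling admin interfaces in this patch (`arpwatch_admin`, `automount_admin`, `avahi_admin`, `bcfg2_admin`) each add `<name>_systemctl($1)`, `admin_pattern($1, <name>_unit_file_t)` and `all_service_perms`; an apm administrator will be able to run the initrc script but not manage the systemd unit that apm.fc now labels `apmd_unit_file_t`. The interface continues past this hunk and no later hunk in apm.if adds those lines, so they look missing rather than placed elsewhere. Separately, `allow $1 apmd_t:process { signal_perms };` braces a single permission set; the arpwatch and asterisk hunks write it as `allow $1 apmd_t:process signal_perms;`, and the same bracing recurs in `bcfg2_admin`.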
+diff --git a/apm.te b/apm.te
+index 7fd431b..e05b2d4 100644
+--- a/apm.te
++++ b/apm.te
+@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
+ type apmd_var_run_t;
+ files_pid_file(apmd_var_run_t)
+
++type apmd_unit_file_t;
++systemd_unit_file(apmd_unit_file_t)
++
+ ########################################
+ #
+ # Client local policy
+@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
+
+ fs_getattr_xattr_fs(apm_t)
+
+-term_use_all_terms(apm_t)
++term_use_all_inherited_terms(apm_t)
+
+ domain_use_interactive_fds(apm_t)
+
+@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t)
+ #
+
+ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
++dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
+ allow apmd_t self:process { signal_perms getsession };
+ allow apmd_t self:fifo_file rw_fifo_file_perms;
+ allow apmd_t self:netlink_socket create_socket_perms;
+@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
+ kernel_rw_all_sysctls(apmd_t)
+ kernel_read_system_state(apmd_t)
+ kernel_write_proc_files(apmd_t)
++kernel_request_load_module(apmd_t)
+
+ dev_read_input(apmd_t)
+ dev_read_mouse(apmd_t)
+@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
+ fs_dontaudit_getattr_all_symlinks(apmd_t)
+ fs_dontaudit_getattr_all_pipes(apmd_t)
+ fs_dontaudit_getattr_all_sockets(apmd_t)
+-
+-selinux_search_fs(apmd_t)
++fs_read_cgroup_files(apmd_t)
+
+ corecmd_exec_all_executables(apmd_t)
+
+@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
+ auth_use_nsswitch(apmd_t)
+
+ init_domtrans_script(apmd_t)
++init_read_utmp(apmd_t)
++init_telinit(apmd_t)
+
+ libs_exec_ld_so(apmd_t)
+ libs_exec_lib_files(apmd_t)
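Review bot: `init_telinit(apmd_t)` appears to let the apmd daemon drive init directly, which is a large grant for an event daemon whose shutdown path is already handled by the `shutdown_domtrans(apmd_t)` optional block later in this file; the two overlap unless a specific apm event script invokes telinit itself. If a concrete script needs it, a one-line comment naming it would help the next reviewer, e.g. `# apm event scripts call telinit on suspend/resume — TODO confirm`; otherwise the shutdown transition alone may be enough.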
+@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
+ logging_send_audit_msgs(apmd_t)
+ logging_send_syslog_msg(apmd_t)
+
+-miscfiles_read_localization(apmd_t)
+ miscfiles_read_hwdata(apmd_t)
+
+ modutils_domtrans_insmod(apmd_t)
+ modutils_read_module_config(apmd_t)
+
+-seutil_dontaudit_read_config(apmd_t)
++seutil_sigchld_newrole(apmd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(apmd_t)
+ userdom_dontaudit_search_user_home_dirs(apmd_t)
+-userdom_dontaudit_search_user_home_content(apmd_t)
++userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
+
+ optional_policy(`
+ automount_domtrans(apmd_t)
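Review bot: The trailing `# Excessive?` appended to `userdom_dontaudit_search_user_home_content(apmd_t)` commits an open question with no owner into the policy; either drop the dontaudit now or make the note actionable, e.g. `# TODO: confirm apmd needs to dontaudit user home content searches; remove if audit stays clean`. The rest of the hunk reads cleanly: `seutil_sigchld_newrole(apmd_t)` moves from an optional block into the unconditional section, and the optional blocks are reshuffled so `shutdown_domtrans` and the new `sssd_search_lib` and `systemd_dbus_chat_logind` calls each keep their own block.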
+@@ -206,11 +210,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(apmd_t)
++ shutdown_domtrans(apmd_t)
+ ')
+
+ optional_policy(`
+- shutdown_domtrans(apmd_t)
++ sssd_search_lib(apmd_t)
++')
++
++optional_policy(`
++ systemd_dbus_chat_logind(apmd_t)
+ ')
+
+ optional_policy(`
+diff --git a/apt.if b/apt.if
+index cde81d2..2fe0201 100644
+--- a/apt.if
++++ b/apt.if
+@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir list_dir_perms;
+- dontaudit $1 apt_var_cache_t:dir write_dir_perms;
++ dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
+ allow $1 apt_var_cache_t:file read_file_perms;
+ ')
+
+diff --git a/apt.te b/apt.te
+index efa8530..f928b63 100644
+--- a/apt.te
++++ b/apt.te
+@@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t)
+ corecmd_exec_bin(apt_t)
+ corecmd_exec_shell(apt_t)
+
+-corenet_all_recvfrom_unlabeled(apt_t)
+ corenet_all_recvfrom_netlabel(apt_t)
+ corenet_tcp_sendrecv_generic_if(apt_t)
+ corenet_tcp_sendrecv_generic_node(apt_t)
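Review bot: Dropping `corenet_all_recvfrom_unlabeled(apt_t)` with no replacement in this file means apt_t can only receive packets that carry a NetLabel label unless a domain-wide rule grants unlabeled receive elsewhere; no such rule is visible in this patch, so the removal presumably relies on one added in a base module. If so, a note at the first removal would save the next reader the search, e.g. `# unlabeled packet receive is granted to all domains in corenetwork`. The same removal is made in the asterisk.te, automount.te, avahi.te and backup.te hunks, and the parallel removals of `files_read_etc_files`, `files_read_usr_files` and `miscfiles_read_localization` across apt.te, arpwatch.te, asterisk.te, automount.te, avahi.te, awstats.te and bacula.te presumably rest on the same kind of base rule.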
+@@ -101,27 +100,24 @@ domain_getattr_all_domains(apt_t)
+ domain_use_interactive_fds(apt_t)
+
+ files_exec_usr_files(apt_t)
+-files_read_etc_files(apt_t)
+ files_read_etc_runtime_files(apt_t)
+
+ fs_getattr_all_fs(apt_t)
+
+ term_create_pty(apt_t, apt_devpts_t)
+ term_list_ptys(apt_t)
+-term_use_all_terms(apt_t)
++term_use_all_inherited_terms(apt_t)
+
+ libs_exec_ld_so(apt_t)
+ libs_exec_lib_files(apt_t)
+
+ logging_send_syslog_msg(apt_t)
+
+-miscfiles_read_localization(apt_t)
+-
+ seutil_use_newrole_fds(apt_t)
+
+ sysnet_read_config(apt_t)
+
+-userdom_use_user_terminals(apt_t)
++userdom_use_inherited_user_terminals(apt_t)
+
+ optional_policy(`
+ backup_manage_store_files(apt_t)
+diff --git a/arpwatch.fc b/arpwatch.fc
+index 9ca0d0f..9a1a61f 100644
+--- a/arpwatch.fc
++++ b/arpwatch.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
++
+ /usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+ /var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+diff --git a/arpwatch.if b/arpwatch.if
+index 50c9b9c..533a555 100644
+--- a/arpwatch.if
++++ b/arpwatch.if
+@@ -119,6 +119,30 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
+
+ ########################################
+ ##
++## Execute arpwatch server in the arpwatch domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`arpwatch_systemctl',`
++ gen_require(`
++ type arpwatch_t;
++ type arpwatch_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 arpwatch_unit_file_t:file read_file_perms;
++ allow $1 arpwatch_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, arpwatch_t)
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an arpwatch environment.
+ ##
+@@ -138,11 +162,16 @@ interface(`arpwatch_admin',`
+ gen_require(`
+ type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
+ type arpwatch_data_t, arpwatch_var_run_t;
++ type arpwatch_unit_file_t;
+ ')
+
+- allow $1 arpwatch_t:process { ptrace signal_perms };
++ allow $1 arpwatch_t:process signal_perms;
+ ps_process_pattern($1, arpwatch_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 arpwatch_t:process ptrace;
++ ')
++
+ arpwatch_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 arpwatch_initrc_exec_t system_r;
+@@ -156,4 +185,8 @@ interface(`arpwatch_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, arpwatch_var_run_t)
++
++ arpwatch_systemctl($1)
++ admin_pattern($1, arpwatch_unit_file_t)
++ allow $1 arpwatch_unit_file_t:service all_service_perms;
+ ')
+diff --git a/arpwatch.te b/arpwatch.te
+index 2d7bf34..2927585 100644
+--- a/arpwatch.te
++++ b/arpwatch.te
+@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
+ type arpwatch_var_run_t;
+ files_pid_file(arpwatch_var_run_t)
+
++type arpwatch_unit_file_t;
++systemd_unit_file(arpwatch_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
+ allow arpwatch_t self:tcp_socket { accept listen };
+ allow arpwatch_t self:packet_socket create_socket_perms;
+ allow arpwatch_t self:socket create_socket_perms;
++allow arpwatch_t self:netlink_socket create_socket_perms;
+
+ manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+ manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
+ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+ files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+
+-kernel_read_kernel_sysctls(arpwatch_t)
+ kernel_read_network_state(arpwatch_t)
++# meminfo
+ kernel_read_system_state(arpwatch_t)
++kernel_read_kernel_sysctls(arpwatch_t)
++kernel_read_proc_symlinks(arpwatch_t)
+ kernel_request_load_module(arpwatch_t)
+
++corenet_all_recvfrom_netlabel(arpwatch_t)
++corenet_tcp_sendrecv_generic_if(arpwatch_t)
++corenet_udp_sendrecv_generic_if(arpwatch_t)
++corenet_raw_sendrecv_generic_if(arpwatch_t)
++corenet_tcp_sendrecv_generic_node(arpwatch_t)
++corenet_udp_sendrecv_generic_node(arpwatch_t)
++corenet_raw_sendrecv_generic_node(arpwatch_t)
++corenet_tcp_sendrecv_all_ports(arpwatch_t)
++corenet_udp_sendrecv_all_ports(arpwatch_t)
++
+ dev_read_sysfs(arpwatch_t)
+ dev_read_usbmon_dev(arpwatch_t)
+ dev_rw_generic_usb_dev(arpwatch_t)
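Review bot: `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` give the arpwatch daemon TCP/UDP send and receive on every labelled port, which is broad for a passive sniffer whose capture path is the `packet_socket` and `netlink_socket` rules earlier in this file. If the only TCP/UDP traffic is name resolution or mail notification, the existing `auth_use_nsswitch(arpwatch_t)` plus a port-specific interface such as `corenet_tcp_connect_smtp_port` would be narrower; if the all-ports grant was added for a concrete denial, a comment naming it (`# needed for: <denial>`) would justify keeping it. The `corenet_raw_sendrecv_generic_if`/`_node` pair is consistent with the sniffer role.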
+@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t)
+
+ domain_use_interactive_fds(arpwatch_t)
+
+-files_read_usr_files(arpwatch_t)
+ files_search_var_lib(arpwatch_t)
+
+ auth_use_nsswitch(arpwatch_t)
+
+ logging_send_syslog_msg(arpwatch_t)
+
+-miscfiles_read_localization(arpwatch_t)
+-
+ userdom_dontaudit_search_user_home_dirs(arpwatch_t)
+ userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
+
+diff --git a/asterisk.if b/asterisk.if
+index 2077053..198a02a 100644
+--- a/asterisk.if
++++ b/asterisk.if
+@@ -124,9 +124,13 @@ interface(`asterisk_admin',`
+ type asterisk_var_lib_t, asterisk_initrc_exec_t;
+ ')
+
+- allow $1 asterisk_t:process { ptrace signal_perms };
++ allow $1 asterisk_t:process signal_perms;
+ ps_process_pattern($1, asterisk_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 asterisk_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 asterisk_initrc_exec_t system_r;
+diff --git a/asterisk.te b/asterisk.te
+index 7e41350..e8e1672 100644
+--- a/asterisk.te
++++ b/asterisk.te
+@@ -19,7 +19,7 @@ type asterisk_log_t;
+ logging_log_file(asterisk_log_t)
+
+ type asterisk_spool_t;
+-files_type(asterisk_spool_t)
++files_spool_file(asterisk_spool_t)
+
+ type asterisk_tmp_t;
+ files_tmp_file(asterisk_tmp_t)
+@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+
+ manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+
++manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+-
++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
+ can_exec(asterisk_t, asterisk_exec_t)
+
+ kernel_read_kernel_sysctls(asterisk_t)
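Review bot: The blank line that separated the `asterisk_var_run_t` rules from `can_exec(asterisk_t, asterisk_exec_t)` is removed along with the old `files_pid_filetrans` line, so the widened `files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })` now runs straight into an unrelated rule; keep the separator so the pid-file group stays visually distinct. Widening the filetrans to `dir sock_file fifo_file` matches the new `manage_dirs_pattern` and the existing fifo and sock manage rules, so that part is consistent.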
+@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t)
+ corecmd_exec_bin(asterisk_t)
+ corecmd_exec_shell(asterisk_t)
+
+-corenet_all_recvfrom_unlabeled(asterisk_t)
+ corenet_all_recvfrom_netlabel(asterisk_t)
+ corenet_tcp_sendrecv_generic_if(asterisk_t)
+ corenet_udp_sendrecv_generic_if(asterisk_t)
+@@ -126,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t)
+
+ corenet_sendrecv_sip_client_packets(asterisk_t)
+ corenet_tcp_connect_sip_port(asterisk_t)
++corenet_tcp_connect_http_port(asterisk_t)
+
+ dev_rw_generic_usb_dev(asterisk_t)
+ dev_read_sysfs(asterisk_t)
+@@ -136,7 +136,6 @@ dev_read_urand(asterisk_t)
+
+ domain_use_interactive_fds(asterisk_t)
+
+-files_read_usr_files(asterisk_t)
+ files_search_spool(asterisk_t)
+ files_dontaudit_search_home(asterisk_t)
+
+@@ -150,8 +149,6 @@ auth_use_nsswitch(asterisk_t)
+ logging_search_logs(asterisk_t)
+ logging_send_syslog_msg(asterisk_t)
+
+-miscfiles_read_localization(asterisk_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+ userdom_dontaudit_search_user_home_dirs(asterisk_t)
+
+diff --git a/authconfig.fc b/authconfig.fc
+new file mode 100644
+index 0000000..4579cfe
+--- /dev/null
++++ b/authconfig.fc
+@@ -0,0 +1,3 @@
++/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
++
++/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
+diff --git a/authconfig.if b/authconfig.if
+new file mode 100644
+index 0000000..316c324
+--- /dev/null
++++ b/authconfig.if
+@@ -0,0 +1,127 @@
++
++## policy for authconfig
++
++########################################
++##
++## Execute TEMPLATE in the authconfig domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`authconfig_domtrans',`
++ gen_require(`
++ type authconfig_t, authconfig_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, authconfig_exec_t, authconfig_t)
++')
++
++########################################
++##
++## Search authconfig lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_search_lib',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ allow $1 authconfig_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read authconfig lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_read_lib_files',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
++')
++
++########################################
++##
++## Manage authconfig lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_manage_lib_files',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
++')
++
++########################################
++##
++## Manage authconfig lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_manage_lib_dirs',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an authconfig environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_admin',`
++ gen_require(`
++ type authconfig_t;
++ type authconfig_var_lib_t;
++ ')
++
++ allow $1 authconfig_t:process { ptrace signal_perms };
++ ps_process_pattern($1, authconfig_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, authconfig_var_lib_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
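Review bot: `authconfig_domtrans` still carries the template placeholder `Execute TEMPLATE in the authconfig domin.`; it should read `Execute authconfig in the authconfig domain.`. In `authconfig_admin`, `allow $1 authconfig_t:process { ptrace signal_perms };` grants ptrace unconditionally, whereas every other `*_admin` interface touched by this patch moves ptrace under the `deny_ptrace` tunable; a new file should follow the pattern the patch is introducing, i.e. `allow $1 authconfig_t:process signal_perms;` followed by the tunable block. There is also a doubled blank line before the `authconfig_admin` header comment.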
+diff --git a/authconfig.te b/authconfig.te
+new file mode 100644
+index 0000000..362a049
+--- /dev/null
++++ b/authconfig.te
+@@ -0,0 +1,33 @@
++policy_module(authconfig, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type authconfig_t;
++type authconfig_exec_t;
++application_domain(authconfig_t, authconfig_exec_t)
++role system_r types authconfig_t;
++
++type authconfig_var_lib_t;
++files_type(authconfig_var_lib_t)
++
++########################################
++#
++# authconfig local policy
++#
++allow authconfig_t self:fifo_file rw_fifo_file_perms;
++allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
++manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
++manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
++files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
++
++domain_use_interactive_fds(authconfig_t)
++domain_named_filetrans(authconfig_t)
++
++init_domtrans_script(authconfig_t)
++
++unconfined_domain_noaudit(authconfig_t)
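Review bot: `unconfined_domain_noaudit(authconfig_t)` makes authconfig_t an unconfined domain, so the `authconfig_var_lib_t` manage rules, `domain_named_filetrans` and `init_domtrans_script` above it are redundant as access control and serve only as documentation; more importantly, any domain granted `authconfig_domtrans` from authconfig.if ends up in an unconfined process. That may be a deliberate choice for a tool that rewrites system authentication configuration, but it should be stated in the file so the transition is not handed out casually, e.g. `# authconfig runs unconfined; callers of authconfig_domtrans gain unconfined access` above the `unconfined_domain_noaudit` line. With only `role system_r types authconfig_t;` declared, interactive admin roles will presumably also need a role allow before the transition is usable from their shells.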
+diff --git a/automount.fc b/automount.fc
+index 92adb37..0a2ffc6 100644
+--- a/automount.fc
++++ b/automount.fc
+@@ -1,6 +1,8 @@
+ /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
+ /etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
++
+ /usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
+
+ /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
+diff --git a/automount.if b/automount.if
+index f24e369..4484a98 100644
+--- a/automount.if
++++ b/automount.if
+@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
+ ##
+ ##
+ #
+-#
+ interface(`automount_signal',`
+ gen_require(`
+ type automount_t;
+@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',`
+
+ ########################################
+ ##
++## Allow domain to search of automount temporary
++## directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`automount_search_tmp_dirs',`
++ gen_require(`
++ type automount_tmp_t;
++ ')
++
++ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to get
+ ## attributes of automount temporary
+ ## directories.
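Review bot: The parameter description in the new `automount_search_tmp_dirs` reads `Domain to not audit.`, which is the wording for a `dontaudit` interface, but the body is an allow via `search_dirs_pattern`; it should say `## Domain allowed access.`. The summary `Allow domain to search of automount temporary directories.` also reads oddly; `Search automount temporary directories.` would match the neighbouring interface summaries.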
+@@ -134,6 +152,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
+
+ ########################################
+ ##
++## Execute automount server in the automount domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`automount_systemctl',`
++ gen_require(`
++ type automount_t;
++ type automount_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 automount_unit_file_t:file read_file_perms;
++ allow $1 automount_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, automount_t)
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an automount environment.
+ ##
+@@ -153,12 +195,16 @@ interface(`automount_admin',`
+ gen_require(`
+ type automount_t, automount_lock_t, automount_tmp_t;
+ type automount_var_run_t, automount_initrc_exec_t;
+- type automount_keytab_t;
++ type automount_unit_file_t, automount_keytab_t;
+ ')
+
+- allow $1 automount_t:process { ptrace signal_perms };
++ allow $1 automount_t:process signal_perms;
+ ps_process_pattern($1, automount_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 automount_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, automount_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 automount_initrc_exec_t system_r;
+@@ -175,4 +221,8 @@ interface(`automount_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, automount_var_run_t)
++
++ automount_systemctl($1)
++ admin_pattern($1, automount_unit_file_t)
++ allow $1 automount_unit_file_t:service all_service_perms;
+ ')
+diff --git a/automount.te b/automount.te
+index 27d2f40..daed3ef 100644
+--- a/automount.te
++++ b/automount.te
+@@ -22,6 +22,9 @@ type automount_tmp_t;
+ files_tmp_file(automount_tmp_t)
+ files_mountpoint(automount_tmp_t)
+
++type automount_unit_file_t;
++systemd_unit_file(automount_unit_file_t)
++
+ type automount_var_run_t;
+ files_pid_file(automount_var_run_t)
+
+@@ -30,7 +33,8 @@ files_pid_file(automount_var_run_t)
+ # Local policy
+ #
+
+-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
++allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
++allow automount_t self:capability2 block_suspend;
+ dontaudit automount_t self:capability sys_tty_config;
+ allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+ allow automount_t self:fifo_file rw_fifo_file_perms;
+@@ -67,7 +71,6 @@ kernel_dontaudit_search_xen_state(automount_t)
+ corecmd_exec_bin(automount_t)
+ corecmd_exec_shell(automount_t)
+
+-corenet_all_recvfrom_unlabeled(automount_t)
+ corenet_all_recvfrom_netlabel(automount_t)
+ corenet_tcp_sendrecv_generic_if(automount_t)
+ corenet_udp_sendrecv_generic_if(automount_t)
+@@ -91,6 +94,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
+
+ files_dontaudit_write_var_dirs(automount_t)
+ files_getattr_all_dirs(automount_t)
++files_getattr_all_files(automount_t)
+ files_getattr_default_dirs(automount_t)
+ files_getattr_home_dir(automount_t)
+ files_getattr_isid_type_dirs(automount_t)
+@@ -101,7 +105,6 @@ files_mount_all_file_type_fs(automount_t)
+ files_mounton_all_mountpoints(automount_t)
+ files_mounton_mnt(automount_t)
+ files_read_etc_runtime_files(automount_t)
+-files_read_usr_files(automount_t)
+ files_search_boot(automount_t)
+ files_search_all(automount_t)
+ files_unmount_all_file_type_fs(automount_t)
+@@ -113,6 +116,7 @@ fs_manage_autofs_symlinks(automount_t)
+ fs_mount_all_fs(automount_t)
+ fs_mount_autofs(automount_t)
+ fs_read_nfs_files(automount_t)
++fs_read_nfs_symlinks(automount_t)
+ fs_search_all(automount_t)
+ fs_search_auto_mountpoints(automount_t)
+ fs_unmount_all_fs(automount_t)
+@@ -135,15 +139,18 @@ auth_use_nsswitch(automount_t)
+ logging_send_syslog_msg(automount_t)
+ logging_search_logs(automount_t)
+
+-miscfiles_read_localization(automount_t)
+ miscfiles_read_generic_certs(automount_t)
+
+-mount_domtrans(automount_t)
+-mount_signal(automount_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(automount_t)
+
+ optional_policy(`
++ # Run mount in the mount_t domain.
++ mount_domtrans(automount_t)
++ mount_domtrans_showmount(automount_t)
++ mount_signal(automount_t)
++')
++
++optional_policy(`
+ fstools_domtrans(automount_t)
+ ')
+
+@@ -166,3 +173,8 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(automount_t)
+ ')
++
++tunable_policy(`mount_anyfile',`
++ files_mounton_non_security(automount_t)
++')
++
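Review bot: Applying the `mount_anyfile` tunable to automount_t widens a tunable whose name reads as scoped to the mount command; anyone toggling it for mount will silently also let automount mount on non-security files via `files_mounton_non_security`. If that coupling is intended, the tunable's description should mention automount, and a comment here such as `# mount_anyfile also covers automount, which mounts on behalf of users` would make it visible at the point of use. The hunk also adds a trailing blank line at end of file.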
+diff --git a/avahi.fc b/avahi.fc
+index e9fe2ca..4c2d076 100644
+--- a/avahi.fc
++++ b/avahi.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
++
+ /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+diff --git a/avahi.if b/avahi.if
+index 9078c3d..2f6b250 100644
+--- a/avahi.if
++++ b/avahi.if
+@@ -211,6 +211,30 @@ interface(`avahi_dontaudit_search_pid',`
+
+ ########################################
+ ##
++## Execute avahi server in the avahi domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`avahi_systemctl',`
++ gen_require(`
++ type avahi_t;
++ type avahi_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 avahi_unit_file_t:file read_file_perms;
++ allow $1 avahi_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, avahi_t)
++')
++
++########################################
++##
+ ## Create specified objects in generic
+ ## pid directories with the avahi pid file type.
+ ##
+@@ -258,12 +282,17 @@ interface(`avahi_filetrans_pid',`
+ interface(`avahi_admin',`
+ gen_require(`
+ type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
++ type avahi_unit_file_t;
+ type avahi_var_lib_t;
+ ')
+
+- allow $1 avahi_t:process { ptrace signal_perms };
++ allow $1 avahi_t:process signal_perms;
+ ps_process_pattern($1, avahi_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 avahi_t:process ptrace;
++ ')
++
+ avahi_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 avahi_initrc_exec_t system_r;
+@@ -274,4 +303,8 @@ interface(`avahi_admin',`
+
+ files_search_var_lib($1)
+ admin_pattern($1, avahi_var_lib_t)
++
++ avahi_systemctl($1)
++ admin_pattern($1, avahi_unit_file_t)
++ allow $1 avahi_unit_file_t:service all_service_perms;
+ ')
+diff --git a/avahi.te b/avahi.te
+index b8355b3..ad2aa45 100644
+--- a/avahi.te
++++ b/avahi.te
+@@ -13,10 +13,14 @@ type avahi_initrc_exec_t;
+ init_script_file(avahi_initrc_exec_t)
+
+ type avahi_var_lib_t;
+-files_pid_file(avahi_var_lib_t)
++files_type(avahi_var_lib_t)
+
+ type avahi_var_run_t;
+ files_pid_file(avahi_var_run_t)
++init_sock_file(avahi_var_run_t)
++
++type avahi_unit_file_t;
++systemd_unit_file(avahi_unit_file_t)
+
+ ########################################
+ #
+@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
+ corecmd_exec_bin(avahi_t)
+ corecmd_exec_shell(avahi_t)
+
+-corenet_all_recvfrom_unlabeled(avahi_t)
+ corenet_all_recvfrom_netlabel(avahi_t)
+ corenet_tcp_sendrecv_generic_if(avahi_t)
+ corenet_udp_sendrecv_generic_if(avahi_t)
+@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t)
+ fs_list_inotifyfs(avahi_t)
+
+ domain_use_interactive_fds(avahi_t)
++domain_dontaudit_signull_all_domains(avahi_t)
+
+ files_read_etc_runtime_files(avahi_t)
+-files_read_usr_files(avahi_t)
+
+ auth_use_nsswitch(avahi_t)
+
+@@ -83,13 +86,14 @@ init_signull_script(avahi_t)
+
+ logging_send_syslog_msg(avahi_t)
+
+-miscfiles_read_localization(avahi_t)
+ miscfiles_read_generic_certs(avahi_t)
+
+ sysnet_domtrans_ifconfig(avahi_t)
+ sysnet_manage_config(avahi_t)
+ sysnet_etc_filetrans_config(avahi_t)
+
++systemd_login_signull(avahi_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+ userdom_dontaudit_search_user_home_dirs(avahi_t)
+
+diff --git a/awstats.fc b/awstats.fc
+index 11e6d5f..73b4ea4 100644
+--- a/awstats.fc
++++ b/awstats.fc
+@@ -1,5 +1,5 @@
+ /usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
+-/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+-/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
++/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:awstats_content_t,s0)
++/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:awstats_script_exec_t,s0)
+
+ /var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
+diff --git a/awstats.te b/awstats.te
+index c1b16c3..ffbf2cb 100644
+--- a/awstats.te
++++ b/awstats.te
+@@ -26,6 +26,7 @@ type awstats_var_lib_t;
+ files_type(awstats_var_lib_t)
+
+ apache_content_template(awstats)
++apache_content_alias_template(awstats, awstats)
+
+ ########################################
+ #
+@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+ manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+
+-allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms;
++allow awstats_t { awstats_content_t awstats_script_exec_t }:dir search_dir_perms;
+
+-can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
++can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t })
+
+ kernel_dontaudit_read_system_state(awstats_t)
+
+@@ -52,8 +53,6 @@ corecmd_exec_shell(awstats_t)
+ dev_read_urand(awstats_t)
+
+ files_dontaudit_search_all_mountpoints(awstats_t)
+-files_read_etc_files(awstats_t)
+-files_read_usr_files(awstats_t)
+
+ fs_list_inotifyfs(awstats_t)
+
+@@ -61,8 +60,6 @@ libs_read_lib_files(awstats_t)
+
+ logging_read_generic_logs(awstats_t)
+
+-miscfiles_read_localization(awstats_t)
+-
+ sysnet_dns_name_resolve(awstats_t)
+
+ tunable_policy(`awstats_purge_apache_log_files',`
+@@ -90,9 +87,13 @@ optional_policy(`
+ # CGI local policy
+ #
+
+-allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
++apache_read_log(awstats_script_t)
++
++manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file })
+
+-read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+-files_search_var_lib(httpd_awstats_script_t)
++allow awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+
+-apache_read_log(httpd_awstats_script_t)
++read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
++files_search_var_lib(awstats_script_t)
+diff --git a/backup.te b/backup.te
+index 7811450..d8a8bd6 100644
+--- a/backup.te
++++ b/backup.te
+@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
+ corecmd_exec_bin(backup_t)
+ corecmd_exec_shell(backup_t)
+
+-corenet_all_recvfrom_unlabeled(backup_t)
+ corenet_all_recvfrom_netlabel(backup_t)
+ corenet_tcp_sendrecv_generic_if(backup_t)
+ corenet_tcp_sendrecv_generic_node(backup_t)
+@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t)
+
+ sysnet_read_config(backup_t)
+
+-userdom_use_user_terminals(backup_t)
++userdom_use_inherited_user_terminals(backup_t)
+
+ optional_policy(`
+ cron_system_entry(backup_t, backup_exec_t)
+diff --git a/bacula.fc b/bacula.fc
+index 27ec3d5..65aa71b 100644
+--- a/bacula.fc
++++ b/bacula.fc
+@@ -8,6 +8,8 @@
+ /usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+ /usr/sbin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
++/var/bacula(/.*)? gen_context(system_u:object_r:bacula_store_t,s0)
++
+ /var/lib/bacula.* gen_context(system_u:object_r:bacula_var_lib_t,s0)
+
+ /var/log/bacula.* gen_context(system_u:object_r:bacula_log_t,s0)
+diff --git a/bacula.if b/bacula.if
+index dcd774e..c240ffa 100644
+--- a/bacula.if
++++ b/bacula.if
+@@ -69,6 +69,7 @@ interface(`bacula_admin',`
+ type bacula_t, bacula_etc_t, bacula_log_t;
+ type bacula_spool_t, bacula_var_lib_t;
+ type bacula_var_run_t, bacula_initrc_exec_t;
++ attribute_role bacula_admin_roles;
+ ')
+
+ allow $1 bacula_t:process { ptrace signal_perms };
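Review bot: `bacula_admin` keeps `allow $1 bacula_t:process { ptrace signal_perms };` unconditional while every other `*_admin` interface touched by this patch gates ptrace behind the `deny_ptrace` tunable; for consistency this should become `allow $1 bacula_t:process signal_perms;` plus the tunable block. The added `attribute_role bacula_admin_roles;` in `gen_require` is not used within the visible hunk; the interface continues past it, so presumably a `roleattribute` line further down consumes it, which is worth confirming since an unused require is harmless but misleading.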
+diff --git a/bacula.te b/bacula.te
+index f16b000..4e48c62 100644
+--- a/bacula.te
++++ b/bacula.te
+@@ -27,6 +27,9 @@ type bacula_store_t;
+ files_type(bacula_store_t)
+ files_mountpoint(bacula_store_t)
+
++type bacula_tmp_t;
++files_tmp_file(bacula_tmp_t)
++
+ type bacula_var_lib_t;
+ files_type(bacula_var_lib_t)
+
+@@ -43,16 +46,22 @@ role bacula_admin_roles types bacula_admin_t;
+ # Local policy
+ #
+
+-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
++allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
+ allow bacula_t self:process signal;
+ allow bacula_t self:fifo_file rw_fifo_file_perms;
+ allow bacula_t self:tcp_socket { accept listen };
+
+ read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
+
++manage_files_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
++manage_dirs_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
++files_tmp_filetrans(bacula_t, bacula_tmp_t, { dir file })
++
++manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)
+ append_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+ create_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+ setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
++logging_log_filetrans(bacula_t, bacula_log_t, { file dir })
+
+ manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
+ manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
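Review bot: `setgid setuid` are added to bacula_t's capability set with no explanation; these let the daemon change its own credentials, so a short comment naming the reason would help later audits, e.g. `# setuid/setgid: bacula switches to its service user — TODO confirm`. Two spacing nits in the same hunk: `fsetid setgid setuid}` lacks the space before the closing brace that the other capability lists use, and `manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)` lacks the space after the first comma.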
+@@ -88,6 +97,10 @@ corenet_udp_bind_generic_node(bacula_t)
+ corenet_sendrecv_generic_server_packets(bacula_t)
+ corenet_udp_bind_generic_port(bacula_t)
+
++
++#TODO: check port labels for hplip a bacula
++corenet_tcp_bind_bacula_port(bacula_t)
++
+ corenet_sendrecv_hplip_server_packets(bacula_t)
+ corenet_tcp_bind_hplip_port(bacula_t)
+ corenet_udp_bind_hplip_port(bacula_t)
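Review bot: The new `#TODO: check port labels for hplip a bacula` line records that bacula_t binding to the hplip ports in the context lines below is suspected to be a mislabel; a TODO committed without an owner tends to stay, so either resolve it now — if `corenet_tcp_bind_bacula_port` covers the real ports, the hplip bind rules can go — or reference a tracking item in the comment and fix the typo (`a` should be `and`). The hunk also introduces a doubled blank line before the comment.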
+@@ -105,6 +118,7 @@ files_read_all_symlinks(bacula_t)
+ fs_getattr_xattr_fs(bacula_t)
+ fs_list_all(bacula_t)
+
++auth_use_nsswitch(bacula_t)
+ auth_read_shadow(bacula_t)
+
+ logging_send_syslog_msg(bacula_t)
+@@ -125,6 +139,12 @@ optional_policy(`
+ ldap_stream_connect(bacula_t)
+ ')
+
++optional_policy(`
++ postgresql_tcp_connect(bacula_t)
++ postgresql_stream_connect(bacula_t)
++')
++
++
+ ########################################
+ #
+ # Client local policy
+@@ -148,11 +168,8 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+
+ domain_use_interactive_fds(bacula_admin_t)
+
+-files_read_etc_files(bacula_admin_t)
+-
+-miscfiles_read_localization(bacula_admin_t)
+-
+ sysnet_dns_name_resolve(bacula_admin_t)
+
+ userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
+ userdom_use_user_ptys(bacula_admin_t)
++
+diff --git a/bcfg2.fc b/bcfg2.fc
+index fb42e35..8af0e14 100644
+--- a/bcfg2.fc
++++ b/bcfg2.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
++
+ /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
+
+ /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
+diff --git a/bcfg2.if b/bcfg2.if
+index ec95d36..186271b 100644
+--- a/bcfg2.if
++++ b/bcfg2.if
+@@ -117,6 +117,32 @@ interface(`bcfg2_manage_lib_dirs',`
+
+ ########################################
+ ##
++## Execute bcfg2 server in the bcfg2 domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bcfg2_systemctl',`
++ gen_require(`
++ type bcfg2_t;
++ type bcfg2_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 bcfg2_unit_file_t:file read_file_perms;
++ allow $1 bcfg2_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, bcfg2_t)
++')
++
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an bcfg2 environment.
+ ##
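Review bot: The header on the new `bcfg2_systemctl` interface says `## Execute bcfg2 server in the bcfg2 domain.` and describes `$1` as `## Domain allowed to transition.`, but the body grants systemctl execution, unit-file reads, service management and `ps_process_pattern` — there is no domain transition. Reword to `## Execute systemctl to manage the bcfg2 service and read its unit file.` with the parameter as `## Domain allowed access.`; the same copied header sits on `bind_systemctl` (bind.if) and `bluetooth_systemctl` (bluetooth.if). `systemd_read_fifo_file_passwd_run($1)` is granted unconditionally here while the sibling `bind_systemctl` omits it and `bcfg2_admin` later in this file grants it again inside an `optional_policy` block — keep it in one place. The two blank lines after the closing `')` should be one.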
+@@ -136,11 +162,16 @@ interface(`bcfg2_admin',`
+ gen_require(`
+ type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
+ type bcfg2_var_run_t;
++ type bcfg2_unit_file_t;
+ ')
+
+- allow $1 bcfg2_t:process { ptrace signal_perms };
++ allow $1 bcfg2_t:process { signal_perms };
+ ps_process_pattern($1, bcfg2_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bcfg2_t:process ptrace;
++ ')
++
+ bcfg2_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 bcfg2_initrc_exec_t system_r;
+@@ -151,4 +182,13 @@ interface(`bcfg2_admin',`
+
+ files_search_var_lib($1)
+ admin_pattern($1, bcfg2_var_lib_t)
++
++ bcfg2_systemctl($1)
++ admin_pattern($1, bcfg2_unit_file_t)
++ allow $1 bcfg2_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+ ')
+diff --git a/bcfg2.te b/bcfg2.te
+index c3fd7b1..e189593 100644
+--- a/bcfg2.te
++++ b/bcfg2.te
+@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
+ type bcfg2_var_lib_t;
+ files_type(bcfg2_var_lib_t)
+
++type bcfg2_unit_file_t;
++systemd_unit_file(bcfg2_unit_file_t)
++
+ type bcfg2_var_run_t;
+ files_pid_file(bcfg2_var_run_t)
+
+@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t)
+
+ domain_use_interactive_fds(bcfg2_t)
+
+-files_read_usr_files(bcfg2_t)
+
+ auth_use_nsswitch(bcfg2_t)
+
+ logging_send_syslog_msg(bcfg2_t)
+-
+-miscfiles_read_localization(bcfg2_t)
+diff --git a/bind.fc b/bind.fc
+index 2b9a3a1..750788c 100644
+--- a/bind.fc
++++ b/bind.fc
+@@ -1,54 +1,76 @@
+-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/named-sdb -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
+-/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+-/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+-/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+-/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+-/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
++/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++
++/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
++/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
++/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
+
+ /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+-/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+-/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+-/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
++/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
++/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+ /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/unbound-control -- gen_context(system_u:object_r:named_exec_t,s0)
+
+-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+
+-/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
++/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
++/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
++/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+
+-/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
++ifdef(`distro_debian',`
++/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++')
++
++ifdef(`distro_gentoo',`
++/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++')
+
+-/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+-/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++ifdef(`distro_redhat',`
++/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+ /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+-/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+-/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+-/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+-/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+-/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+-/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+ /var/named/chroot/proc(/.*)? <>
+-/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+-/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
++/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
++/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+ /var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+ /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+-/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-
+-/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+-/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+-/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+-/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
++/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++')
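Review bot: `/etc/named\.rfc1912.zones` in the `distro_redhat` block and `/var/named/chroot/etc/named\.rfc1912.zones` further down lose the backslash before `zones` that the removed lines had (`named\.rfc1912\.zones`), so the dot now matches any character; restore `\.` on both. Moving `/etc/bind(/.*)?`, `/var/bind(/.*)?` and `/var/cache/bind(/.*)?` under `distro_debian`/`distro_gentoo` means every other distribution stops labelling those paths; that reads as intentional, but it deserves a sentence in the commit message since it changes labelling for existing installs.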
+diff --git a/bind.if b/bind.if
+index 531a8f2..0b86f2f 100644
+--- a/bind.if
++++ b/bind.if
+@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute bind server in the bind domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bind_systemctl',`
++ gen_require(`
++ type named_unit_file_t;
++ type named_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 named_unit_file_t:file read_file_perms;
++ allow $1 named_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, named_t)
++')
++
++########################################
++##
+ ## Execute ndc in the ndc domain.
+ ##
+ ##
+@@ -169,6 +193,7 @@ interface(`bind_read_config',`
+ type named_conf_t;
+ ')
+
++ allow $1 named_conf_t:dir list_dir_perms;
+ read_files_pattern($1, named_conf_t, named_conf_t)
+ ')
+
+@@ -212,6 +237,25 @@ interface(`bind_manage_config_dirs',`
+
+ ########################################
+ ##
++## Create, read, write, and delete
++## BIND configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bind_manage_config',`
++ gen_require(`
++ type named_conf_t;
++ ')
++
++ manage_files_pattern($1, named_conf_t, named_conf_t)
++')
++
++########################################
++##
+ ## Search bind cache directories.
+ ##
+ ##
+@@ -310,6 +354,27 @@ interface(`bind_read_zone',`
+
+ ########################################
+ ##
++## Read BIND zone files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bind_read_log',`
++ gen_require(`
++ type named_zone_t;
++ type named_log_t;
++ ')
++
++ files_search_var($1)
++ allow $1 named_zone_t:dir search_dir_perms;
++ read_files_pattern($1, named_log_t, named_log_t)
++')
++
++########################################
++##
+ ## Create, read, write, and delete
+ ## bind zone files.
+ ##
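Review bot: The header on the new `bind_read_log` interface reads `## Read BIND zone files.`, copied from the neighbouring `bind_read_zone`, while the body reads `named_log_t`; change it to `## Read BIND log files.`. The `allow $1 named_zone_t:dir search_dir_perms;` line presumably exists because log files can live below the zone directory in the chroot layout, but nothing says so — a comment such as `# logs may sit below the zone directory (chroot layout)` would keep the grant from looking like a leftover.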
+@@ -344,6 +409,25 @@ interface(`bind_udp_chat_named',`
+
+ ########################################
+ ##
++## Allow the domain to read bind state files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bind_read_state',`
++ gen_require(`
++ type named_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, named_t)
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an bind environment.
+ ##
+@@ -364,11 +448,17 @@ interface(`bind_admin',`
+ type named_t, named_tmp_t, named_log_t;
+ type named_cache_t, named_zone_t, named_initrc_exec_t;
+ type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+- type named_keytab_t;
++ type named_keytab_t, named_unit_file_t;
++ ')
++
++ allow $1 named_t:process signal_perms;
++ ps_process_pattern($1, named_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 named_t:process ptrace;
+ ')
+
+- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { named_t ndc_t })
++ bind_run_ndc($1, $2)
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+ domain_system_change_exemption($1)
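Review bot: The removed `allow $1 { named_t ndc_t }:process { ptrace signal_perms };` and `ps_process_pattern($1, { named_t ndc_t })` covered ndc_t too, but the replacement lines only cover named_t, and `bind_run_ndc($1, $2)` is a run/role interface that, as far as this diff shows, does not restore signal or /proc access to ndc_t. If dropping that is intended, say so in the commit; otherwise add `allow $1 ndc_t:process signal_perms;` and `ps_process_pattern($1, ndc_t)` beside the named_t lines, with ndc_t also under the `deny_ptrace` tunable. bind_admin's body continues in the next hunk.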
+@@ -384,11 +474,15 @@ interface(`bind_admin',`
+ files_list_etc($1)
+ admin_pattern($1, { named_keytab_t named_conf_t })
+
++ admin_pattern($1, named_keytab_t)
++
+ files_list_var($1)
+ admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
+
+ files_list_pids($1)
+ admin_pattern($1, named_var_run_t)
+
+- bind_run_ndc($1, $2)
++ admin_pattern($1, named_unit_file_t)
++ bind_systemctl($1)
++ allow $1 named_unit_file_t:service all_service_perms;
+ ')
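Review bot: The added `admin_pattern($1, named_keytab_t)` is redundant: the context line two above, `admin_pattern($1, { named_keytab_t named_conf_t })`, already covers named_keytab_t. Drop the new line. The `bind_run_ndc($1, $2)` removal at the end is only a move to earlier in the interface.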
+diff --git a/bind.te b/bind.te
+index 1241123..e196b89 100644
+--- a/bind.te
++++ b/bind.te
+@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
+ init_system_domain(named_t, named_checkconf_exec_t)
+
+ type named_conf_t;
+-files_type(named_conf_t)
++files_config_file(named_conf_t)
+ files_mountpoint(named_conf_t)
+
+ # for secondary zone files
+@@ -44,6 +44,9 @@ files_type(named_cache_t)
+ type named_initrc_exec_t;
+ init_script_file(named_initrc_exec_t)
+
++type named_unit_file_t;
++systemd_unit_file(named_unit_file_t)
++
+ type named_keytab_t;
+ files_type(named_keytab_t)
+
+@@ -71,8 +74,9 @@ role ndc_roles types ndc_t;
+ # Local policy
+ #
+
+-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
++allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource };
+ dontaudit named_t self:capability sys_tty_config;
++allow named_t self:capability2 block_suspend;
+ allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+ allow named_t self:fifo_file rw_fifo_file_perms;
+ allow named_t self:unix_stream_socket { accept listen };
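Review bot: `net_admin` is added to named_t's self capabilities without a comment on which operation needs it; net_admin is a broad capability (interface, routing and privileged socket-option control), so the grant should name the denial it fixes, e.g. `# net_admin: <operation from the audit record — fill in>`. The same applies to the new `capability2 block_suspend`, which is also added for ndc_t further down. If the need turns out to be a single setsockopt, a dontaudit may be the better answer, but that cannot be decided from the diff.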
+@@ -89,9 +93,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+
+ allow named_t named_keytab_t:file read_file_perms;
+
+-append_files_pattern(named_t, named_log_t, named_log_t)
+-create_files_pattern(named_t, named_log_t, named_log_t)
+-setattr_files_pattern(named_t, named_log_t, named_log_t)
++manage_files_pattern(named_t, named_log_t, named_log_t)
+ logging_log_filetrans(named_t, named_log_t, file)
+
+ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
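Review bot: Replacing the append/create/setattr trio with `manage_files_pattern(named_t, named_log_t, named_log_t)` also grants write, unlink and rename on named's own logs, so a compromised named could truncate or remove its own audit trail. If the widening is for BIND's built-in channel log versioning, record it: `# manage, not append: BIND rotates its own channel log files`; if it was a blanket fix for one denial, add only the missing permission instead.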
+@@ -115,7 +117,6 @@ kernel_read_network_state(named_t)
+
+ corecmd_search_bin(named_t)
+
+-corenet_all_recvfrom_unlabeled(named_t)
+ corenet_all_recvfrom_netlabel(named_t)
+ corenet_tcp_sendrecv_generic_if(named_t)
+ corenet_udp_sendrecv_generic_if(named_t)
+@@ -144,6 +145,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+ dev_read_sysfs(named_t)
+ dev_read_rand(named_t)
+ dev_read_urand(named_t)
++dev_dontaudit_write_urand(named_t)
+
+ domain_use_interactive_fds(named_t)
+
+@@ -175,6 +177,19 @@ tunable_policy(`named_write_master_zones',`
+ ')
+
+ optional_policy(`
++ cron_system_entry(named_t, named_exec_t)
++')
++
++optional_policy(`
++ # needed by FreeIPA with DNS support
++ dirsrv_stream_connect(named_t)
++')
++
++optional_policy(`
++ dnssec_trigger_manage_pid_files(named_t)
++')
++
++optional_policy(`
+ dbus_system_domain(named_t, named_exec_t)
+
+ init_dbus_chat_script(named_t)
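Review bot: Only the `dirsrv_stream_connect` block carries a why-comment; `cron_system_entry(named_t, named_exec_t)` and `dnssec_trigger_manage_pid_files(named_t)` are added without one. cron_system_entry presumably lets system cron jobs enter named_t via named_exec_t, which is not an obvious need for a DNS daemon, so a comment naming the job (e.g. `# <cron job that execs named — fill in>`) would stop the next reader from treating it as stray. The new blocks are correctly isolated in their own `optional_policy` wrappers.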
+@@ -187,7 +202,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ipsec_rw_inherited_pipes(named_t)
++')
++
++optional_policy(`
++ kerberos_filetrans_named_content(named_t)
+ kerberos_read_keytab(named_t)
++ kerberos_read_host_rcache(named_t)
+ kerberos_use(named_t)
+ ')
+
+@@ -215,7 +236,8 @@ optional_policy(`
+ #
+
+ allow ndc_t self:capability { dac_override net_admin };
+-allow ndc_t self:process signal_perms;
++allow ndc_t self:capability2 block_suspend;
++allow ndc_t self:process { fork signal_perms };
+ allow ndc_t self:fifo_file rw_fifo_file_perms;
+ allow ndc_t self:unix_stream_socket { accept listen };
+
+@@ -229,10 +251,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+
+ allow ndc_t named_zone_t:dir search_dir_perms;
+
+-kernel_read_kernel_sysctls(ndc_t)
+ kernel_read_system_state(ndc_t)
++kernel_read_kernel_sysctls(ndc_t)
+
+-corenet_all_recvfrom_unlabeled(ndc_t)
+ corenet_all_recvfrom_netlabel(ndc_t)
+ corenet_tcp_sendrecv_generic_if(ndc_t)
+ corenet_tcp_sendrecv_generic_node(ndc_t)
+@@ -242,6 +263,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+ corenet_tcp_connect_rndc_port(ndc_t)
+ corenet_sendrecv_rndc_client_packets(ndc_t)
+
++dev_read_rand(ndc_t)
++dev_read_urand(ndc_t)
++
+ domain_use_interactive_fds(ndc_t)
+
+ files_search_pids(ndc_t)
+@@ -257,7 +281,7 @@ init_use_script_ptys(ndc_t)
+
+ logging_send_syslog_msg(ndc_t)
+
+-miscfiles_read_localization(ndc_t)
++userdom_use_inherited_user_terminals(ndc_t)
+
+ userdom_use_user_terminals(ndc_t)
+
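Review bot: `userdom_use_inherited_user_terminals(ndc_t)` is added while the context line two below keeps `userdom_use_user_terminals(ndc_t)`; if the latter is the superset its name suggests, the new line is redundant, and if the intent was to narrow ndc to inherited terminals only, the old line should be the one removed. Keep exactly one. Placing the new userdom call next to the existing one rather than in the slot vacated by `miscfiles_read_localization` would also read better.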
+diff --git a/bird.te b/bird.te
+index 1d60c27..f8bb700 100644
+--- a/bird.te
++++ b/bird.te
+@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
+ corenet_tcp_sendrecv_bgp_port(bird_t)
+
+ # /etc/iproute2/rt_realms
+-files_read_etc_files(bird_t)
+
+ logging_send_syslog_msg(bird_t)
+
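Review bot: Removing `files_read_etc_files(bird_t)` leaves the `# /etc/iproute2/rt_realms` comment on the preceding line orphaned, pointing at nothing. Either drop the comment or keep it attached to whatever now grants the read, e.g. `# /etc/iproute2/rt_realms: etc reads come from base rules`, if that is the reason for the removal.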
+diff --git a/bitlbee.fc b/bitlbee.fc
+index e9708d6..61362d0 100644
+--- a/bitlbee.fc
++++ b/bitlbee.fc
+@@ -7,7 +7,7 @@
+
+ /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
+
+-/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0)
++/var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0)
+
+ /var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+ /var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+diff --git a/bitlbee.if b/bitlbee.if
+index e73fb79..2badfc0 100644
+--- a/bitlbee.if
++++ b/bitlbee.if
+@@ -44,9 +44,13 @@ interface(`bitlbee_admin',`
+ type bitlbee_log_t, bitlbee_tmp_t;
+ ')
+
+- allow $1 bitlbee_t:process { ptrace signal_perms };
++ allow $1 bitlbee_t:process signal_perms;
+ ps_process_pattern($1, bitlbee_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bitlbee_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitlbee_initrc_exec_t system_r;
+diff --git a/bitlbee.te b/bitlbee.te
+index f5c1a48..f255b29 100644
+--- a/bitlbee.te
++++ b/bitlbee.te
+@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
+
+ allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
+ allow bitlbee_t self:process { setsched signal };
++
+ allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+-allow bitlbee_t self:tcp_socket { accept listen };
+-allow bitlbee_t self:unix_stream_socket { accept listen };
++allow bitlbee_t self:udp_socket create_socket_perms;
++allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
++allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
++allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
+ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
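Review bot: The new `udp_socket create_socket_perms` and `netlink_route_socket r_netlink_socket_perms` grants for bitlbee_t arrive with no comment; a socket-type widening on a network-facing daemon should name the feature behind it, e.g. `# udp/netlink_route: <resolver or interface lookup — fill in from the denial>`. The blank line inserted between the `process` and `fifo_file` allows splits what the rest of the file keeps as one block of self rules.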
+@@ -45,7 +48,9 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
+ manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+ append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+ create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
++read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+ setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
++logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })
+
+ manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+ manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+@@ -59,8 +64,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+ manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+ files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
+
+-kernel_read_kernel_sysctls(bitlbee_t)
+ kernel_read_system_state(bitlbee_t)
++kernel_read_kernel_sysctls(bitlbee_t)
+
+ corenet_all_recvfrom_unlabeled(bitlbee_t)
+ corenet_all_recvfrom_netlabel(bitlbee_t)
+@@ -98,7 +103,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
+
+ corenet_sendrecv_ircd_server_packets(bitlbee_t)
+ corenet_tcp_bind_ircd_port(bitlbee_t)
++corenet_tcp_bind_interwise_port(bitlbee_t)
+ corenet_sendrecv_ircd_client_packets(bitlbee_t)
++corenet_tcp_connect_interwise_port(bitlbee_t)
+ corenet_tcp_connect_ircd_port(bitlbee_t)
+ corenet_tcp_sendrecv_ircd_port(bitlbee_t)
+
+@@ -109,16 +116,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+ dev_read_rand(bitlbee_t)
+ dev_read_urand(bitlbee_t)
+
+-files_read_usr_files(bitlbee_t)
+-
+ libs_legacy_use_shared_libs(bitlbee_t)
+
+ auth_use_nsswitch(bitlbee_t)
+
+ logging_send_syslog_msg(bitlbee_t)
+
+-miscfiles_read_localization(bitlbee_t)
+-
+ optional_policy(`
+ tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+ ')
+diff --git a/blueman.fc b/blueman.fc
+index c295d2e..4f84e9c 100644
+--- a/blueman.fc
++++ b/blueman.fc
+@@ -1,3 +1,4 @@
++
+ /usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
+
+ /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
+diff --git a/blueman.if b/blueman.if
+index 16ec525..1dd4059 100644
+--- a/blueman.if
++++ b/blueman.if
+@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',`
+
+ allow $1 blueman_t:dbus send_msg;
+ allow blueman_t $1:dbus send_msg;
++ ps_process_pattern(blueman_t, $1)
+ ')
+
+ ########################################
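Review bot: `ps_process_pattern(blueman_t, $1)` inside `blueman_dbus_chat` lets blueman_t read the /proc state of every domain that merely wants to exchange D-Bus messages with it, which is more than the interface's name and header promise. Move it to a separately named interface, or into blueman.te for the specific peer that needs it, so callers of the chat interface do not silently hand over process-state access. The interface header is outside the hunk.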
+diff --git a/blueman.te b/blueman.te
+index 3a5032e..2097425 100644
+--- a/blueman.te
++++ b/blueman.te
+@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
+
+ type blueman_t;
+ type blueman_exec_t;
+-dbus_system_domain(blueman_t, blueman_exec_t)
++init_daemon_domain(blueman_t, blueman_exec_t)
+
+ type blueman_var_lib_t;
+ files_type(blueman_var_lib_t)
+@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t)
+ #
+
+ allow blueman_t self:capability { net_admin sys_nice };
+-allow blueman_t self:process { signal_perms setsched };
++allow blueman_t self:process { execmem signal_perms setsched };
++
+ allow blueman_t self:fifo_file rw_fifo_file_perms;
+
+ manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
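Review bot: `execmem` is added to blueman_t's process permissions without a comment, and the later hunk adds `dev_rwx_zero(blueman_t)`; together they allow writable-and-executable anonymous memory, removing the W^X protection for this daemon. Both need a why-comment naming the component that requires them, e.g. `# execmem/rwx zero: <library needing executable heap — fill in>`, and if it is a single library a boolean may be preferable. The `kernel_rw_net_sysctls` widening in the following hunk is likewise uncommented.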
+@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
+ manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
+ files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
+
+-kernel_read_net_sysctls(blueman_t)
++kernel_rw_net_sysctls(blueman_t)
+ kernel_read_system_state(blueman_t)
+ kernel_request_load_module(blueman_t)
+
+@@ -41,29 +42,44 @@ corecmd_exec_bin(blueman_t)
+ dev_read_rand(blueman_t)
+ dev_read_urand(blueman_t)
+ dev_rw_wireless(blueman_t)
++dev_rwx_zero(blueman_t)
+
+ domain_use_interactive_fds(blueman_t)
+
+ files_list_tmp(blueman_t)
+-files_read_usr_files(blueman_t)
+
+ auth_use_nsswitch(blueman_t)
+
+ logging_send_syslog_msg(blueman_t)
+
+-miscfiles_read_localization(blueman_t)
+-
+ sysnet_domtrans_ifconfig(blueman_t)
++sysnet_dns_name_resolve(blueman_t)
+
+ optional_policy(`
+ avahi_domtrans(blueman_t)
+ ')
+
+ optional_policy(`
++ bluetooth_read_config(blueman_t)
++')
++
++optional_policy(`
++ dbus_system_domain(blueman_t, blueman_exec_t)
++')
++
++optional_policy(`
+ dnsmasq_domtrans(blueman_t)
+ dnsmasq_read_pid_files(blueman_t)
+ ')
+
+ optional_policy(`
++ gnome_search_gconf(blueman_t)
++')
++
++optional_policy(`
+ iptables_domtrans(blueman_t)
+ ')
++
++optional_policy(`
++ xserver_read_state_xdm(blueman_t)
++')
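Review bot: `sysnet_dns_name_resolve(blueman_t)` is added while `auth_use_nsswitch(blueman_t)` stays a few lines above; in current refpolicy auth_use_nsswitch already pulls in name resolution, so the new line is likely redundant — check the interface and drop it if so. Putting `dbus_system_domain(blueman_t, blueman_exec_t)` under `optional_policy` after the first hunk switched the primary declaration to `init_daemon_domain` is the right split; a comment such as `# started by init; dbus activation kept optional` would record the intent.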
+diff --git a/bluetooth.fc b/bluetooth.fc
+index 2b9c7f3..0086b95 100644
+--- a/bluetooth.fc
++++ b/bluetooth.fc
+@@ -5,10 +5,14 @@
+ /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
++
+ /usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+ /usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
++/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
++/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+ /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+diff --git a/bluetooth.if b/bluetooth.if
+index c723a0a..b23b46a 100644
+--- a/bluetooth.if
++++ b/bluetooth.if
+@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
+ domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
+
+ ps_process_pattern($2, bluetooth_helper_t)
+- allow $2 bluetooth_helper_t:process { ptrace signal_perms };
++
++ allow $2 bluetooth_helper_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 bluetooth_helper_t:process ptrace;
++ ')
+
+ allow $2 bluetooth_t:socket rw_socket_perms;
+
+@@ -45,8 +50,10 @@ interface(`bluetooth_role',`
+ allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
++ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
++ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
++ bluetooth_stream_connect($2)
+ stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+- files_search_pids($2)
+ ')
+
+ #####################################
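Review bot: `bluetooth_stream_connect($2)` is added while the context line `stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)` stays and `files_search_pids($2)` is removed; if bluetooth_stream_connect wraps that same pattern plus the pid-directory search (its usual shape), the remaining raw pattern is redundant, and if it does not, the search on pids has been lost. Check the interface and keep exactly one of the two. bluetooth_role's header is outside the hunk.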
+@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',`
+
+ ########################################
+ ##
++## dontaudit Send and receive messages from
++## bluetooth over dbus.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`bluetooth_dontaudit_dbus_chat',`
++ gen_require(`
++ type bluetooth_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 bluetooth_t:dbus send_msg;
++ dontaudit bluetooth_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+ ##
+ ##
+@@ -190,6 +218,30 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+
+ ########################################
+ ##
++## Execute bluetooth server in the bluetooth domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bluetooth_systemctl',`
++ gen_require(`
++ type bluetooth_t;
++ type bluetooth_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 bluetooth_unit_file_t:file read_file_perms;
++ allow $1 bluetooth_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, bluetooth_t)
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an bluetooth environment.
+ ##
+@@ -210,12 +262,16 @@ interface(`bluetooth_admin',`
+ type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+ type bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
+- type bluetooth_initrc_exec_t;
++ type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
+ ')
+
+- allow $1 bluetooth_t:process { ptrace signal_perms };
++ allow $1 bluetooth_t:process signal_perms;
+ ps_process_pattern($1, bluetooth_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bluetooth_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bluetooth_initrc_exec_t system_r;
+@@ -235,4 +291,8 @@ interface(`bluetooth_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, bluetooth_var_run_t)
++
++ bluetooth_systemctl($1)
++ admin_pattern($1, bluetooth_unit_file_t)
++ allow $1 bluetooth_unit_file_t:service all_service_perms;
+ ')
+diff --git a/bluetooth.te b/bluetooth.te
+index 851769e..a069dc3 100644
+--- a/bluetooth.te
++++ b/bluetooth.te
+@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
+ type bluetooth_var_run_t;
+ files_pid_file(bluetooth_var_run_t)
+
++type bluetooth_unit_file_t;
++systemd_unit_file(bluetooth_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+
+ manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+ manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
++manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
++files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
+
+ manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+ manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+
+ can_exec(bluetooth_t, bluetooth_helper_exec_t)
+
++corecmd_exec_bin(bluetooth_t)
++corecmd_exec_shell(bluetooth_t)
++
+ kernel_read_kernel_sysctls(bluetooth_t)
+ kernel_read_system_state(bluetooth_t)
+ kernel_read_network_state(bluetooth_t)
+ kernel_request_load_module(bluetooth_t)
+ kernel_search_debugfs(bluetooth_t)
+
+-corecmd_exec_bin(bluetooth_t)
+-corecmd_exec_shell(bluetooth_t)
++corenet_all_recvfrom_netlabel(bluetooth_t)
++corenet_tcp_sendrecv_generic_if(bluetooth_t)
++corenet_udp_sendrecv_generic_if(bluetooth_t)
++corenet_raw_sendrecv_generic_if(bluetooth_t)
++corenet_tcp_sendrecv_generic_node(bluetooth_t)
++corenet_udp_sendrecv_generic_node(bluetooth_t)
++corenet_raw_sendrecv_generic_node(bluetooth_t)
++corenet_tcp_sendrecv_all_ports(bluetooth_t)
++corenet_udp_sendrecv_all_ports(bluetooth_t)
+
+ dev_read_sysfs(bluetooth_t)
+ dev_rw_usbfs(bluetooth_t)
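Review bot: The nine new corenet lines give bluetoothd generic TCP, UDP and raw send/receive on all interfaces and nodes plus `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports`, with no comment on which feature needs IP sockets at all; for a daemon whose transport is Bluetooth that is a wide grant and should be narrowed to a specific port interface or justified, e.g. `# IP sockets: <feature, e.g. PAN bridging — confirm>`. Moving `corecmd_exec_bin`/`corecmd_exec_shell` above the `kernel_*` calls also inverts the order the removed lines had.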
+@@ -105,12 +119,12 @@ dev_rw_generic_usb_dev(bluetooth_t)
+ dev_read_urand(bluetooth_t)
+ dev_rw_input_dev(bluetooth_t)
+ dev_rw_wireless(bluetooth_t)
++dev_rw_uhid_dev(bluetooth_t)
+
+ domain_use_interactive_fds(bluetooth_t)
+ domain_dontaudit_search_all_domains_state(bluetooth_t)
+
+ files_read_etc_runtime_files(bluetooth_t)
+-files_read_usr_files(bluetooth_t)
+
+ fs_getattr_all_fs(bluetooth_t)
+ fs_search_auto_mountpoints(bluetooth_t)
+@@ -122,7 +136,6 @@ auth_use_nsswitch(bluetooth_t)
+
+ logging_send_syslog_msg(bluetooth_t)
+
+-miscfiles_read_localization(bluetooth_t)
+ miscfiles_read_fonts(bluetooth_t)
+ miscfiles_read_hwdata(bluetooth_t)
+
+@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+ userdom_dontaudit_use_user_terminals(bluetooth_t)
+ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
++# machine-info
++systemd_hostnamed_read_config(bluetooth_t)
++systemd_dbus_chat_hostnamed(bluetooth_t)
++
+ optional_policy(`
+ dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
+@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t)
+ domain_read_all_domains_state(bluetooth_helper_t)
+
+ files_read_etc_runtime_files(bluetooth_helper_t)
+-files_read_usr_files(bluetooth_helper_t)
+ files_dontaudit_list_default(bluetooth_helper_t)
+
+ term_dontaudit_use_all_ttys(bluetooth_helper_t)
+diff --git a/boinc.fc b/boinc.fc
+index 6d3ccad..bda740a 100644
+--- a/boinc.fc
++++ b/boinc.fc
+@@ -1,9 +1,12 @@
+-/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+-/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+-/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+-/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+-/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
+-/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
++/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
++
++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++
++/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+diff --git a/boinc.if b/boinc.if
+index 02fefaa..308616e 100644
+--- a/boinc.if
++++ b/boinc.if
+@@ -1,9 +1,166 @@
+-## Platform for computing using volunteered resources.
++## policy for boinc
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an boinc environment.
++## Execute a domain transition to run boinc.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`boinc_domtrans',`
++ gen_require(`
++ type boinc_t, boinc_exec_t;
++ ')
++
++ domtrans_pattern($1, boinc_exec_t, boinc_t)
++')
++
++#######################################
++##
++## Execute boinc server in the boinc domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_initrc_domtrans',`
++ gen_require(`
++ type boinc_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
++')
++
++#######################################
++##
++## Dontaudit getattr on boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_dontaudit_getattr_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ dontaudit $1 boinc_var_lib_t:file getattr;
++')
++
++########################################
++##
++## Search boinc lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_search_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ allow $1 boinc_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_read_lib_files',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_manage_lib_files',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## Manage boinc var_lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_manage_var_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++#######################################
++##
++## Execute boinc server in the boinc domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`boinc_systemctl',`
++ gen_require(`
++ type boinc_t;
++ type boinc_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 boinc_unit_file_t:file read_file_perms;
++ allow $1 boinc_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, boinc_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an boinc environment.
+ ##
+ ##
+ ##
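Review bot: `boinc_systemctl`'s header comment at L58366, `## Execute boinc server in the boinc domain.`, and its parameter text `## Domain allowed to transition.` are copied from `boinc_initrc_domtrans`, but the body at L58380-L58385 grants systemctl execution, unit-file reading and service management with no domain transition at all. Replace them with `## Manage the boinc service with systemctl.` and `## Domain allowed access.`; the same copy-paste is in brltty.if (`brltty_systemctl`, L58791/L58795) and bumblebee.if (`bumblebee_systemctl`, L59154/L59158). Separately, `boinc_manage_lib_files` (L58334) is a strict subset of `boinc_manage_var_lib` (L58353) — both require only boinc_var_lib_t and the latter merely adds dir and lnk_file management — so either drop one or have `boinc_manage_var_lib` call `boinc_manage_lib_files($1)` so the two cannot drift apart.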
+@@ -19,26 +176,32 @@
+ #
+ interface(`boinc_admin',`
+ gen_require(`
+-
+- type boinc_t, boinc_project_t, boinc_log_t;
+- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
+- type boinc_project_var_lib_t, boinc_project_tmp_t;
++ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
++ type boinc_unit_file_t;
+ ')
+
+- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { boinc_t boinc_project_t })
++ allow $1 boinc_t:process signal_perms;
++ ps_process_pattern($1, boinc_t)
+
+- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 boinc_t:process ptrace;
++ ')
++
++ boinc_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 boinc_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- logging_search_logs($1)
+- admin_pattern($1, boinc_log_t)
++ files_list_var_lib($1)
++ admin_pattern($1, boinc_var_lib_t)
+
+- files_search_tmp($1)
+- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
++ boinc_systemctl($1)
++ admin_pattern($1, boinc_unit_file_t)
+
+- files_search_var_lib($1)
+- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
++ allow $1 boinc_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+ ')
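Review bot: The rewritten `boinc_admin` drops every rule over boinc_project_t, boinc_log_t, boinc_tmp_t, boinc_project_tmp_t and boinc_project_var_lib_t (removed at L58400-L58402, L58407-L58408, L58422-L58423, L58427-L58428 and L58432-L58433) with no replacement, although boinc.te in this same patch still declares all of those types (L58463, L58469, L58474, L58477). An admin domain using this interface can therefore no longer signal project processes or manage the log, tmp and project data, which looks like an unintended regression rather than a deliberate narrowing. `allow $1 boinc_unit_file_t:service all_service_perms;` at L58434 also overlaps the `manage_service_perms` already granted through `boinc_systemctl($1)` at L58429; one of the two suffices. A version that restores the dropped types while keeping the new deny_ptrace and systemd additions follows.
```m4
interface(`boinc_admin',`
	gen_require(`
		type boinc_t, boinc_project_t, boinc_initrc_exec_t;
		type boinc_var_lib_t, boinc_project_var_lib_t, boinc_log_t;
		type boinc_tmp_t, boinc_project_tmp_t, boinc_unit_file_t;
	')

	allow $1 { boinc_t boinc_project_t }:process signal_perms;
	ps_process_pattern($1, { boinc_t boinc_project_t })

	tunable_policy(`deny_ptrace',`',`
		allow $1 { boinc_t boinc_project_t }:process ptrace;
	')

	# … unchanged: boinc_initrc_domtrans, system_change_exemption, role_transition …

	logging_search_logs($1)
	admin_pattern($1, boinc_log_t)

	files_search_tmp($1)
	admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })

	files_list_var_lib($1)
	admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })

	# … unchanged: boinc_systemctl, unit file admin_pattern, passwd agent optional_policy …
```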
+diff --git a/boinc.te b/boinc.te
+index 687d4c4..3c5a83a 100644
+--- a/boinc.te
++++ b/boinc.te
+@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
+ ##
+ gen_tunable(boinc_execmem, true)
+
+-type boinc_t;
++attribute boinc_domain;
++
++type boinc_t, boinc_domain;
+ type boinc_exec_t;
+ init_daemon_domain(boinc_t, boinc_exec_t)
+
+@@ -28,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
+ type boinc_var_lib_t;
+ files_type(boinc_var_lib_t)
+
+-type boinc_project_var_lib_t;
+-files_type(boinc_project_var_lib_t)
+-
+ type boinc_log_t;
+ logging_log_file(boinc_log_t)
+
++type boinc_unit_file_t;
++systemd_unit_file(boinc_unit_file_t)
++
+ type boinc_project_t;
+ domain_type(boinc_project_t)
+-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
+ role system_r types boinc_project_t;
+
+ type boinc_project_tmp_t;
+ files_tmp_file(boinc_project_tmp_t)
+
++type boinc_project_var_lib_t;
++files_type(boinc_project_var_lib_t)
++
++#######################################
++#
++# boinc domain local policy
++#
++
++allow boinc_domain self:fifo_file rw_fifo_file_perms;
++allow boinc_domain self:process signal;
++allow boinc_domain self:sem create_sem_perms;
++
++manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++
++corecmd_exec_bin(boinc_domain)
++corecmd_exec_shell(boinc_domain)
++
++dev_read_rand(boinc_domain)
++dev_read_urand(boinc_domain)
++dev_read_sysfs(boinc_domain)
++dev_rw_xserver_misc(boinc_domain)
++
++domain_read_all_domains_state(boinc_domain)
++
++files_read_etc_runtime_files(boinc_domain)
++
++fs_getattr_all_fs(boinc_domain)
++
++miscfiles_read_fonts(boinc_domain)
++
++tunable_policy(`boinc_execmem',`
++ allow boinc_domain self:process { execstack execmem };
++')
++
++optional_policy(`
++ sysnet_dns_name_resolve(boinc_domain)
++')
++
+ ########################################
+ #
+-# Local policy
++# boinc local policy
+ #
+
+ allow boinc_t self:process { setsched setpgid signull sigkill };
+-allow boinc_t self:unix_stream_socket { accept listen };
+-allow boinc_t self:tcp_socket { accept listen };
++
++allow boinc_t self:unix_stream_socket create_stream_socket_perms;
++allow boinc_t self:tcp_socket create_stream_socket_perms;
+ allow boinc_t self:shm create_shm_perms;
+-allow boinc_t self:fifo_file rw_fifo_file_perms;
+-allow boinc_t self:sem create_sem_perms;
+
+ manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+ manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
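Review bot: `attribute boinc_domain` (L58450) is attached only to boinc_t (L58452); boinc_project_t at L58469 stays a plain `domain_type`, so the "boinc domain local policy" block at L58485-L58515 applies to a single type and the attribute is a one-member indirection. If the project domain was meant to share it, L58469 should read `type boinc_project_t, boinc_domain;` — but note that this would also hand project applications manage access to boinc_var_lib_t through L58489-L58491, which the previous policy did not grant, so the shared block would need trimming first. If it is intentional that only boinc_t carries it for now, a short comment on L58450 saying which domains are expected to join it would stop the next reader from asking the same question.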
+@@ -61,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+ manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
+ fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
+
+-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+-
+-# entry files to the boinc_project_t domain
+-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++# this should be created by default by boinc
++# we need this label for transition to boinc_project_t
++# other boinc lib files will end up with boinc_var_lib_t
+ filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
+ filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
+
+-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+-logging_log_filetrans(boinc_t, boinc_log_t, file)
+-
+-can_exec(boinc_t, boinc_var_lib_t)
++manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
+-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
++logging_log_filetrans(boinc_t, boinc_log_t, { file })
+
++# needs read /proc/interrupts
+ kernel_read_system_state(boinc_t)
++kernel_read_network_state(boinc_t)
+ kernel_search_vm_sysctl(boinc_t)
+
+-corenet_all_recvfrom_unlabeled(boinc_t)
++dev_getattr_mouse_dev(boinc_t)
++
++files_getattr_all_dirs(boinc_t)
++files_getattr_all_files(boinc_t)
++
+ corenet_all_recvfrom_netlabel(boinc_t)
+ corenet_tcp_sendrecv_generic_if(boinc_t)
++corenet_udp_sendrecv_generic_if(boinc_t)
+ corenet_tcp_sendrecv_generic_node(boinc_t)
++corenet_udp_sendrecv_generic_node(boinc_t)
++corenet_tcp_sendrecv_all_ports(boinc_t)
++corenet_udp_sendrecv_all_ports(boinc_t)
+ corenet_tcp_bind_generic_node(boinc_t)
+-
+-corenet_sendrecv_boinc_client_packets(boinc_t)
+-corenet_sendrecv_boinc_server_packets(boinc_t)
++corenet_udp_bind_generic_node(boinc_t)
+ corenet_tcp_bind_boinc_port(boinc_t)
+-corenet_tcp_connect_boinc_port(boinc_t)
+-corenet_tcp_sendrecv_boinc_port(boinc_t)
+-
+-corenet_sendrecv_boinc_client_server_packets(boinc_t)
+ corenet_tcp_bind_boinc_client_port(boinc_t)
+-corenet_tcp_sendrecv_boinc_client_port(boinc_t)
+-
+-corenet_sendrecv_http_client_packets(boinc_t)
++corenet_tcp_connect_boinc_port(boinc_t)
+ corenet_tcp_connect_http_port(boinc_t)
+-corenet_tcp_sendrecv_http_port(boinc_t)
+-
+-corenet_sendrecv_http_cache_client_packets(boinc_t)
+ corenet_tcp_connect_http_cache_port(boinc_t)
+-corenet_tcp_sendrecv_http_cache_port(boinc_t)
+-
+-corenet_sendrecv_squid_client_packets(boinc_t)
+ corenet_tcp_connect_squid_port(boinc_t)
+-corenet_tcp_sendrecv_squid_port(boinc_t)
+-
+-corecmd_exec_bin(boinc_t)
+-corecmd_exec_shell(boinc_t)
+-
+-dev_read_rand(boinc_t)
+-dev_read_urand(boinc_t)
+-dev_read_sysfs(boinc_t)
+-dev_rw_xserver_misc(boinc_t)
+-
+-domain_read_all_domains_state(boinc_t)
+
+ files_dontaudit_getattr_boot_dirs(boinc_t)
+-files_getattr_all_dirs(boinc_t)
+-files_getattr_all_files(boinc_t)
+-files_read_etc_files(boinc_t)
+-files_read_etc_runtime_files(boinc_t)
+-files_read_usr_files(boinc_t)
+
+-fs_getattr_all_fs(boinc_t)
++auth_read_passwd(boinc_t)
+
+ term_getattr_all_ptys(boinc_t)
+ term_getattr_unallocated_ttys(boinc_t)
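Review bot: The per-port `corenet_tcp_sendrecv_*_port` rules and all `corenet_sendrecv_*_packets` rules are removed (L58586-L58608) together with `corenet_all_recvfrom_unlabeled(boinc_t)` (L58571), while the replacements `corenet_tcp_sendrecv_all_ports` / `corenet_udp_sendrecv_all_ports` at L58582-L58583 cover port types only, not packet types. Unless the base policy now grants `packet { send recv }` on unlabeled and per-port packet types to every domain centrally — which the same blanket removal elsewhere in this patch (e.g. bugzilla.te L59051) suggests but does not prove — boinc_t would lose packet permission on the boinc, http, http_cache and squid traffic it still connects to at L58589-L58607; confirm against the base kernel/domain rules before merging. The boinc_t local-policy section starts in the previous hunk and continues in the next.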
+@@ -137,8 +151,9 @@ init_read_utmp(boinc_t)
+
+ logging_send_syslog_msg(boinc_t)
+
+-miscfiles_read_fonts(boinc_t)
+-miscfiles_read_localization(boinc_t)
++modutils_dontaudit_exec_insmod(boinc_t)
++
++xserver_stream_connect(boinc_t)
+
+ tunable_policy(`boinc_execmem',`
+ allow boinc_t self:process { execstack execmem };
+@@ -148,48 +163,61 @@ optional_policy(`
+ mta_send_mail(boinc_t)
+ ')
+
+-optional_policy(`
+- sysnet_dns_name_resolve(boinc_t)
+-')
+-
+ ########################################
+ #
+-# Project local policy
++# boinc-projects local policy
+ #
+
+ allow boinc_project_t self:capability { setuid setgid };
+-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
++
++domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++allow boinc_t boinc_project_t:process sigkill;
++allow boinc_t boinc_project_t:process noatsecure;
++
++allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
++tunable_policy(`deny_ptrace',`',`
++ allow boinc_project_t self:process ptrace;
++')
++
++allow boinc_project_t self:process { execstack };
+
+ manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+ manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+ manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+ files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
+
++allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
++exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+ manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+ manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
+
+ allow boinc_project_t boinc_project_var_lib_t:file execmod;
+-can_exec(boinc_project_t, boinc_project_var_lib_t)
+
+ allow boinc_project_t boinc_t:shm rw_shm_perms;
+-allow boinc_project_t boinc_tmpfs_t:file { read write };
++allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
+
+ kernel_read_kernel_sysctls(boinc_project_t)
+-kernel_read_network_state(boinc_project_t)
+ kernel_search_vm_sysctl(boinc_project_t)
++kernel_read_network_state(boinc_project_t)
+
+-corenet_all_recvfrom_unlabeled(boinc_project_t)
+-corenet_all_recvfrom_netlabel(boinc_project_t)
+-corenet_tcp_sendrecv_generic_if(boinc_project_t)
+-corenet_tcp_sendrecv_generic_node(boinc_project_t)
+-corenet_tcp_bind_generic_node(boinc_project_t)
+-
+-corenet_sendrecv_boinc_client_packets(boinc_project_t)
+ corenet_tcp_connect_boinc_port(boinc_project_t)
+-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
+
+ files_dontaudit_search_home(boinc_project_t)
+
++# needed by java
++fs_read_hugetlbfs_files(boinc_project_t)
++
++optional_policy(`
++ gnome_read_gconf_config(boinc_project_t)
++')
++
+ optional_policy(`
+ java_exec(boinc_project_t)
+ ')
++
++# until solution for VirtualBox, java ..
++optional_policy(`
++ unconfined_domain(boinc_project_t)
++')
+diff --git a/brctl.te b/brctl.te
+index c5a9113..1919abd 100644
+--- a/brctl.te
++++ b/brctl.te
+@@ -24,6 +24,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms;
+ allow brctl_t self:tcp_socket create_socket_perms;
+
+ kernel_request_load_module(brctl_t)
++kernel_read_system_state(brctl_t)
+ kernel_read_network_state(brctl_t)
+ kernel_read_sysctl(brctl_t)
+
+@@ -34,12 +35,8 @@ dev_write_sysfs_dirs(brctl_t)
+
+ domain_use_interactive_fds(brctl_t)
+
+-files_read_etc_files(brctl_t)
+-
+ term_dontaudit_use_console(brctl_t)
+
+-miscfiles_read_localization(brctl_t)
+-
+ optional_policy(`
+ xen_append_log(brctl_t)
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+diff --git a/brltty.fc b/brltty.fc
+new file mode 100644
+index 0000000..0cfe342
+--- /dev/null
++++ b/brltty.fc
+@@ -0,0 +1,8 @@
++/usr/lib/systemd/system/brltty.* -- gen_context(system_u:object_r:brltty_unit_file_t,s0)
++
++/usr/bin/brltty -- gen_context(system_u:object_r:brltty_exec_t,s0)
++
++/var/lib/BrlAPI(/.*)? gen_context(system_u:object_r:brltty_var_lib_t,s0)
++
++/var/run/brltty(/.*)? gen_context(system_u:object_r:brltty_var_run_t,s0)
++
+diff --git a/brltty.if b/brltty.if
+new file mode 100644
+index 0000000..968c957
+--- /dev/null
++++ b/brltty.if
+@@ -0,0 +1,80 @@
++
++## brltty is refreshable braille display driver for Linux/Unix
++
++########################################
++##
++## Execute brltty in the brltty domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`brltty_domtrans',`
++ gen_require(`
++ type brltty_t, brltty_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, brltty_exec_t, brltty_t)
++')
++########################################
++##
++## Execute brltty server in the brltty domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`brltty_systemctl',`
++ gen_require(`
++ type brltty_t;
++ type brltty_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 brltty_unit_file_t:file read_file_perms;
++ allow $1 brltty_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, brltty_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an brltty environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`brltty_admin',`
++ gen_require(`
++ type brltty_t;
++ type brltty_unit_file_t;
++ ')
++
++ allow $1 brltty_t:process { signal_perms };
++ ps_process_pattern($1, brltty_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 brltty_t:process ptrace;
++ ')
++
++ brltty_systemctl($1)
++ admin_pattern($1, brltty_unit_file_t)
++ allow $1 brltty_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
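Review bot: `systemd_read_fifo_file_passwd_run($1)` is granted unconditionally inside `brltty_systemctl` (L58807), and `brltty_admin` calls `brltty_systemctl($1)` at L58840 before granting the same interface again inside `optional_policy` at L58845, so the optional wrapper has no effect; drop the L58807 call (the `boinc_systemctl` interface in this same patch does without it) or the duplicate in the admin block. bumblebee.if repeats the pattern at L59170 and L59231. `## Execute brltty in the brltty domin.` at L58773 has a typo ("domain"), also present at bumblebee.if L59116. Formatting: the `########` separator at L58789 is not preceded by a blank line while L58813-L58814 has two, which is inconsistent with the rest of the file.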
+diff --git a/brltty.te b/brltty.te
+new file mode 100644
+index 0000000..32c786b
+--- /dev/null
++++ b/brltty.te
+@@ -0,0 +1,61 @@
++policy_module(brltty, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type brltty_t;
++type brltty_exec_t;
++init_daemon_domain(brltty_t, brltty_exec_t)
++
++type brltty_var_lib_t;
++files_type(brltty_var_lib_t)
++
++type brltty_var_run_t;
++files_pid_file(brltty_var_run_t)
++
++type brltty_unit_file_t;
++systemd_unit_file(brltty_unit_file_t)
++
++########################################
++#
++# brltty local policy
++#
++allow brltty_t self:capability { sys_admin sys_tty_config mknod };
++allow brltty_t self:process { fork signal_perms };
++
++allow brltty_t self:fifo_file rw_fifo_file_perms;
++allow brltty_t self:unix_stream_socket create_stream_socket_perms;
++allow brltty_t self:tcp_socket listen;
++
++manage_dirs_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
++manage_files_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
++manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t)
++files_var_lib_filetrans(brltty_t, brltty_var_lib_t, {file sock_file dir})
++
++manage_dirs_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
++manage_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
++manage_chr_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
++files_pid_filetrans(brltty_t, brltty_var_run_t, { dir file chr_file })
++allow brltty_t brltty_var_run_t:dir mounton;
++
++kernel_read_system_state(brltty_t)
++kernel_read_usermodehelper_state(brltty_t)
++
++auth_use_nsswitch(brltty_t)
++
++corenet_tcp_bind_brlp_port(brltty_t)
++
++dev_read_sysfs(brltty_t)
++dev_getattr_generic_usb_dev(brltty_t)
++
++fs_getattr_all_fs(brltty_t)
++
++logging_send_syslog_msg(brltty_t)
++
++modutils_domtrans_insmod(brltty_t)
++
++sysnet_dns_name_resolve(brltty_t)
++
++term_use_unallocated_ttys(brltty_t)
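Review bot: `allow brltty_t self:tcp_socket listen;` at L58883 grants only `listen`, not the create/bind/accept permissions a listening socket needs, so the `corenet_tcp_bind_brlp_port(brltty_t)` rule at L58901 cannot be exercised unless socket creation is granted elsewhere (nothing visible in this file does); `allow brltty_t self:tcp_socket create_stream_socket_perms;` is the usual form. The `sys_admin` and `mknod` capabilities at L58878 and `allow brltty_t brltty_var_run_t:dir mounton;` at L58894 are powerful grants with no comment; a why-comment naming the operation — presumably the mount on its runtime dir and the device nodes created via `manage_chr_files_pattern` at L58892, but confirm — would let a later reviewer judge whether they can be narrowed. Style: `manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t)` at L58887 lacks the space after the first comma, and `{file sock_file dir}` at L58888 lacks the brace spacing used at L58893.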
+diff --git a/bugzilla.fc b/bugzilla.fc
+index fce0b6e..9efceac 100644
+--- a/bugzilla.fc
++++ b/bugzilla.fc
+@@ -1,4 +1,4 @@
+-/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+-/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
++/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_content_t,s0)
++/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:bugzilla_script_exec_t,s0)
+
+-/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
++/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_rw_content_t,s0)
+diff --git a/bugzilla.if b/bugzilla.if
+index 1b22262..d9ea246 100644
+--- a/bugzilla.if
++++ b/bugzilla.if
+@@ -12,10 +12,10 @@
+ #
+ interface(`bugzilla_search_content',`
+ gen_require(`
+- type httpd_bugzilla_content_t;
++ type bugzilla_content_t;
+ ')
+
+- allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
++ allow $1 bugzilla_content_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',`
+ #
+ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ gen_require(`
+- type httpd_bugzilla_script_t;
++ type bugzilla_script_t;
+ ')
+
+- dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
++ dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
+ ')
+
+ ########################################
+@@ -48,33 +48,37 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
+ #
+ interface(`bugzilla_admin',`
+ gen_require(`
+- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+- type httpd_bugzilla_htaccess_t;
++ type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
++ type bugzilla_rw_content_t, bugzilla_script_exec_t;
++ type bugzilla_htaccess_t, bugzilla_tmp_t;
++ ')
++
++ allow $1 bugzilla_script_t:process signal_perms;
++ ps_process_pattern($1, bugzilla_script_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bugzilla_script_t:process ptrace;
+ ')
+
+- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+- ps_process_pattern($1, httpd_bugzilla_script_t)
++ files_list_tmp($1)
++ admin_pattern($1, bugzilla_tmp_t)
+
+- files_search_usr($1)
+- admin_pattern($1, httpd_bugzilla_script_exec_t)
+- admin_pattern($1, httpd_bugzilla_script_t)
+- admin_pattern($1, httpd_bugzilla_content_t)
+- admin_pattern($1, httpd_bugzilla_htaccess_t)
+- admin_pattern($1, httpd_bugzilla_ra_content_t)
++ files_list_var_lib(bugzilla_script_t)
++
++ admin_pattern($1, bugzilla_script_exec_t)
++ admin_pattern($1, bugzilla_script_t)
++ admin_pattern($1, bugzilla_content_t)
++ admin_pattern($1, bugzilla_htaccess_t)
++ admin_pattern($1, bugzilla_ra_content_t)
+
+ files_search_tmp($1)
+ files_search_var_lib($1)
+- admin_pattern($1, httpd_bugzilla_rw_content_t)
++ admin_pattern($1, bugzilla_rw_content_t)
+
+- apache_list_sys_content($1)
++ optional_policy(`
++ apache_list_sys_content($1)
++ ')
+ ')
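Review bot: `files_list_var_lib(bugzilla_script_t)` at L58996 targets the script domain instead of `$1`; every other rule in `bugzilla_admin` grants to the caller, and a rule for bugzilla_script_t inside an admin interface silently extends the script domain's own policy from whichever module happens to call the interface (bugzilla.te already has `files_search_var_lib(bugzilla_script_t)` at L59055). Either change it to `files_list_var_lib($1)` or remove it, since `files_search_var_lib($1)` at L59005 is retained a few lines below.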
+diff --git a/bugzilla.te b/bugzilla.te
+index 18623e3..c62f617 100644
+--- a/bugzilla.te
++++ b/bugzilla.te
+@@ -6,42 +6,55 @@ policy_module(bugzilla, 1.1.0)
+ #
+
+ apache_content_template(bugzilla)
++apache_content_alias_template(bugzilla, bugzilla)
++
++type bugzilla_tmp_t alias httpd_bugzilla_tmp_t;
++files_tmp_file(bugzilla_tmp_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
++allow bugzilla_script_t self:tcp_socket { accept listen };
++
++corenet_all_recvfrom_netlabel(bugzilla_script_t)
++corenet_tcp_sendrecv_generic_if(bugzilla_script_t)
++corenet_tcp_sendrecv_generic_node(bugzilla_script_t)
++
++corenet_sendrecv_http_client_packets(bugzilla_script_t)
++corenet_tcp_connect_http_port(bugzilla_script_t)
++corenet_tcp_sendrecv_http_port(bugzilla_script_t)
++
++corenet_sendrecv_smtp_client_packets(bugzilla_script_t)
++corenet_tcp_connect_smtp_port(bugzilla_script_t)
++corenet_tcp_sendrecv_smtp_port(bugzilla_script_t)
++
++manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
++manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
++files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir })
+
+-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+-corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
++files_search_var_lib(bugzilla_script_t)
+
+-corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
+-corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
++auth_read_passwd(bugzilla_script_t)
+
+-corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
+-corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
++dev_read_sysfs(bugzilla_script_t)
+
+-files_search_var_lib(httpd_bugzilla_script_t)
++sysnet_read_config(bugzilla_script_t)
++sysnet_use_ldap(bugzilla_script_t)
+
+-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
+-sysnet_use_ldap(httpd_bugzilla_script_t)
++miscfiles_read_certs(bugzilla_script_t)
+
+ optional_policy(`
+- mta_send_mail(httpd_bugzilla_script_t)
++ mta_send_mail(bugzilla_script_t)
+ ')
+
+ optional_policy(`
+- mysql_stream_connect(httpd_bugzilla_script_t)
+- mysql_tcp_connect(httpd_bugzilla_script_t)
++ mysql_stream_connect(bugzilla_script_t)
++ mysql_tcp_connect(bugzilla_script_t)
+ ')
+
+ optional_policy(`
+- postgresql_stream_connect(httpd_bugzilla_script_t)
+- postgresql_tcp_connect(httpd_bugzilla_script_t)
++ postgresql_stream_connect(bugzilla_script_t)
++ postgresql_tcp_connect(bugzilla_script_t)
+ ')
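Review bot: `sysnet_dns_name_resolve` (removed at L59071) is replaced by `sysnet_read_config(bugzilla_script_t)` at L59068, which covers reading the resolver configuration but not the DNS port traffic that name resolution needs; the script still connects to the http and smtp ports (L59040, L59044) and uses LDAP (L59069), all typically addressed by host name. Unless `apache_content_template` or the base policy now supplies nsswitch access to script domains, this is a functional regression; keep `sysnet_dns_name_resolve(bugzilla_script_t)` or use `auth_use_nsswitch(bugzilla_script_t)`, which would likely also cover the `auth_read_passwd` added at L59060 — verify.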
+diff --git a/bumblebee.fc b/bumblebee.fc
+new file mode 100644
+index 0000000..b5ee23b
+--- /dev/null
++++ b/bumblebee.fc
+@@ -0,0 +1,7 @@
++/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++
++/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++
++/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0)
++
++/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0)
+diff --git a/bumblebee.if b/bumblebee.if
+new file mode 100644
+index 0000000..2d2e60c
+--- /dev/null
++++ b/bumblebee.if
+@@ -0,0 +1,122 @@
++## policy for bumblebee
++
++########################################
++##
++## Execute bumblebee in the bumblebee domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bumblebee_domtrans',`
++ gen_require(`
++ type bumblebee_t, bumblebee_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
++')
++
++########################################
++##
++## Read bumblebee PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bumblebee_read_pid_files',`
++ gen_require(`
++ type bumblebee_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
++')
++
++########################################
++##
++## Execute bumblebee server in the bumblebee domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bumblebee_systemctl',`
++ gen_require(`
++ type bumblebee_t;
++ type bumblebee_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 bumblebee_unit_file_t:file read_file_perms;
++ allow $1 bumblebee_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, bumblebee_t)
++')
++
++########################################
++##
++## Connect to bumblebee over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bumblebee_stream_connect',`
++ gen_require(`
++ type bumblebee_t, bumblebee_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an bumblebee environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`bumblebee_admin',`
++ gen_require(`
++ type bumblebee_t;
++ type bumblebee_var_run_t;
++ type bumblebee_unit_file_t;
++ ')
++
++ allow $1 bumblebee_t:process { signal_perms };
++ ps_process_pattern($1, bumblebee_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bumblebee_t:process ptrace;
++ ')
++
++ files_search_pids($1)
++ admin_pattern($1, bumblebee_var_run_t)
++
++ bumblebee_systemctl($1)
++ admin_pattern($1, bumblebee_unit_file_t)
++ allow $1 bumblebee_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/bumblebee.te b/bumblebee.te
+new file mode 100644
+index 0000000..23a4606
+--- /dev/null
++++ b/bumblebee.te
+@@ -0,0 +1,61 @@
++policy_module(bumblebee, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type bumblebee_t;
++type bumblebee_exec_t;
++init_daemon_domain(bumblebee_t, bumblebee_exec_t)
++
++type bumblebee_var_run_t;
++files_pid_file(bumblebee_var_run_t)
++
++type bumblebee_unit_file_t;
++systemd_unit_file(bumblebee_unit_file_t)
++
++########################################
++#
++# bumblebee local policy
++#
++
++allow bumblebee_t self:capability { setgid };
++allow bumblebee_t self:process { fork signal_perms };
++allow bumblebee_t self:fifo_file rw_fifo_file_perms;
++allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
++
++kernel_read_system_state(bumblebee_t)
++kernel_dontaudit_access_check_proc(bumblebee_t)
++kernel_dontaudit_write_proc_files(bumblebee_t)
++kernel_manage_debugfs(bumblebee_t)
++
++corecmd_exec_shell(bumblebee_t)
++corecmd_exec_bin(bumblebee_t)
++
++dev_read_sysfs(bumblebee_t)
++
++auth_use_nsswitch(bumblebee_t)
++
++logging_send_syslog_msg(bumblebee_t)
++
++modutils_domtrans_insmod(bumblebee_t)
++modutils_signal_insmod(bumblebee_t)
++
++sysnet_dns_name_resolve(bumblebee_t)
++
++xserver_domtrans(bumblebee_t)
++xserver_signal(bumblebee_t)
++xserver_stream_connect(bumblebee_t)
++xserver_manage_xkb_libs(bumblebee_t)
++corenet_tcp_connect_xserver_port(bumblebee_t)
++
++optional_policy(`
++ apm_stream_connect(bumblebee_t)
++')
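Review bot: `kernel_manage_debugfs(bumblebee_t)` at L59276 grants create/write/delete over the whole of debugfs with no comment explaining the need; if it is a single control interface (presumably the vga_switcheroo files — confirm), say so, e.g. `# GPU power switching through vga_switcheroo lives in debugfs — TODO confirm`, so the next reviewer knows why a read-only interface is not enough. `corenet_tcp_connect_xserver_port(bumblebee_t)` at L59296 is placed in the xserver block rather than with the other corenet rules, and given `xserver_stream_connect` at L59294 it is unclear whether TCP to the X port is needed at all — a comment or removal would help. `allow bumblebee_t self:capability { setgid };` at L59262 without `setuid` suggests a group-only privilege change; if that is accurate, a one-line comment would document it.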
+diff --git a/cachefilesd.fc b/cachefilesd.fc
+index 648c790..aa03fc8 100644
+--- a/cachefilesd.fc
++++ b/cachefilesd.fc
+@@ -1,9 +1,34 @@
+-/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the contexts to be assigned to various files and directories of
++# importance to the CacheFiles kernel module and userspace management daemon.
++#
++
++# cachefilesd executable will have:
++# label: system_u:object_r:cachefilesd_exec_t
++# MLS sensitivity: s0
++# MCS categories:
++
++/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
+
+ /sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+
+ /usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+
+-/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
++/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
++
++/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+-/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
++/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
+diff --git a/cachefilesd.if b/cachefilesd.if
+index 8de2ab9..3b41945 100644
+--- a/cachefilesd.if
++++ b/cachefilesd.if
+@@ -1,39 +1,35 @@
+-## CacheFiles user-space management daemon.
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the policy interface for the CacheFiles userspace management daemon.
++#
++## policy for cachefilesd
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an cachefilesd environment.
++## Execute a domain transition to run cachefilesd.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
+ #
+-interface(`cachefilesd_admin',`
++interface(`cachefilesd_domtrans',`
+ gen_require(`
+- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
+- type cachefilesd_var_run_t;
++ type cachefilesd_t, cachefilesd_exec_t;
+ ')
+
+- allow $1 cachefilesd_t:process { ptrace signal_perms };
+- ps_process_pattern($1, cachefilesd_t)
+-
+- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 cachefilesd_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_var($1)
+- admin_pattern($1, cachefilesd_cache_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, cachefilesd_var_run_t)
++ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
+ ')
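Review bot: The `cachefilesd_admin` interface is deleted outright (from the removed `interface(`cachefilesd_admin',`` line through the `admin_pattern` calls) rather than being kept as a deprecated stub, so any role or admin policy that still calls `cachefilesd_admin` will fail to build once this lands. Refpolicy practice is to keep the old name with a `refpolicywarn(`$0() has been deprecated')` body, or to retain the admin rules next to the new `cachefilesd_domtrans`. The deletion also drops the only rules that administered `cachefilesd_var_run_t`, which the .te hunk still declares.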
+diff --git a/cachefilesd.te b/cachefilesd.te
+index a3760bc..660e5d3 100644
+--- a/cachefilesd.te
++++ b/cachefilesd.te
+@@ -1,52 +1,125 @@
+ policy_module(cachefilesd, 1.1.0)
+
+-########################################
++###############################################################################
+ #
+ # Declarations
+ #
+
++#
++# Files in the cache are created by the cachefiles module with security ID
++# cachefiles_var_t
++#
++type cachefiles_var_t;
++files_type(cachefiles_var_t)
++
++#
++# The /dev/cachefiles character device has security ID cachefiles_dev_t
++#
++type cachefiles_dev_t;
++dev_node(cachefiles_dev_t)
++
++#
++# The cachefilesd daemon normally runs with security ID cachefilesd_t
++#
+ type cachefilesd_t;
+ type cachefilesd_exec_t;
+ init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+
+-type cachefilesd_initrc_exec_t;
+-init_script_file(cachefilesd_initrc_exec_t)
+-
+-type cachefilesd_cache_t;
+-files_type(cachefilesd_cache_t)
+-
++#
++# The cachefilesd daemon pid file context
++#
+ type cachefilesd_var_run_t;
+ files_pid_file(cachefilesd_var_run_t)
+
+-########################################
+ #
+-# Local policy
++# The CacheFiles kernel module causes processes accessing the cache files to do
++# so acting as security ID cachefiles_kernel_t
++#
++type cachefiles_kernel_t;
++domain_type(cachefiles_kernel_t)
++domain_obj_id_change_exemption(cachefiles_kernel_t)
++role system_r types cachefiles_kernel_t;
++
++###############################################################################
+ #
++# Permit RPM to deal with files in the cache
++#
++optional_policy(`
++ rpm_use_script_fds(cachefilesd_t)
++')
+
++###############################################################################
++#
++# cachefilesd local policy
++#
++# These define what cachefilesd is permitted to do. This doesn't include very
++# much: startup stuff, logging, pid file, scanning the cache superstructure and
++# deleting files from the cache. It is not permitted to read/write files in
++# the cache.
++#
++# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
++# rules.
++#
+ allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
++allow cachefilesd_t self:process signal_perms;
+
++# Allow manipulation of pid file
++allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
+ manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
++manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+ files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
++files_create_as_is_all_files(cachefilesd_t)
+
+-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
+-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
+-
+-dev_rw_cachefiles(cachefilesd_t)
++# Allow access to cachefiles device file
++allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
+
+-files_create_all_files_as(cachefilesd_t)
+-files_read_etc_files(cachefilesd_t)
++# Allow access to cache superstructure
++manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+
++# Permit statfs on the backing filesystem
+ fs_getattr_xattr_fs(cachefilesd_t)
+
++# Basic access
++logging_send_syslog_msg(cachefilesd_t)
++init_dontaudit_use_script_ptys(cachefilesd_t)
+ term_dontaudit_use_generic_ptys(cachefilesd_t)
+ term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
+-logging_send_syslog_msg(cachefilesd_t)
++###############################################################################
++#
++# When cachefilesd invokes the kernel module to begin caching, it has to tell
++# the kernel module the security context in which it should act, and this
++# policy has to approve that.
++#
++# There are two parts to this:
++#
++# (1) the security context used by the module to access files in the cache,
++# as set by the 'secctx' command in /etc/cachefilesd.conf, and
++#
++allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
+
+-miscfiles_read_localization(cachefilesd_t)
++#
++# (2) the label that will be assigned to new files and directories created in
++# the cache by the module, which will be the same as the label on the
++# directory pointed to by the 'dir' command.
++#
++allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
+
+-init_dontaudit_use_script_ptys(cachefilesd_t)
++###############################################################################
++#
++# cachefiles kernel module local policy
++#
++# This governs what the kernel module is allowed to do the contents of the
++# cache.
++#
++allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
+
+-optional_policy(`
+- rpm_use_script_fds(cachefilesd_t)
+-')
++manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
++
++fs_getattr_xattr_fs(cachefiles_kernel_t)
++
++dev_search_sysfs(cachefiles_kernel_t)
++
++init_sigchld_script(cachefiles_kernel_t)
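Review bot: The new header comment says cachefilesd "is not permitted to read/write files in the cache", but `manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)` under "# Allow access to cache superstructure" grants full manage, including read and write, on every `cachefiles_var_t` file, so the comment and the rule disagree; either narrow the rule to what culling needs (for example `delete_files_pattern`) or correct the comment. `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;` is redundant with the `manage_files_pattern` on the same type immediately below it. The comment telling readers to prefer macros over allow rules sits directly above raw allows such as `allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;`, which replaces the removed `dev_rw_cachefiles(cachefilesd_t)`; if the devices module still declares its own cachefiles device type, the new local `type cachefiles_dev_t;` would collide with it at build time, which is worth confirming.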
+diff --git a/calamaris.if b/calamaris.if
+index cd9c528..ba793b7 100644
+--- a/calamaris.if
++++ b/calamaris.if
+@@ -42,7 +42,7 @@ interface(`calamaris_run',`
+ attribute_role calamaris_roles;
+ ')
+
+- lightsquid_domtrans($1)
++ calamaris_domtrans($1)
+ roleattribute $2 calamaris_roles;
+ ')
+
+diff --git a/calamaris.te b/calamaris.te
+index 7e57460..b0cf254 100644
+--- a/calamaris.te
++++ b/calamaris.te
+@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
+
+ corecmd_exec_bin(calamaris_t)
+
++corenet_all_recvfrom_netlabel(calamaris_t)
++corenet_tcp_sendrecv_generic_if(calamaris_t)
++corenet_udp_sendrecv_generic_if(calamaris_t)
++corenet_tcp_sendrecv_generic_node(calamaris_t)
++corenet_udp_sendrecv_generic_node(calamaris_t)
++corenet_tcp_sendrecv_all_ports(calamaris_t)
++corenet_udp_sendrecv_all_ports(calamaris_t)
++
+ dev_read_urand(calamaris_t)
+
+-files_read_usr_files(calamaris_t)
++files_search_pids(calamaris_t)
+ files_read_etc_runtime_files(calamaris_t)
+
+-libs_read_lib_files(calamaris_t)
+-
+ auth_use_nsswitch(calamaris_t)
+
+ logging_send_syslog_msg(calamaris_t)
+
+-miscfiles_read_localization(calamaris_t)
+-
+ userdom_dontaudit_list_user_home_dirs(calamaris_t)
+
+ optional_policy(`
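Review bot: `corenet_tcp_sendrecv_all_ports(calamaris_t)` and `corenet_udp_sendrecv_all_ports(calamaris_t)` grant traffic on every port to a log analyser, while no matching `corenet_*_connect_*` or bind interface is added, so the hunk does not show which peer the domain actually needs; if a single service is involved, the port-specific sendrecv interface is the tighter fit. The swap of `files_read_usr_files` for `files_search_pids` is also unexplained here; if usr files are now granted by a base rule, a one-line comment saying so would help.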
+diff --git a/callweaver.te b/callweaver.te
+index 0e5be4c..b9a407f 100644
+--- a/callweaver.te
++++ b/callweaver.te
+@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
+
+ auth_use_nsswitch(callweaver_t)
+
+-miscfiles_read_localization(callweaver_t)
+diff --git a/canna.if b/canna.if
+index 400db07..f416e22 100644
+--- a/canna.if
++++ b/canna.if
+@@ -43,9 +43,13 @@ interface(`canna_admin',`
+ type canna_var_run_t, canna_initrc_exec_t;
+ ')
+
+- allow $1 canna_t:process { ptrace signal_perms };
++ allow $1 canna_t:process signal_perms;
+ ps_process_pattern($1, canna_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 canna_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 canna_initrc_exec_t system_r;
+diff --git a/canna.te b/canna.te
+index 9fe6162..2245f3b 100644
+--- a/canna.te
++++ b/canna.te
+@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
+ kernel_read_kernel_sysctls(canna_t)
+ kernel_read_system_state(canna_t)
+
+-corenet_all_recvfrom_unlabeled(canna_t)
+ corenet_all_recvfrom_netlabel(canna_t)
+ corenet_tcp_sendrecv_generic_if(canna_t)
+ corenet_tcp_sendrecv_generic_node(canna_t)
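Review bot: Dropping `corenet_all_recvfrom_unlabeled(canna_t)` is only safe if unlabeled packets are now allowed for all domains by a base rule, and nothing in this hunk shows that; the same applies to the `files_read_etc_files`, `files_read_usr_files` and `miscfiles_read_localization` removals in the next canna.te hunk. The same assumption is made in the ccs.te, cdrecord.te, certmaster.te, certmonger.te, certwatch.te, cfengine.te, cgroup.te and callweaver.te hunks of this patch, so it should be confirmed once against the base policy before merging.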
+@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t)
+
+ domain_use_interactive_fds(canna_t)
+
+-files_read_etc_files(canna_t)
+ files_read_etc_runtime_files(canna_t)
+-files_read_usr_files(canna_t)
+ files_search_tmp(canna_t)
+ files_dontaudit_read_root_files(canna_t)
+
+ logging_send_syslog_msg(canna_t)
+
+-miscfiles_read_localization(canna_t)
+-
+ sysnet_read_config(canna_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(canna_t)
+diff --git a/ccs.if b/ccs.if
+index 5ded72d..cb94e5e 100644
+--- a/ccs.if
++++ b/ccs.if
+@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
+ interface(`ccs_admin',`
+ gen_require(`
+ type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
+- type ccs_var_lib_t_t, ccs_var_log_t;
++ type ccs_var_lib_t, ccs_var_log_t;
+ type ccs_var_run_t, ccs_tmp_t;
+ ')
+
+- allow $1 ccs_t:process { ptrace signal_perms };
++ allow $1 ccs_t:process { signal_perms };
+ ps_process_pattern($1, ccs_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ccs_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, ccs_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ccs_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+- admin_pattern($1, ccs_conf_t)
++ admin_pattern($1, cluster_conf_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, ccs_var_lib_t)
+diff --git a/ccs.te b/ccs.te
+index 658134d..58deece 100644
+--- a/ccs.te
++++ b/ccs.te
+@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
+
+ allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+ allow ccs_t self:process { signal setrlimit setsched };
+-dontaudit ccs_t self:process ptrace;
++
+ allow ccs_t self:fifo_file rw_fifo_file_perms;
+ allow ccs_t self:unix_stream_socket { accept connectto listen };
+ allow ccs_t self:tcp_socket { accept listen };
+@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t)
+ corecmd_list_bin(ccs_t)
+ corecmd_exec_bin(ccs_t)
+
+-corenet_all_recvfrom_unlabeled(ccs_t)
+ corenet_all_recvfrom_netlabel(ccs_t)
+ corenet_tcp_sendrecv_generic_if(ccs_t)
+ corenet_udp_sendrecv_generic_if(ccs_t)
+@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t)
+
+ dev_read_urand(ccs_t)
+
+-files_read_etc_files(ccs_t)
+ files_read_etc_runtime_files(ccs_t)
+
+ init_rw_script_tmp_files(ccs_t)
++init_signal(ccs_t)
+
+ logging_send_syslog_msg(ccs_t)
+
+-miscfiles_read_localization(ccs_t)
+-
+ sysnet_dns_name_resolve(ccs_t)
+
+ userdom_manage_unpriv_user_shared_mem(ccs_t)
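Review bot: `init_signal(ccs_t)` lets the cluster configuration daemon send generic signals to init, and the hunk gives no reason for it. If the need is only the child-exit case, the narrower `init_sigchld(ccs_t)` would do; otherwise a comment such as `# ccs signals init on ...` explaining the requirement would help reviewers.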
+@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
+ ')
+
+ optional_policy(`
+- aisexec_stream_connect(ccs_t)
+- corosync_stream_connect(ccs_t)
++ rhcs_stream_connect_cluster(ccs_t)
+ ')
+
+ optional_policy(`
+diff --git a/cdrecord.if b/cdrecord.if
+index fbc20f6..4de4a00 100644
+--- a/cdrecord.if
++++ b/cdrecord.if
+@@ -27,6 +27,9 @@ interface(`cdrecord_role',`
+
+ allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
+
+- allow $2 cdrecord_t:process { ptrace signal_perms };
++ allow $2 cdrecord_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 cdrecord_t:process ptrace;
++ ')
+ ps_process_pattern($2, cdrecord_t)
+ ')
+diff --git a/cdrecord.te b/cdrecord.te
+index 16883c9..0f4ccb0 100644
+--- a/cdrecord.te
++++ b/cdrecord.te
+@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
+ domain_interactive_fd(cdrecord_t)
+ domain_use_interactive_fds(cdrecord_t)
+
+-files_read_etc_files(cdrecord_t)
+-
+ term_use_controlling_term(cdrecord_t)
+ term_list_ptys(cdrecord_t)
+
+@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
+
+ logging_send_syslog_msg(cdrecord_t)
+
+-miscfiles_read_localization(cdrecord_t)
+-
+-userdom_use_user_terminals(cdrecord_t)
+-userdom_read_user_home_content_files(cdrecord_t)
++userdom_use_inherited_user_terminals(cdrecord_t)
+
+ tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',`
+ userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- files_search_mnt(cdrecord_t)
+- fs_read_nfs_files(cdrecord_t)
+- fs_read_nfs_symlinks(cdrecord_t)
+-')
++userdom_home_manager(cdrecord_t)
+
+ optional_policy(`
+ resmgr_stream_connect(cdrecord_t)
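Review bot: Replacing the `use_nfs_home_dirs` block, which granted only `fs_read_nfs_files`/`fs_read_nfs_symlinks`, with `userdom_home_manager(cdrecord_t)` changes the scope of access rather than just the spelling. If `userdom_home_manager` grants manage rights over nfs/cifs/fusefs home content under the `use_*_home_dirs` tunables, as the name suggests, cdrecord moves from read-only to full write on users' remote home directories, which is wider than the surrounding `cdrecord_read_content` tunable implies; confirm what that interface grants before accepting it here.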
+diff --git a/certmaster.if b/certmaster.if
+index 0c53b18..ef29f6e 100644
+--- a/certmaster.if
++++ b/certmaster.if
+@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',`
+ interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+- type certmaster_etc_rw_t, certmaster_var_log_t;
+- type certmaster_initrc_exec_t;
++ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
+ ')
+
+- allow $1 certmaster_t:process { ptrace signal_perms };
++ allow $1 certmaster_t:process signal_perms;
+ ps_process_pattern($1, certmaster_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 certmaster_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+diff --git a/certmaster.te b/certmaster.te
+index 4a87873..113f3b3 100644
+--- a/certmaster.te
++++ b/certmaster.te
+@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
+ dev_read_urand(certmaster_t)
+
+ files_list_var(certmaster_t)
+-files_search_etc(certmaster_t)
+-files_read_usr_files(certmaster_t)
+
+ auth_use_nsswitch(certmaster_t)
+
+-miscfiles_read_localization(certmaster_t)
+ miscfiles_manage_generic_cert_dirs(certmaster_t)
+ miscfiles_manage_generic_cert_files(certmaster_t)
++
++mta_send_mail(certmaster_t)
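Review bot: `mta_send_mail(certmaster_t)` is added unconditionally, while the certwatch.te hunk in this same patch wraps the identical call in `optional_policy(`...')`. Unless the mta module is guaranteed present, this should be wrapped the same way for consistency and to keep the build working without it.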
+diff --git a/certmonger.fc b/certmonger.fc
+index ed298d8..cd8eb4d 100644
+--- a/certmonger.fc
++++ b/certmonger.fc
+@@ -2,6 +2,8 @@
+
+ /usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+
++/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
++
+ /var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
+
+ /var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0)
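Review bot: `/usr/lib/ipa/certmonger(/.*)?` labels the directory and everything under it as `certmonger_unconfined_exec_t`, which the certmonger.te hunk turns into an entry point for a domain that becomes `unconfined_domain`. The entry-point label should be limited to the actual helper executables with a `--` file-type spec per helper path, so that data files or subdirectories placed there are never entry points and only what is genuinely executed runs unconfined. Labelling the directory itself as an `_exec_t` type is also what forces the extra `:dir` allow rules in the .te hunk.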
+diff --git a/certmonger.if b/certmonger.if
+index 008f8ef..144c074 100644
+--- a/certmonger.if
++++ b/certmonger.if
+@@ -160,16 +160,20 @@ interface(`certmonger_admin',`
+ ')
+
+ ps_process_pattern($1, certmonger_t)
+- allow $1 certmonger_t:process { ptrace signal_perms };
++ allow $1 certmonger_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 certmonger_t:process ptrace;
++ ')
+
+ certmonger_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 certmonger_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, certmonger_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, certmonger_var_run_t)
+ ')
+diff --git a/certmonger.te b/certmonger.te
+index 550b287..7f683e5 100644
+--- a/certmonger.te
++++ b/certmonger.te
+@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
+ type certmonger_var_run_t;
+ files_pid_file(certmonger_var_run_t)
+
++type certmonger_unconfined_exec_t;
++application_executable_file(certmonger_unconfined_exec_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t)
+ allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+ dontaudit certmonger_t self:capability sys_tty_config;
+ allow certmonger_t self:capability2 block_suspend;
++
+ allow certmonger_t self:process { getsched setsched sigkill signal };
+-allow certmonger_t self:fifo_file rw_fifo_file_perms;
+-allow certmonger_t self:unix_stream_socket { accept listen };
+-allow certmonger_t self:tcp_socket { accept listen };
++allow certmonger_t self:fifo_file rw_file_perms;
++allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
++allow certmonger_t self:tcp_socket create_stream_socket_perms;
++allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+
+ manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+ manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
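Review bot: `allow certmonger_t self:fifo_file rw_file_perms;` applies the regular-file permission set to `fifo_file`; the line it replaces used the conventional `rw_fifo_file_perms`, and the rest of the patch keeps that convention (for example the bumblebee rules), so this looks like an accidental regression rather than an intended widening.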
+@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
+
+ kernel_read_kernel_sysctls(certmonger_t)
+ kernel_read_system_state(certmonger_t)
++kernel_read_network_state(certmonger_t)
+
+ corenet_all_recvfrom_unlabeled(certmonger_t)
+ corenet_all_recvfrom_netlabel(certmonger_t)
+@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+
+ corenet_sendrecv_certmaster_client_packets(certmonger_t)
+ corenet_tcp_connect_certmaster_port(certmonger_t)
++
++corenet_tcp_connect_http_port(certmonger_t)
++corenet_tcp_connect_http_cache_port(certmonger_t)
++
++corenet_tcp_connect_ldap_port(certmonger_t)
++
++corenet_tcp_connect_pki_ca_port(certmonger_t)
+ corenet_tcp_sendrecv_certmaster_port(certmonger_t)
+
+ corecmd_exec_bin(certmonger_t)
+ corecmd_exec_shell(certmonger_t)
+
++dev_read_rand(certmonger_t)
+ dev_read_urand(certmonger_t)
+
+ domain_use_interactive_fds(certmonger_t)
+
+-files_read_usr_files(certmonger_t)
+ files_list_tmp(certmonger_t)
++files_list_home(certmonger_t)
+
+ fs_search_cgroup_dirs(certmonger_t)
+
+@@ -68,18 +82,21 @@ auth_rw_cache(certmonger_t)
+
+ init_getattr_all_script_files(certmonger_t)
+
++libs_exec_ldconfig(certmonger_t)
++
+ logging_send_syslog_msg(certmonger_t)
+
+-miscfiles_read_localization(certmonger_t)
+-miscfiles_manage_generic_cert_files(certmonger_t)
++miscfiles_manage_all_certs(certmonger_t)
++
++systemd_exec_systemctl(certmonger_t)
+
+ userdom_search_user_home_content(certmonger_t)
+
+ optional_policy(`
+- apache_initrc_domtrans(certmonger_t)
+ apache_search_config(certmonger_t)
+ apache_signal(certmonger_t)
+ apache_signull(certmonger_t)
++ apache_systemctl(certmonger_t)
+ ')
+
+ optional_policy(`
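Review bot: `miscfiles_manage_all_certs(certmonger_t)` replaces `miscfiles_manage_generic_cert_files`, which presumably extends certmonger's write access from the generic certificate files to every certificate type, and `systemd_exec_systemctl`/`apache_systemctl` let it drive service control; none of this is explained in the hunk. A short comment naming the use case (for example the IPA integration the new `ipa_manage_lib` and `pki_*` calls point at) would let a later reviewer judge whether the broader grant is still required.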
+@@ -92,11 +109,56 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- kerberos_read_keytab(certmonger_t)
++ dirsrv_manage_config(certmonger_t)
++ dirsrv_signal(certmonger_t)
++ dirsrv_signull(certmonger_t)
++ dirsrv_stream_connect(certmonger_t)
++')
++
++optional_policy(`
++ ipa_manage_lib(certmonger_t)
++')
++
++optional_policy(`
+ kerberos_use(certmonger_t)
++ kerberos_read_keytab(certmonger_t)
+ ')
+
+ optional_policy(`
+ pcscd_read_pid_files(certmonger_t)
+ pcscd_stream_connect(certmonger_t)
+ ')
++
++optional_policy(`
++ pki_rw_tomcat_cert(certmonger_t)
++ pki_read_tomcat_lib_files(certmonger_t)
++')
++
++optional_policy(`
++ sssd_delete_public_files(certmonger_t)
++')
++
++########################################
++#
++# certmonger_unconfined_script_t local policy
++#
++
++optional_policy(`
++ type certmonger_unconfined_t;
++ domain_type(certmonger_unconfined_t)
++
++ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
++ role system_r types certmonger_unconfined_t;
++
++ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
++
++ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
++ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
++ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
++
++ init_domtrans_script(certmonger_unconfined_t)
++
++ optional_policy(`
++ unconfined_domain(certmonger_unconfined_t)
++ ')
++')
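Review bot: `allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;` applies the file permission set to the `dir` class; the conventional set is `list_dir_perms`, and since `search_dir_perms` is granted on the line above, both lines collapse to `allow certmonger_t certmonger_unconfined_exec_t:dir list_dir_perms;`. The section comment names `certmonger_unconfined_script_t` while the type declared is `certmonger_unconfined_t`. The outer `optional_policy` appears to wrap only type declarations and calls into base modules, so it is not conditional on anything; the `type`, `domain_type` and `domain_entry_file` lines belong in the Declarations section with only the nested `unconfined_domain` call kept optional. Because `domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)` gives the confined daemon a transition into a fully unconfined domain, a comment stating that certmonger's confinement now rests on the integrity of everything labelled `certmonger_unconfined_exec_t` would help future reviewers.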
+diff --git a/certwatch.te b/certwatch.te
+index 171fafb..e88a026 100644
+--- a/certwatch.te
++++ b/certwatch.te
+@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
+
+ allow certwatch_t self:capability sys_nice;
+ allow certwatch_t self:process { setsched getsched };
++allow certwatch_t self:tcp_socket create_stream_socket_perms;
+
++kernel_read_system_state(certwatch_t)
++
++corecmd_exec_bin(certwatch_t)
++
++dev_read_rand(certwatch_t)
+ dev_read_urand(certwatch_t)
+
+-files_read_etc_files(certwatch_t)
+-files_read_usr_files(certwatch_t)
+ files_read_usr_symlinks(certwatch_t)
+ files_list_tmp(certwatch_t)
+
+ fs_list_inotifyfs(certwatch_t)
+
+ auth_manage_cache(certwatch_t)
++auth_read_passwd(certwatch_t)
+ auth_var_filetrans_cache(certwatch_t)
+
+ logging_send_syslog_msg(certwatch_t)
+
+ miscfiles_read_all_certs(certwatch_t)
+-miscfiles_read_localization(certwatch_t)
++miscfiles_manage_generic_cert_dirs(certwatch_t)
++
++sysnet_read_config(certwatch_t)
+
+-userdom_use_user_terminals(certwatch_t)
+-userdom_dontaudit_list_user_home_dirs(certwatch_t)
++userdom_use_inherited_user_terminals(certwatch_t)
++userdom_dontaudit_list_admin_dir(certwatch_t)
+
+ optional_policy(`
++ apache_domtrans(certwatch_t)
+ apache_exec_modules(certwatch_t)
+ apache_read_config(certwatch_t)
+ ')
+
+ optional_policy(`
++ mta_send_mail(certwatch_t)
++')
++
++optional_policy(`
+ cron_system_entry(certwatch_t, certwatch_exec_t)
+ ')
+
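Review bot: `apache_domtrans(certwatch_t)` lets a cron-run certificate watcher start httpd in its own domain, and `miscfiles_manage_generic_cert_dirs(certwatch_t)` gives it write access to certificate directories, while the pre-existing `miscfiles_read_all_certs` and `apache_read_config`/`apache_exec_modules` suggest a read-only role; the hunk does not say why either is needed. If the intent is only to inspect apache's certificate configuration, the existing read interfaces already cover that, so a comment justifying the transition and the manage grant should accompany them.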
+diff --git a/cfengine.if b/cfengine.if
+index a731122..5279d4e 100644
+--- a/cfengine.if
++++ b/cfengine.if
+@@ -13,7 +13,6 @@
+ template(`cfengine_domain_template',`
+ gen_require(`
+ attribute cfengine_domain;
+- type cfengine_log_t, cfengine_var_lib_t;
+ ')
+
+ ########################################
+@@ -30,7 +29,29 @@ template(`cfengine_domain_template',`
+ # Policy
+ #
+
++ kernel_read_system_state(cfengine_$1_t)
++
+ auth_use_nsswitch(cfengine_$1_t)
++
++ logging_send_syslog_msg(cfengine_$1_t)
++')
++
++######################################
++##
++## Search cfengine lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cfengine_search_lib_files',`
++ gen_require(`
++ type cfengine_var_lib_t;
++ ')
++
++ allow $1 cfengine_var_lib_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',`
+ dontaudit $1 cfengine_var_log_t:file write_file_perms;
+ ')
+
++#####################################
++##
++## Allow the specified domain to append cfengine's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cfengine_append_inherited_log',`
++ gen_require(`
++ type cfengine_var_log_t;
++ ')
++
++ cfengine_search_lib_files($1)
++ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
++')
++
++####################################
++##
++## Dontaudit the specified domain to write cfengine's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cfengine_dontaudit_write_log',`
++ gen_require(`
++ type cfengine_var_log_t;
++ ')
++
++ dontaudit $1 cfengine_var_log_t:file write;
++')
++
+ ########################################
+ ##
+ ## All of the rules required to
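Review bot: The new `cfengine_dontaudit_write_log` duplicates the existing `cfengine_dontaudit_write_log_files` visible at the top of this hunk, differing only in `write` versus `write_file_perms`; keeping both invites callers to pick at random, so one should be removed or made to call the other. In `cfengine_append_inherited_log`, the call to `cfengine_search_lib_files($1)` before appending a `cfengine_var_log_t` file is plausible if the logs live under the lib directory, but a comment such as `# logs are kept under the var_lib tree` would make the pairing clear.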
+@@ -94,7 +152,7 @@ interface(`cfengine_admin',`
+ type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
+ ')
+
+- allow $1 cfengine_domain:process { ptrace signal_perms };
++ allow $1 cfengine_domain:process { signal_perms };
+ ps_process_pattern($1, cfengine_domain)
+
+ init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
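Review bot: `cfengine_admin` drops `ptrace` unconditionally, whereas canna_admin, ccs_admin, certmaster_admin, certmonger_admin, cgroup_admin and cdrecord_role in this same patch re-grant it under the `deny_ptrace` tunable, so cfengine administrators lose ptrace even when the tunable is off. For consistency add the same block after `ps_process_pattern`: `tunable_policy(`deny_ptrace',`',`` / ` allow $1 cfengine_domain:process ptrace;` / `')`. The surrounding `{ signal_perms }` braces around a single macro are also unnecessary and differ from the bare `signal_perms` used in the other admin interfaces.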
+@@ -105,3 +163,4 @@ interface(`cfengine_admin',`
+ files_search_var_lib($1)
+ admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
+ ')
++
+diff --git a/cfengine.te b/cfengine.te
+index fbe3ad9..21ab8e1 100644
+--- a/cfengine.te
++++ b/cfengine.te
+@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
+ setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
+ logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
+
+-kernel_read_system_state(cfengine_domain)
+-
+ corecmd_exec_bin(cfengine_domain)
+ corecmd_exec_shell(cfengine_domain)
+
+ dev_read_urand(cfengine_domain)
+ dev_read_sysfs(cfengine_domain)
+
+-logging_send_syslog_msg(cfengine_domain)
+-
+-miscfiles_read_localization(cfengine_domain)
+-
++sysnet_dns_name_resolve(cfengine_domain)
+ sysnet_domtrans_ifconfig(cfengine_domain)
+
+ ########################################
+@@ -69,7 +64,7 @@ domain_read_all_domains_state(cfengine_execd_t)
+ # Monitord local policy
+ #
+
+-kernel_read_hotplug_sysctls(cfengine_monitord_t)
++kernel_read_usermodehelper_state(cfengine_monitord_t)
+ kernel_read_network_state(cfengine_monitord_t)
+
+ domain_read_all_domains_state(cfengine_monitord_t)
+diff --git a/cgroup.if b/cgroup.if
+index 85ca63f..1d1c99c 100644
+--- a/cgroup.if
++++ b/cgroup.if
+@@ -171,8 +171,26 @@ interface(`cgroup_admin',`
+ type cgrules_etc_t, cgclear_t;
+ ')
+
+- allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
++ allow $1 cgclear_t:process signal_perms;
++ ps_process_pattern($1, cgclear_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cgclear_t:process ptrace;
++ ')
++
++ allow $1 cgconfig_t:process signal_perms;
++ ps_process_pattern($1, cgconfig_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cgconfig_t:process ptrace;
++ ')
++
++ allow $1 cgred_t:process signal_perms;
++ ps_process_pattern($1, cgred_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cgred_t:process ptrace;
++ ')
+
+ admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
+ files_list_etc($1)
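Review bot: The three copies of the `deny_ptrace` block are needlessly verbose: the removed lines already used the type-set notation, and the same works for the new rules, so `allow $1 { cgclear_t cgconfig_t cgred_t }:process signal_perms;`, `ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })` and one `tunable_policy(`deny_ptrace',`',`` block granting ptrace on the same set express this in a third of the lines with no change in meaning.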
+diff --git a/cgroup.te b/cgroup.te
+index 80a88a2..ec869f5 100644
+--- a/cgroup.te
++++ b/cgroup.te
+@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
+ type cgrules_etc_t;
+ files_config_file(cgrules_etc_t)
+
+-type cgconfig_t;
+-type cgconfig_exec_t;
++type cgconfig_t alias cgconfigparser_t;
++type cgconfig_exec_t alias cgconfigparser_exec_t;
+ init_daemon_domain(cgconfig_t, cgconfig_exec_t)
+
+ type cgconfig_initrc_exec_t;
+@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t)
+
+ allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+
+-allow cgclear_t cgconfig_etc_t:file read_file_perms;
++read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
+
+ kernel_read_system_state(cgclear_t)
+
++auth_use_nsswitch(cgclear_t)
++
+ domain_setpriority_all_domains(cgclear_t)
+
+ fs_manage_cgroup_dirs(cgclear_t)
+@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+ kernel_list_unlabeled(cgconfig_t)
+ kernel_read_system_state(cgconfig_t)
+
+-files_read_etc_files(cgconfig_t)
+-
+ fs_manage_cgroup_dirs(cgconfig_t)
+ fs_manage_cgroup_files(cgconfig_t)
+ fs_mount_cgroup(cgconfig_t)
+ fs_mounton_cgroup(cgconfig_t)
+ fs_unmount_cgroup(cgconfig_t)
+
++auth_use_nsswitch(cgconfig_t)
++
+ ########################################
+ #
+ # cgred local policy
+ #
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
++allow cgred_t self:process signal_perms;
+
+-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
+ allow cgred_t self:netlink_socket { write bind create read };
+ allow cgred_t self:unix_dgram_socket { write create connect };
+
++allow cgred_t cgconfig_etc_t:file read_file_perms;
+ allow cgred_t cgrules_etc_t:file read_file_perms;
+
+ allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t)
+ files_getattr_all_files(cgred_t)
+ files_getattr_all_sockets(cgred_t)
+ files_read_all_symlinks(cgred_t)
+-files_read_etc_files(cgred_t)
+
+-fs_write_cgroup_files(cgred_t)
++fs_manage_cgroup_dirs(cgred_t)
++fs_manage_cgroup_files(cgred_t)
++fs_list_inotifyfs(cgred_t)
+
+-logging_send_syslog_msg(cgred_t)
++auth_use_nsswitch(cgred_t)
+
+-miscfiles_read_localization(cgred_t)
++logging_send_syslog_msg(cgred_t)
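Review bot: `fs_manage_cgroup_dirs(cgred_t)` and `fs_manage_cgroup_files(cgred_t)` replace `fs_write_cgroup_files`, which moves cgred from writing existing cgroup files to creating and removing cgroup hierarchies. If the rules daemon only relocates tasks between existing groups, the original write grant was sufficient; if it now creates groups, a one-line comment saying so would justify the wider access.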
+diff --git a/chrome.fc b/chrome.fc
+new file mode 100644
+index 0000000..5c6bdb6
+--- /dev/null
++++ b/chrome.fc
+@@ -0,0 +1,11 @@
++/opt/google/chrome[^/]*/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
++
++/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
++
++/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
++/opt/google/chrome[^/]*/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
++/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
++
++HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
++HOME_DIR/\.cache/google-chrome-unstable(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
++HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
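Review bot: The entry `/opt/google/chrome/nacl_helper_bootstrap` is subsumed by the following `/opt/google/chrome[^/]*/nacl_helper_bootstrap`, since `[^/]*` also matches the empty string; the `chrome-sandbox` entry at the top of the file already relies on that, so the extra line can be dropped.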
+diff --git a/chrome.if b/chrome.if
+new file mode 100644
+index 0000000..aa308eb
+--- /dev/null
++++ b/chrome.if
+@@ -0,0 +1,137 @@
++
++## policy for chrome
++
++########################################
++##
++## Execute a domain transition to run chrome_sandbox.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`chrome_domtrans_sandbox',`
++ gen_require(`
++ type chrome_sandbox_t, chrome_sandbox_exec_t;
++ ')
++
++ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
++ ps_process_pattern(chrome_sandbox_t, $1)
++
++ allow $1 chrome_sandbox_t:fd use;
++
++ dontaudit chrome_sandbox_t $1:socket_class_set getattr;
++ allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
++
++ ifdef(`hide_broken_symptoms',`
++ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
++ ')
++')
++
++
++########################################
++##
++## Execute chrome_sandbox in the chrome_sandbox domain, and
++## allow the specified role the chrome_sandbox domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the chrome_sandbox domain.
++##
++##
++#
++interface(`chrome_run_sandbox',`
++ gen_require(`
++ type chrome_sandbox_t;
++ type chrome_sandbox_nacl_t;
++ ')
++
++ chrome_domtrans_sandbox($1)
++ role $2 types chrome_sandbox_t;
++ role $2 types chrome_sandbox_nacl_t;
++')
++
++########################################
++##
++## Role access for chrome sandbox
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`chrome_role_notrans',`
++ gen_require(`
++ type chrome_sandbox_t;
++ type chrome_sandbox_tmpfs_t;
++ type chrome_sandbox_nacl_t;
++ ')
++
++ role $1 types chrome_sandbox_t;
++ role $1 types chrome_sandbox_nacl_t;
++
++ ps_process_pattern($2, chrome_sandbox_t)
++ allow $2 chrome_sandbox_t:process signal_perms;
++
++ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
++ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
++ allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;
++ allow chrome_sandbox_t $2:udp_socket rw_socket_perms;;
++ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
++ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
++ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
++
++ allow $2 chrome_sandbox_t:shm rw_shm_perms;
++
++ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
++')
++
++########################################
++##
++## Role access for chrome sandbox
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`chrome_role',`
++ chrome_role_notrans($1, $2)
++ chrome_domtrans_sandbox($2)
++')
++
++########################################
++##
++## Dontaudit read/write to a chrome_sandbox leaks
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`chrome_dontaudit_sandbox_leaks',`
++ gen_require(`
++ type chrome_sandbox_t;
++ ')
++
++ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
++')
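Review bot: The udp_socket rule in chrome_role_notrans ends in a doubled terminator, `allow chrome_sandbox_t $2:udp_socket rw_socket_perms;;`; it should end in a single `;` — whether or not checkpolicy tolerates the empty statement, it reads as a typo. Beyond that, the unix_dgram, unix_stream and udp_socket rules in this interface let the sandbox read and write any socket the user domain passes it, which is broader than the browser-to-renderer pipes this presumably serves; a one-line comment above the udp_socket rule stating why inherited UDP sockets are needed would justify keeping it.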
+diff --git a/chrome.te b/chrome.te
+new file mode 100644
+index 0000000..f50b201
+--- /dev/null
++++ b/chrome.te
+@@ -0,0 +1,249 @@
++policy_module(chrome,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type chrome_sandbox_t;
++type chrome_sandbox_exec_t;
++application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
++role system_r types chrome_sandbox_t;
++ubac_constrained(chrome_sandbox_t)
++
++type chrome_sandbox_tmp_t;
++files_tmp_file(chrome_sandbox_tmp_t)
++
++type chrome_sandbox_tmpfs_t;
++files_tmpfs_file(chrome_sandbox_tmpfs_t)
++ubac_constrained(chrome_sandbox_tmpfs_t)
++
++type chrome_sandbox_nacl_t;
++type chrome_sandbox_nacl_exec_t;
++application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
++role system_r types chrome_sandbox_nacl_t;
++ubac_constrained(chrome_sandbox_nacl_t)
++
++type chrome_sandbox_home_t;
++userdom_user_home_content(chrome_sandbox_home_t)
++
++########################################
++#
++# chrome_sandbox local policy
++#
++allow chrome_sandbox_t self:capability2 block_suspend;
++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
++dontaudit chrome_sandbox_t self:capability sys_nice;
++allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
++allow chrome_sandbox_t self:process setsched;
++allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
++allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
++allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_t self:shm create_shm_perms;
++allow chrome_sandbox_t self:sem create_sem_perms;
++allow chrome_sandbox_t self:msgq create_msgq_perms;
++allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
++dontaudit chrome_sandbox_t self:memprotect mmap_zero;
++
++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++
++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
++files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
++userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
++
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
++fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
++
++kernel_read_system_state(chrome_sandbox_t)
++kernel_read_kernel_sysctls(chrome_sandbox_t)
++
++fs_manage_cgroup_dirs(chrome_sandbox_t)
++fs_manage_cgroup_files(chrome_sandbox_t)
++fs_read_dos_files(chrome_sandbox_t)
++fs_read_hugetlbfs_files(chrome_sandbox_t)
++
++corecmd_exec_bin(chrome_sandbox_t)
++
++corenet_all_recvfrom_netlabel(chrome_sandbox_t)
++corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
++corenet_tcp_connect_aol_port(chrome_sandbox_t)
++corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
++corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
++corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
++corenet_tcp_connect_flash_port(chrome_sandbox_t)
++corenet_tcp_connect_ftp_port(chrome_sandbox_t)
++corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
++corenet_tcp_connect_generic_port(chrome_sandbox_t)
++corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
++corenet_tcp_connect_http_port(chrome_sandbox_t)
++corenet_tcp_connect_ipp_port(chrome_sandbox_t)
++corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
++corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
++corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
++corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
++corenet_tcp_connect_monopd_port(chrome_sandbox_t)
++corenet_tcp_connect_msnp_port(chrome_sandbox_t)
++corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
++corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
++corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
++corenet_tcp_connect_soundd_port(chrome_sandbox_t)
++corenet_tcp_connect_speech_port(chrome_sandbox_t)
++corenet_tcp_connect_squid_port(chrome_sandbox_t)
++corenet_tcp_connect_tor_port(chrome_sandbox_t)
++corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
++corenet_tcp_connect_vnc_port(chrome_sandbox_t)
++corenet_tcp_connect_whois_port(chrome_sandbox_t)
++corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
++corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
++
++domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
++
++dev_read_urand(chrome_sandbox_t)
++dev_read_sysfs(chrome_sandbox_t)
++dev_rwx_zero(chrome_sandbox_t)
++dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
++
++fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
++
++libs_legacy_use_shared_libs(chrome_sandbox_t)
++
++miscfiles_read_fonts(chrome_sandbox_t)
++
++sysnet_dns_name_resolve(chrome_sandbox_t)
++
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_t)
++userdom_execute_user_tmp_files(chrome_sandbox_t)
++
++userdom_use_user_ptys(chrome_sandbox_t)
++userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
++userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
++userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
++userdom_search_user_home_content(chrome_sandbox_t)
++# This one we should figure a way to make it more secure
++userdom_manage_home_certs(chrome_sandbox_t)
++
++optional_policy(`
++ gnome_exec_config_home_files(chrome_sandbox_t)
++ gnome_read_generic_cache_files(chrome_sandbox_t)
++ gnome_rw_inherited_config(chrome_sandbox_t)
++ gnome_read_home_config(chrome_sandbox_t)
++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome")
++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable")
++')
++
++optional_policy(`
++ mozilla_write_user_home_files(chrome_sandbox_t)
++')
++
++optional_policy(`
++ xserver_use_user_fonts(chrome_sandbox_t)
++ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_search_nfs(chrome_sandbox_t)
++ fs_exec_nfs_files(chrome_sandbox_t)
++ fs_read_nfs_files(chrome_sandbox_t)
++ fs_rw_inherited_nfs_files(chrome_sandbox_t)
++ fs_read_nfs_symlinks(chrome_sandbox_t)
++ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(chrome_sandbox_t)
++ fs_exec_cifs_files(chrome_sandbox_t)
++ fs_rw_inherited_cifs_files(chrome_sandbox_t)
++ fs_read_cifs_files(chrome_sandbox_t)
++ fs_read_cifs_symlinks(chrome_sandbox_t)
++ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_search_fusefs(chrome_sandbox_t)
++ fs_read_fusefs_files(chrome_sandbox_t)
++ fs_exec_fusefs_files(chrome_sandbox_t)
++ fs_read_fusefs_symlinks(chrome_sandbox_t)
++')
++
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(chrome_sandbox_t)
++ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
++ fs_read_ecryptfs_symlinks(chrome_sandbox_t)
++')
++
++optional_policy(`
++ bumblebee_stream_connect(chrome_sandbox_t)
++')
++
++optional_policy(`
++ cups_stream_connect(chrome_sandbox_t)
++')
++
++optional_policy(`
++ sandbox_use_ptys(chrome_sandbox_t)
++')
++
++
++########################################
++#
++# chrome_sandbox_nacl local policy
++#
++
++allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
++
++allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
++allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
++allow chrome_sandbox_nacl_t self:shm create_shm_perms;
++allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
++
++allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
++allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal sigchld share };
++
++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
++fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
++
++domain_use_interactive_fds(chrome_sandbox_nacl_t)
++
++dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
++
++domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
++
++manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++
++kernel_read_state(chrome_sandbox_nacl_t)
++kernel_read_system_state(chrome_sandbox_nacl_t)
++
++corecmd_bin_entry_type(chrome_sandbox_nacl_t)
++
++dev_read_urand(chrome_sandbox_nacl_t)
++dev_read_sysfs(chrome_sandbox_nacl_t)
++dev_rwx_zero(chrome_sandbox_nacl_t)
++
++init_read_state(chrome_sandbox_nacl_t)
++
++libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
++
++userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_execute_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
++userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
++
++optional_policy(`
++ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
++ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
++')
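Review bot: The `allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };` line grants these to the whole sandbox domain for its lifetime, and sys_ptrace is granted unconditionally even though this same patch wraps ptrace for chronyd_admin in the `deny_ptrace` tunable_policy; the sandbox rule should get the same gate, and a comment should name which capabilities the chrome-sandbox helper actually needs (namespace and chroot setup, presumably — confirm) so the rest can be pruned. Together with `execmem execstack` and `userdom_execute_user_tmp_files(chrome_sandbox_t)` the domain can execute whatever it writes into the user's tmp, so that line deserves either a tunable or a written justification. The `userdom_manage_home_certs(chrome_sandbox_t)` line carries a "should figure a way to make it more secure" comment with no tracking reference; give it one. In the nacl section `userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)` is listed twice.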
+diff --git a/chronyd.fc b/chronyd.fc
+index 4e4143e..d5e0260 100644
+--- a/chronyd.fc
++++ b/chronyd.fc
+@@ -1,7 +1,9 @@
+-/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
++/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+
+ /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
++
+ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+ /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+diff --git a/chronyd.if b/chronyd.if
+index 32e8265..74fd151 100644
+--- a/chronyd.if
++++ b/chronyd.if
+@@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',`
+
+ ########################################
+ ##
+-## Connect to chronyd using a unix
+-## domain stream socket.
++## Read chronyd keys files.
+ ##
+ ##
+ ##
+@@ -109,19 +108,17 @@ interface(`chronyd_rw_shm',`
+ ##
+ ##
+ #
+-interface(`chronyd_stream_connect',`
++interface(`chronyd_read_keys',`
+ gen_require(`
+- type chronyd_t, chronyd_var_run_t;
++ type chronyd_keys_t;
+ ')
+
+- files_search_pids($1)
+- stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
++ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+ ')
+
+ ########################################
+ ##
+-## Send to chronyd using a unix domain
+-## datagram socket.
++## Append chronyd keys files.
+ ##
+ ##
+ ##
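Review bot: `chronyd_read_keys` grants read on chronyd_keys_t but does not give the caller search on /etc, whereas the `chronyd_read_key_files` it replaces (removed in a later hunk) called `files_search_etc($1)`; a domain that lacks etc_t search elsewhere is now denied before it reaches /etc/chrony.keys, so add `files_search_etc($1)` above the read_files_pattern line. The rename also drops the old interface name without a compatibility wrapper, so any out-of-tree policy calling chronyd_read_key_files stops building; if that matters, keep a one-line interface named chronyd_read_key_files that calls chronyd_read_keys($1).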
+@@ -129,18 +126,62 @@ interface(`chronyd_stream_connect',`
+ ##
+ ##
+ #
+-interface(`chronyd_dgram_send',`
++interface(`chronyd_append_keys',`
++ gen_require(`
++ type chronyd_keys_t;
++ ')
++
++ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++')
++
++########################################
++##
++## Execute chronyd server in the chronyd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`chronyd_systemctl',`
++ gen_require(`
++ type chronyd_t;
++ type chronyd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 chronyd_unit_file_t:file read_file_perms;
++ allow $1 chronyd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, chronyd_t)
++')
++
++#######################################
++##
++## Connect to chronyd using a unix
++## domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_stream_connect',`
+ gen_require(`
+ type chronyd_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+- dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
++ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ ')
+
+ ########################################
+ ##
+-## Read chronyd key files.
++## Send to chronyd using a unix domain
++## datagram socket.
+ ##
+ ##
+ ##
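Review bot: The summary on `chronyd_systemctl` says `## Execute chronyd server in the chronyd domain.`, but the interface gives $1 systemctl execution, init_reload_services, read on the unit file and manage_service_perms on the chronyd service — nothing transitions into chronyd_t; it should read `## Allow the specified domain to start, stop and reload the chronyd service via systemctl.` and the parameter text `Domain allowed to transition.` should be `Domain allowed access.`. The new `chronyd_append_keys` has the same gap as chronyd_read_keys: no `files_search_etc($1)`, so a caller without its own etc_t search never reaches the key file.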
+@@ -148,13 +189,13 @@ interface(`chronyd_dgram_send',`
+ ##
+ ##
+ #
+-interface(`chronyd_read_key_files',`
++interface(`chronyd_dgram_send',`
+ gen_require(`
+- type chronyd_keys_t;
++ type chronyd_t, chronyd_var_run_t;
+ ')
+
+- files_search_etc($1)
+- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++ files_search_pids($1)
++ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ ')
+
+ ####################################
+@@ -176,28 +217,38 @@ interface(`chronyd_read_key_files',`
+ #
+ interface(`chronyd_admin',`
+ gen_require(`
+- type chronyd_t, chronyd_var_log_t;
+- type chronyd_var_run_t, chronyd_var_lib_t;
+- type chronyd_initrc_exec_t, chronyd_keys_t;
++ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
++ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
++ type chronyd_keys_t, chronyd_unit_file_t;
+ ')
+
+- allow $1 chronyd_t:process { ptrace signal_perms };
++ allow $1 chronyd_t:process signal_perms;
+ ps_process_pattern($1, chronyd_t)
+
+- chronyd_initrc_domtrans($1)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 chronyd_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 chronyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, chronyd_keys_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, chronyd_var_run_t)
++
++ admin_pattern($1, chronyd_tmpfs_t)
++
++ admin_pattern($1, chronyd_unit_file_t)
++ chronyd_systemctl($1)
++ allow $1 chronyd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/chronyd.te b/chronyd.te
+index e5b621c..e8b9178 100644
+--- a/chronyd.te
++++ b/chronyd.te
+@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
+ type chronyd_tmpfs_t;
+ files_tmpfs_file(chronyd_tmpfs_t)
+
++type chronyd_unit_file_t;
++systemd_unit_file(chronyd_unit_file_t)
++
+ type chronyd_var_lib_t;
+ files_type(chronyd_var_lib_t)
+
+@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
+ # Local policy
+ #
+
+-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+-allow chronyd_t self:process { getcap setcap setrlimit signal };
++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time };
++allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
+ allow chronyd_t self:shm create_shm_perms;
++allow chronyd_t self:udp_socket create_socket_perms;
++allow chronyd_t self:unix_dgram_socket create_socket_perms;
+ allow chronyd_t self:fifo_file rw_fifo_file_perms;
+
++allow chronyd_t chronyd_keys_t:file append_file_perms;
++allow chronyd_t chronyd_keys_t:file setattr_file_perms;
+ allow chronyd_t chronyd_keys_t:file read_file_perms;
+
+ manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
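Review bot: The new `allow chronyd_t chronyd_keys_t:file append_file_perms;` and `setattr_file_perms` lines let the daemon modify and re-attribute its own authentication key file, which was previously read-only to it; together with the added `fsetid` capability a compromised chronyd can append keys it controls to /etc/chrony.keys. If this exists only so chronyd can write a generated command key (presumably the generatecommandkey directive — confirm), a comment saying so above the append rule, or a tunable around it, keeps it from reading as a blanket grant. The added `sys_nice` capability and `setsched` process permission look intentional but are likewise undocumented.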
+@@ -76,18 +83,30 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+ corenet_udp_bind_chronyd_port(chronyd_t)
+ corenet_udp_sendrecv_chronyd_port(chronyd_t)
+
++domain_dontaudit_getsession_all_domains(chronyd_t)
++
++dev_read_rand(chronyd_t)
++dev_read_urand(chronyd_t)
++dev_read_sysfs(chronyd_t)
++
+ dev_rw_realtime_clock(chronyd_t)
+
+ auth_use_nsswitch(chronyd_t)
+
+ logging_send_syslog_msg(chronyd_t)
+
+-miscfiles_read_localization(chronyd_t)
++mta_send_mail(chronyd_t)
+
+ optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+ ')
+
+ optional_policy(`
+- mta_send_mail(chronyd_t)
++ timemaster_stream_connect(chronyd_t)
++ timemaster_read_pid_files(chronyd_t)
++ timemaster_rw_shm(chronyd_t)
++')
++
++optional_policy(`
++ ptp4l_rw_shm(chronyd_t)
+ ')
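Review bot: `mta_send_mail(chronyd_t)` has been moved out of its `optional_policy()` block (it now sits where `miscfiles_read_localization(chronyd_t)` was deleted) and is an unconditional call into the mta module, so the chronyd module fails to link whenever mta is not loaded; move it back inside an optional_policy block. The removal of `miscfiles_read_localization` is presumably because base now grants it elsewhere, but nothing in the hunk says so; a short comment would save the question on the next review.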
+diff --git a/cinder.fc b/cinder.fc
+new file mode 100644
+index 0000000..4b318b7
+--- /dev/null
++++ b/cinder.fc
+@@ -0,0 +1,16 @@
++
++/usr/bin/cinder-api -- gen_context(system_u:object_r:cinder_api_exec_t,s0)
++/usr/bin/cinder-backup -- gen_context(system_u:object_r:cinder_backup_exec_t,s0)
++/usr/bin/cinder-scheduler -- gen_context(system_u:object_r:cinder_scheduler_exec_t,s0)
++/usr/bin/cinder-volume -- gen_context(system_u:object_r:cinder_volume_exec_t,s0)
++
++/usr/lib/systemd/system/openstack-cinder-api.* -- gen_context(system_u:object_r:cinder_api_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-cinder-backup.* -- gen_context(system_u:object_r:cinder_backup_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-cinder-scheduler.* -- gen_context(system_u:object_r:cinder_scheduler_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-cinder-volume.* -- gen_context(system_u:object_r:cinder_volume_unit_file_t,s0)
++
++/var/lib/cinder(/.*)? gen_context(system_u:object_r:cinder_var_lib_t,s0)
++
++/var/log/cinder(/.*)? gen_context(system_u:object_r:cinder_log_t,s0)
++
++/var/run/cinder(/.*)? gen_context(system_u:object_r:cinder_var_run_t,s0)
+diff --git a/cinder.if b/cinder.if
+new file mode 100644
+index 0000000..fc9cae7
+--- /dev/null
++++ b/cinder.if
+@@ -0,0 +1,57 @@
++## openstack-cinder
++
++######################################
++##
++## Manage cinder lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cinder_manage_lib_files',`
++ gen_require(`
++ type cinder_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, cinder_var_lib_t, cinder_var_lib_t)
++')
++
++#######################################
++##
++## Creates types and rules for a basic
++## openstack-cinder systemd daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`cinder_domain_template',`
++ gen_require(`
++ attribute cinder_domain;
++ ')
++
++ type cinder_$1_t, cinder_domain;
++ type cinder_$1_exec_t;
++ init_daemon_domain(cinder_$1_t, cinder_$1_exec_t)
++
++ type cinder_$1_unit_file_t;
++ systemd_unit_file(cinder_$1_unit_file_t)
++
++ type cinder_$1_tmp_t;
++ files_tmp_file(cinder_$1_tmp_t)
++
++ manage_dirs_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
++ manage_files_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
++ files_tmp_filetrans(cinder_$1_t, cinder_$1_tmp_t, { file dir })
++ can_exec(cinder_$1_t, cinder_$1_tmp_t)
++
++ kernel_read_system_state(cinder_$1_t)
++
++ logging_send_syslog_msg(cinder_$1_t)
++
++')
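Review bot: `can_exec(cinder_$1_t, cinder_$1_tmp_t)` in cinder_domain_template lets every cinder daemon execute files it has just created in its own tmp type (the manage_files_pattern on the preceding line), which is the write-then-execute path confined daemons are normally denied; if a specific helper needs it, say which in a comment above the line, otherwise drop it. The template also calls `logging_send_syslog_msg(cinder_$1_t)`, so the per-domain repeats of that call in cinder.te are redundant.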
+diff --git a/cinder.te b/cinder.te
+new file mode 100644
+index 0000000..f257547
+--- /dev/null
++++ b/cinder.te
+@@ -0,0 +1,167 @@
++policy_module(cinder, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++#
++# cinder-stack daemons contain security issue with using sudo in the code
++# we make this policy as unconfined until this issue is fixed
++#
++
++attribute cinder_domain;
++
++cinder_domain_template(api)
++cinder_domain_template(backup)
++cinder_domain_template(scheduler)
++cinder_domain_template(volume)
++
++type cinder_log_t;
++logging_log_file(cinder_log_t)
++
++type cinder_var_lib_t;
++files_type(cinder_var_lib_t)
++
++type cinder_var_run_t;
++files_pid_file(cinder_var_run_t)
++
++######################################
++#
++# cinder general domain local policy
++#
++
++allow cinder_domain self:process signal_perms;
++allow cinder_domain self:fifo_file rw_fifo_file_perms;
++allow cinder_domain self:tcp_socket create_stream_socket_perms;
++allow cinder_domain self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(cinder_domain, cinder_log_t, cinder_log_t)
++manage_files_pattern(cinder_domain, cinder_log_t, cinder_log_t)
++
++manage_dirs_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
++manage_files_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
++
++manage_dirs_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
++manage_files_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
++
++corenet_tcp_connect_amqp_port(cinder_domain)
++corenet_tcp_connect_mysqld_port(cinder_domain)
++
++kernel_read_network_state(cinder_domain)
++
++corecmd_exec_bin(cinder_domain)
++corecmd_exec_shell(cinder_domain)
++corenet_tcp_connect_mysqld_port(cinder_domain)
++
++auth_read_passwd(cinder_domain)
++
++dev_read_sysfs(cinder_domain)
++dev_read_urand(cinder_domain)
++
++fs_getattr_xattr_fs(cinder_domain)
++
++init_read_utmp(cinder_domain)
++
++libs_exec_ldconfig(cinder_domain)
++
++optional_policy(`
++ mysql_stream_connect(cinder_domain)
++ mysql_read_db_lnk_files(cinder_domain)
++')
++
++optional_policy(`
++ sysnet_read_config(cinder_domain)
++ sysnet_exec_ifconfig(cinder_domain)
++')
++
++#######################################
++#
++# cinder api local policy
++#
++
++allow cinder_api_t self:process setfscreate;
++allow cinder_api_t self:key write;
++allow cinder_api_t self:netlink_route_socket r_netlink_socket_perms;
++allow cinder_api_t self:udp_socket create_socket_perms;
++
++kernel_read_kernel_sysctls(cinder_api_t)
++
++corenet_tcp_bind_generic_node(cinder_api_t)
++corenet_udp_bind_generic_node(cinder_api_t)
++# should be add to booleans
++corenet_tcp_connect_all_ports(cinder_api_t)
++corenet_tcp_bind_all_unreserved_ports(cinder_api_t)
++
++auth_read_passwd(cinder_api_t)
++
++logging_send_syslog_msg(cinder_api_t)
++
++miscfiles_read_certs(cinder_api_t)
++
++optional_policy(`
++ iptables_domtrans(cinder_api_t)
++')
++
++optional_policy(`
++ ssh_exec_keygen(cinder_api_t)
++')
++
++optional_policy(`
++ gnome_dontaudit_search_config(cinder_api_t)
++')
++
++optional_policy(`
++ unconfined_domain(cinder_api_t)
++')
++
++#######################################
++#
++# cinder backup local policy
++#
++
++allow cinder_backup_t self:udp_socket create_socket_perms;
++
++auth_use_nsswitch(cinder_backup_t)
++
++optional_policy(`
++ unconfined_domain(cinder_backup_t)
++')
++
++#######################################
++#
++# cinder scheduler local policy
++#
++
++allow cinder_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
++allow cinder_scheduler_t self:udp_socket create_socket_perms;
++
++auth_read_passwd(cinder_scheduler_t)
++
++init_read_utmp(cinder_scheduler_t)
++
++optional_policy(`
++ unconfined_domain(cinder_scheduler_t)
++')
++
++#######################################
++#
++# cinder volume local policy
++#
++
++allow cinder_volume_t self:netlink_route_socket r_netlink_socket_perms;
++
++allow cinder_volume_t self:udp_socket create_socket_perms;
++
++kernel_read_kernel_sysctls(cinder_volume_t)
++
++logging_send_syslog_msg(cinder_volume_t)
++
++optional_policy(`
++ lvm_domtrans(cinder_volume_t)
++')
++
++optional_policy(`
++ unconfined_domain(cinder_volume_t)
++')
++
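Review bot: Each of the four domains ends in an optional_policy block calling `unconfined_domain(cinder_api_t)`, `unconfined_domain(cinder_backup_t)`, `unconfined_domain(cinder_scheduler_t)` or `unconfined_domain(cinder_volume_t)`, so wherever the unconfined module is loaded none of the capability and network rules above them constrain anything; the header comment blames a sudo issue but gives no bug reference, and the `# should be add to booleans` note above `corenet_tcp_connect_all_ports(cinder_api_t)` is left unresolved. At minimum record a tracked TODO with the issue identifier in the header and mark the all-ports rule as temporary. Separately, `corenet_tcp_connect_mysqld_port(cinder_domain)` appears twice in the general section, and `auth_read_passwd` is granted on cinder_domain and then again on cinder_api_t and cinder_scheduler_t.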
+diff --git a/cipe.te b/cipe.te
+index a0aa693..af571ed 100644
+--- a/cipe.te
++++ b/cipe.te
+@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
+ corecmd_exec_shell(ciped_t)
+ corecmd_exec_bin(ciped_t)
+
+-corenet_all_recvfrom_unlabeled(ciped_t)
+ corenet_all_recvfrom_netlabel(ciped_t)
+ corenet_udp_sendrecv_generic_if(ciped_t)
+ corenet_udp_sendrecv_generic_node(ciped_t)
+@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
+
+ domain_use_interactive_fds(ciped_t)
+
+-files_read_etc_files(ciped_t)
+ files_read_etc_runtime_files(ciped_t)
+ files_dontaudit_search_var(ciped_t)
+
+@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
+
+ logging_send_syslog_msg(ciped_t)
+
+-miscfiles_read_localization(ciped_t)
+-
+ sysnet_read_config(ciped_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ciped_t)
+diff --git a/clamav.fc b/clamav.fc
+index d72afcc..c53b80d 100644
+--- a/clamav.fc
++++ b/clamav.fc
+@@ -6,6 +6,8 @@
+ /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+
++/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
++
+ /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+ /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
+diff --git a/clamav.if b/clamav.if
+index 4cc4a5c..a6c6322 100644
+--- a/clamav.if
++++ b/clamav.if
+@@ -1,4 +1,4 @@
+-## ClamAV Virus Scanner.
++## ClamAV Virus Scanner
+
+ ########################################
+ ##
+@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
+ type clamd_t, clamd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, clamd_exec_t, clamd_t)
+ ')
+
+ ########################################
+ ##
+-## Connect to clamd using a unix
+-## domain stream socket.
++## Connect to run clamd.
+ ##
+ ##
+ ##
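Review bot: Removing `corecmd_search_bin($1)` from clamav_domtrans means a caller that does not already hold search on bin_t cannot reach /usr/sbin/clamd, so the transition fails with a search denial instead of being granted; unless every domain in this policy gets that search elsewhere, keep the line or document that callers must supply it (the same removal is repeated for clamav_domtrans_clamscan and clamav_exec_clamscan in later hunks). The rewritten summary `## Connect to run clamd.` on the stream-connect interface is less accurate than what it replaced; `## Connect to clamd using a unix domain stream socket.` describes what the interface does.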
+@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
+
+ ########################################
+ ##
+-## Append clamav log files.
++## Allow the specified domain to append
++## to clamav log files.
+ ##
+ ##
+ ##
+@@ -61,27 +60,6 @@ interface(`clamav_append_log',`
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## clamav pid content.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`clamav_manage_pid_content',`
+- gen_require(`
+- type clamd_var_run_t;
+- ')
+-
+- files_search_pids($1)
+- manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+- manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+-')
+-
+-########################################
+-##
+ ## Read clamav configuration files.
+ ##
+ ##
+@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
+
+ ########################################
+ ##
+-## Search clamav library directories.
++## Search clamav libraries directories.
+ ##
+ ##
+ ##
+@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
+ type clamscan_t, clamscan_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, clamscan_exec_t, clamscan_t)
+ ')
+
+ ########################################
+ ##
+-## Execute clamscan in the caller domain.
++## Execute clamscan without a transition.
+ ##
+ ##
+ ##
+@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
+ type clamscan_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, clamscan_exec_t)
+ ')
+
+-#######################################
++########################################
+ ##
+-## Read clamd process state files.
++## Manage clamd pid content.
+ ##
+ ##
+ ##
+@@ -166,21 +142,63 @@ interface(`clamav_exec_clamscan',`
+ ##
+ ##
+ #
+-interface(`clamav_read_state_clamd',`
++interface(`clamav_manage_clamd_pid',`
+ gen_require(`
+- type clamd_t;
++ type clamd_var_run_t;
+ ')
+
+- kernel_search_proc($1)
+- allow $1 clamd_t:dir list_dir_perms;
+- read_files_pattern($1, clamd_t, clamd_t)
+- read_lnk_files_pattern($1, clamd_t, clamd_t)
++ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
++ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
++')
++
++#######################################
++##
++## Read clamd state files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clamav_read_state_clamd',`
++ gen_require(`
++ type clamd_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, clamd_t)
++')
++
++#######################################
++##
++## Execute clamd server in the clamd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`clamd_systemctl',`
++ gen_require(`
++ type clamd_t;
++ type clamd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 clamd_unit_file_t:file read_file_perms;
++ allow $1 clamd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, clamd_t)
+ ')
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an clamav environment.
++## All of the rules required to administrate
++## an clamav environment
+ ##
+ ##
+ ##
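Review bot: The new `clamd_systemctl` interface uses a `clamd_` prefix while every other interface in this file, including the clamav_admin that calls it, is `clamav_*`; the refpolicy convention is the module name, so it should be `clamav_systemctl`. `clamav_manage_clamd_pid` replaces the deleted clamav_manage_pid_content but drops its `files_search_pids($1)` call, so a caller that cannot search /var/run on its own no longer reaches clamd_var_run_t; restore the search line, and keep the old name as a one-line wrapper if out-of-tree callers exist.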
+@@ -189,7 +207,7 @@ interface(`clamav_read_state_clamd',`
+ ##
+ ##
+ ##
+-## Role allowed access.
++## The role to be allowed to manage the clamav domain.
+ ##
+ ##
+ ##
+@@ -197,19 +215,36 @@ interface(`clamav_read_state_clamd',`
+ interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+- type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
+- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
++ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
++ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
+ type freshclam_t, freshclam_var_log_t;
++ type clamd_unit_file_t;
+ ')
+
+- allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
++ allow $1 clamd_t:process signal_perms;
++ ps_process_pattern($1, clamd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 clamd_t:process ptrace;
++ allow $1 clamscan_t:process ptrace;
++ allow $1 freshclam_t:process ptrace;
++ ')
++
++ allow $1 clamscan_t:process signal_perms;
++ ps_process_pattern($1, clamscan_t)
++
++ allow $1 freshclam_t:process signal_perms;
++ ps_process_pattern($1, freshclam_t)
+
+ init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 clamd_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ clamd_systemctl($1)
++ admin_pattern($1, clamd_unit_file_t)
++ allow $1 clamd_unit_file_t:service all_service_perms;
++
+ files_list_etc($1)
+ admin_pattern($1, clamd_etc_t)
+
+@@ -217,11 +252,21 @@ interface(`clamav_admin',`
+ admin_pattern($1, clamd_var_lib_t)
+
+ logging_list_logs($1)
+- admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
++ admin_pattern($1, clamd_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, clamd_var_run_t)
+
+ files_list_tmp($1)
+- admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
++ admin_pattern($1, clamd_tmp_t)
++
++ admin_pattern($1, clamscan_tmp_t)
++
++ admin_pattern($1, freshclam_var_log_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++
+ ')
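Review bot: The `optional_policy` wrapper around `systemd_passwd_agent_exec($1)` and `systemd_read_fifo_file_passwd_run($1)` at the end of `clamav_admin` is inconsistent with the rest of the interface, which already calls `clamd_systemctl($1)` unconditionally, and that interface (visible earlier in this file) calls `systemd_exec_systemctl` and `systemd_read_fifo_file_passwd_run` with no `optional_policy` at all. Either systemd is a hard dependency of this module, in which case the wrapper should go, or it is optional, in which case the `clamd_systemctl($1)` call needs the same guard. The second `systemd_read_fifo_file_passwd_run($1)` inside the wrapper is redundant with the one reached through `clamd_systemctl` and can be dropped. The interface's opening lines are outside this hunk.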
+diff --git a/clamav.te b/clamav.te
+index ce3836a..94aa8a6 100644
+--- a/clamav.te
++++ b/clamav.te
+@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
+ type clamd_initrc_exec_t;
+ init_script_file(clamd_initrc_exec_t)
+
++type clamd_unit_file_t;
++systemd_unit_file(clamd_unit_file_t)
++
+ type clamd_tmp_t;
+ files_tmp_file(clamd_tmp_t)
+
+@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t)
+ allow clamd_t self:capability { kill setgid setuid dac_override };
+ dontaudit clamd_t self:capability sys_tty_config;
+ allow clamd_t self:process signal;
++
+ allow clamd_t self:fifo_file rw_fifo_file_perms;
+ allow clamd_t self:unix_stream_socket { accept connectto listen };
+ allow clamd_t self:tcp_socket { listen accept };
+@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
+
+ corecmd_exec_shell(clamd_t)
+
+-corenet_all_recvfrom_unlabeled(clamd_t)
+ corenet_all_recvfrom_netlabel(clamd_t)
+ corenet_tcp_sendrecv_generic_if(clamd_t)
+ corenet_tcp_sendrecv_generic_node(clamd_t)
+@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
+
+ corenet_sendrecv_generic_client_packets(clamd_t)
+ corenet_tcp_connect_generic_port(clamd_t)
++corenet_tcp_connect_clamd_port(clamd_t)
+
+ corenet_sendrecv_clamd_server_packets(clamd_t)
+ corenet_tcp_bind_clamd_port(clamd_t)
+@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
+
+ logging_send_syslog_msg(clamd_t)
+
+-miscfiles_read_localization(clamd_t)
+-
+-tunable_policy(`clamd_use_jit',`
+- allow clamd_t self:process execmem;
+-',`
+- dontaudit clamd_t self:process execmem;
+-')
+-
+ optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
+- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
++ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
+ amavis_create_pid_files(clamd_t)
+ ')
+
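Review bot: Widening `amavis_spool_filetrans(clamd_t, clamd_var_run_t, ...)` from `sock_file` to `{ file dir sock_file }` means every regular file and directory clamd creates under the amavis spool is now labeled `clamd_var_run_t` rather than the spool type, so amavis will only be able to read them if the amavis module already grants access to `clamd_var_run_t` — nothing in this hunk does, so that should be confirmed. A short comment such as `# clamd creates its socket, pid file and state dir inside the amavis spool` would record why the transition is this broad. Note for other readers that the removed `clamd_use_jit` block is not dropped; it reappears further down in this file with `clamscan_t` added.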
+@@ -165,6 +161,31 @@ optional_policy(`
+ mta_send_mail(clamd_t)
+ ')
+
++optional_policy(`
++ spamd_stream_connect(clamd_t)
++ spamassassin_read_pid_files(clamd_t)
++')
++
++tunable_policy(`clamd_use_jit',`
++ allow clamd_t self:process execmem;
++ allow clamscan_t self:process execmem;
++',`
++ dontaudit clamd_t self:process execmem;
++ dontaudit clamscan_t self:process execmem;
++')
++
++optional_policy(`
++ antivirus_domain_template(clamd_t)
++')
++
++optional_policy(`
++ antivirus_domain_template(clamscan_t)
++')
++
++optional_policy(`
++ antivirus_domain_template(freshclam_t)
++')
++
+ ########################################
+ #
+ # Freshclam local policy
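Review bot: The three separate `optional_policy` blocks each calling `antivirus_domain_template(...)` for `clamd_t`, `clamscan_t` and `freshclam_t` depend on the same module and should be one `optional_policy(\`...')` block containing the three calls. The `clamd_use_jit` tunable now also grants `execmem` (writable-and-executable memory) to `clamscan_t` but is placed in the clamd section, while the freshclam section below keeps its own copy of the same tunable; consolidating the three domains into a single `tunable_policy` block near the declarations would make the blast radius of the boolean visible in one place. The `gen_tunable` description for `clamd_use_jit` is outside this hunk and presumably still mentions only clamd; it should list clamscan too.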
+@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
+
+ logging_send_syslog_msg(freshclam_t)
+
+-miscfiles_read_localization(freshclam_t)
+
+ tunable_policy(`clamd_use_jit',`
+ allow freshclam_t self:process execmem;
+@@ -241,6 +261,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ clamd_systemctl(freshclam_t)
++')
++
++optional_policy(`
+ cron_system_entry(freshclam_t, freshclam_exec_t)
+ ')
+
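Review bot: `clamd_systemctl(freshclam_t)` hands the signature downloader — the one clamav domain that talks to the network — `systemd_exec_systemctl`, `init_reload_services` and `manage_service_perms` on `clamd_unit_file_t` (see the interface body earlier in this file), so a compromised freshclam could stop, start or restart clamd and, if `init_reload_services` is as broad as its name suggests, reload any service. If the only need is to reload clamd after a database update, a narrower rule granting just `reload` on `clamd_unit_file_t` would be tighter. Either way a why-comment is missing; something like `# freshclam reloads clamd after a signature update (OnUpdateExecute)` if that is the case. The `optional_policy` wrapper is also unnecessary for an interface defined in this same module.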
+@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
+ kernel_read_kernel_sysctls(clamscan_t)
+ kernel_read_system_state(clamscan_t)
+
+-corenet_all_recvfrom_unlabeled(clamscan_t)
+ corenet_all_recvfrom_netlabel(clamscan_t)
+ corenet_tcp_sendrecv_generic_if(clamscan_t)
+ corenet_tcp_sendrecv_generic_node(clamscan_t)
+@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
+
+ corecmd_read_all_executables(clamscan_t)
+
+-files_read_etc_files(clamscan_t)
+ files_read_etc_runtime_files(clamscan_t)
+ files_search_var_lib(clamscan_t)
+
+ init_read_utmp(clamscan_t)
+ init_dontaudit_write_utmp(clamscan_t)
+
+-miscfiles_read_localization(clamscan_t)
+ miscfiles_read_public_files(clamscan_t)
+
+ sysnet_dns_name_resolve(clamscan_t)
+@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
+ ')
+
+ optional_policy(`
+- amavis_read_spool_files(clamscan_t)
+-')
+-
+-optional_policy(`
+ apache_read_sys_content(clamscan_t)
+ ')
+
+diff --git a/clockspeed.te b/clockspeed.te
+index d3e2a67..f5b330c 100644
+--- a/clockspeed.te
++++ b/clockspeed.te
+@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
+
+ read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+ corenet_all_recvfrom_netlabel(clockspeed_cli_t)
+ corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
+ corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
+@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
+ corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+
+ files_list_var_lib(clockspeed_cli_t)
+-files_read_etc_files(clockspeed_cli_t)
+
+-miscfiles_read_localization(clockspeed_cli_t)
+
+-userdom_use_user_terminals(clockspeed_cli_t)
++userdom_use_inherited_user_terminals(clockspeed_cli_t)
+
+ ########################################
+ #
+@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
+ manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+ manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+ corenet_all_recvfrom_netlabel(clockspeed_srv_t)
+ corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
+ corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
+@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
+ corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
+
+ files_list_var_lib(clockspeed_srv_t)
+-files_read_etc_files(clockspeed_srv_t)
+
+-miscfiles_read_localization(clockspeed_srv_t)
+
+ optional_policy(`
+ daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+diff --git a/clogd.te b/clogd.te
+index 4a5b3d1..cd146bd 100644
+--- a/clogd.te
++++ b/clogd.te
+@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
+
+ logging_send_syslog_msg(clogd_t)
+
+-miscfiles_read_localization(clogd_t)
+-
+ optional_policy(`
+- aisexec_stream_connect(clogd_t)
+- corosync_stream_connect(clogd_t)
++ rhcs_stream_connect_cluster(clogd_t)
+ ')
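Review bot: Replacing `aisexec_stream_connect` and `corosync_stream_connect` with `rhcs_stream_connect_cluster` presumably grants connect to every domain carrying the cluster attribute rather than to the two named daemons, which is broader than before. If that is intended it is worth one comment stating so, e.g. `# clogd talks to whichever cluster stack is running (corosync/aisexec)`, so the widening is not read as accidental later.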
+diff --git a/cloudform.fc b/cloudform.fc
+new file mode 100644
+index 0000000..3849f13
+--- /dev/null
++++ b/cloudform.fc
+@@ -0,0 +1,21 @@
++/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
++
++/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
++/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
++/usr/libexec/min-cloud-agent -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
++/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
++/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
++
++/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
++
++/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
++
++/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
++/var/lib/min-cloud-agent(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
++/var/log/cloud-init.*\.log.* -- gen_context(system_u:object_r:cloud_log_t,s0)
++/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
++
++/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
++/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
++
++/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
+diff --git a/cloudform.if b/cloudform.if
+new file mode 100644
+index 0000000..a06f04b
+--- /dev/null
++++ b/cloudform.if
+@@ -0,0 +1,60 @@
++## cloudform policy
++
++#######################################
++##
++## Creates types and rules for a basic
++## cloudform daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`cloudform_domain_template',`
++ gen_require(`
++ attribute cloudform_domain;
++ ')
++
++ type $1_t, cloudform_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ kernel_read_system_state($1_t)
++')
++
++######################################
++##
++## Execute mongod in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cloudform_exec_mongod',`
++ gen_require(`
++ type mongod_exec_t;
++ ')
++
++ can_exec($1, mongod_exec_t)
++')
++
++######################################
++##
++## Execute mongod in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cloudform_dontaudit_write_cloud_log',`
++ gen_require(`
++ type cloud_log_t;
++ ')
++
++ dontaudit $1 cloud_log_t:file write_inherited_file_perms;
++')
+diff --git a/cloudform.te b/cloudform.te
+new file mode 100644
+index 0000000..21e071f
+--- /dev/null
++++ b/cloudform.te
+@@ -0,0 +1,236 @@
++policy_module(cloudform, 1.0)
++########################################
++#
++# Declarations
++#
++
++attribute cloudform_domain;
++
++cloudform_domain_template(deltacloudd)
++cloudform_domain_template(iwhd)
++cloudform_domain_template(cloud_init)
++
++type cloud_init_tmp_t;
++files_tmp_file(cloud_init_tmp_t)
++
++type cloud_init_unit_file_t;
++systemd_unit_file(cloud_init_unit_file_t)
++
++type cloud_var_lib_t;
++files_type(cloud_var_lib_t)
++
++type cloud_log_t;
++logging_log_file(cloud_log_t)
++
++type deltacloudd_log_t;
++logging_log_file(deltacloudd_log_t)
++
++type deltacloudd_var_run_t;
++files_pid_file(deltacloudd_var_run_t)
++
++type deltacloudd_tmp_t;
++files_tmp_file(deltacloudd_tmp_t)
++
++type iwhd_initrc_exec_t;
++init_script_file(iwhd_initrc_exec_t)
++
++type iwhd_var_lib_t;
++files_type(iwhd_var_lib_t)
++
++type iwhd_var_run_t;
++files_pid_file(iwhd_var_run_t)
++
++type iwhd_log_t;
++logging_log_file(iwhd_log_t)
++
++########################################
++#
++# cloudform_domain local policy
++#
++
++allow cloudform_domain self:fifo_file rw_fifo_file_perms;
++allow cloudform_domain self:tcp_socket create_stream_socket_perms;
++
++dev_read_rand(cloudform_domain)
++dev_read_urand(cloudform_domain)
++dev_read_sysfs(cloudform_domain)
++
++auth_read_passwd(cloudform_domain)
++
++miscfiles_read_certs(cloudform_domain)
++
++#################################
++#
++# cloud-init local policy
++#
++
++allow cloud_init_t self:capability { fowner chown fsetid dac_override };
++
++allow cloud_init_t self:udp_socket create_socket_perms;
++
++manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
++manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
++files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
++
++manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
++manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
++manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
++
++manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
++logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
++
++kernel_read_network_state(cloud_init_t)
++
++corenet_tcp_connect_http_port(cloud_init_t)
++
++corecmd_exec_bin(cloud_init_t)
++corecmd_exec_shell(cloud_init_t)
++
++domain_read_all_domains_state(cloud_init_t)
++
++fs_getattr_all_fs(cloud_init_t)
++
++storage_raw_read_fixed_disk(cloud_init_t)
++
++auth_use_nsswitch(cloud_init_t)
++
++libs_exec_ldconfig(cloud_init_t)
++
++logging_send_syslog_msg(cloud_init_t)
++
++miscfiles_read_localization(cloud_init_t)
++
++selinux_validate_context(cloud_init_t)
++
++systemd_dbus_chat_hostnamed(cloud_init_t)
++systemd_exec_systemctl(cloud_init_t)
++systemd_start_all_services(cloud_init_t)
++
++usermanage_domtrans_passwd(cloud_init_t)
++
++optional_policy(`
++ certmonger_dbus_chat(cloud_init_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(cloud_init_t)
++')
++
++optional_policy(`
++ dmidecode_domtrans(cloud_init_t)
++')
++
++optional_policy(`
++ fstools_domtrans(cloud_init_t)
++')
++
++optional_policy(`
++ hostname_exec(cloud_init_t)
++')
++
++optional_policy(`
++ mount_domtrans(cloud_init_t)
++')
++
++optional_policy(`
++ # it check file context and run restorecon
++ seutil_read_file_contexts(cloud_init_t)
++ seutil_domtrans_setfiles(cloud_init_t)
++')
++
++optional_policy(`
++ ssh_exec_keygen(cloud_init_t)
++ ssh_read_user_home_files(cloud_init_t)
++')
++
++optional_policy(`
++ sysnet_domtrans_ifconfig(cloud_init_t)
++ sysnet_read_dhcpc_state(cloud_init_t)
++ sysnet_dns_name_resolve(cloud_init_t)
++')
++
++optional_policy(`
++ rpm_run(cloud_init_t, system_r)
++ unconfined_domain(cloud_init_t)
++')
++
++########################################
++#
++# deltacloudd local policy
++#
++
++allow deltacloudd_t self:capability { dac_override setuid setgid };
++
++allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
++allow deltacloudd_t self:udp_socket create_socket_perms;
++
++allow deltacloudd_t self:process signal;
++
++allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
++allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
++allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
++
++manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
++
++manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
++manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
++logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
++
++kernel_read_kernel_sysctls(deltacloudd_t)
++kernel_read_system_state(deltacloudd_t)
++kernel_read_network_state(deltacloudd_t)
++
++corecmd_exec_bin(deltacloudd_t)
++
++corenet_tcp_bind_generic_node(deltacloudd_t)
++corenet_tcp_bind_generic_port(deltacloudd_t)
++corenet_tcp_connect_http_port(deltacloudd_t)
++corenet_tcp_connect_keystone_port(deltacloudd_t)
++
++auth_use_nsswitch(deltacloudd_t)
++
++logging_send_syslog_msg(deltacloudd_t)
++
++optional_policy(`
++ sysnet_read_config(deltacloudd_t)
++')
++
++########################################
++#
++# iwhd local policy
++#
++
++allow iwhd_t self:capability { chown kill };
++allow iwhd_t self:process { fork };
++
++allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
++allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
++manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
++
++manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
++logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
++
++manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
++
++kernel_read_system_state(iwhd_t)
++
++corenet_tcp_bind_generic_node(iwhd_t)
++corenet_tcp_bind_websm_port(iwhd_t)
++corenet_tcp_connect_all_ports(iwhd_t)
++
++dev_read_rand(iwhd_t)
++dev_read_urand(iwhd_t)
++
++userdom_home_manager(iwhd_t)
++
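Review bot: `unconfined_domain(cloud_init_t)` inside the last `optional_policy` block turns cloud_init_t into an unconfined domain whenever the unconfined module is loaded, which makes every fine-grained rule above it (tmp/lib/log patterns, the individual domtrans calls, `systemd_start_all_services`, `storage_raw_read_fixed_disk`, `usermanage_domtrans_passwd`) dead weight on those systems, and there is no comment saying why. If the reason is that cloud-init executes arbitrary user-data scripts at first boot, say so: `# cloud-init runs arbitrary user-data scripts; unconfined when the module is available, best-effort confinement otherwise`. The iwhd section similarly grants `corenet_tcp_connect_all_ports(iwhd_t)` and `userdom_home_manager(iwhd_t)` without a comment; a daemon that manages user home directories and connects anywhere is unusual enough that the need should be recorded or the rules narrowed.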
+diff --git a/cmirrord.if b/cmirrord.if
+index cc4e7cb..f348d27 100644
+--- a/cmirrord.if
++++ b/cmirrord.if
+@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',`
+ type cmirrord_t, cmirrord_tmpfs_t;
+ ')
+
+- allow $1 cmirrord_t:shm rw_shm_perms;
++ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
+
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
+ ')
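Review bot: `cmirrord_rw_shm` now grants `destroy` on the shm segment and `delete_files_pattern` on `cmirrord_tmpfs_t`, which is more than the "rw" in the name promises to callers that only wanted read/write. Either rename or split it (`cmirrord_manage_shm`) or at least update the interface summary, which starts above this hunk, to say `## Read, write and destroy cmirrord shared memory and delete its tmpfs files.`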
+@@ -103,9 +104,13 @@ interface(`cmirrord_admin',`
+ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
+ ')
+
+- allow $1 cmirrord_t:process { ptrace signal_perms };
++ allow $1 cmirrord_t:process signal_perms;
+ ps_process_pattern($1, cmirrord_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cmirrord_t:process ptrace;
++ ')
++
+ cmirrord_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cmirrord_initrc_exec_t system_r;
+diff --git a/cmirrord.te b/cmirrord.te
+index bbdd396..8328b95 100644
+--- a/cmirrord.te
++++ b/cmirrord.te
+@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
+ # Local policy
+ #
+
+-allow cmirrord_t self:capability { net_admin kill };
++allow cmirrord_t self:capability { sys_admin net_admin kill };
+ dontaudit cmirrord_t self:capability sys_tty_config;
+ allow cmirrord_t self:process { setfscreate signal };
+ allow cmirrord_t self:fifo_file rw_fifo_file_perms;
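Review bot: Adding `sys_admin` to `cmirrord_t`'s capability set is the broadest capability in the policy and carries no comment explaining which operation needs it; possibly the block-device ioctls implied by the `storage_raw_read_fixed_disk`/`storage_rw_inherited_fixed_disk_dev` rules added in the next hunk, but that is a guess. Please add the reason on the line, e.g. `allow cmirrord_t self:capability { sys_admin net_admin kill }; # sys_admin: <ioctl/mount op> — confirm`, or drop it if an audit run shows it is not required.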
+@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+ domain_use_interactive_fds(cmirrord_t)
+ domain_obj_id_change_exemption(cmirrord_t)
+
+-files_read_etc_files(cmirrord_t)
+-
+ storage_create_fixed_disk_dev(cmirrord_t)
++storage_raw_read_fixed_disk(cmirrord_t)
++storage_rw_inherited_fixed_disk_dev(cmirrord_t)
+
+ seutil_read_file_contexts(cmirrord_t)
+
+ logging_send_syslog_msg(cmirrord_t)
+
+-miscfiles_read_localization(cmirrord_t)
+-
+ optional_policy(`
+ corosync_stream_connect(cmirrord_t)
+ ')
++
++optional_policy(`
++ rhcs_rw_cluster_tmpfs(cmirrord_t)
++')
+diff --git a/cobbler.fc b/cobbler.fc
+index 973d208..2b650a7 100644
+--- a/cobbler.fc
++++ b/cobbler.fc
+@@ -4,6 +4,7 @@
+
+ /usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+
++/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+ /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+ /var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+diff --git a/cobbler.if b/cobbler.if
+index c223f81..8b567c1 100644
+--- a/cobbler.if
++++ b/cobbler.if
+@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+ ')
+
++
++
++########################################
++##
++## Read cobbler configuration dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cobbler_list_config',`
++ gen_require(`
++ type cobbler_etc_t;
++ ')
++
++ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
++ files_search_etc($1)
++')
++
++
+ ########################################
+ ##
+ ## Read cobbler configuration files.
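Review bot: The new `cobbler_list_config` interface is surrounded by two double blank lines (before its header and after its closing `')`), which breaks the one-blank-line spacing used everywhere else in this file. Its summary says "Read cobbler configuration dirs." but the body only grants `list_dirs_pattern` and `files_search_etc`; `## List cobbler configuration directories.` is the accurate wording and matches the `_list_` name.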
+@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ ')
+
+ ########################################
+@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ ')
+
+ ########################################
+@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
+ interface(`cobbler_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
+- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
++ type cobbler_etc_t, cobblerd_initrc_exec_t;
++ type cobbler_tmp_t;
+ ')
+
+ allow $1 cobblerd_t:process { ptrace signal_perms };
+@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
+
+ logging_search_logs($1)
+ admin_pattern($1, cobbler_var_log_t)
+-
+- apache_search_sys_content($1)
+- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
+ ')
+diff --git a/cobbler.te b/cobbler.te
+index 5f306dd..e01156f 100644
+--- a/cobbler.te
++++ b/cobbler.te
+@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
++files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
+
+ append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+
+ kernel_read_system_state(cobblerd_t)
+-kernel_dontaudit_search_network_state(cobblerd_t)
++kernel_read_network_state(cobblerd_t)
+
+ corecmd_exec_bin(cobblerd_t)
+ corecmd_exec_shell(cobblerd_t)
+@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
+ corenet_tcp_connect_http_port(cobblerd_t)
+ corenet_sendrecv_http_client_packets(cobblerd_t)
+
++dev_read_sysfs(cobblerd_t)
+ dev_read_urand(cobblerd_t)
+
+ files_list_boot(cobblerd_t)
+ files_list_tmp(cobblerd_t)
+ files_read_boot_files(cobblerd_t)
+-files_read_etc_files(cobblerd_t)
+ files_read_etc_runtime_files(cobblerd_t)
+-files_read_usr_files(cobblerd_t)
+
+ fs_getattr_all_fs(cobblerd_t)
+ fs_read_iso9660_files(cobblerd_t)
+@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t)
+
+ term_use_console(cobblerd_t)
+
++auth_use_nsswitch(cobblerd_t)
++
+ logging_send_syslog_msg(cobblerd_t)
+
+ miscfiles_read_localization(cobblerd_t)
+@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',`
+ ')
+
+ optional_policy(`
++ apache_domtrans(cobblerd_t)
+ apache_search_sys_content(cobblerd_t)
+ ')
+
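Review bot: `apache_domtrans(cobblerd_t)` lets cobblerd execute the httpd binaries and enter `httpd_t`, a full transition into a network-facing daemon domain, with no comment on why. If the need is to restart or reload apache after regenerating content, the `*_systemctl` calls this patch adds for bind, dhcpd and dnsmasq in the hunks below are the narrower, consistent choice here too; otherwise record the reason, e.g. `# cobblerd starts httpd directly on <situation>`.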
+@@ -170,6 +173,7 @@ optional_policy(`
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
++ bind_systemctl(cobblerd_t)
+ ')
+
+ optional_policy(`
+@@ -179,12 +183,22 @@ optional_policy(`
+ optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
++ dhcpd_systemctl(cobblerd_t)
+ ')
+
+ optional_policy(`
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
++ dnsmasq_systemctl(cobblerd_t)
++')
++
++optional_policy(`
++ libs_exec_ldconfig(cobblerd_t)
++')
++
++optional_policy(`
++ mysql_stream_connect(cobblerd_t)
+ ')
+
+ optional_policy(`
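Review bot: `libs_exec_ldconfig(cobblerd_t)` is wrapped in `optional_policy`, but if this follows reference-policy layering the libs module is part of base and cannot be absent, so the guard is unnecessary and inconsistent with the bare `files_*`/`corecmd_*` calls in this file; it can be a plain `libs_exec_ldconfig(cobblerd_t)` line. The `dhcpd_systemctl` and `dnsmasq_systemctl` additions are fine, though each block now grants both initrc domtrans and systemctl, so a one-line comment noting the dual sysvinit/systemd support would make the redundancy look intentional.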
+@@ -192,13 +206,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rsync_exec(cobblerd_t)
+ rsync_read_config(cobblerd_t)
+- rsync_manage_config_files(cobblerd_t)
++ rsync_manage_config(cobblerd_t)
+ rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
+ ')
+
+ optional_policy(`
+- tftp_manage_config_files(cobblerd_t)
+- tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
++ tftp_manage_config(cobblerd_t)
+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
+ ')
+diff --git a/cockpit.fc b/cockpit.fc
+new file mode 100644
+index 0000000..bb87537
+--- /dev/null
++++ b/cockpit.fc
+@@ -0,0 +1,10 @@
++# cockpit stuff
++
++/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++
++/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
++
++/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
++
++/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
+diff --git a/cockpit.if b/cockpit.if
+new file mode 100644
+index 0000000..a8a678a
+--- /dev/null
++++ b/cockpit.if
+@@ -0,0 +1,189 @@
++## policy for cockpit
++
++########################################
++##
++## Execute TEMPLATE in the cockpit domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cockpit_ws_domtrans',`
++ gen_require(`
++ type cockpit_ws_t, cockpit_ws_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
++')
++
++########################################
++##
++## Execute TEMPLATE in the cockpit domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cockpit_session_domtrans',`
++ gen_require(`
++ type cockpit_session_t, cockpit_session_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
++')
++
++########################################
++##
++## Search cockpit lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cockpit_search_lib',`
++ gen_require(`
++ type cockpit_var_lib_t;
++ ')
++
++ allow $1 cockpit_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read cockpit lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cockpit_read_lib_files',`
++ gen_require(`
++ type cockpit_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++##
++## Manage cockpit lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cockpit_manage_lib_files',`
++ gen_require(`
++ type cockpit_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++##
++## Manage cockpit lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cockpit_manage_lib_dirs',`
++ gen_require(`
++ type cockpit_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++##
++## Execute cockpit server in the cockpit domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cockpit_systemctl',`
++ gen_require(`
++ type cockpit_ws_t;
++ type cockpit_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 cockpit_unit_file_t:file read_file_perms;
++ allow $1 cockpit_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, cockpit_ws_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an cockpit environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`cockpit_admin',`
++ gen_require(`
++ type cockpit_ws_t;
++ type cockpit_session_t;
++ type cockpit_var_lib_t;
++ type cockpit_unit_file_t;
++ ')
++
++ allow $1 cockpit_ws_t:process { signal_perms };
++ ps_process_pattern($1, cockpit_ws_t)
++
++ allow $1 cockpit_session_t:process { signal_perms };
++ ps_process_pattern($1, cockpit_session_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cockpit_ws_t:process ptrace;
++ allow $1 cockpit_session_t:process ptrace;
++ ')
++
++ files_search_var_lib($1)
++ admin_pattern($1, cockpit_var_lib_t)
++
++ cockpit_systemctl($1)
++ admin_pattern($1, cockpit_unit_file_t)
++ allow $1 cockpit_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/cockpit.te b/cockpit.te
+new file mode 100644
+index 0000000..4d89495
+--- /dev/null
++++ b/cockpit.te
+@@ -0,0 +1,98 @@
++policy_module(cockpit, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type cockpit_ws_t;
++type cockpit_ws_exec_t;
++init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
++
++type cockpit_tmp_t;
++files_tmp_file(cockpit_tmp_t)
++
++type cockpit_unit_file_t;
++systemd_unit_file(cockpit_unit_file_t)
++
++type cockpit_var_lib_t;
++files_type(cockpit_var_lib_t)
++
++type cockpit_session_t;
++type cockpit_session_exec_t;
++domain_type(cockpit_session_t)
++domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
++
++########################################
++#
++# cockpit_ws_t local policy
++#
++
++allow cockpit_ws_t self:capability net_admin;
++allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
++
++# cockpit-ws can execute cockpit-session
++can_exec(cockpit_ws_t,cockpit_session_exec_t)
++
++# cockpit-ws can read from /dev/urandom
++dev_read_urand(cockpit_ws_t) # for authkey
++dev_read_rand(cockpit_ws_t) # for libssh
++
++corenet_tcp_bind_websm_port(cockpit_ws_t)
++
++# cockpit-ws can connect to other hosts via ssh
++corenet_tcp_connect_ssh_port(cockpit_ws_t)
++
++# cockpit-ws can write to its temp files
++manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
++manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
++files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
++
++read_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
++list_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
++
++auth_use_nsswitch(cockpit_ws_t)
++
++init_stream_connect(cockpit_ws_t)
++
++logging_send_syslog_msg(cockpit_ws_t)
++
++# cockpit-ws launches cockpit-session
++cockpit_session_domtrans(cockpit_ws_t)
++allow cockpit_ws_t cockpit_session_t:process signal_perms;
++
++# cockpit-session communicates back with cockpit-ws
++allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
++
++optional_policy(`
++ kerberos_use(cockpit_ws_t)
++ kerberos_etc_filetrans_keytab(cockpit_ws_t)
++')
++
++optional_policy(`
++ ssh_read_user_home_files(cockpit_ws_t)
++')
++
++#########################################################
++#
++# cockpit-session local policy
++#
++
++# cockpit-session changes to the actual logged in user
++allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid };
++allow cockpit_session_t self:process { setexec setsched signal_perms };
++
++# cockpit-session runs a full pam stack, including pam_selinux.so
++auth_login_pgm_domain(cockpit_session_t)
++auth_write_login_records(cockpit_session_t)
++
++# cockpit-session can execute cockpit-agent as the user
++userdom_spec_domtrans_all_users(cockpit_session_t)
++
++optional_policy(`
++ userdom_signal_all_users(cockpit_session_t)
++')
++
++optional_policy(`
++ unconfined_domtrans(cockpit_session_t)
++')
+diff --git a/collectd.fc b/collectd.fc
+index 79a3abe..3237fb0 100644
+--- a/collectd.fc
++++ b/collectd.fc
+@@ -1,9 +1,12 @@
+ /etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
++
+ /usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
+
+ /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
+
+ /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
++/var/run/collectd-unixsock -s gen_context(system_u:object_r:collectd_var_run_t,s0)
+
+-/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
++/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0)
+diff --git a/collectd.if b/collectd.if
+index 954309e..6780142 100644
+--- a/collectd.if
++++ b/collectd.if
+@@ -2,8 +2,145 @@
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an collectd environment.
++## Transition to collectd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`collectd_domtrans',`
++ gen_require(`
++ type collectd_t, collectd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, collectd_exec_t, collectd_t)
++')
++
++########################################
++##
++## Execute collectd server in the collectd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`collectd_initrc_domtrans',`
++ gen_require(`
++ type collectd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
++')
++
++########################################
++##
++## Search collectd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`collectd_search_lib',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ allow $1 collectd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read collectd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`collectd_read_lib_files',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++')
++
++########################################
++##
++## Manage collectd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`collectd_manage_lib_files',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++')
++
++########################################
++##
++## Manage collectd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`collectd_manage_lib_dirs',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++')
++
++########################################
++##
++## Execute collectd server in the collectd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`collectd_systemctl',`
++ gen_require(`
++ type collectd_t;
++ type collectd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 collectd_unit_file_t:file read_file_perms;
++ allow $1 collectd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, collectd_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an collectd environment
+ ##
+ ##
+ ##
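Review bot: The header of `collectd_systemctl` (and of `collectd_initrc_domtrans`) reads "Execute collectd server in the collectd domain." with the parameter described as "Domain allowed to transition.", but neither interface transitions into collectd_t — `collectd_initrc_domtrans` enters the init-script domain and `collectd_systemctl` grants systemctl execution, read/manage rights on collectd_unit_file_t and process-state reads on collectd_t. Suggest `## Execute systemctl to manage the collectd service and read its unit file.` with `## Domain allowed access.` for the parameter; the same copy-pasted header appears on `colord_systemctl` in colord.if, `condor_systemctl` in condor.if and `conman_systemctl` in conman.if. `collectd_search_lib` also places the raw `allow` before `files_search_var_lib($1)`, the reverse of every sibling interface in this hunk; for consistency call `files_search_var_lib($1)` first.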
+@@ -20,13 +157,17 @@
+ interface(`collectd_admin',`
+ gen_require(`
+ type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
+- type collectd_var_lib_t;
++ type collectd_var_lib_t, collectd_unit_file_t;
+ ')
+
+- allow $1 collectd_t:process { ptrace signal_perms };
++ allow $1 collectd_t:process signal_perms;
+ ps_process_pattern($1, collectd_t)
+
+- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 collectd_t:process ptrace;
++ ')
++
++ collectd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 collectd_initrc_exec_t system_r;
+ allow $2 system_r;
+@@ -36,4 +177,9 @@ interface(`collectd_admin',`
+
+ files_search_var_lib($1)
+ admin_pattern($1, collectd_var_lib_t)
++
++ collectd_systemctl($1)
++ admin_pattern($1, collectd_unit_file_t)
++ allow $1 collectd_unit_file_t:service all_service_perms;
+ ')
++
+diff --git a/collectd.te b/collectd.te
+index 6471fa8..74ffeda 100644
+--- a/collectd.te
++++ b/collectd.te
+@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
+ type collectd_var_run_t;
+ files_pid_file(collectd_var_run_t)
+
++type collectd_unit_file_t;
++systemd_unit_file(collectd_unit_file_t)
++
+ apache_content_template(collectd)
++apache_content_alias_template(collectd, collectd)
++
++type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
++files_tmp_file(collectd_script_tmp_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow collectd_t self:capability { ipc_lock sys_nice };
++allow collectd_t self:capability { ipc_lock net_admin sys_nice sys_ptrace dac_override };
+ allow collectd_t self:process { getsched setsched signal };
+ allow collectd_t self:fifo_file rw_fifo_file_perms;
+ allow collectd_t self:packet_socket create_socket_perms;
+ allow collectd_t self:unix_stream_socket { accept listen };
++allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++allow collectd_t self:udp_socket create_socket_perms;
++allow collectd_t self:rawip_socket create_socket_perms;
+
+ manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
+ manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
+ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+
+ manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+-files_pid_filetrans(collectd_t, collectd_var_run_t, file)
++manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
++files_pid_filetrans(collectd_t, collectd_var_run_t, { file sock_file })
+
+-domain_use_interactive_fds(collectd_t)
++kernel_read_all_sysctls(collectd_t)
++kernel_read_all_proc(collectd_t)
++kernel_list_all_proc(collectd_t)
+
+-kernel_read_network_state(collectd_t)
+-kernel_read_net_sysctls(collectd_t)
+-kernel_read_system_state(collectd_t)
++auth_use_nsswitch(collectd_t)
++
++corenet_udp_bind_generic_node(collectd_t)
++corenet_udp_bind_collectd_port(collectd_t)
+
+ dev_read_rand(collectd_t)
+ dev_read_sysfs(collectd_t)
+ dev_read_urand(collectd_t)
+
++domain_use_interactive_fds(collectd_t)
++domain_read_all_domains_state(collectd_t)
++
+ files_getattr_all_dirs(collectd_t)
+-files_read_etc_files(collectd_t)
+-files_read_usr_files(collectd_t)
+
+ fs_getattr_all_fs(collectd_t)
++fs_getattr_all_dirs(collectd_t)
+
+-miscfiles_read_localization(collectd_t)
++init_read_utmp(collectd_t)
+
+ logging_send_syslog_msg(collectd_t)
+
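Review bot: The capability set for collectd_t grows from `{ ipc_lock sys_nice }` to include `net_admin`, `sys_ptrace` and `dac_override`, and the hunk also adds `kernel_read_all_sysctls`, `kernel_read_all_proc`, `domain_read_all_domains_state` and a rawip socket, none of which carries a comment saying which collectd plugin needs it. For a daemon that also gains network binding and MySQL/libvirt socket access in the next hunk this is a large surface; add a why-comment per grant, e.g. `# sys_ptrace + domain_read_all_domains_state: needed by the plugin that reads other processes' /proc state — confirm which`, and check whether `dac_override` is masking a file-ownership problem rather than a real need. The removal of `files_read_etc_files`, `files_read_usr_files` and `miscfiles_read_localization` mirrors identical removals elsewhere in this patch and presumably reflects those rules moving into a base interface, so it is not flagged here.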
+@@ -75,16 +91,31 @@ tunable_policy(`collectd_tcp_network_connect',`
+ ')
+
+ optional_policy(`
++ mysql_stream_connect(collectd_t)
++')
++
++optional_policy(`
++ netutils_domtrans_ping(collectd_t)
++')
++
++optional_policy(`
+ virt_read_config(collectd_t)
++ virt_stream_connect(collectd_t)
+ ')
+
+ ########################################
+ #
+-# Web local policy
++# Web collectd local policy
+ #
+
+-optional_policy(`
+- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+- list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+-')
++
++files_search_var_lib(collectd_script_t)
++read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
++
++manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
++manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
++files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })
++
++auth_read_passwd(collectd_script_t)
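Review bot: `auth_read_passwd(collectd_script_t)` gives the web-facing collection3 CGI scripts read access to account data with no comment on why a graphing CGI needs it; add a why-comment such as `# collection3 CGI resolves user names via /etc/passwd — confirm against the scripts` so the grant can be revisited. Moving the web rules out of `optional_policy` is consistent with `apache_content_template(collectd)` being unconditional in the declarations hunk, so that part reads fine.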
+diff --git a/colord.fc b/colord.fc
+index 71639eb..08ab891 100644
+--- a/colord.fc
++++ b/colord.fc
+@@ -7,5 +7,7 @@
+ /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+ /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+
++/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
++
+ /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+ /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+diff --git a/colord.if b/colord.if
+index 8e27a37..c69be28 100644
+--- a/colord.if
++++ b/colord.if
+@@ -1,4 +1,4 @@
+-## GNOME color manager.
++## GNOME color manager
+
+ ########################################
+ ##
+@@ -15,7 +15,6 @@ interface(`colord_domtrans',`
+ type colord_t, colord_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, colord_exec_t, colord_t)
+ ')
+
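Review bot: Dropping `corecmd_search_bin($1)` from `colord_domtrans` leaves callers with no other bin_t search permission unable to reach /usr/libexec/colord (labelled colord_exec_t in colord.fc; /usr/libexec is normally bin_t), so the domain transition on the next line is granted but not reachable for them. The other domtrans interfaces in this patch keep that call (`collectd_domtrans`, `condor_domtrans_master`, `conman_domtrans`); unless the removal is deliberate, restore `corecmd_search_bin($1)` before `domtrans_pattern($1, colord_exec_t, colord_t)`. The interface header lies outside the hunk.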
+@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',`
+
+ allow $1 colord_t:dbus send_msg;
+ allow colord_t $1:dbus send_msg;
++ ps_process_pattern(colord_t, $1)
+ ')
+
+ ######################################
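Review bot: `ps_process_pattern(colord_t, $1)` widens `colord_dbus_chat` beyond the D-Bus send_msg exchange it is named for: colord_t gains read access to the /proc state of every domain that calls this interface. That is an undocumented side effect of a chat interface; either record it in the interface header (outside the hunk) with `## Also allows colord to read the process state of the calling domain.`, or move it into a separate read-state interface so callers opt in explicitly.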
+@@ -58,3 +58,27 @@ interface(`colord_read_lib_files',`
+ files_search_var_lib($1)
+ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
+ ')
++
++########################################
++##
++## Execute colord server in the colord domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`colord_systemctl',`
++ gen_require(`
++ type colord_t;
++ type colord_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 colord_unit_file_t:file read_file_perms;
++ allow $1 colord_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, colord_t)
++')
+diff --git a/colord.te b/colord.te
+index 9f2dfb2..3d5988c 100644
+--- a/colord.te
++++ b/colord.te
+@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
+ type colord_t;
+ type colord_exec_t;
+ dbus_system_domain(colord_t, colord_exec_t)
++init_daemon_domain(colord_t, colord_exec_t)
+
+ type colord_tmp_t;
+ files_tmp_file(colord_tmp_t)
+@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t)
+ type colord_var_lib_t;
+ files_type(colord_var_lib_t)
+
++type colord_unit_file_t;
++systemd_unit_file(colord_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -26,10 +30,13 @@ files_type(colord_var_lib_t)
+ allow colord_t self:capability { dac_read_search dac_override };
+ dontaudit colord_t self:capability sys_admin;
+ allow colord_t self:process signal;
++
+ allow colord_t self:fifo_file rw_fifo_file_perms;
+ allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
+-allow colord_t self:tcp_socket { accept listen };
++allow colord_t self:tcp_socket create_stream_socket_perms;
+ allow colord_t self:shm create_shm_perms;
++allow colord_t self:udp_socket create_socket_perms;
++allow colord_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+ manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
+ dev_write_video_dev(colord_t)
+ dev_rw_printer(colord_t)
+ dev_read_rand(colord_t)
+-dev_read_sysfs(colord_t)
+ dev_read_urand(colord_t)
+-dev_list_sysfs(colord_t)
++dev_read_sysfs(colord_t)
+ dev_rw_generic_usb_dev(colord_t)
+
+ domain_use_interactive_fds(colord_t)
+
+ files_list_mnt(colord_t)
+-files_read_usr_files(colord_t)
+
+-fs_getattr_noxattr_fs(colord_t)
+-fs_getattr_tmpfs(colord_t)
++fs_getattr_all_fs(colord_t)
+ fs_list_noxattr_fs(colord_t)
+ fs_read_noxattr_fs_files(colord_t)
+ fs_search_all(colord_t)
+ fs_dontaudit_getattr_all_fs(colord_t)
++fs_getattr_tmpfs(colord_t)
++fs_read_cgroup_files(colord_t)
+
+ storage_getattr_fixed_disk_dev(colord_t)
+ storage_getattr_removable_dev(colord_t)
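Review bot: `fs_getattr_tmpfs(colord_t)` re-added at the end of this block is already covered by the new `fs_getattr_all_fs(colord_t)`, and the unchanged `fs_dontaudit_getattr_all_fs(colord_t)` two lines above it is now moot because the same access is allowed. Drop the redundant `fs_getattr_tmpfs` line and the dontaudit, or keep the narrower `fs_getattr_noxattr_fs`/`fs_getattr_tmpfs` pair instead of `fs_getattr_all_fs` if the filesystem-wide getattr was not intended.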
+@@ -100,19 +106,16 @@ init_read_state(colord_t)
+
+ auth_use_nsswitch(colord_t)
+
++init_read_state(colord_t)
++
+ logging_send_syslog_msg(colord_t)
+
+-miscfiles_read_localization(colord_t)
++systemd_read_logind_sessions_files(colord_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_getattr_nfs(colord_t)
+- fs_read_nfs_files(colord_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_getattr_cifs(colord_t)
+- fs_read_cifs_files(colord_t)
+-')
++userdom_rw_user_tmp_files(colord_t)
++userdom_home_reader(colord_t)
++userdom_list_user_home_content(colord_t)
++userdom_read_inherited_user_home_content_files(colord_t)
+
+ optional_policy(`
+ cups_read_config(colord_t)
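Review bot: The added `init_read_state(colord_t)` duplicates the call the hunk header shows already present above this hunk (`@@ ... init_read_state(colord_t)`), so it can be dropped. More importantly, the replaced `use_nfs_home_dirs`/`use_samba_home_dirs` blocks gave colord only getattr/read of NFS and CIFS home content when an administrator opted in, whereas `userdom_home_reader(colord_t)`, `userdom_list_user_home_content(colord_t)` and `userdom_rw_user_tmp_files(colord_t)` grant a system daemon unconditional read of every user's home directory and read/write of user temp files. If ICC profiles under the user's data home are the motivation (a later hunk adds `gnome_read_home_icc_data_content`), that narrower interface may suffice; otherwise add a comment stating which files colord needs and consider keeping the home-wide read behind a tunable.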
+@@ -120,6 +123,13 @@ optional_policy(`
+ cups_read_state(colord_t)
+ cups_stream_connect(colord_t)
+ cups_dbus_chat(colord_t)
++ cups_read_state(colord_t)
++')
++
++optional_policy(`
++ gnome_read_home_icc_data_content(colord_t)
++ # Fixes lots of breakage in F16 on upgrade
++ gnome_read_generic_data_home_files(colord_t)
+ ')
+
+ optional_policy(`
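Review bot: `cups_read_state(colord_t)` is added inside the cups block while the context line three lines above already contains the identical call, so the new line is a no-op duplicate and should be removed. The `# Fixes lots of breakage in F16 on upgrade` comment on the gnome block documents a symptom rather than the access; a comment naming what colord reads there, e.g. `# colord reads ICC profiles and other data under the user's XDG data home — confirm`, would let a later maintainer judge whether `gnome_read_generic_data_home_files` can be narrowed.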
+@@ -137,3 +147,16 @@ optional_policy(`
+ udev_read_db(colord_t)
+ udev_read_pid_files(colord_t)
+ ')
++
++optional_policy(`
++ xserver_dbus_chat_xdm(colord_t)
++ xserver_read_xdm_state(colord_t)
++ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
++ xserver_read_inherited_xdm_lib_files(colord_t)
++ # allow to read /run/initial-setup-$username
++ xserver_read_xdm_pid(colord_t)
++')
++
++optional_policy(`
++ zoneminder_rw_tmpfs_files(colord_t)
++')
+diff --git a/comsat.te b/comsat.te
+index c63cf85..dc6998b 100644
+--- a/comsat.te
++++ b/comsat.te
+@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
+ kernel_read_network_state(comsat_t)
+ kernel_read_system_state(comsat_t)
+
++corenet_all_recvfrom_netlabel(comsat_t)
++corenet_tcp_sendrecv_generic_if(comsat_t)
++corenet_udp_sendrecv_generic_if(comsat_t)
++corenet_tcp_sendrecv_generic_node(comsat_t)
++corenet_udp_sendrecv_generic_node(comsat_t)
++corenet_udp_sendrecv_all_ports(comsat_t)
++
+ dev_read_urand(comsat_t)
+
+ fs_getattr_xattr_fs(comsat_t)
+@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t)
+
+ logging_send_syslog_msg(comsat_t)
+
+-miscfiles_read_localization(comsat_t)
+-
+ userdom_dontaudit_getattr_user_ttys(comsat_t)
+
+ mta_getattr_spool(comsat_t)
+diff --git a/condor.fc b/condor.fc
+index ad2b696..28d1af0 100644
+--- a/condor.fc
++++ b/condor.fc
+@@ -1,6 +1,7 @@
+ /etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0)
+
+ /etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
++/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
+
+ /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
+ /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
+diff --git a/condor.if b/condor.if
+index 881d92f..a2d588a 100644
+--- a/condor.if
++++ b/condor.if
+@@ -1,75 +1,391 @@
+-## High-Throughput Computing System.
++
++## policy for condor
++
++#####################################
++##
++## Creates types and rules for a basic
++## condor init daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`condor_domain_template',`
++ gen_require(`
++ type condor_master_t;
++ attribute condor_domain;
++ ')
++
++ #############################
++ #
++ # Declarations
++ #
++
++ type condor_$1_t, condor_domain;
++ type condor_$1_exec_t;
++ init_daemon_domain(condor_$1_t, condor_$1_exec_t)
++ role system_r types condor_$1_t;
++
++ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
++ allow condor_master_t condor_$1_exec_t:file ioctl;
++
++ kernel_read_system_state(condor_$1_t)
++
++ corenet_all_recvfrom_netlabel(condor_$1_t)
++ corenet_all_recvfrom_unlabeled(condor_$1_t)
++
++ auth_use_nsswitch(condor_$1_t)
++
++ logging_send_syslog_msg(condor_$1_t)
++')
++
++########################################
++##
++## Transition to condor.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`condor_domtrans_master',`
++ gen_require(`
++ type condor_master_t, condor_master_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, condor_master_exec_t, condor_master_t)
++')
++
++#######################################
++##
++## Allows to start userland processes
++## by transitioning to the specified domain,
++## with a range transition.
++##
++##
++##
++## The process type entered by condor_startd.
++##
++##
++##
++##
++## The executable type for the entrypoint.
++##
++##
++##
++##
++## Range for the domain.
++##
++##
++#
++interface(`condor_startd_ranged_domtrans_to',`
++ gen_require(`
++ type sshd_t;
++ ')
++ condor_startd_domtrans_to($1, $2)
++
++
++ ifdef(`enable_mcs',`
++ range_transition condor_startd_t $2:process $3;
++ ')
++
++')
+
+ #######################################
+ ##
+-## The template to define a condor domain.
++## Allows to start userlandprocesses
++## by transitioning to the specified domain.
+ ##
+-##
++##
++##
++## The process type entered by condor_startd.
++##
++##
++##
++##
++## The executable type for the entrypoint.
++##
++##
++#
++interface(`condor_startd_domtrans_to',`
++ gen_require(`
++ type condor_startd_t;
++ ')
++
++ domtrans_pattern(condor_startd_t, $2, $1)
++')
++
++########################################
++##
++## Read condor's log files.
++##
++##
+ ##
+-## Domain prefix to be used.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+-template(`condor_domain_template',`
++interface(`condor_read_log',`
+ gen_require(`
+- attribute condor_domain;
+- type condor_master_t;
++ type condor_log_t;
+ ')
+
+- #############################
+- #
+- # Declarations
+- #
++ logging_search_logs($1)
++ read_files_pattern($1, condor_log_t, condor_log_t)
++')
+
+- type condor_$1_t, condor_domain;
+- type condor_$1_exec_t;
+- domain_type(condor_$1_t)
+- domain_entry_file(condor_$1_t, condor_$1_exec_t)
+- role system_r types condor_$1_t;
++########################################
++##
++## Append to condor log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_append_log',`
++ gen_require(`
++ type condor_log_t;
++ ')
+
+- #############################
+- #
+- # Policy
+- #
++ logging_search_logs($1)
++ append_files_pattern($1, condor_log_t, condor_log_t)
++')
+
+- domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
+- allow condor_master_t condor_$1_exec_t:file ioctl;
++########################################
++##
++## Manage condor log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_manage_log',`
++ gen_require(`
++ type condor_log_t;
++ ')
+
+- auth_use_nsswitch(condor_$1_t)
++ logging_search_logs($1)
++ manage_dirs_pattern($1, condor_log_t, condor_log_t)
++ manage_files_pattern($1, condor_log_t, condor_log_t)
++ manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
+ ')
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an condor environment.
++## Search condor lib directories.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`condor_search_lib',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
++
++ allow $1 condor_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read condor lib files.
++##
++##
+ ##
+-## Role allowed access.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`condor_admin',`
++interface(`condor_read_lib_files',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++######################################
++##
++## Read and write condor lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_rw_lib_files',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++##
++## Manage condor lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_manage_lib_files',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++##
++## Manage condor lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_manage_lib_dirs',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++##
++## Read condor PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_read_pid_files',`
+ gen_require(`
+- attribute condor_domain;
+- type condor_initrc_exec_config_t, condor_log_t;
+- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+- type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
++ type condor_var_run_t;
+ ')
+
+- allow $1 condor_domain:process { ptrace signal_perms };
++ files_search_pids($1)
++ allow $1 condor_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Execute condor server in the condor domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`condor_systemctl',`
++ gen_require(`
++ type condor_domain;
++ type condor_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 condor_unit_file_t:file read_file_perms;
++ allow $1 condor_unit_file_t:service manage_service_perms;
++
+ ps_process_pattern($1, condor_domain)
++')
++
++#######################################
++##
++## Read and write condor_startd server TCP sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_rw_tcp_sockets_startd',`
++ gen_require(`
++ type condor_startd_t;
++ ')
+
+- init_labeled_script_domtrans($1, condor_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 condor_initrc_exec_t system_r;
+- allow $2 system_r;
++ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
++')
++
++######################################
++##
++## Read and write condor_schedd server TCP sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_rw_tcp_sockets_schedd',`
++ gen_require(`
++ type condor_schedd_t;
++ ')
++
++ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an condor environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_admin',`
++ gen_require(`
++ attribute condor_domain;
++ type condor_initrc_exec_t, condor_log_t, condor_conf_t;
++ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
++ type condor_var_run_t, condor_startd_tmp_t;
++ type condor_unit_file_t;
++ ')
++
++ allow $1 condor_domain:process { signal_perms };
++ ps_process_pattern($1, condor_domain)
++
++ init_labeled_script_domtrans($1, condor_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 condor_initrc_exec_t system_r;
++ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, condor_conf_t)
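Review bot: `condor_systemctl` declares `type condor_domain;` in its gen_require, but condor_domain is an attribute (the template and `condor_admin` in this same hunk declare `attribute condor_domain;`); use `attribute condor_domain;` there too, since a type/attribute mismatch in a require block is likely to fail module linking. `condor_startd_ranged_domtrans_to` requires `type sshd_t;` which nothing in its body uses and carries two stray blank lines; drop the unused require. In the `condor_admin` header the second parameter is described as "Domain allowed access." twice, while `$2` is used in `role_transition $2 ...` and `allow $2 system_r;` — the removed text had it right, restore `## Role allowed access.` for the second entry. `condor_admin` also drops ptrace outright (`{ signal_perms }`) where `collectd_admin` and `conman_admin` in this patch gate it behind the `deny_ptrace` tunable; pick one convention. The body of `condor_admin` continues past the hunk.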
+@@ -77,8 +393,8 @@ interface(`condor_admin',`
+ logging_search_logs($1)
+ admin_pattern($1, condor_log_t)
+
+- files_search_locks($1)
+- admin_pattern($1, condor_var_lock_t)
++ files_search_locks($1)
++ admin_pattern($1, condor_var_lock_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, condor_var_lib_t)
+@@ -88,4 +404,13 @@ interface(`condor_admin',`
+
+ files_search_tmp($1)
+ admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
++
++ condor_systemctl($1)
++ admin_pattern($1, condor_unit_file_t)
++ allow $1 condor_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+ ')
+diff --git a/condor.te b/condor.te
+index ce9f040..32ebb0c 100644
+--- a/condor.te
++++ b/condor.te
+@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
+ type condor_startd_tmpfs_t;
+ files_tmpfs_file(condor_startd_tmpfs_t)
+
+-type condor_conf_t;
++type condor_conf_t alias condor_etc_rw_t;
+ files_config_file(condor_conf_t)
+
+ type condor_log_t;
+@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t)
+ type condor_var_run_t;
+ files_pid_file(condor_var_run_t)
+
++type condor_unit_file_t;
++systemd_unit_file(condor_unit_file_t)
++
+ condor_domain_template(collector)
+ condor_domain_template(negotiator)
+ condor_domain_template(procd)
+@@ -60,10 +63,18 @@ condor_domain_template(startd)
+ # Global local policy
+ #
+
++allow condor_domain self:capability dac_override;
++allow condor_domain self:capability2 block_suspend;
++
+ allow condor_domain self:process signal_perms;
+ allow condor_domain self:fifo_file rw_fifo_file_perms;
+-allow condor_domain self:tcp_socket { accept listen };
+-allow condor_domain self:unix_stream_socket { accept listen };
++allow condor_domain self:tcp_socket create_stream_socket_perms;
++allow condor_domain self:udp_socket create_socket_perms;
++allow condor_domain self:unix_stream_socket create_stream_socket_perms;
++allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
++
++allow condor_domain condor_etc_rw_t:dir list_dir_perms;
++rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
+
+ rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
+
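Review bot: Because `condor_conf_t` is now declared with `alias condor_etc_rw_t`, the added `rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)` refers to the same type as the unchanged `rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)` that follows it and is a duplicate; keep one and express the new dir permission on condor_conf_t directly. `allow condor_domain self:capability dac_override;` now lets every condor domain bypass file permission checks, while a later hunk removes the same capability from condor_master_t — if condor_master_t carries the condor_domain attribute the removal has no effect, and if not, a comment naming which daemon needs dac_override would justify the attribute-wide grant.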
+@@ -86,16 +97,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
+
+ allow condor_domain condor_master_t:process signull;
+ allow condor_domain condor_master_t:tcp_socket getattr;
++allow condor_domain condor_master_t:udp_socket { read write };
+
+ kernel_read_kernel_sysctls(condor_domain)
+ kernel_read_network_state(condor_domain)
+-kernel_read_system_state(condor_domain)
+
+ corecmd_exec_bin(condor_domain)
+ corecmd_exec_shell(condor_domain)
+
+-corenet_all_recvfrom_netlabel(condor_domain)
+-corenet_all_recvfrom_unlabeled(condor_domain)
+ corenet_tcp_sendrecv_generic_if(condor_domain)
+ corenet_tcp_sendrecv_generic_node(condor_domain)
+
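Review bot: `corenet_all_recvfrom_netlabel(condor_domain)` and `corenet_all_recvfrom_unlabeled(condor_domain)` are removed here and re-added only inside `condor_domain_template` in condor.if; `kernel_read_system_state` is restored for condor_master_t in a later hunk, but the two corenet calls are not, so condor_master_t appears to lose them unless it is itself declared through the template or obtains them outside this patch. Either add both calls to the master local-policy block next to `kernel_read_system_state(condor_master_t)`, or note why the master no longer needs them.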
+@@ -109,9 +118,9 @@ dev_read_rand(condor_domain)
+ dev_read_sysfs(condor_domain)
+ dev_read_urand(condor_domain)
+
+-logging_send_syslog_msg(condor_domain)
++auth_read_passwd(condor_domain)
+
+-miscfiles_read_localization(condor_domain)
++sysnet_dns_name_resolve(condor_domain)
+
+ sysnet_dns_name_resolve(condor_domain)
+
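Review bot: The added `sysnet_dns_name_resolve(condor_domain)` in place of the removed `miscfiles_read_localization` call duplicates the unchanged `sysnet_dns_name_resolve(condor_domain)` two lines below it; remove one. Replacing `logging_send_syslog_msg(condor_domain)` with `auth_read_passwd(condor_domain)` means syslog access for the condor domains now depends solely on the template and the master block re-adding it, which they do elsewhere in this patch — a one-line comment saying so would prevent it being "fixed" back.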
+@@ -130,7 +139,7 @@ optional_policy(`
+ # Master local policy
+ #
+
+-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
++allow condor_master_t self:capability { setuid setgid sys_ptrace };
+
+ allow condor_master_t condor_domain:process { sigkill signal };
+
+@@ -138,6 +147,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+ manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+ files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+
++can_exec(condor_master_t, condor_master_exec_t)
++
++kernel_read_system_state(condor_master_t)
++
+ corenet_udp_sendrecv_generic_if(condor_master_t)
+ corenet_udp_sendrecv_generic_node(condor_master_t)
+ corenet_tcp_bind_generic_node(condor_master_t)
+@@ -157,6 +170,8 @@ domain_read_all_domains_state(condor_master_t)
+
+ auth_use_nsswitch(condor_master_t)
+
++logging_send_syslog_msg(condor_master_t)
++
+ optional_policy(`
+ mta_send_mail(condor_master_t)
+ mta_read_config(condor_master_t)
+@@ -174,6 +189,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+
+ kernel_read_network_state(condor_collector_t)
+
++corenet_tcp_bind_http_port(condor_collector_t)
++
+ #####################################
+ #
+ # Negotiator local policy
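Review bot: `corenet_tcp_bind_http_port(condor_collector_t)` lets the collector listen on the HTTP port with no comment on which feature needs it; add a why-comment, e.g. `# collector web interface — confirm port and feature`, so a reviewer can tell whether a condor-specific port would be the narrower choice.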
+@@ -183,6 +200,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+ allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
+ allow condor_negotiator_t condor_master_t:udp_socket getattr;
+
++corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
++
+ ######################################
+ #
+ # Procd local policy
+@@ -206,6 +225,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+
+ allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
+
++allow condor_schedd_t condor_master_tmp_t:dir getattr;
++
+ domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
+ domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
+
+@@ -214,6 +235,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+ relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+ files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
+
++corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
++
+ #####################################
+ #
+ # Startd local policy
+@@ -238,11 +261,10 @@ domain_read_all_domains_state(condor_startd_t)
+ mcs_process_set_categories(condor_startd_t)
+
+ init_domtrans_script(condor_startd_t)
++init_initrc_domain(condor_startd_t)
+
+ libs_exec_lib_files(condor_startd_t)
+
+-files_read_usr_files(condor_startd_t)
+-
+ optional_policy(`
+ ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
+ ssh_domtrans(condor_startd_t)
+@@ -254,3 +276,7 @@ optional_policy(`
+ kerberos_use(condor_startd_ssh_t)
+ ')
+ ')
++
++optional_policy(`
++ unconfined_domain(condor_startd_t)
++')
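Review bot: `unconfined_domain(condor_startd_t)` makes the startd daemon effectively unconfined whenever the unconfined module is loaded, discarding the confinement the rest of condor.te builds for it and largely bypassing the `condor_startd_domtrans_to`/ranged-transition interfaces added in condor.if to launch jobs in specific domains. If this is a workaround, add a comment stating the denials it papers over and consider gating it behind a tunable so administrators can keep startd confined; if it is intended, document it in the module header.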
+diff --git a/conman.fc b/conman.fc
+new file mode 100644
+index 0000000..d2f5c80
+--- /dev/null
++++ b/conman.fc
+@@ -0,0 +1,8 @@
++/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0)
++
++/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0)
++
++/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
++/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
++
++/var/run/conmand.* -- gen_context(system_u:object_r:conman_var_run_t,s0)
+diff --git a/conman.if b/conman.if
+new file mode 100644
+index 0000000..1cc5fa4
+--- /dev/null
++++ b/conman.if
+@@ -0,0 +1,143 @@
++## Conman is a program for connecting to remote consoles being managed by conmand
++
++########################################
++##
++## Execute conman in the conman domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`conman_domtrans',`
++ gen_require(`
++ type conman_t, conman_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, conman_exec_t, conman_t)
++')
++
++########################################
++##
++## Read conman's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`conman_read_log',`
++ gen_require(`
++ type conman_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++##
++## Append to conman log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`conman_append_log',`
++ gen_require(`
++ type conman_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++##
++## Manage conman log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`conman_manage_log',`
++ gen_require(`
++ type conman_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, conman_log_t, conman_log_t)
++ manage_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++##
++## Execute conman server in the conman domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`conman_systemctl',`
++ gen_require(`
++ type conman_t;
++ type conman_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 conman_unit_file_t:file read_file_perms;
++ allow $1 conman_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, conman_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an conman environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`conman_admin',`
++ gen_require(`
++ type conman_t;
++ type conman_log_t;
++ type conman_unit_file_t;
++ ')
++
++ allow $1 conman_t:process { signal_perms };
++ ps_process_pattern($1, conman_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 conman_t:process ptrace;
++ ')
++
++ logging_search_logs($1)
++ admin_pattern($1, conman_log_t)
++
++ conman_systemctl($1)
++ admin_pattern($1, conman_unit_file_t)
++ allow $1 conman_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
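Review bot: `conman_admin` only administers conman_t, conman_log_t and conman_unit_file_t, whereas conman.te declares conman_tmp_t and conman_var_run_t as well; require those types and add the `files_search_pids`/`files_search_tmp` plus `admin_pattern` calls for them, matching how `collectd_admin` and `condor_admin` in this patch cover their var_run and tmp types. Minor: the `conman_domtrans` header has a typo, `domin` → `domain`, and two consecutive blank lines precede the `conman_admin` header.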
+diff --git a/conman.te b/conman.te
+new file mode 100644
+index 0000000..3bc9494
+--- /dev/null
++++ b/conman.te
+@@ -0,0 +1,78 @@
++policy_module(conman, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
++## Determine whether conman can
++## connect to all TCP ports
++##
++##
++gen_tunable(conman_can_network, false)
++
++type conman_t;
++type conman_exec_t;
++init_daemon_domain(conman_t, conman_exec_t)
++
++type conman_log_t;
++logging_log_file(conman_log_t)
++
++type conman_tmp_t;
++files_tmp_file(conman_tmp_t)
++
++type conman_var_run_t;
++files_pid_file(conman_var_run_t)
++
++type conman_unit_file_t;
++systemd_unit_file(conman_unit_file_t)
++
++########################################
++#
++# conman local policy
++#
++
++allow conman_t self:capability { sys_tty_config };
++allow conman_t self:process { setrlimit signal_perms };
++
++allow conman_t self:fifo_file rw_fifo_file_perms;
++allow conman_t self:unix_stream_socket create_stream_socket_perms;
++allow conman_t self:tcp_socket { accept listen create_socket_perms };
++
++manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
++manage_files_pattern(conman_t, conman_log_t, conman_log_t)
++logging_log_filetrans(conman_t, conman_log_t, { dir })
++
++manage_files_pattern(conman_t, conman_tmp_t, conman_tmp_t)
++manage_dirs_pattern(conman_t, conman_tmp_t, conman_tmp_t)
++files_tmp_filetrans(conman_t, conman_tmp_t, { file dir })
++
++manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
++files_pid_filetrans(conman_t, conman_var_run_t, file)
++
++auth_use_nsswitch(conman_t)
++
++corenet_tcp_bind_generic_node(conman_t)
++corenet_tcp_bind_conman_port(conman_t)
++
++corenet_tcp_connect_all_ephemeral_ports(conman_t)
++
++corecmd_exec_bin(conman_t)
++
++logging_send_syslog_msg(conman_t)
++
++sysnet_dns_name_resolve(conman_t)
++
++userdom_use_user_ptys(conman_t)
++
++tunable_policy(`conman_can_network',`
++ corenet_sendrecv_all_client_packets(conman_t)
++ corenet_tcp_connect_all_ports(conman_t)
++ corenet_tcp_sendrecv_all_ports(conman_t)
++')
++
++optional_policy(`
++ freeipmi_stream_connect(conman_t)
++')
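Review bot: `corenet_tcp_connect_all_ephemeral_ports(conman_t)` sits outside the conman_can_network tunable_policy block, so conman_t can open outbound TCP connections to any port in the ephemeral range even with the boolean off, which makes the tunable description "connect to all TCP ports" only partly true. If the unconditional ephemeral connect is needed for terminal servers listening on high ports (the patch does not say), a comment above that line should state it; otherwise move it inside the tunable block next to `corenet_tcp_connect_all_ports(conman_t)`. Separately, `logging_log_filetrans(conman_t, conman_log_t, { dir })` only transitions directories, so a flat log file created directly under /var/log would inherit the generic log type; add `file` to the class set if conman writes one there.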
+diff --git a/consolekit.fc b/consolekit.fc
+index 23c9558..29e5fd3 100644
+--- a/consolekit.fc
++++ b/consolekit.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
++
+ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
+ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+diff --git a/consolekit.if b/consolekit.if
+index 5b830ec..78025c5 100644
+--- a/consolekit.if
++++ b/consolekit.if
+@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
+
+ ########################################
+ ##
++## dontaudit Send and receive messages from
++## consolekit over dbus.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`consolekit_dontaudit_dbus_chat',`
++ gen_require(`
++ type consolekit_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 consolekit_t:dbus send_msg;
++ dontaudit consolekit_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Send and receive messages from
+ ## consolekit over dbus.
+ ##
+@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',`
+
+ ########################################
+ ##
++## Dontaudit attempts to read consolekit log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`consolekit_dontaudit_read_log',`
++ gen_require(`
++ type consolekit_log_t;
++ ')
++
++ dontaudit $1 consolekit_log_t:file read_file_perms;
++')
++
++########################################
++##
+ ## Read consolekit log files.
+ ##
+ ##
+@@ -98,3 +137,65 @@ interface(`consolekit_read_pid_files',`
+ allow $1 consolekit_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+ ')
++
++########################################
++##
++## List consolekit PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`consolekit_list_pid_files',`
++ gen_require(`
++ type consolekit_var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
++')
++
++########################################
++##
++## Allow the domain to read consolekit state files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`consolekit_read_state',`
++ gen_require(`
++ type consolekit_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, consolekit_t)
++')
++
++########################################
++##
++## Execute consolekit server in the consolekit domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`consolekit_systemctl',`
++ gen_require(`
++ type consolekit_t;
++ type consolekit_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 consolekit_unit_file_t:file read_file_perms;
++ allow $1 consolekit_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, consolekit_t)
++')
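Review bot: The summary on `consolekit_systemctl` ("Execute consolekit server in the consolekit domain" / "Domain allowed to transition") does not match what the interface grants: there is no domain transition here, only `systemd_exec_systemctl`, `init_reload_services`, read on the unit file and `manage_service_perms` on the `service` class. Suggest `## Manage the consolekit service with systemctl (start/stop/status via its unit file).` and `## Domain allowed access.` The same mismatched wording is used on the other *_systemctl interfaces added by this patch.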
+diff --git a/consolekit.te b/consolekit.te
+index bd18063..47c8fd0 100644
+--- a/consolekit.te
++++ b/consolekit.te
+@@ -19,21 +19,23 @@ type consolekit_var_run_t;
+ files_pid_file(consolekit_var_run_t)
+ init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
+
++type consolekit_unit_file_t;
++systemd_unit_file(consolekit_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
++
+ allow consolekit_t self:process { getsched signal };
+ allow consolekit_t self:fifo_file rw_fifo_file_perms;
+ allow consolekit_t self:unix_stream_socket { accept listen };
+
+-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
++manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
++manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
++logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
+
+ manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+ manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
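Review bot: The log rules move from create/append/read/setattr to `manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)`, which additionally gives the daemon write, unlink and rename on its own history under /var/log/ConsoleKit (labelled consolekit_log_t in consolekit.fc). The previous set kept the log append-only from the daemon's point of view, which is exactly the property an incident responder relies on if the daemon is compromised. If only directory creation was missing, `manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` plus the old `create_files_pattern`/`append_files_pattern`/`read_files_pattern`/`setattr_files_pattern` lines cover it; if the daemon really rotates or truncates its log itself, a comment saying so would justify the wider grant.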
+@@ -54,38 +56,37 @@ dev_read_sysfs(consolekit_t)
+
+ domain_read_all_domains_state(consolekit_t)
+ domain_use_interactive_fds(consolekit_t)
+-domain_dontaudit_ptrace_all_domains(consolekit_t)
+
+-files_read_usr_files(consolekit_t)
++# needs to read /var/lib/dbus/machine-id
+ files_read_var_lib_files(consolekit_t)
+ files_search_all_mountpoints(consolekit_t)
+
+ fs_list_inotifyfs(consolekit_t)
+
+-mcs_ptrace_all(consolekit_t)
+-
+ term_use_all_terms(consolekit_t)
+
+ auth_use_nsswitch(consolekit_t)
+ auth_manage_pam_console_data(consolekit_t)
+ auth_write_login_records(consolekit_t)
+ auth_create_pam_console_data_dirs(consolekit_t)
+-auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
++
++init_read_utmp(consolekit_t)
+
+ logging_send_syslog_msg(consolekit_t)
+ logging_send_audit_msgs(consolekit_t)
+
+-miscfiles_read_localization(consolekit_t)
++systemd_exec_systemctl(consolekit_t)
++systemd_start_power_services(consolekit_t)
+
++userdom_read_all_users_state(consolekit_t)
+ userdom_dontaudit_read_user_home_content_files(consolekit_t)
++userdom_dontaudit_getattr_admin_home_files(consolekit_t)
+ userdom_read_user_tmp_files(consolekit_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(consolekit_t)
+-')
++userdom_home_reader(consolekit_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(consolekit_t)
++optional_policy(`
++ cron_read_system_job_lib_files(consolekit_t)
+ ')
+
+ optional_policy(`
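Review bot: `userdom_home_reader(consolekit_t)` replaces the two tunable-gated `fs_read_nfs_files`/`fs_read_cifs_files` rules but, judging by its name, grants consolekit read access to user home content regardless of the use_nfs_home_dirs/use_samba_home_dirs booleans; a comment stating what consolekit actually needs to read in home directories would justify the wider grant. It also sits oddly beside `userdom_dontaudit_read_user_home_content_files(consolekit_t)` a few lines above, which implies those reads were previously treated as unwanted noise rather than a requirement. `systemd_start_power_services(consolekit_t)` likewise deserves a one-line comment (presumably for the stop/restart/suspend path), since it lets the daemon start power-management units.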
+@@ -109,13 +110,6 @@ optional_policy(`
+ ')
+ ')
+
+-optional_policy(`
+- hal_ptrace(consolekit_t)
+-')
+-
+-optional_policy(`
+- networkmanager_append_log_files(consolekit_t)
+-')
+
+ optional_policy(`
+ policykit_domtrans_auth(consolekit_t)
+diff --git a/corosync.fc b/corosync.fc
+index da39f0f..6a96733 100644
+--- a/corosync.fc
++++ b/corosync.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
++
+ /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+ /usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+diff --git a/corosync.if b/corosync.if
+index 694a037..d859681 100644
+--- a/corosync.if
++++ b/corosync.if
+@@ -77,6 +77,25 @@ interface(`corosync_read_log',`
+ read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+ ')
+
++#######################################
++##
++## Setattr corosync log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corosync_setattr_log',`
++ gen_require(`
++ type corosync_var_log_t;
++ ')
++
++ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
++')
++
++
+ #####################################
+ ##
+ ## Connect to corosync over a unix
+@@ -91,29 +110,55 @@ interface(`corosync_read_log',`
+ interface(`corosync_stream_connect',`
+ gen_require(`
+ type corosync_t, corosync_var_run_t;
++ type corosync_var_lib_t;
+ ')
+
+ files_search_pids($1)
++ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
+ stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+ ')
+
+ ######################################
+ ##
+-## Read and write corosync tmpfs files.
++## Allow the specified domain to read/write corosync's tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corosync_rw_tmpfs',`
++ gen_require(`
++ type corosync_tmpfs_t;
++ ')
++
++ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
++
++')
++
++########################################
++##
++## Execute corosync server in the corosync domain.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
+ #
+-interface(`corosync_rw_tmpfs',`
++interface(`corosync_systemctl',`
+ gen_require(`
+- type corosync_tmpfs_t;
++ type corosync_t;
++ type corosync_unit_file_t;
+ ')
+
+- fs_search_tmpfs($1)
+- rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 corosync_unit_file_t:file read_file_perms;
++ allow $1 corosync_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, corosync_t)
+ ')
+
+ ######################################
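Review bot: `corosync_rw_tmpfs` no longer calls `fs_search_tmpfs($1)`, yet `rw_files_pattern` only grants search on corosync_tmpfs_t directories, not on the tmpfs mount itself, so a caller that does not obtain tmpfs search elsewhere will now be denied traversing to the file. The same applies to the new `stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)` line in `corosync_stream_connect`, which is added without a matching `files_search_var_lib($1)` next to the existing `files_search_pids($1)`. Suggest restoring `fs_search_tmpfs($1)` in `corosync_rw_tmpfs` and adding `files_search_var_lib($1)` in `corosync_stream_connect`, unless every caller is known to already have both.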
+@@ -160,12 +205,17 @@ interface(`corosync_admin',`
+ type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+ type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
+ type corosync_initrc_exec_t;
++ type corosync_unit_file_t;
+ ')
+
+- allow $1 corosync_t:process { ptrace signal_perms };
++ allow $1 corosync_t:process signal_perms;
+ ps_process_pattern($1, corosync_t)
+
+- corosync_initrc_domtrans($1)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 corosync_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 corosync_initrc_exec_t system_r;
+ allow $2 system_r;
+@@ -183,4 +233,8 @@ interface(`corosync_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, corosync_var_run_t)
++
++ corosync_systemctl($1)
++ admin_pattern($1, corosync_unit_file_t)
++ allow $1 corosync_unit_file_t:service all_service_perms;
+ ')
+diff --git a/corosync.te b/corosync.te
+index d5aa1e4..837e0a8 100644
+--- a/corosync.te
++++ b/corosync.te
+@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
+ type corosync_var_run_t;
+ files_pid_file(corosync_var_run_t)
+
++type corosync_unit_file_t;
++systemd_unit_file(corosync_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
+ domain_read_all_domains_state(corosync_t)
+
+ files_manage_mounttab(corosync_t)
+-files_read_usr_files(corosync_t)
+
+ auth_use_nsswitch(corosync_t)
+
+@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
+ miscfiles_read_localization(corosync_t)
+
+ userdom_read_user_tmp_files(corosync_t)
+-userdom_manage_user_tmpfs_files(corosync_t)
++userdom_delete_user_tmp_files(corosync_t)
++userdom_rw_user_tmp_files(corosync_t)
++
++optional_policy(`
++ fs_manage_tmpfs_files(corosync_t)
++ init_manage_script_status_files(corosync_t)
++')
+
+ optional_policy(`
+ ccs_read_config(corosync_t)
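Review bot: The `optional_policy` wrapper around `fs_manage_tmpfs_files(corosync_t)` and `init_manage_script_status_files(corosync_t)` buys nothing: `fs_*` and `init_*` interfaces belong to the filesystem and init modules that are always present in a base policy, so the block is never disabled. The bigger concern is `fs_manage_tmpfs_files`, which allows create/write/unlink on every generic tmpfs_t file (for example other services' shared memory under /dev/shm); corosync already owns a corosync_tmpfs_t type (required by `corosync_admin` in this same patch), so a transition into that type is the narrower choice. If the generic access is genuinely required, drop the wrapper and add a comment naming the file corosync writes there.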
+@@ -129,20 +137,29 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ lvm_rw_clvmd_tmpfs_files(corosync_t)
++ lvm_delete_clvmd_tmpfs_files(corosync_t)
++')
++
++optional_policy(`
+ qpidd_rw_shm(corosync_t)
+ ')
+
+ optional_policy(`
+- rhcs_getattr_fenced_exec_files(corosync_t)
++ rhcs_getattr_fenced(corosync_t)
++ # to communication with RHCS
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
+ rhcs_stream_connect_cluster(corosync_t)
++ rhcs_read_cluster_lib_files(corosync_t)
++ rhcs_manage_cluster_lib_files(corosync_t)
++ rhcs_relabel_cluster_lib_files(corosync_t)
+ ')
+
+ optional_policy(`
+- rgmanager_manage_tmpfs_files(corosync_t)
++ rpc_search_nfs_state_data(corosync_t)
+ ')
+
+ optional_policy(`
+- rpc_search_nfs_state_data(corosync_t)
+-')
+\ No newline at end of file
++ wdmd_rw_tmpfs(corosync_t)
++')
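Review bot: `rhcs_relabel_cluster_lib_files(corosync_t)` lets corosync relabel cluster lib files, a stronger permission than the read/manage rules beside it and one normally reserved for restorecon-style tooling, and the comment `# to communication with RHCS` does not explain why a relabel is needed (it should also read `# to communicate with RHCS`). If the relabel only papers over files being created with the wrong label, a file transition is the tighter fix; otherwise please add a comment naming the operation that triggers the relabelfrom/relabelto.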
+diff --git a/couchdb.fc b/couchdb.fc
+index c086302..5380ab6 100644
+--- a/couchdb.fc
++++ b/couchdb.fc
+@@ -1,8 +1,10 @@
+-/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
+-
+ /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
+
+-/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
++/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
++
++/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
++
++/usr/libexec/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
+
+ /var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
+
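Review bot: The executable label moves from `/usr/bin/couchdb` to `/usr/libexec/couchdb` with no entry retained for the old path; if a package build still installs a wrapper at /usr/bin/couchdb, it will be labelled bin_t and a service started from it will not transition into couchdb_t, leaving it in the init domain and effectively unconfined. Unless the old path is known to be gone on every target, keep `/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)` alongside the new libexec entry.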
+diff --git a/couchdb.if b/couchdb.if
+index 715a826..a1cbdb2 100644
+--- a/couchdb.if
++++ b/couchdb.if
+@@ -2,7 +2,7 @@
+
+ ########################################
+ ##
+-## Read couchdb log files.
++## Allow to read couchdb log files.
+ ##
+ ##
+ ##
+@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',`
+ type couchdb_log_t;
+ ')
+
+- logging_search_logs($1)
++ files_search_var_lib($1)
+ read_files_pattern($1, couchdb_log_t, couchdb_log_t)
+ ')
+
+ ########################################
+ ##
+-## Read, write, and create couchdb lib files.
++## Allow to read couchdb lib files.
+ ##
+ ##
+ ##
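Review bot: `couchdb_read_log_files` now grants `files_search_var_lib($1)` instead of `logging_search_logs($1)` while still reading couchdb_log_t files; unless couchdb's log directory lives under /var/lib (the fc changes in this patch do not show where it is labelled), a caller will no longer be able to traverse /var/log to reach the files. If the logs really are under /var/lib, a one-line comment saying so would stop the next reader from "fixing" it back; otherwise restore `logging_search_logs($1)`.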
+@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',`
+ ##
+ ##
+ #
+-interface(`couchdb_manage_lib_files',`
++interface(`couchdb_read_lib_files',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',`
+
+ ########################################
+ ##
+-## Read couchdb config files.
++## All of the rules required to
++## administrate an couchdb environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_manage_lib_files',`
++ gen_require(`
++ type couchdb_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++##
++## Manage couchdb lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_manage_lib_dirs',`
++ gen_require(`
++ type couchdb_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++##
++## Allow to read couchdb conf files.
+ ##
+ ##
+ ##
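Review bot: The summary on the new `couchdb_manage_lib_files` reads "All of the rules required to administrate an couchdb environment", which is the admin interface's text and wrong for an interface that only grants `manage_files_pattern` on couchdb_var_lib_t; suggest `## Create, read, write, and delete couchdb lib files.` The renamed `couchdb_read_lib_files` in the preceding hunk keeps its body outside the visible lines, so it is worth confirming it was actually narrowed to a read pattern and not merely retitled, since a "read" interface that still grants manage would mislead every caller.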
+@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',`
+ type couchdb_conf_t;
+ ')
+
+- files_search_etc($1)
++ files_search_var_lib($1)
+ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
+ ')
+
+ ########################################
+ ##
+-## Read couchdb pid files.
++## Read couchdb PID files.
+ ##
+ ##
+ ##
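Review bot: `couchdb_read_conf_files` switches from `files_search_etc($1)` to `files_search_var_lib($1)`, but couchdb.fc in this same patch still labels `/etc/couchdb(/.*)?` as couchdb_conf_t, so the search permission no longer matches where the configuration lives and callers lacking etc search from elsewhere will be denied. Restore `files_search_etc($1)` unless the config really moved under /var/lib, in which case it is the fc entry that is wrong.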
+@@ -73,19 +112,88 @@ interface(`couchdb_read_pid_files',`
+ ')
+
+ files_search_pids($1)
+- read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
++ allow $1 couchdb_var_run_t:file read_file_perms;
++')
++
++#######################################
++##
++## Search couchdb PID dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_search_pid_dirs',`
++ gen_require(`
++ type couchdb_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 couchdb_var_run_t:dir search_dir_perms;
++')
++
++#######################################
++##
++## Allow domain to manage couchdb content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_manage_files',`
++ gen_require(`
++ type couchdb_var_run_t;
++ type couchdb_log_t;
++ type couchdb_var_lib_t;
++ type couchdb_conf_t;
++ ')
++
++ manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
++ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
++ manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
+ ')
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an couchdb environment.
++## Execute couchdb server in the couchdb domain.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
++#
++interface(`couchdb_systemctl',`
++ gen_require(`
++ type couchdb_t;
++ type couchdb_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 couchdb_unit_file_t:file read_file_perms;
++ allow $1 couchdb_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, couchdb_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an couchdb environment
++##
++##
++##
++## Domain allowed access.
++##
++##
+ ##
+ ##
+ ## Role allowed access.
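Review bot: `couchdb_read_pid_files` drops `read_files_pattern` for a bare `allow $1 couchdb_var_run_t:file read_file_perms;`, which removes the search permission on couchdb_var_run_t directories that the pattern macro used to include; callers now also need the new `couchdb_search_pid_dirs`, and the doc should say so, e.g. `## Read couchdb PID files (callers also need couchdb_search_pid_dirs).` `couchdb_manage_files` likewise grants manage on conf, lib, log and PID files with no search rules at all, and its summary "manage couchdb content" undersells that it includes the configuration; listing the four types in the description would help a policy auditor.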
+@@ -95,14 +203,19 @@ interface(`couchdb_read_pid_files',`
+ #
+ interface(`couchdb_admin',`
+ gen_require(`
++ type couchdb_unit_file_t;
+ type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
+ type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
+ type couchdb_tmp_t;
+ ')
+
+- allow $1 couchdb_t:process { ptrace signal_perms };
++ allow $1 couchdb_t:process { signal_perms };
+ ps_process_pattern($1, couchdb_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 couchdb_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 couchdb_initrc_exec_t system_r;
+@@ -122,4 +235,13 @@ interface(`couchdb_admin',`
+
+ files_search_pids($1)
+ admin_pattern($1, couchdb_var_run_t)
++
++ admin_pattern($1, couchdb_unit_file_t)
++ couchdb_systemctl($1)
++ allow $1 couchdb_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+ ')
+diff --git a/couchdb.te b/couchdb.te
+index ae1c1b1..6238c82 100644
+--- a/couchdb.te
++++ b/couchdb.te
+@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
+ type couchdb_var_run_t;
+ files_pid_file(couchdb_var_run_t)
+
++type couchdb_unit_file_t;
++systemd_unit_file(couchdb_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow couchdb_t self:process { setsched signal signull sigkill };
++allow couchdb_t self:process { execmem setsched signal signull sigkill };
+ allow couchdb_t self:fifo_file rw_fifo_file_perms;
+ allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
++allow couchdb_t self:unix_dgram_socket create_socket_perms;
+ allow couchdb_t self:tcp_socket { accept listen };
+
+-allow couchdb_t couchdb_conf_t:dir list_dir_perms;
+-allow couchdb_t couchdb_conf_t:file read_file_perms;
++manage_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)
+
+ manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
+ append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
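Review bot: `execmem` is added to `allow couchdb_t self:process`, which permits writable-and-executable anonymous memory for the daemon and weakens the W^X guarantee the rest of the policy provides; this is normally justified with a comment naming the component that needs it (presumably the Erlang VM, but the patch does not say). The config access also widens from `list_dir_perms`/`read_file_perms` on couchdb_conf_t to `manage_files_pattern`, so the daemon can now create, unlink and rename its own configuration; if the need is only to rewrite an existing file, `rw_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)` is the narrower rule. Either way a `# needed for ...` comment on each of these two lines would make the privilege grant auditable.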
+@@ -56,11 +59,12 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
+
+ manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
+ manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
+-files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir)
++files_pid_filetrans(couchdb_t, couchdb_var_run_t, {file dir })
+
+ can_exec(couchdb_t, couchdb_exec_t)
+
+ kernel_read_system_state(couchdb_t)
++kernel_read_fs_sysctls(couchdb_t)
+
+ corecmd_exec_bin(couchdb_t)
+ corecmd_exec_shell(couchdb_t)
+@@ -75,14 +79,23 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
+ corenet_tcp_bind_couchdb_port(couchdb_t)
+ corenet_tcp_sendrecv_couchdb_port(couchdb_t)
+
++# disksup tries to monitor the local disks
++fs_getattr_all_files(couchdb_t)
++fs_getattr_all_dirs(couchdb_t)
++fs_getattr_all_fs(couchdb_t)
++files_getattr_all_mountpoints(couchdb_t)
++files_search_all_mountpoints(couchdb_t)
++files_getattr_lost_found_dirs(couchdb_t)
++files_dontaudit_list_var(couchdb_t)
++
+ dev_list_sysfs(couchdb_t)
+ dev_read_sysfs(couchdb_t)
+ dev_read_urand(couchdb_t)
+
+-files_read_usr_files(couchdb_t)
++auth_use_nsswitch(couchdb_t)
+
+-fs_getattr_xattr_fs(couchdb_t)
++optional_policy(`
++ rpc_read_nfs_state_data(couchdb_t)
++')
+
+-auth_use_nsswitch(couchdb_t)
+
+-miscfiles_read_localization(couchdb_t)
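Review bot: `fs_getattr_all_files(couchdb_t)` and `fs_getattr_all_dirs(couchdb_t)` grant getattr on every file and directory on every filesystem, which is far broader than the comment `# disksup tries to monitor the local disks` suggests: disk-usage monitoring needs statfs on the filesystems and getattr on mount points, and `fs_getattr_all_fs`, `files_getattr_all_mountpoints` and `files_search_all_mountpoints` in the same hunk already cover that. Suggest dropping the two all-files/all-dirs rules, or replacing them with their dontaudit counterparts if they were added only to silence noise, so a compromised couchdb cannot enumerate metadata of arbitrary files.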
+diff --git a/courier.fc b/courier.fc
+index 2f017a0..defdc87 100644
+--- a/courier.fc
++++ b/courier.fc
+@@ -11,17 +11,18 @@
+ /usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+
+ /usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+-/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+-/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+-/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+-/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
++/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
++/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+
++ifdef(`distro_gentoo',`
++/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
++')
+
+ /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+ /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
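Review bot: `/usr/lib/courier-imap/couriertcpd` is now labelled courier_tcpd_exec_t only inside the distro_gentoo ifdef, and `/usr/lib/courier/courier-authlib/.*` is dropped entirely; on any other distribution that still installs those paths the binaries fall back to lib_t and whoever executes them stays in the caller's domain instead of transitioning to courier_tcpd_t or courier_authdaemon_t. If the paths are known not to exist outside Gentoo a comment saying so would help; otherwise keep the unconditional entries.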
+diff --git a/courier.if b/courier.if
+index 10f820f..acdb179 100644
+--- a/courier.if
++++ b/courier.if
+@@ -1,12 +1,12 @@
+-## Courier IMAP and POP3 email servers.
++## Courier IMAP and POP3 email servers
+
+-#######################################
++########################################
+ ##
+-## The template to define a courier domain.
++## Template for creating courier server processes.
+ ##
+-##
++##
+ ##
+-## Domain prefix to be used.
++## Prefix name of the server process.
+ ##
+ ##
+ #
+@@ -15,7 +15,7 @@ template(`courier_domain_template',`
+ attribute courier_domain;
+ ')
+
+- ########################################
++ ##############################
+ #
+ # Declarations
+ #
+@@ -24,18 +24,30 @@ template(`courier_domain_template',`
+ type courier_$1_exec_t;
+ init_daemon_domain(courier_$1_t, courier_$1_exec_t)
+
+- ########################################
++ ##############################
+ #
+- # Policy
++ # Declarations
+ #
+
+ can_exec(courier_$1_t, courier_$1_exec_t)
++
++ kernel_read_system_state(courier_$1_t)
++
++ corenet_all_recvfrom_netlabel(courier_$1_t)
++ corenet_tcp_sendrecv_generic_if(courier_$1_t)
++ corenet_udp_sendrecv_generic_if(courier_$1_t)
++ corenet_tcp_sendrecv_generic_node(courier_$1_t)
++ corenet_udp_sendrecv_generic_node(courier_$1_t)
++ corenet_tcp_sendrecv_all_ports(courier_$1_t)
++ corenet_udp_sendrecv_all_ports(courier_$1_t)
++
++ logging_send_syslog_msg(courier_$1_t)
+ ')
+
+ ########################################
+ ##
+-## Execute the courier authentication
+-## daemon with a domain transition.
++## Execute the courier authentication daemon with
++## a domain transition.
+ ##
+ ##
+ ##
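Review bot: In `courier_domain_template` the section banner was changed from `# Policy` to `# Declarations`, but the section still holds `can_exec` and the network/syslog rules rather than type declarations, so the heading now misleads; keep `# Policy`. The template also gives every courier_$1_t domain `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports`, which is broader than the per-port rules the tcpd domain carries in courier.te (e.g. `corenet_tcp_sendrecv_pop_port(courier_tcpd_t)`); if only the tcpd domain talks to the network, these belong there rather than in the shared template.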
+@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',`
+ type courier_authdaemon_t, courier_authdaemon_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
+ ')
+
+ #######################################
+ ##
+-## Connect to courier-authdaemon over
+-## a unix stream socket.
++## Connect to courier-authdaemon over a unix stream socket.
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+ interface(`courier_stream_connect_authdaemon',`
+- gen_require(`
+- type courier_authdaemon_t, courier_spool_t;
+- ')
++ gen_require(`
++ type courier_authdaemon_t, courier_spool_t;
++ ')
+
+ files_search_spool($1)
+- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
++ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+ ')
+
+ ########################################
+ ##
+-## Execute the courier POP3 and IMAP
+-## server with a domain transition.
++## Execute the courier POP3 and IMAP server with
++## a domain transition.
+ ##
+ ##
+ ##
+@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',`
+ type courier_pop_t, courier_pop_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
+ ')
+
+ ########################################
+ ##
+-## Read courier config files.
++## Read courier config files
+ ##
+ ##
+ ##
+@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',`
+ type courier_spool_t;
+ ')
+
+- files_search_var($1)
++ files_search_spool($1)
+ manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',`
+ ## Create, read, write, and delete courier
+ ## spool files.
+ ##
+-##
++##
+ ##
+ ## Domain allowed access.
+ ##
+@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',`
+ type courier_spool_t;
+ ')
+
+- files_search_var($1)
++ files_search_spool($1)
+ manage_files_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+@@ -166,13 +175,13 @@ interface(`courier_read_spool',`
+ type courier_spool_t;
+ ')
+
+- files_search_var($1)
++ files_search_spool($1)
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write courier spool pipes.
++## Read and write to courier spool pipes.
+ ##
+ ##
+ ##
+@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',`
+ type courier_spool_t;
+ ')
+
+- files_search_var($1)
+ allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
+ ')
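Review bot: `courier_rw_spool_pipes` loses `files_search_var($1)` without gaining the `files_search_spool($1)` that the sibling spool interfaces in this patch now call, so a caller without spool search from elsewhere can no longer reach the fifo. Add `files_search_spool($1)` before the `allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;` line to keep the interface self-sufficient and consistent with `courier_read_spool`.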
+diff --git a/courier.te b/courier.te
+index ae3bc70..9090d75 100644
+--- a/courier.te
++++ b/courier.te
+@@ -18,7 +18,7 @@ type courier_etc_t;
+ files_config_file(courier_etc_t)
+
+ type courier_spool_t;
+-files_type(courier_spool_t)
++files_spool_file(courier_spool_t)
+
+ type courier_var_lib_t;
+ files_type(courier_var_lib_t)
+@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
+ files_pid_filetrans(courier_domain, courier_var_run_t, dir)
+
+ kernel_read_kernel_sysctls(courier_domain)
+-kernel_read_system_state(courier_domain)
+
+ corecmd_exec_bin(courier_domain)
+
+@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain)
+
+ domain_use_interactive_fds(courier_domain)
+
+-files_read_etc_files(courier_domain)
+ files_read_etc_runtime_files(courier_domain)
+-files_read_usr_files(courier_domain)
+
+ fs_getattr_xattr_fs(courier_domain)
+ fs_search_auto_mountpoints(courier_domain)
+
+-logging_send_syslog_msg(courier_domain)
+-
+ sysnet_read_config(courier_domain)
+
+ userdom_dontaudit_use_unpriv_user_fds(courier_domain)
+@@ -77,6 +72,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mysql_stream_connect(courier_domain)
++')
++
++optional_policy(`
+ udev_read_db(courier_domain)
+ ')
+
+@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
+ create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+ manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+
++manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+ manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+
+ allow courier_authdaemon_t courier_tcpd_t:process sigchld;
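Review bot: `manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)` gives the authentication daemon create/write/unlink on every courier_spool_t file, the same type the other courier domains use for their spool, whereas the existing rule limited authdaemon to socket files there. A comment naming the file it needs, or a narrower pattern if it only rewrites an existing one, would keep this from reading as an accidental broadening of the auth daemon's reach.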
+@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
+
+ libs_read_lib_files(courier_authdaemon_t)
+
+-miscfiles_read_localization(courier_authdaemon_t)
+
+ userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
+
+@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
+
+ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+
+-allow courier_pop_t courier_var_lib_t:file { read write };
++allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+
+ domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
+
+@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
+ dev_read_rand(courier_tcpd_t)
+ dev_read_urand(courier_tcpd_t)
+
+-miscfiles_read_localization(courier_tcpd_t)
+
+ ########################################
+ #
+diff --git a/cpucontrol.te b/cpucontrol.te
+index af72c4e..afab036 100644
+--- a/cpucontrol.te
++++ b/cpucontrol.te
+@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
+ init_use_fds(cpucontrol_domain)
+ init_use_script_ptys(cpucontrol_domain)
+
+-logging_send_syslog_msg(cpucontrol_domain)
+-
+ userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
+
+ optional_policy(`
+@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
+ read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
+ read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
+
+-kernel_list_proc(cpucontrol_t)
+ kernel_read_proc_symlinks(cpucontrol_t)
+
+ dev_read_sysfs(cpucontrol_t)
+ dev_rw_cpu_microcode(cpucontrol_t)
+
++logging_send_syslog_msg(cpucontrol_t)
++
+ optional_policy(`
+ rhgb_use_ptys(cpucontrol_t)
+ ')
+@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t)
+
+ domain_read_all_domains_state(cpuspeed_t)
+
+-files_read_etc_files(cpuspeed_t)
+ files_read_etc_runtime_files(cpuspeed_t)
+
+-miscfiles_read_localization(cpuspeed_t)
++logging_send_syslog_msg(cpuspeed_t)
+diff --git a/cpufreqselector.te b/cpufreqselector.te
+index 6cedb87..530e250 100644
+--- a/cpufreqselector.te
++++ b/cpufreqselector.te
+@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
+ # Local policy
+ #
+
+-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
++allow cpufreqselector_t self:capability sys_nice;
+ allow cpufreqselector_t self:process getsched;
+ allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
++allow cpufreqselector_t self:process getsched;
+
+ kernel_read_system_state(cpufreqselector_t)
+
+-files_read_etc_files(cpufreqselector_t)
+-files_read_usr_files(cpufreqselector_t)
+-
+ dev_rw_sysfs(cpufreqselector_t)
+
+-miscfiles_read_localization(cpufreqselector_t)
+-
+ userdom_read_all_users_state(cpufreqselector_t)
+-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
++userdom_dontaudit_search_admin_dir(cpufreqselector_t)
+
+ optional_policy(`
+ dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
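Review bot: `allow cpufreqselector_t self:process getsched;` is added on the new side although the identical rule already stands two lines above as context, so the module now states it twice. Drop the added line. Narrowing the capability set to `sys_nice` is a real tightening and deserves a sentence in the description.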
+@@ -51,3 +47,7 @@ optional_policy(`
+ policykit_read_lib(cpufreqselector_t)
+ policykit_read_reload(cpufreqselector_t)
+ ')
++
++optional_policy(`
++ xserver_dbus_chat_xdm(cpufreqselector_t)
++')
+diff --git a/cpuplug.fc b/cpuplug.fc
+new file mode 100644
+index 0000000..be203ff
+--- /dev/null
++++ b/cpuplug.fc
+@@ -0,0 +1,3 @@
++/etc/rc.d/init.d/cpuplugd -- gen_context(system_u:object_r:cpuplug_initrc_exec_t,s0)
++
++/usr/sbin/cpuplugd -- gen_context(system_u:object_r:cpuplug_exec_t,s0)
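Review bot: The path field of a file_contexts entry is a regular expression, so the unescaped dots in `/etc/rc.d/init.d/cpuplugd` match any character rather than a literal dot; the rest of this patch escapes them (compare `/etc/rc\.d/init\.d/atd` in cron.fc). Use `/etc/rc\.d/init\.d/cpuplugd -- gen_context(system_u:object_r:cpuplug_initrc_exec_t,s0)`. An over-broad pattern is mostly harmless here, but it can shadow or be shadowed by a more specific entry during relabeling.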
+diff --git a/cpuplug.if b/cpuplug.if
+new file mode 100644
+index 0000000..c68d1d3
+--- /dev/null
++++ b/cpuplug.if
+@@ -0,0 +1,20 @@
++## cpuplugd - Linux on System z CPU and memory hotplug daemon
++
++########################################
++##
++## Execute cpuplug in the cpuplug domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cpuplug_domtrans',`
++ gen_require(`
++ type cpuplug_t, cpuplug_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, cpuplug_exec_t, cpuplug_t)
++')
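Review bot: The interface summary misspells "domain": `## Execute cpuplug in the cpuplug domin.` should read `## Execute cpuplugd in the cpuplug domain.`. Naming the binary rather than the module in the summary also matches what the domtrans_pattern below actually executes.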
+diff --git a/cpuplug.te b/cpuplug.te
+new file mode 100644
+index 0000000..074f3e0
+--- /dev/null
++++ b/cpuplug.te
+@@ -0,0 +1,40 @@
++policy_module(cpuplug, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type cpuplug_t;
++type cpuplug_exec_t;
++init_daemon_domain(cpuplug_t, cpuplug_exec_t)
++
++type cpuplug_initrc_exec_t;
++init_script_file(cpuplug_initrc_exec_t)
++
++type cpuplug_lock_t;
++files_lock_file(cpuplug_lock_t)
++
++type cpuplug_var_run_t;
++files_pid_file(cpuplug_var_run_t)
++
++########################################
++#
++# cpuplug local policy
++#
++allow cpuplug_t self:fifo_file rw_fifo_file_perms;
++allow cpuplug_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(cpuplug_t, cpuplug_lock_t, cpuplug_lock_t)
++files_lock_filetrans(cpuplug_t, cpuplug_lock_t, { file })
++
++manage_files_pattern(cpuplug_t, cpuplug_var_run_t, cpuplug_var_run_t)
++files_pid_filetrans(cpuplug_t, cpuplug_var_run_t, { file })
++
++kernel_read_system_state(cpuplug_t)
++kernel_rw_vm_sysctls(cpuplug_t)
++
++dev_rw_sysfs(cpuplug_t)
++
++logging_send_syslog_msg(cpuplug_t)
++
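Review bot: The file ends with a stray empty line after `logging_send_syslog_msg(cpuplug_t)`, and the `# cpuplug local policy` banner runs straight into the first `allow` with no blank line, unlike the Declarations banner above it; both are layout nits against the surrounding modules. `kernel_rw_vm_sysctls(cpuplug_t)` gives the daemon write access to the virtual-memory sysctls, which is presumably what its memory-hotplug tuning needs, but a why-comment such as `# cpuplugd adjusts vm sysctls when memory is hot-plugged` would save the next reader the guess.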
+diff --git a/cron.fc b/cron.fc
+index ad0bae9..615a947 100644
+--- a/cron.fc
++++ b/cron.fc
+@@ -1,66 +1,77 @@
+-/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
+-/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
++/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+-/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+-/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
++/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
++/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+
+-/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
++/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
++/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+-/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+-/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
++/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
++/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
++/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
++/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
++/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
++/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
++/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
++/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
++/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
+
+-/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
+-/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
++/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
++/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+
+-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+-#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+-/var/spool/cron/[^/]* -- <>
++/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
++#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
++/var/spool/cron/[^/]* -- <>
+
+-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/cron/crontabs/.* -- <>
+ #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+
+-/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/fcron/.* <>
++/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/fcron/.* <>
+ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++
++ifdef(`distro_gentoo',`
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++/var/spool/cron/lastrun/[^/]* -- <>
++')
++
++ifdef(`distro_suse', `
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++/var/spool/cron/lastrun/[^/]* -- <>
++/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
++')
+
+ ifdef(`distro_debian',`
+-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
++
++/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/cron/atjobs/[^/]* -- <>
+-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+ ')
+
+ ifdef(`distro_gentoo',`
+-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+ /var/spool/cron/lastrun/[^/]* -- <>
+ ')
+
+-ifdef(`distro_suse',`
+-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++ifdef(`distro_suse', `
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+ /var/spool/cron/lastrun/[^/]* -- <>
+-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+ ')
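Review bot: The new side carries the `distro_gentoo` and `distro_suse` ifdef blocks twice: once in the block inserted right after `/var/spool/fcron/new\.systab`, and again in the pre-existing blocks at the end of the file, which this hunk keeps and only re-spaces. The lastrun and tabs entries are identical in both copies, so one set should go; keeping the original trailing blocks and dropping the inserted ones is the smaller change. Separately, relabelling `/var/spool/cron -d` from cron_spool_t to user_cron_spool_t changes which domains may search and list that directory and deserves a mention in the description if intentional.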
+diff --git a/cron.if b/cron.if
+index 1303b30..759412f 100644
+--- a/cron.if
++++ b/cron.if
+@@ -2,11 +2,12 @@
+
+ #######################################
+ ##
+-## The template to define a crontab domain.
++## The common rules for a crontab domain.
+ ##
+-##
++##
+ ##
+-## Domain prefix to be used.
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
+ ##
+ ##
+ #
+@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',`
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+
++ kernel_read_system_state($1_t)
++
+ auth_domtrans_chk_passwd($1_t)
+ auth_use_nsswitch($1_t)
++
++ logging_send_syslog_msg($1_t)
++
++ userdom_home_reader($1_t)
++
+ ')
+
+ ########################################
+ ##
+-## Role access for cron.
++## Role access for cron
+ ##
+ ##
+ ##
+-## Role allowed access.
++## Role allowed access
+ ##
+ ##
+ ##
+ ##
+-## User domain for the role.
++## User domain for the role
+ ##
+ ##
+ ##
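Review bot: The added `userdom_home_reader($1_t)` lets every derived crontab domain read the whole user home tree, not just the crontab source passed on the command line; that is probably what `crontab <file>` needs in practice, but a why-comment such as `# crontab reads the user's crontab source from the home directory` would record the intent. The extra empty line between `userdom_home_reader($1_t)` and the closing `')` should go. The template body starts outside this hunk.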
+@@ -60,56 +68,66 @@ interface(`cron_role',`
+ gen_require(`
+ type cronjob_t, crontab_t, crontab_exec_t;
+ type user_cron_spool_t, crond_t;
+- bool cron_userdomain_transition;
++ bool cron_userdomain_transition;
+ ')
+
+- ##############################
+- #
+- # Declarations
+- #
++ ##############################
++ #
++ # Declarations
++ #
+
+ role $1 types { cronjob_t crontab_t };
+
+- ##############################
+- #
+- # Local policy
+- #
++ ##############################
++ #
++ # Local policy
++ #
+
++ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+- allow $2 user_cron_spool_t:file { getattr read write ioctl };
++ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
+- allow $2 crontab_t:process { ptrace signal_perms };
++ # crontab shows up in user ps
++ allow $2 crontab_t:process signal_perms;
+ ps_process_pattern($2, crontab_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 crontab_t:process ptrace;
++ ')
++
++ # Run helper programs as the user domain
++ #corecmd_bin_domtrans(crontab_t, $2)
++ #corecmd_shell_domtrans(crontab_t, $2)
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
+
+- tunable_policy(`cron_userdomain_transition',`
+- allow crond_t $2:process transition;
+- allow crond_t $2:fd use;
+- allow crond_t $2:key manage_key_perms;
++ tunable_policy(`cron_userdomain_transition',`
++ allow crond_t $2:process transition;
++ allow crond_t $2:fd use;
++ allow crond_t $2:key manage_key_perms;
+
+- allow $2 user_cron_spool_t:file entrypoint;
++ # needs to be authorized SELinux context for cron
++ allow $2 user_cron_spool_t:file entrypoint;
++ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+- allow $2 crond_t:fifo_file rw_fifo_file_perms;
++ allow $2 cronjob_t:process { signal_perms };
+
+- allow $2 cronjob_t:process { ptrace signal_perms };
+- ps_process_pattern($2, cronjob_t)
+- ',`
+- dontaudit crond_t $2:process transition;
+- dontaudit crond_t $2:fd use;
+- dontaudit crond_t $2:key manage_key_perms;
++ ps_process_pattern($2, cronjob_t)
++ ',`
++ dontaudit crond_t $2:process transition;
++ dontaudit crond_t $2:fd use;
++ dontaudit crond_t $2:key manage_key_perms;
+
+- dontaudit $2 user_cron_spool_t:file entrypoint;
++ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
++ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+- dontaudit $2 cronjob_t:process { ptrace signal_perms };
+- ')
++ dontaudit $2 cronjob_t:process { signal_perms };
++ ')
+
+ optional_policy(`
+ gen_require(`
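Review bot: The two commented-out calls `#corecmd_bin_domtrans(crontab_t, $2)` and `#corecmd_shell_domtrans(crontab_t, $2)` are dead code on the new side; either drop them or replace them with a sentence stating why crontab_t must not transition back into the user domain. The braces in `allow $2 cronjob_t:process { signal_perms };` and the matching dontaudit wrap a single macro and are inconsistent with `allow $2 crontab_t:process signal_perms;` a few lines earlier; the same brace pattern recurs in the second cron_admin_role hunk. The `deny_ptrace` tunable is used without a `bool deny_ptrace;` in gen_require, which is only fine if it is declared as a global tunable.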
+@@ -119,78 +137,75 @@ interface(`cron_role',`
+ dbus_stub(cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+ ##
+-## Role access for unconfined cron.
++## Role access for unconfined cronjobs
+ ##
+ ##
+ ##
+-## Role allowed access.
++## Role allowed access
+ ##
+ ##
+ ##
+ ##
+-## User domain for the role.
++## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_unconfined_role',`
+ gen_require(`
+ type unconfined_cronjob_t, crontab_t, crontab_exec_t;
+- type crond_t, user_cron_spool_t;
+- bool cron_userdomain_transition;
++ type crond_t, user_cron_spool_t;
++ bool cron_userdomain_transition;
+ ')
+
+- ##############################
+- #
+- # Declarations
+- #
+-
+- role $1 types { unconfined_cronjob_t crontab_t };
+-
+- ##############################
+- #
+- # Local policy
+- #
+-
+- domtrans_pattern($2, crontab_exec_t, crontab_t)
++ ##############################
++ #
++ # Declarations
++ #
++
++ role $1 types unconfined_cronjob_t;
+
+- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+- allow $2 crond_t:process sigchld;
++ ##############################
++ #
++ # Local policy
++ #
+
+- allow $2 user_cron_spool_t:file { getattr read write ioctl };
++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+
+- allow $2 crontab_t:process { ptrace signal_perms };
+- ps_process_pattern($2, crontab_t)
++ allow $2 crond_t:process sigchld;
+
+- corecmd_exec_bin(crontab_t)
+- corecmd_exec_shell(crontab_t)
++ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
+- tunable_policy(`cron_userdomain_transition',`
+- allow crond_t $2:process transition;
+- allow crond_t $2:fd use;
+- allow crond_t $2:key manage_key_perms;
++ # cronjob shows up in user ps
++ ps_process_pattern($2, unconfined_cronjob_t)
++ allow $2 unconfined_cronjob_t:process signal_perms;
+
+- allow $2 user_cron_spool_t:file entrypoint;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 unconfined_cronjob_t:process ptrace;
++ ')
+
+- allow $2 crond_t:fifo_file rw_fifo_file_perms;
++ tunable_policy(`cron_userdomain_transition',`
++ allow crond_t $2:process transition;
++ allow crond_t $2:fd use;
++ allow crond_t $2:key manage_key_perms;
+
+- allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
+- ps_process_pattern($2, unconfined_cronjob_t)
+- ',`
+- dontaudit crond_t $2:process transition;
+- dontaudit crond_t $2:fd use;
+- dontaudit crond_t $2:key manage_key_perms;
++ allow $2 user_cron_spool_t:file entrypoint;
+
+- dontaudit $2 user_cron_spool_t:file entrypoint;
++ allow $2 crond_t:fifo_file rw_fifo_file_perms;
++ ',`
++ dontaudit crond_t $2:process transition;
++ dontaudit crond_t $2:fd use;
++ dontaudit crond_t $2:key manage_key_perms;
+
+- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
++ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
+-')
++ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
++ ')
+
+ optional_policy(`
+ gen_require(`
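Review bot: `crontab_t` and `crontab_exec_t` are still required by the gen_require block (kept as context) although the new body no longer references them: `domtrans_pattern($2, crontab_exec_t, crontab_t)` and both `corecmd_exec_*(crontab_t)` calls were removed and the role line shrank to `role $1 types unconfined_cronjob_t;`. Trim the require to `type unconfined_cronjob_t;`. If the unconfined role is still expected to run crontab, that access now has to come from a separate cron_role call, which the description should state.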
+@@ -198,55 +213,60 @@ interface(`cron_unconfined_role',`
+ ')
+
+ dbus_stub(unconfined_cronjob_t)
+-
+ allow unconfined_cronjob_t $2:dbus send_msg;
+ ')
+ ')
+
+ ########################################
+ ##
+-## Role access for admin cron.
++## Role access for cron
+ ##
+ ##
+ ##
+-## Role allowed access.
++## Role allowed access
+ ##
+ ##
+ ##
+ ##
+-## User domain for the role.
++## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_admin_role',`
+ gen_require(`
+- type cronjob_t, crontab_exec_t, admin_crontab_t;
++ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
++ type user_cron_spool_t, crond_t;
+ class passwd crontab;
+- type crond_t, user_cron_spool_t;
+- bool cron_userdomain_transition;
++ bool cron_userdomain_transition;
+ ')
+
+- ##############################
+- #
+- # Declarations
+- #
++ ##############################
++ #
++ # Declarations
++ #
+
+- role $1 types { cronjob_t admin_crontab_t };
++ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
+
+- ##############################
+- #
+- # Local policy
+- #
++ ##############################
++ #
++ # Local policy
++ #
+
++ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
+
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+- allow $2 crond_t:process sigchld;
+
+- allow $2 user_cron_spool_t:file { getattr read write ioctl };
++ allow $2 crond_t:process sigchld;
+
+- allow $2 admin_crontab_t:process { ptrace signal_perms };
++ # crontab shows up in user ps
+ ps_process_pattern($2, admin_crontab_t)
++ allow $2 admin_crontab_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 admin_crontab_t:process ptrace;
++ ')
+
+ # Manipulate other users crontab.
+ allow $2 self:passwd crontab;
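Review bot: `role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };` associates admin_crontab_tmp_t with the role, but by its name that is the crontab domain's temporary-file type rather than a process domain, so the association has no effect and the added `admin_crontab_tmp_t` in gen_require only widens the interface's dependencies. Unless it really is a domain, revert to `role $1 types { cronjob_t admin_crontab_t };` and drop the type from the require.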
+@@ -254,28 +274,26 @@ interface(`cron_admin_role',`
+ corecmd_exec_bin(admin_crontab_t)
+ corecmd_exec_shell(admin_crontab_t)
+
+- tunable_policy(`cron_userdomain_transition',`
+- allow crond_t $2:process transition;
+- allow crond_t $2:fd use;
+- allow crond_t $2:key manage_key_perms;
++ tunable_policy(`cron_userdomain_transition',`
++ allow crond_t $2:process transition;
++ allow crond_t $2:fd use;
++ allow crond_t $2:key manage_key_perms;
+
+- allow $2 user_cron_spool_t:file entrypoint;
++ allow $2 user_cron_spool_t:file entrypoint;
+
+- allow $2 crond_t:fifo_file rw_fifo_file_perms;
++ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+- allow $2 cronjob_t:process { ptrace signal_perms };
+- ps_process_pattern($2, cronjob_t)
+- ',`
+- dontaudit crond_t $2:process transition;
+- dontaudit crond_t $2:fd use;
+- dontaudit crond_t $2:key manage_key_perms;
++ allow $2 cronjob_t:process { signal_perms };
++ ps_process_pattern($2, cronjob_t)
++ ',`
++ dontaudit crond_t $2:process transition;
++ dontaudit crond_t $2:fd use;
++ dontaudit crond_t $2:key manage_key_perms;
+
+- dontaudit $2 user_cron_spool_t:file entrypoint;
+-
+- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+-
+- dontaudit $2 cronjob_t:process { ptrace signal_perms };
+- ')
++ dontaudit $2 user_cron_spool_t:file entrypoint;
++ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
++ dontaudit $2 cronjob_t:process { signal_perms };
++ ')
+
+ optional_policy(`
+ gen_require(`
+@@ -285,13 +303,13 @@ interface(`cron_admin_role',`
+ dbus_stub(admin_cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+ ##
+-## Make the specified program domain
+-## accessable from the system cron jobs.
++## Make the specified program domain accessable
++## from the system cron jobs.
+ ##
+ ##
+ ##
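Review bot: The re-wrapped summary keeps the misspelling `accessable`; since these lines are being touched anyway, make them `## Make the specified program domain accessible` and `## from the system cron jobs.`. The interface definition itself lies outside this hunk.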
+@@ -307,15 +325,15 @@ interface(`cron_admin_role',`
+ interface(`cron_system_entry',`
+ gen_require(`
+ type crond_t, system_cronjob_t;
+- type user_cron_spool_log_t;
+ ')
+
+- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
+-
+ domtrans_pattern(system_cronjob_t, $2, $1)
+ domtrans_pattern(crond_t, $2, $1)
+
+ role system_r types $1;
++
++ allow $1 crond_t:fifo_file rw_fifo_file_perms;
++ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ ')
+
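Review bot: The two added pipe rules use `rw_fifo_file_perms`, whereas the pipe interfaces rewritten later in this patch (cron_rw_pipes, cron_rw_system_job_pipes) deliberately switch to `rw_inherited_fifo_file_perms`. A cron job only ever holds a pipe inherited from crond or system_cronjob_t, so the inherited set, which does not grant open, is the tighter and consistent choice: `allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;` and `allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;`. Dropping the user_cron_spool_log_t require lines up with the removal of that type's file context in cron.fc.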
+ ########################################
+@@ -333,13 +351,12 @@ interface(`cron_domtrans',`
+ type system_cronjob_t, crond_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, crond_exec_t, system_cronjob_t)
+ ')
+
+ ########################################
+ ##
+-## Execute crond in the caller domain.
++## Execute crond_exec_t
+ ##
+ ##
+ ##
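Review bot: Removing `corecmd_search_bin($1)` means a caller that does not already hold search on the bin directories can no longer reach crond_exec_t through cron_domtrans; refpolicy pairs domtrans interfaces with that search precisely so callers stay self-contained, so this is a behaviour change worth a line in the description. The same removal appears in cron_exec and cron_anacron_domtrans_system_job further down. The rewritten cron_exec summary at the end of this hunk, `## Execute crond_exec_t`, is less informative than the line it replaces; keep `## Execute crond in the caller domain.`.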
+@@ -352,7 +369,6 @@ interface(`cron_exec',`
+ type crond_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, crond_exec_t)
+ ')
+
+@@ -376,7 +392,32 @@ interface(`cron_initrc_domtrans',`
+
+ ########################################
+ ##
+-## Use crond file descriptors.
++## Execute crond server in the crond domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cron_systemctl',`
++ gen_require(`
++ type crond_unit_file_t;
++ type crond_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 crond_unit_file_t:file read_file_perms;
++ allow $1 crond_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, crond_t)
++')
++
++########################################
++##
++## Inherit and use a file descriptor
++## from the cron daemon.
+ ##
+ ##
+ ##
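Review bot: The summary `## Execute crond server in the crond domain.` and the parameter text `## Domain allowed to transition.` do not describe cron_systemctl, which performs no domain transition: it grants systemctl execution, service reload, read of the crond unit file, `manage_service_perms` on that unit and a view of crond's process state. Reword to `## Manage the crond systemd service via systemctl.` with `## Domain allowed access.` for the parameter. Because manage_service_perms lets the caller stop the scheduler, the doc should also say the interface is meant for administrative domains only.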
+@@ -394,7 +435,7 @@ interface(`cron_use_fds',`
+
+ ########################################
+ ##
+-## Send child terminated signals to crond.
++## Send a SIGCHLD signal to the cron daemon.
+ ##
+ ##
+ ##
+@@ -412,7 +453,7 @@ interface(`cron_sigchld',`
+
+ ########################################
+ ##
+-## Set the attributes of cron log files.
++## Send a generic signal to cron daemon.
+ ##
+ ##
+ ##
+@@ -420,17 +461,17 @@ interface(`cron_sigchld',`
+ ##
+ ##
+ #
+-interface(`cron_setattr_log_files',`
++interface(`cron_signal',`
+ gen_require(`
+- type cron_log_t;
++ type crond_t;
+ ')
+
+- allow $1 cron_log_t:file setattr_file_perms;
++ allow $1 crond_t:process signal;
+ ')
+
+ ########################################
+ ##
+-## Create cron log files.
++## Read a cron daemon unnamed pipe.
+ ##
+ ##
+ ##
+@@ -438,17 +479,17 @@ interface(`cron_setattr_log_files',`
+ ##
+ ##
+ #
+-interface(`cron_create_log_files',`
++interface(`cron_read_pipes',`
+ gen_require(`
+- type cron_log_t;
++ type crond_t;
+ ')
+
+- create_files_pattern($1, cron_log_t, cron_log_t)
++ allow $1 crond_t:fifo_file read_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Write to cron log files.
++## Read crond state files.
+ ##
+ ##
+ ##
+@@ -456,18 +497,20 @@ interface(`cron_create_log_files',`
+ ##
+ ##
+ #
+-interface(`cron_write_log_files',`
++interface(`cron_read_state_crond',`
+ gen_require(`
+- type cron_log_t;
++ type crond_t;
+ ')
+
+- allow $1 cron_log_t:file write_file_perms;
++ kernel_search_proc($1)
++ ps_process_pattern($1, crond_t)
+ ')
+
++
+ ########################################
+ ##
+-## Create, read, write and delete
+-## cron log files.
++## Send and receive messages from
++## crond over dbus.
+ ##
+ ##
+ ##
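Review bot: Two consecutive empty lines separate the closing `')` of cron_read_state_crond from the next banner, where the file otherwise uses one. The name also reads against the module's verb-object convention (compare `cron_read_system_job_tmp_files`); `cron_read_crond_state` would fit better, though renaming means touching any caller this patch adds elsewhere.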
+@@ -475,48 +518,37 @@ interface(`cron_write_log_files',`
+ ##
+ ##
+ #
+-interface(`cron_manage_log_files',`
++interface(`cron_dbus_chat_crond',`
+ gen_require(`
+- type cron_log_t;
++ type crond_t;
++ class dbus send_msg;
+ ')
+
+- manage_files_pattern($1, cron_log_t, cron_log_t)
+-
+- logging_search_logs($1)
++ allow $1 crond_t:dbus send_msg;
++ allow crond_t $1:dbus send_msg;
+ ')
+
+ ########################################
+ ##
+-## Create specified objects in generic
+-## log directories with the cron log file type.
++## Do not audit attempts to write cron daemon unnamed pipes.
+ ##
+ ##
+ ##
+-## Domain allowed access.
+-##
+-##
+-##
+-##
+-## Class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`cron_generic_log_filetrans_log',`
++interface(`cron_dontaudit_write_pipes',`
+ gen_require(`
+- type cron_log_t;
++ type crond_t;
+ ')
+
+- logging_log_filetrans($1, cron_log_t, $2, $3)
++ dontaudit $1 crond_t:fifo_file write;
+ ')
+
+ ########################################
+ ##
+-## Read cron daemon unnamed pipes.
++## Read and write a cron daemon unnamed pipe.
+ ##
+ ##
+ ##
+@@ -524,18 +556,17 @@ interface(`cron_generic_log_filetrans_log',`
+ ##
+ ##
+ #
+-interface(`cron_read_pipes',`
++interface(`cron_rw_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+- allow $1 crond_t:fifo_file read_fifo_file_perms;
++ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to write
+-## cron daemon unnamed pipes.
++## Do not audit attempts to setattr cron daemon unnamed pipes.
+ ##
+ ##
+ ##
+@@ -543,17 +574,17 @@ interface(`cron_read_pipes',`
+ ##
+ ##
+ #
+-interface(`cron_dontaudit_write_pipes',`
++interface(`cron_dontaudit_setattr_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+- dontaudit $1 crond_t:fifo_file write;
++ dontaudit $1 crond_t:fifo_file setattr;
+ ')
+
+ ########################################
+ ##
+-## Read and write crond unnamed pipes.
++## Read and write inherited user spool files.
+ ##
+ ##
+ ##
+@@ -561,17 +592,35 @@ interface(`cron_dontaudit_write_pipes',`
+ ##
+ ##
+ #
+-interface(`cron_rw_pipes',`
++interface(`cron_rw_inherited_user_spool_files',`
+ gen_require(`
+- type crond_t;
++ type user_cron_spool_t;
+ ')
+
+- allow $1 crond_t:fifo_file rw_fifo_file_perms;
++ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Read and write crond TCP sockets.
++## Read and write inherited spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_rw_inherited_spool_files',`
++ gen_require(`
++ type cron_spool_t;
++ ')
++
++ allow $1 cron_spool_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Read, and write cron daemon TCP sockets.
+ ##
+ ##
+ ##
+@@ -589,8 +638,7 @@ interface(`cron_rw_tcp_sockets',`
+
+ ########################################
+ ##
+-## Do not audit attempts to read and
+-## write cron daemon TCP sockets.
++## Dontaudit Read, and write cron daemon TCP sockets.
+ ##
+ ##
+ ##
+@@ -608,7 +656,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
+
+ ########################################
+ ##
+-## Search cron spool directories.
++## Search the directory containing user cron tables.
+ ##
+ ##
+ ##
+@@ -627,8 +675,26 @@ interface(`cron_search_spool',`
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## crond pid files.
++## Search the directory containing user cron tables.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_manage_system_spool',`
++ gen_require(`
++ type cron_system_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
++')
++
++########################################
++##
++## Manage pid files used by cron
+ ##
+ ##
+ ##
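Review bot: `type cron_system_spool_t;` does not match the type this patch uses for the system spool everywhere else, which is `system_cron_spool_t` (see the cron.fc entries for /etc/cron.d and /var/spool/anacron); unless cron.te declares both spellings, any module calling cron_manage_system_spool will fail to link on the missing type. Change the require and both `manage_files_pattern` arguments to `system_cron_spool_t`. The summary `## Search the directory containing user cron tables.` was copied from cron_search_spool above and should read `## Create, read, write, and delete system cron spool files.`.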
+@@ -641,13 +707,13 @@ interface(`cron_manage_pid_files',`
+ type crond_var_run_t;
+ ')
+
++ files_search_pids($1)
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+ ')
+
+ ########################################
+ ##
+-## Execute anacron in the cron
+-## system domain.
++## Execute anacron in the cron system domain.
+ ##
+ ##
+ ##
+@@ -660,13 +726,13 @@ interface(`cron_anacron_domtrans_system_job',`
+ type system_cronjob_t, anacron_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
+ ')
+
+ ########################################
+ ##
+-## Use system cron job file descriptors.
++## Inherit and use a file descriptor
++## from system cron jobs.
+ ##
+ ##
+ ##
+@@ -684,7 +750,7 @@ interface(`cron_use_system_job_fds',`
+
+ ########################################
+ ##
+-## Read system cron job lib files.
++## Write a system cron job unnamed pipe.
+ ##
+ ##
+ ##
+@@ -692,19 +758,17 @@ interface(`cron_use_system_job_fds',`
+ ##
+ ##
+ #
+-interface(`cron_read_system_job_lib_files',`
++interface(`cron_write_system_job_pipes',`
+ gen_require(`
+- type system_cronjob_var_lib_t;
++ type system_cronjob_t;
+ ')
+
+- files_search_var_lib($1)
+- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++ allow $1 system_cronjob_t:fifo_file write;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## system cron job lib files.
++## Read and write a system cron job unnamed pipe.
+ ##
+ ##
+ ##
+@@ -712,18 +776,17 @@ interface(`cron_read_system_job_lib_files',`
+ ##
+ ##
+ #
+-interface(`cron_manage_system_job_lib_files',`
++interface(`cron_rw_system_job_pipes',`
+ gen_require(`
+- type system_cronjob_var_lib_t;
++ type system_cronjob_t;
+ ')
+
+- files_search_var_lib($1)
+- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Write system cron job unnamed pipes.
++## Allow read/write unix stream sockets from the system cron jobs.
+ ##
+ ##
+ ##
+@@ -731,18 +794,17 @@ interface(`cron_manage_system_job_lib_files',`
+ ##
+ ##
+ #
+-interface(`cron_write_system_job_pipes',`
++interface(`cron_rw_system_job_stream_sockets',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+- allow $1 system_cronjob_t:file write;
++ allow $1 system_cronjob_t:unix_stream_socket { read write };
+ ')
+
+ ########################################
+ ##
+-## Read and write system cron job
+-## unnamed pipes.
++## Read temporary files from the system cron jobs.
+ ##
+ ##
+ ##
+@@ -750,86 +812,142 @@ interface(`cron_write_system_job_pipes',`
+ ##
+ ##
+ #
+-interface(`cron_rw_system_job_pipes',`
++interface(`cron_read_system_job_tmp_files',`
+ gen_require(`
+- type system_cronjob_t;
++ type system_cronjob_tmp_t, cron_var_run_t;
+ ')
+
+- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
++ files_search_tmp($1)
++ allow $1 system_cronjob_tmp_t:file read_file_perms;
++
++ files_search_pids($1)
++ allow $1 cron_var_run_t:file read_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Read and write inherited system cron
+-## job unix domain stream sockets.
++## Do not audit attempts to append temporary
++## files from the system cron jobs.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`cron_rw_system_job_stream_sockets',`
++interface(`cron_dontaudit_append_system_job_tmp_files',`
+ gen_require(`
+- type system_cronjob_t;
++ type system_cronjob_tmp_t;
+ ')
+
+- allow $1 system_cronjob_t:unix_stream_socket { read write };
++ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Read system cron job temporary files.
++## Do not audit attempts to write temporary
++## files from the system cron jobs.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`cron_read_system_job_tmp_files',`
++interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
++ type cron_var_run_t;
+ ')
+
+- files_search_tmp($1)
+- allow $1 system_cronjob_tmp_t:file read_file_perms;
++ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
++ dontaudit $1 cron_var_run_t:file write_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to append temporary
+-## system cron job files.
++## Read temporary files from the system cron jobs.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`cron_dontaudit_append_system_job_tmp_files',`
++interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+- type system_cronjob_tmp_t;
++ type system_cronjob_var_lib_t;
+ ')
+
+- dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
++ files_search_var_lib($1)
++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to write temporary
+-## system cron job files.
++## Manage files from the system cron jobs.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`cron_dontaudit_write_system_job_tmp_files',`
++interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+- type system_cronjob_tmp_t;
++ type system_cronjob_var_lib_t;
+ ')
+
+- dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
++ files_search_var_lib($1)
++ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++')
++
++#######################################
++##
++## Create, read, write and delete
++## cron log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_manage_log_files',`
++ gen_require(`
++ type cron_log_t;
++ ')
++
++ manage_files_pattern($1, cron_log_t, cron_log_t)
++
++ logging_search_logs($1)
++')
++
++#######################################
++##
++## Create specified objects in generic
++## log directories with the cron log file type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`cron_generic_log_filetrans_log',`
++ gen_require(`
++ type cron_log_t;
++ ')
++
++ logging_log_filetrans($1, cron_log_t, $2, $3)
+ ')
+diff --git a/cron.te b/cron.te
+index 7de3859..0ee059a 100644
+--- a/cron.te
++++ b/cron.te
+@@ -11,46 +11,46 @@ gen_require(`
+
+ ##
+ ##
+-## Determine whether system cron jobs
+-## can relabel filesystem for
+-## restoring file contexts.
++## Allow system cron jobs to relabel filesystem
++## for restoring file contexts.
+ ##
+ ##
+ gen_tunable(cron_can_relabel, false)
+
+ ##
+-##
+-## Determine whether crond can execute jobs
+-## in the user domain as opposed to the
+-## the generic cronjob domain.
+-##
++##
++## Determine whether crond can execute jobs
++## in the user domain as opposed to the
++## the generic cronjob domain.
++##
+ ##
+-gen_tunable(cron_userdomain_transition, false)
++gen_tunable(cron_userdomain_transition, true)
+
+ ##
+ ##
+-## Determine whether extra rules
+-## should be enabled to support fcron.
++## Enable extra rules in the cron domain
++## to support fcron.
+ ##
+ ##
+ gen_tunable(fcron_crond, false)
+
+-attribute cron_spool_type;
+ attribute crontab_domain;
++attribute cron_spool_type;
+
+ type anacron_exec_t;
+ application_executable_file(anacron_exec_t)
+
+ type cron_spool_t;
+-files_type(cron_spool_t)
+-mta_system_content(cron_spool_t)
++files_spool_file(cron_spool_t)
+
++# var/lib files
+ type cron_var_lib_t;
+ files_type(cron_var_lib_t)
+
+ type cron_var_run_t;
+ files_pid_file(cron_var_run_t)
+
++# var/log files
+ type cron_log_t;
+ logging_log_file(cron_log_t)
+
+@@ -71,6 +71,9 @@ domain_cron_exemption_source(crond_t)
+ type crond_initrc_exec_t;
+ init_script_file(crond_initrc_exec_t)
+
++type crond_unit_file_t;
++systemd_unit_file(crond_unit_file_t)
++
+ type crond_tmp_t;
+ files_tmp_file(crond_tmp_t)
+ files_poly_parent(crond_tmp_t)
+@@ -92,15 +95,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+ typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+ typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
+ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
++allow admin_crontab_t crond_t:process signal;
+
+ type system_cron_spool_t, cron_spool_type;
+-files_type(system_cron_spool_t)
+-mta_system_content(system_cron_spool_t)
++files_spool_file(system_cron_spool_t)
+
+ type system_cronjob_t alias system_crond_t;
+ init_daemon_domain(system_cronjob_t, anacron_exec_t)
+ corecmd_shell_entry_type(system_cronjob_t)
+-domain_entry_file(system_cronjob_t, system_cron_spool_t)
++corecmd_bin_entry_type(system_cronjob_t)
++role system_r types system_cronjob_t;
++domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+
+ type system_cronjob_lock_t alias system_crond_lock_t;
+ files_lock_file(system_cronjob_lock_t)
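Review bot: `corecmd_bin_entry_type(system_cronjob_t)` makes every generic bin file an entrypoint for the system cron job domain, replacing the narrower `domain_entry_file(system_cronjob_t, system_cron_spool_t)`; combined with the existing `corecmd_shell_entry_type`, in principle any domain that is granted `process transition` to system_cronjob_t can enter it through any binary, so the transition rules elsewhere in the file carry the whole weight of control. If this is for anacron or run-parts, a comment naming the program would make the reason visible, e.g. `# anacron/run-parts execute bin_t programs directly as the job`. `allow admin_crontab_t crond_t:process signal;` and `role system_r types system_cronjob_t;` are access and role rules placed among the type declarations; the rest of the file keeps such rules below its `local policy` headers.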
+@@ -108,94 +113,34 @@ files_lock_file(system_cronjob_lock_t)
+ type system_cronjob_tmp_t alias system_crond_tmp_t;
+ files_tmp_file(system_cronjob_tmp_t)
+
+-type system_cronjob_var_lib_t;
+-files_type(system_cronjob_var_lib_t)
+-
+-type system_cronjob_var_run_t;
+-files_pid_file(system_cronjob_var_run_t)
+-
++# Type of user crontabs once moved to cron spool.
+ type user_cron_spool_t, cron_spool_type;
+ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
+ typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
+-files_type(user_cron_spool_t)
++files_spool_file(user_cron_spool_t)
+ ubac_constrained(user_cron_spool_t)
+ mta_system_content(user_cron_spool_t)
+
+-type user_cron_spool_log_t;
+-logging_log_file(user_cron_spool_log_t)
+-ubac_constrained(user_cron_spool_log_t)
+-mta_system_content(user_cron_spool_log_t)
++type system_cronjob_var_lib_t;
++files_type(system_cronjob_var_lib_t)
++typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
++
++type system_cronjob_var_run_t;
++files_pid_file(system_cronjob_var_run_t)
+
+ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+ ')
+
+-##############################
+-#
+-# Common crontab local policy
+-#
+-
+-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
+-allow crontab_domain self:process { getcap setsched signal_perms };
+-allow crontab_domain self:fifo_file rw_fifo_file_perms;
+-
+-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
+-
+-allow crontab_domain cron_spool_t:dir setattr_dir_perms;
+-
+-allow crontab_domain crond_t:process signal;
+-allow crontab_domain crond_var_run_t:file read_file_perms;
+-
+-kernel_read_system_state(crontab_domain)
+-
+-selinux_dontaudit_search_fs(crontab_domain)
+-
+-files_list_spool(crontab_domain)
+-files_read_etc_files(crontab_domain)
+-files_read_usr_files(crontab_domain)
+-files_search_pids(crontab_domain)
+-
+-fs_getattr_xattr_fs(crontab_domain)
+-fs_manage_cgroup_dirs(crontab_domain)
+-fs_rw_cgroup_files(crontab_domain)
+-
+-domain_use_interactive_fds(crontab_domain)
+-
+-fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
+-
+-auth_rw_var_auth(crontab_domain)
+-
+-logging_send_syslog_msg(crontab_domain)
+-logging_send_audit_msgs(crontab_domain)
+-logging_set_loginuid(crontab_domain)
+-
+-init_dontaudit_write_utmp(crontab_domain)
+-init_read_utmp(crontab_domain)
+-init_read_state(crontab_domain)
+-
+-miscfiles_read_localization(crontab_domain)
+-
+-seutil_read_config(crontab_domain)
+-
+-userdom_manage_user_tmp_dirs(crontab_domain)
+-userdom_manage_user_tmp_files(crontab_domain)
+-userdom_use_user_terminals(crontab_domain)
+-userdom_read_user_home_content_files(crontab_domain)
+-userdom_read_user_home_content_symlinks(crontab_domain)
+-
+-tunable_policy(`fcron_crond',`
+- dontaudit crontab_domain crond_t:process signal;
+-')
+-
+ ########################################
+ #
+-# Admin local policy
++# Admin crontab local policy
+ #
+
+-allow admin_crontab_t self:capability fsetid;
+-allow admin_crontab_t crond_t:process signal;
++# Allow our crontab domain to unlink a user cron spool file.
++allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
+
++# Manipulate other users crontab.
+ selinux_get_fs_mount(admin_crontab_t)
+ selinux_validate_context(admin_crontab_t)
+ selinux_compute_access_vector(admin_crontab_t)
+@@ -204,22 +149,26 @@ selinux_compute_relabel_context(admin_crontab_t)
+ selinux_compute_user_contexts(admin_crontab_t)
+
+ tunable_policy(`fcron_crond',`
++ # fcron wants an instant update of a crontab change for the administrator
++ # also crontab does a security check for crontab -u
+ allow admin_crontab_t self:process setfscreate;
+ ')
+
+ ########################################
+ #
+-# Daemon local policy
++# Cron daemon local policy
+ #
+
+ allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
+-dontaudit crond_t self:capability { sys_resource sys_tty_config };
++dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
+ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+ allow crond_t self:process { setexec setfscreate };
+ allow crond_t self:fd use;
+ allow crond_t self:fifo_file rw_fifo_file_perms;
++allow crond_t self:unix_dgram_socket create_socket_perms;
++allow crond_t self:unix_stream_socket create_stream_socket_perms;
+ allow crond_t self:unix_dgram_socket sendto;
+-allow crond_t self:unix_stream_socket { accept connectto listen };
++allow crond_t self:unix_stream_socket connectto;
+ allow crond_t self:shm create_shm_perms;
+ allow crond_t self:sem create_sem_perms;
+ allow crond_t self:msgq create_msgq_perms;
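Review bot: `dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };` adds `net_admin` to the daemon's silenced capabilities without saying what triggers the denial; a silenced net_admin request on a daemon that has no networking role is exactly the kind of signal a reviewer wants kept visible, so the line should carry a comment such as `# net_admin: <what triggers it> - dontaudit only, never allow`. The two adjacent rules on `self:unix_dgram_socket` (`create_socket_perms`, then `sendto`) and the two on `self:unix_stream_socket` (`create_stream_socket_perms`, then `connectto`) could each be one rule.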
+@@ -227,7 +176,7 @@ allow crond_t self:msg { send receive };
+ allow crond_t self:key { search write link };
+ dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
+
+-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++manage_files_pattern(crond_t, cron_log_t, cron_log_t)
+ logging_log_filetrans(crond_t, cron_log_t, file)
+
+ manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
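Review bot: `manage_files_pattern(crond_t, cron_log_t, cron_log_t)` replaces a rule that deliberately limited the daemon to `append_file_perms create_file_perms setattr_file_perms` on its own log; the new form also grants write, unlink and rename, so a misbehaving or compromised crond can truncate or remove its log. The same widening appears for `system_cronjob_t` in the `@@ -354,103` hunk (`allow system_cronjob_t cron_log_t:file manage_file_perms;`), where the comment only justifies creating rpm script logs, and the new `cron_manage_log_files` interface in cron.if hands the same set to callers. If append-only is no longer sufficient, the comment should name the operation that needs write or unlink; otherwise keep the original append-only set.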
+@@ -237,73 +186,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+
+ manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
+ manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
+-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
++files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
+
+ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+ read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+
+-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+-
+-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
++kernel_read_kernel_sysctls(crond_t)
++kernel_read_fs_sysctls(crond_t)
++kernel_search_key(crond_t)
+
+-allow crond_t system_cronjob_t:process transition;
+-allow crond_t system_cronjob_t:fd use;
+-allow crond_t system_cronjob_t:key manage_key_perms;
++dev_read_sysfs(crond_t)
++selinux_get_fs_mount(crond_t)
++selinux_validate_context(crond_t)
++selinux_compute_access_vector(crond_t)
++selinux_compute_create_context(crond_t)
++selinux_compute_relabel_context(crond_t)
++selinux_compute_user_contexts(crond_t)
+
+-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
++dev_read_urand(crond_t)
+
+-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
++fs_getattr_all_fs(crond_t)
++fs_search_auto_mountpoints(crond_t)
++fs_list_inotifyfs(crond_t)
+
+-kernel_read_kernel_sysctls(crond_t)
+-kernel_read_fs_sysctls(crond_t)
+-kernel_search_key(crond_t)
++# need auth_chkpwd to check for locked accounts.
++auth_domtrans_chk_passwd(crond_t)
++auth_manage_var_auth(crond_t)
+
+ corecmd_exec_shell(crond_t)
+-corecmd_exec_bin(crond_t)
+ corecmd_list_bin(crond_t)
+-
+-dev_read_sysfs(crond_t)
+-dev_read_urand(crond_t)
++corecmd_exec_bin(crond_t)
++corecmd_read_bin_symlinks(crond_t)
+
+ domain_use_interactive_fds(crond_t)
+ domain_subj_id_change_exemption(crond_t)
+ domain_role_change_exemption(crond_t)
+
+-fs_getattr_all_fs(crond_t)
+-fs_list_inotifyfs(crond_t)
+-fs_manage_cgroup_dirs(crond_t)
+-fs_rw_cgroup_files(crond_t)
+-fs_search_auto_mountpoints(crond_t)
+-
+-files_read_usr_files(crond_t)
+ files_read_etc_runtime_files(crond_t)
+ files_read_generic_spool(crond_t)
+ files_list_usr(crond_t)
++# Read from /var/spool/cron.
+ files_search_var_lib(crond_t)
+ files_search_default(crond_t)
+ files_read_all_locks(crond_t)
+
+-mls_fd_share_all_levels(crond_t)
++fs_manage_cgroup_dirs(crond_t)
++fs_manage_cgroup_files(crond_t)
++
++# needed by "crontab -e"
+ mls_file_read_all_levels(crond_t)
+ mls_file_write_all_levels(crond_t)
++
++# needed because of kernel check of transition
+ mls_process_set_level(crond_t)
+-mls_trusted_object(crond_t)
+
+-selinux_get_fs_mount(crond_t)
+-selinux_validate_context(crond_t)
+-selinux_compute_access_vector(crond_t)
+-selinux_compute_create_context(crond_t)
+-selinux_compute_relabel_context(crond_t)
+-selinux_compute_user_contexts(crond_t)
++# to make cronjob working
++mls_fd_share_all_levels(crond_t)
++mls_trusted_object(crond_t)
+
+ init_read_state(crond_t)
+ init_rw_utmp(crond_t)
+ init_spec_domtrans_script(crond_t)
+
+-auth_domtrans_chk_passwd(crond_t)
+-auth_manage_var_auth(crond_t)
+ auth_use_nsswitch(crond_t)
+
+ logging_send_audit_msgs(crond_t)
+@@ -312,41 +256,46 @@ logging_set_loginuid(crond_t)
+
+ seutil_read_config(crond_t)
+ seutil_read_default_contexts(crond_t)
++seutil_sigchld_newrole(crond_t)
+
+-miscfiles_read_localization(crond_t)
+
++userdom_use_unpriv_users_fds(crond_t)
++# Not sure why this is needed
+ userdom_list_user_home_dirs(crond_t)
++userdom_list_admin_dir(crond_t)
++userdom_manage_all_users_keys(crond_t)
+
+-tunable_policy(`cron_userdomain_transition',`
+- dontaudit crond_t cronjob_t:process transition;
+- dontaudit crond_t cronjob_t:fd use;
+- dontaudit crond_t cronjob_t:key manage_key_perms;
+-',`
+- allow crond_t cronjob_t:process transition;
+- allow crond_t cronjob_t:fd use;
+- allow crond_t cronjob_t:key manage_key_perms;
+-')
++mta_send_mail(crond_t)
++mta_system_content(cron_spool_t)
+
+ ifdef(`distro_debian',`
++ # pam_limits is used
+ allow crond_t self:process setrlimit;
+
+- optional_policy(`
+- logwatch_search_cache_dir(crond_t)
+- ')
++')
++
++optional_policy(`
++ logwatch_search_cache_dir(crond_t)
++')
++
++optional_policy(`
++ bind_read_config(crond_t)
+ ')
+
+ ifdef(`distro_redhat',`
++ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
++ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(crond_t)
+ ')
+ ')
+
+-tunable_policy(`allow_polyinstantiation',`
++tunable_policy(`polyinstantiation_enabled',`
+ files_polyinstantiate_all(crond_t)
+ ')
+
+-tunable_policy(`fcron_crond',`
+- allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
++tunable_policy(`fcron_crond', `
++ allow crond_t system_cron_spool_t:file manage_file_perms;
+ ')
+
+ optional_policy(`
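Review bot: `mta_system_content(cron_spool_t)` is called unconditionally in the daemon section, while the matching `mta_system_content(system_cron_spool_t)` in the `@@ -591,6` hunk is wrapped in an `optional_policy` block; one of the two forms is wrong, since either the mta module is guaranteed present (then both can be plain) or it is not (then the plain call fails to build without it). Both are type-association calls that belong next to the `files_spool_file` declarations they were removed from, not among crond_t's access rules. `userdom_manage_all_users_keys(crond_t)` is added beside a `# Not sure why this is needed` comment that explains nothing about it, and `tunable_policy(\`fcron_crond', \`` carries a stray space the file's other tunable_policy lines do not.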
+@@ -354,103 +303,135 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client(crond_t)
+-
+- optional_policy(`
+- hal_dbus_chat(crond_t)
+- ')
+-
+- optional_policy(`
+- unconfined_dbus_send(crond_t)
+- ')
++ djbdns_search_tinydns_keys(crond_t)
++ djbdns_link_tinydns_keys(crond_t)
+ ')
+
+ optional_policy(`
+- amanda_search_var_lib(crond_t)
++ locallogin_search_keys(crond_t)
++ locallogin_link_keys(crond_t)
+ ')
+
+ optional_policy(`
+- amavis_search_lib(crond_t)
++ # these should probably be unconfined_crond_t
++ dbus_system_bus_client(crond_t)
++ init_dbus_send_script(crond_t)
++ init_dbus_chat(crond_t)
+ ')
+
+ optional_policy(`
+- djbdns_search_tinydns_keys(crond_t)
+- djbdns_link_tinydns_keys(crond_t)
++ amanda_search_var_lib(crond_t)
+ ')
+
+ optional_policy(`
+- hal_write_log(crond_t)
++ antivirus_search_db(crond_t)
+ ')
+
+ optional_policy(`
+- locallogin_search_keys(crond_t)
+- locallogin_link_keys(crond_t)
++ hal_dbus_chat(crond_t)
++ hal_write_log(crond_t)
++ hal_dbus_chat(system_cronjob_t)
+ ')
+
+ optional_policy(`
+- mta_send_mail(crond_t)
++ # cjp: why?
++ munin_search_lib(crond_t)
+ ')
+
+ optional_policy(`
+- munin_search_lib(crond_t)
++ rpc_search_nfs_state_data(crond_t)
+ ')
+
+ optional_policy(`
+- postgresql_search_db(crond_t)
++ # Commonly used from postinst scripts
++ rpm_read_pipes(crond_t)
+ ')
+
+ optional_policy(`
+- rpc_search_nfs_state_data(crond_t)
++ # allow crond to find /usr/lib/postgresql/bin/do.maintenance
++ postgresql_search_db(crond_t)
+ ')
+
+ optional_policy(`
+- rpm_read_pipes(crond_t)
++ systemd_use_fds_logind(crond_t)
++ systemd_write_inherited_logind_sessions_pipes(crond_t)
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(crond_t)
++ udev_read_db(crond_t)
+ ')
+
+ optional_policy(`
+- udev_read_db(crond_t)
++ vnstatd_search_lib(crond_t)
+ ')
+
+ ########################################
+ #
+-# System local policy
++# System cron process domain
+ #
+
+ allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
++
+ allow system_cronjob_t self:process { signal_perms getsched setsched };
+ allow system_cronjob_t self:fd use;
+ allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
+ allow system_cronjob_t self:passwd rootok;
+
+-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++# This is to handle creation of files in /var/log directory.
++# Used currently by rpm script log files
++allow system_cronjob_t cron_log_t:file manage_file_perms;
+ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+
++# This is to handle /var/lib/misc directory. Used currently
++# by prelink var/lib files for cron
+ allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
+ files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+
+ allow system_cronjob_t cron_var_run_t:file manage_file_perms;
+ files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+
++allow system_cronjob_t system_cron_spool_t:file read_file_perms;
++
++# anacron forces the following
+ manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+
++# The entrypoint interface is not used as this is not
++# a regular entrypoint. Since crontab files are
++# not directly executed, crond must ensure that
++# the crontab file has a type that is appropriate
++# for the domain of the user cron job. It
++# performs an entrypoint permission check
++# for this purpose.
++allow system_cronjob_t system_cron_spool_t:file entrypoint;
++
++# Permit a transition from the crond_t domain to this domain.
++# The transition is requested explicitly by the modified crond
++# via setexeccon. There is no way to set up an automatic
++# transition, since crontabs are configuration files, not executables.
++allow crond_t system_cronjob_t:process transition;
++dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
++allow crond_t system_cronjob_t:fd use;
++allow system_cronjob_t crond_t:fd use;
++allow system_cronjob_t crond_t:fifo_file rw_file_perms;
++allow system_cronjob_t crond_t:process sigchld;
++allow crond_t system_cronjob_t:key manage_key_perms;
++
++# Write /var/lock/makewhatis.lock.
+ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
+ files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
+
++# write temporary files
++manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+ manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
++filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
++files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
+
++# var/lib files for system_crond
++files_search_var_lib(system_cronjob_t)
+ manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
+-allow system_cronjob_t crond_t:fd use;
+-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+-allow system_cronjob_t crond_t:process sigchld;
+-
++# Read from /var/spool/cron.
+ allow system_cronjob_t cron_spool_t:dir list_dir_perms;
+ allow system_cronjob_t cron_spool_t:file rw_file_perms;
+
+@@ -461,11 +442,11 @@ kernel_read_network_state(system_cronjob_t)
+ kernel_read_system_state(system_cronjob_t)
+ kernel_read_software_raid_state(system_cronjob_t)
+
++# ps does not need to access /boot when run from cron
+ files_dontaudit_search_boot(system_cronjob_t)
+
+ corecmd_exec_all_executables(system_cronjob_t)
+
+-corenet_all_recvfrom_unlabeled(system_cronjob_t)
+ corenet_all_recvfrom_netlabel(system_cronjob_t)
+ corenet_tcp_sendrecv_generic_if(system_cronjob_t)
+ corenet_udp_sendrecv_generic_if(system_cronjob_t)
+@@ -485,6 +466,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+ fs_getattr_all_pipes(system_cronjob_t)
+ fs_getattr_all_sockets(system_cronjob_t)
+
++# quiet other ps operations
+ domain_dontaudit_read_all_domains_state(system_cronjob_t)
+
+ files_exec_etc_files(system_cronjob_t)
+@@ -495,17 +477,22 @@ files_getattr_all_files(system_cronjob_t)
+ files_getattr_all_symlinks(system_cronjob_t)
+ files_getattr_all_pipes(system_cronjob_t)
+ files_getattr_all_sockets(system_cronjob_t)
+-files_read_usr_files(system_cronjob_t)
+ files_read_var_files(system_cronjob_t)
++# for nscd:
+ files_dontaudit_search_pids(system_cronjob_t)
++# Access other spool directories like
++# /var/spool/anacron and /var/spool/slrnpull.
+ files_manage_generic_spool(system_cronjob_t)
+ files_create_boot_flag(system_cronjob_t)
+
+ mls_file_read_to_clearance(system_cronjob_t)
+
+ init_domtrans_script(system_cronjob_t)
+-init_read_utmp(system_cronjob_t)
+ init_use_script_fds(system_cronjob_t)
++init_read_utmp(system_cronjob_t)
++init_dontaudit_rw_utmp(system_cronjob_t)
++# prelink tells init to restart it self, we either need to allow or dontaudit
++init_telinit(system_cronjob_t)
+
+ auth_use_nsswitch(system_cronjob_t)
+
+@@ -516,20 +503,26 @@ logging_read_generic_logs(system_cronjob_t)
+ logging_send_audit_msgs(system_cronjob_t)
+ logging_send_syslog_msg(system_cronjob_t)
+
+-miscfiles_read_localization(system_cronjob_t)
+-
+ seutil_read_config(system_cronjob_t)
+
++userdom_manage_tmpfs_files(system_cronjob_t, file)
++userdom_tmpfs_filetrans(system_cronjob_t, file)
++
+ ifdef(`distro_redhat',`
++ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
++ allow crond_t system_cron_spool_t:file manage_file_perms;
++
++ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(system_cronjob_t)
+ ')
+ ')
+
++selinux_get_fs_mount(system_cronjob_t)
++
+ tunable_policy(`cron_can_relabel',`
+ seutil_domtrans_setfiles(system_cronjob_t)
+ ',`
+- selinux_get_fs_mount(system_cronjob_t)
+ selinux_validate_context(system_cronjob_t)
+ selinux_compute_access_vector(system_cronjob_t)
+ selinux_compute_create_context(system_cronjob_t)
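Review bot: Inside the `distro_redhat` block the inserted `allow crond_t system_cron_spool_t:file manage_file_perms;` splits the two-line rpm comment in half, leaving `# via redirection of standard out.` describing nothing, and is a crond_t rule placed in the system_cronjob_t section. It also grants the daemon write and unlink on system crontabs unconditionally on Red Hat builds, which makes the `fcron_crond` tunable in the `@@ -312,41` hunk, whose only purpose is to add exactly this permission, moot there. If the Red Hat crond genuinely needs it, move it to the daemon section with its own comment and restore the rpm comment as two consecutive lines; otherwise drop it.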
+@@ -539,10 +532,18 @@ tunable_policy(`cron_can_relabel',`
+ ')
+
+ optional_policy(`
++ # Needed for certwatch
+ apache_exec_modules(system_cronjob_t)
+ apache_read_config(system_cronjob_t)
+ apache_read_log(system_cronjob_t)
+ apache_read_sys_content(system_cronjob_t)
++ apache_manage_lib(system_cronjob_t)
++ apache_delete_cache_dirs(system_cronjob_t)
++ apache_delete_cache_files(system_cronjob_t)
++')
++
++optional_policy(`
++ bind_read_config(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -551,10 +552,6 @@ optional_policy(`
+
+ optional_policy(`
+ dbus_system_bus_client(system_cronjob_t)
+-
+- optional_policy(`
+- networkmanager_dbus_chat(system_cronjob_t)
+- ')
+ ')
+
+ optional_policy(`
+@@ -591,6 +588,7 @@ optional_policy(`
+ optional_policy(`
+ mta_read_config(system_cronjob_t)
+ mta_send_mail(system_cronjob_t)
++ mta_system_content(system_cron_spool_t)
+ ')
+
+ optional_policy(`
+@@ -598,7 +596,23 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ networkmanager_dbus_chat(system_cronjob_t)
++')
++
++optional_policy(`
+ postfix_read_config(system_cronjob_t)
++')
++
++optional_policy(`
++ prelink_delete_cache(system_cronjob_t)
++ prelink_manage_lib(system_cronjob_t)
++ prelink_manage_log(system_cronjob_t)
++ prelink_read_cache(system_cronjob_t)
++ prelink_relabel_lib(system_cronjob_t)
++')
++
++optional_policy(`
++ rkhunter_manage_lib_files(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -607,7 +621,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ snapper_dbus_chat(system_cronjob_t)
++')
++
++optional_policy(`
+ spamassassin_manage_lib_files(system_cronjob_t)
++ spamassassin_manage_home_client(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -615,12 +634,27 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
++ systemd_dbus_chat_logind(system_cronjob_t)
++ systemd_dbus_chat_timedated(system_cronjob_t)
++ systemd_dbus_chat_hostnamed(system_cronjob_t)
++ systemd_dbus_chat_localed(system_cronjob_t)
++ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
++')
++
++optional_policy(`
++ unconfined_domain(crond_t)
++ unconfined_domain(system_cronjob_t)
++')
++
++optional_policy(`
++ unconfined_shell_domtrans(crond_t)
++ unconfined_dbus_send(crond_t)
++ userdom_filetrans_home_content(crond_t)
+ ')
+
+ ########################################
+ #
+-# Cronjob local policy
++# User cronjobs local policy
+ #
+
+ allow cronjob_t self:process { signal_perms setsched };
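Review bot: `unconfined_domain(crond_t)` and `unconfined_domain(system_cronjob_t)` inside a bare `optional_policy` block make the cron daemon and every system cron job unconfined whenever the unconfined module is loaded, which is the usual case on a targeted build; every access rule for those two domains in this file then becomes decoration. An `optional_policy` only tests module presence, not an administrator's choice, so this should at least be gated by a tunable, or moved to the separate unconfined case the file already provides with `unconfined_cronjob_t`, and the block needs a comment stating that it removes confinement. The neighbouring block replaces `userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, ...)` with `userdom_filetrans_home_content(crond_t)` on a different domain, changing which process creates home content; if that is intended it deserves a comment too.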
+@@ -628,12 +662,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+ allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
+ allow cronjob_t self:unix_dgram_socket create_socket_perms;
+
++# The entrypoint interface is not used as this is not
++# a regular entrypoint. Since crontab files are
++# not directly executed, crond must ensure that
++# the crontab file has a type that is appropriate
++# for the domain of the user cron job. It
++# performs an entrypoint permission check
++# for this purpose.
++allow cronjob_t user_cron_spool_t:file entrypoint;
++
++# Permit a transition from the crond_t domain to this domain.
++# The transition is requested explicitly by the modified crond
++# via setexeccon. There is no way to set up an automatic
++# transition, since crontabs are configuration files, not executables.
++allow crond_t cronjob_t:process transition;
++dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
++allow crond_t cronjob_t:fd use;
++allow cronjob_t crond_t:fd use;
++allow cronjob_t crond_t:fifo_file rw_file_perms;
++allow cronjob_t crond_t:process sigchld;
++
+ kernel_read_system_state(cronjob_t)
+ kernel_read_kernel_sysctls(cronjob_t)
+
++# ps does not need to access /boot when run from cron
+ files_dontaudit_search_boot(cronjob_t)
+
+-corenet_all_recvfrom_unlabeled(cronjob_t)
+ corenet_all_recvfrom_netlabel(cronjob_t)
+ corenet_tcp_sendrecv_generic_if(cronjob_t)
+ corenet_udp_sendrecv_generic_if(cronjob_t)
+@@ -641,66 +695,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+ corenet_udp_sendrecv_generic_node(cronjob_t)
+ corenet_tcp_sendrecv_all_ports(cronjob_t)
+ corenet_udp_sendrecv_all_ports(cronjob_t)
+-
+-corenet_sendrecv_all_client_packets(cronjob_t)
+ corenet_tcp_connect_all_ports(cronjob_t)
+-
+-corecmd_exec_all_executables(cronjob_t)
++corenet_sendrecv_all_client_packets(cronjob_t)
+
+ dev_read_urand(cronjob_t)
+
+ fs_getattr_all_fs(cronjob_t)
+
++corecmd_exec_all_executables(cronjob_t)
++
++# quiet other ps operations
+ domain_dontaudit_read_all_domains_state(cronjob_t)
+ domain_dontaudit_getattr_all_domains(cronjob_t)
+
+ files_exec_etc_files(cronjob_t)
+-files_read_etc_runtime_files(cronjob_t)
+-files_read_var_files(cronjob_t)
+-files_read_usr_files(cronjob_t)
+-files_search_spool(cronjob_t)
++# for nscd:
+ files_dontaudit_search_pids(cronjob_t)
+
+ libs_exec_lib_files(cronjob_t)
+ libs_exec_ld_so(cronjob_t)
+
++files_read_etc_runtime_files(cronjob_t)
++files_read_var_files(cronjob_t)
++files_search_spool(cronjob_t)
++
+ logging_search_logs(cronjob_t)
+
+ seutil_read_config(cronjob_t)
+
+-miscfiles_read_localization(cronjob_t)
+
+ userdom_manage_user_tmp_files(cronjob_t)
+ userdom_manage_user_tmp_symlinks(cronjob_t)
+ userdom_manage_user_tmp_pipes(cronjob_t)
+ userdom_manage_user_tmp_sockets(cronjob_t)
++# Run scripts in user home directory and access shared libs.
+ userdom_exec_user_home_content_files(cronjob_t)
++# Access user files and dirs.
+ userdom_manage_user_home_content_files(cronjob_t)
+ userdom_manage_user_home_content_symlinks(cronjob_t)
+ userdom_manage_user_home_content_pipes(cronjob_t)
+ userdom_manage_user_home_content_sockets(cronjob_t)
+
+-tunable_policy(`cron_userdomain_transition',`
+- dontaudit cronjob_t crond_t:fd use;
+- dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+- dontaudit cronjob_t crond_t:process sigchld;
+-
+- dontaudit cronjob_t user_cron_spool_t:file entrypoint;
+-',`
+- allow cronjob_t crond_t:fd use;
+- allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+- allow cronjob_t crond_t:process sigchld;
++list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
+
+- allow cronjob_t user_cron_spool_t:file entrypoint;
++tunable_policy(`fcron_crond',`
++ allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
+
++# need a per-role version of this:
++#optional_policy(`
++# mono_domtrans(cronjob_t)
++#')
++
+ optional_policy(`
+ nis_use_ypbind(cronjob_t)
+ ')
+
++##############################
++#
++# crontab common policy
++#
++
++# dac_override is to create the file in the directory under /tmp
++allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
++allow crontab_domain self:process { getcap setsched signal_perms };
++allow crontab_domain self:fifo_file rw_fifo_file_perms;
++
++allow crontab_domain crond_t:process signal;
++allow crontab_domain crond_var_run_t:file read_file_perms;
++
++corecmd_exec_bin(crontab_domain)
++corecmd_exec_shell(crontab_domain)
++
++# create files in /var/spool/cron
++manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
++filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
++files_list_spool(crontab_domain)
++
++# crontab signals crond by updating the mtime on the spooldir
++allow crontab_domain cron_spool_t:dir setattr_dir_perms;
++
++# for the checks used by crontab -u
++selinux_dontaudit_search_fs(crontab_domain)
++
++fs_getattr_xattr_fs(crontab_domain)
++fs_manage_cgroup_dirs(crontab_domain)
++fs_manage_cgroup_files(crontab_domain)
++
++domain_use_interactive_fds(crontab_domain)
++
++files_dontaudit_search_pids(crontab_domain)
++
++fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
++
++auth_rw_var_auth(crontab_domain)
++
++logging_send_audit_msgs(crontab_domain)
++logging_set_loginuid(crontab_domain)
++
++init_dontaudit_write_utmp(crontab_domain)
++init_read_utmp(crontab_domain)
++init_read_state(crontab_domain)
++
++
++seutil_read_config(crontab_domain)
++
++userdom_manage_user_tmp_dirs(crontab_domain)
++userdom_manage_user_tmp_files(crontab_domain)
++# Access terminals.
++userdom_use_inherited_user_terminals(crontab_domain)
++# Read user crontabs
++userdom_read_user_home_content_files(crontab_domain)
++userdom_read_user_home_content_symlinks(crontab_domain)
++
++tunable_policy(`fcron_crond',`
++ # fcron wants an instant update of a crontab change for the administrator
++ # also crontab does a security check for crontab -u
++ dontaudit crontab_domain crond_t:process signal;
++')
++
++optional_policy(`
++ ssh_dontaudit_use_ptys(crontab_domain)
++')
++
++optional_policy(`
++ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
++ openshift_transition(system_cronjob_t)
++')
++
+ ########################################
+ #
+-# Unconfined local policy
++# Unconfined cronjobs local policy
+ #
+
+ type unconfined_cronjob_t;
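Review bot: `allow crond_t user_cron_spool_t:file manage_lnk_file_perms;` applies a link-file permission set to class `file`; that set includes create, write, unlink and rename, so the daemon keeps full write on user crontabs even though the `read_files_pattern` just above and the `fcron_crond` tunable just below (which conditionally adds `manage_file_perms`) show that read-only was intended for the non-fcron case. The lines this replaces in the `@@ -237,73` hunk had `manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` on class lnk_file, so `file` here looks like a transcription slip; restoring `manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` gives the narrowing the surrounding rules expect. The five crond_t spool rules and that tunable sit under the `User cronjobs local policy` header rather than in the daemon section, and `openshift_transition(system_cronjob_t)` is in the crontab common block although it targets system_cronjob_t. The relocated crontab block also silently drops `kernel_read_system_state`, `files_read_etc_files`, `logging_send_syslog_msg` and `miscfiles_read_localization` and swaps `userdom_use_user_terminals` for `userdom_use_inherited_user_terminals`; a one-line comment on why these are no longer needed would help.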
+diff --git a/ctdb.fc b/ctdb.fc
+index 8401fe6..d58f3e7 100644
+--- a/ctdb.fc
++++ b/ctdb.fc
+@@ -1,12 +1,18 @@
+ /etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
+
+ /usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
++/usr/sbin/ctdbd_wrapper -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
++/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0)
++
++/var/lib/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
+ /var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
+
+ /var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
+ /var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
+
++
++/var/run/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
+ /var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
+
+ /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
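Review bot: Labelling `/usr/sbin/ctdbd_wrapper` as `ctdbd_exec_t` makes it a second entry point into `ctdbd_t`; if the wrapper is a script that in turn executes `/usr/sbin/ctdbd`, `ctdbd_t` also needs to run `ctdbd_exec_t` without a domain transition, and none of the ctdb.te hunks in this patch adds `can_exec(ctdbd_t, ctdbd_exec_t)`. I cannot see whether the unchanged part of ctdb.te already grants that, so please confirm before merging. The `/var/ctdb`, `/var/lib/ctdb` and `/var/run/ctdb` additions are consistent with the `files_var_filetrans` names introduced in ctdb.te.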
+diff --git a/ctdb.if b/ctdb.if
+index b25b01d..e99c5c6 100644
+--- a/ctdb.if
++++ b/ctdb.if
+@@ -1,9 +1,144 @@
+-## Clustered Database based on Samba Trivial Database.
++
++## policy for ctdbd
++
++########################################
++##
++## Transition to ctdbd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ctdbd_domtrans',`
++ gen_require(`
++ type ctdbd_t, ctdbd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
++')
++
++########################################
++##
++## Execute ctdbd server in the ctdbd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_initrc_domtrans',`
++ gen_require(`
++ type ctdbd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
++')
++
++########################################
++##
++## Read ctdbd's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`ctdbd_read_log',`
++ gen_require(`
++ type ctdbd_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
++')
++
++########################################
++##
++## Append to ctdbd log files.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ctdbd_append_log',`
++ gen_require(`
++ type ctdbd_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
++')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## ctdbd lib files.
++## Manage ctdbd log files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`ctdbd_manage_log',`
++ gen_require(`
++ type ctdbd_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
++ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
++ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
++')
++
++########################################
++##
++## Search ctdbd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_search_lib',`
++ gen_require(`
++ type ctdbd_var_lib_t;
++ ')
++
++ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read ctdbd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_read_lib_files',`
++ gen_require(`
++ type ctdbd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
++')
++
++########################################
++##
++## Manage ctdbd lib files.
+ ##
+ ##
+ ##
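Review bot: The parameter descriptions in `ctdbd_append_log` and `ctdbd_manage_log` are copy-paste leftovers: the first says `## Domain allowed to transition.` and the second `## Domain to not audit.`, although both simply grant access to `ctdbd_log_t`, so both should read `## Domain allowed access.` as in `ctdbd_read_log` and the lib interfaces. `ctdbd_read_log` also carries one `##` line more than its siblings in the parameter block. Otherwise the new interfaces follow the read/append/manage pattern consistently.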
+@@ -17,13 +152,12 @@ interface(`ctdbd_manage_lib_files',`
+ ')
+
+ files_search_var_lib($1)
+- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
++ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ ')
+
+-#######################################
++########################################
+ ##
+-## Connect to ctdbd with a unix
+-## domain stream socket.
++## Manage ctdbd lib files.
+ ##
+ ##
+ ##
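Review bot: The doc block rewritten at the end of this hunk belongs to the `ctdbd_manage_var_files` interface that opens in the next hunk, but its summary still reads `## Manage ctdbd lib files.`, the same text as the interface directly above it. Since this one handles `ctdbd_var_t`, which ctdb.fc labels on `/var/ctdb`, it should say `## Manage ctdbd var files.` The only other change in this hunk is whitespace on the `manage_files_pattern` line.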
+@@ -31,19 +165,77 @@ interface(`ctdbd_manage_lib_files',`
+ ##
+ ##
+ #
+-interface(`ctdbd_stream_connect',`
++interface(`ctdbd_manage_var_files',`
+ gen_require(`
+- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
++ type ctdbd_var_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t)
++')
++
++########################################
++##
++## Manage ctdbd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_manage_lib_dirs',`
++ gen_require(`
++ type ctdbd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
++')
++
++########################################
++##
++## Read ctdbd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_read_pid_files',`
++ gen_require(`
++ type ctdbd_var_run_t;
+ ')
+
+ files_search_pids($1)
+- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
++ allow $1 ctdbd_var_run_t:file read_file_perms;
++')
++
++#######################################
++##
++## Connect to ctdbd over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_stream_connect',`
++ gen_require(`
++ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
++ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
+ ')
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an ctdb environment.
++## All of the rules required to administrate
++## an ctdbd environment
+ ##
+ ##
+ ##
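Review bot: `ctdbd_manage_var_files` calls `files_search_var_lib($1)`, but `ctdbd_var_t` is labelled under `/var/ctdb` in ctdb.fc and created through `files_var_filetrans` in ctdb.te, so callers need search on `/var` itself: `files_search_var($1)`. Separately, `ctdbd_stream_connect` now connects to `ctdbd_tmp_t` sockets through a second `stream_connect_pattern` call while only `files_search_pids($1)` is granted; reaching a socket under tmp would also need `files_search_tmp($1)`, a gap the old single-pattern line already had, so it is inherited rather than introduced. The `ctdbd_admin` summary also reads "an ctdbd environment"; "a ctdbd environment" is the grammatical form.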
+@@ -57,16 +249,19 @@ interface(`ctdbd_stream_connect',`
+ ##
+ ##
+ #
+-interface(`ctdb_admin',`
++interface(`ctdbd_admin',`
+ gen_require(`
+- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
++ type ctdbd_t, ctdbd_initrc_exec_t;
+ type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
+ ')
+
+- allow $1 ctdbd_t:process { ptrace signal_perms };
++ allow $1 ctdbd_t:process signal_perms;
+ ps_process_pattern($1, ctdbd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ctdbd_t:process ptrace;
++ ')
+
+- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
++ ctdbd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ctdbd_initrc_exec_t system_r;
+ allow $2 system_r;
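Review bot: `ctdbd_admin` drops `ctdbd_tmp_t` from its `gen_require`, and the following hunk removes the matching `files_search_tmp($1)` / `admin_pattern($1, ctdbd_tmp_t)` pair, yet `ctdbd_tmp_t` is still required by `ctdbd_stream_connect` in this file and still appears as hunk-header context in ctdb.te; an administrator will no longer be able to list or remove the daemon's tmp files. Unless the type is retired in a part of the patch I cannot see, keep `type ctdbd_tmp_t;` in the require and restore the two admin lines. The `deny_ptrace` gate around the `ptrace` permission matches what the cups_admin hunk does, so that part is consistent.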
+@@ -74,12 +269,10 @@ interface(`ctdb_admin',`
+ logging_search_logs($1)
+ admin_pattern($1, ctdbd_log_t)
+
+- files_search_tmp($1)
+- admin_pattern($1, ctdbd_tmp_t)
+-
+ files_search_var_lib($1)
+ admin_pattern($1, ctdbd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, ctdbd_var_run_t)
+ ')
++
+diff --git a/ctdb.te b/ctdb.te
+index 001b502..2ab29db 100644
+--- a/ctdb.te
++++ b/ctdb.te
+@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
+ type ctdbd_var_lib_t;
+ files_type(ctdbd_var_lib_t)
+
++type ctdbd_var_t;
++files_type(ctdbd_var_t)
++
+ type ctdbd_var_run_t;
+ files_pid_file(ctdbd_var_run_t)
+
+@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t)
+ #
+
+ allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
++allow ctdbd_t self:capability2 block_suspend;
+ allow ctdbd_t self:process { setpgid signal_perms setsched };
+ allow ctdbd_t self:fifo_file rw_fifo_file_perms;
+ allow ctdbd_t self:unix_stream_socket { accept connectto listen };
+ allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow ctdbd_t self:packet_socket create_socket_perms;
+ allow ctdbd_t self:tcp_socket create_stream_socket_perms;
++allow ctdbd_t self:udp_socket create_socket_perms;
+
+ append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+ create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+@@ -57,10 +62,17 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
+ exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
++files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")
++
++manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
++manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
++manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
++files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")
++files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
+
+ manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+ manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
++manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+ files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
+
+ kernel_read_network_state(ctdbd_t)
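Review bot: `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")` names only the `ctdb` spelling, while ctdb.fc in this patch labels both `/var/lib/ctdb` and `/var/lib/ctdbd` as `ctdbd_var_lib_t`; a `/var/lib/ctdbd` directory created by the daemon would be left as `var_lib_t` until a relabel. The `/var` transitions a few lines below name both `ctdbd` and `ctdb`, so add `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdbd")` for the same symmetry, unless that path is only ever created by the package.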
+@@ -72,9 +84,12 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
+ corenet_tcp_sendrecv_generic_if(ctdbd_t)
+ corenet_tcp_sendrecv_generic_node(ctdbd_t)
+ corenet_tcp_bind_generic_node(ctdbd_t)
++corenet_udp_bind_generic_node(ctdbd_t)
+
+ corenet_sendrecv_ctdb_server_packets(ctdbd_t)
+ corenet_tcp_bind_ctdb_port(ctdbd_t)
++corenet_udp_bind_ctdb_port(ctdbd_t)
++corenet_tcp_connect_ctdb_port(ctdbd_t)
+ corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
+
+ corecmd_exec_bin(ctdbd_t)
+@@ -85,12 +100,14 @@ dev_read_urand(ctdbd_t)
+
+ domain_dontaudit_read_all_domains_state(ctdbd_t)
+
+-files_read_etc_files(ctdbd_t)
+ files_search_all_mountpoints(ctdbd_t)
+
++fs_getattr_all_fs(ctdbd_t)
++
++auth_use_nsswitch(ctdbd_t)
++
+ logging_send_syslog_msg(ctdbd_t)
+
+-miscfiles_read_localization(ctdbd_t)
+ miscfiles_read_public_files(ctdbd_t)
+
+ optional_policy(`
+@@ -109,6 +126,7 @@ optional_policy(`
+ samba_initrc_domtrans(ctdbd_t)
+ samba_domtrans_net(ctdbd_t)
+ samba_rw_var_files(ctdbd_t)
++ samba_systemctl(ctdbd_t)
+ ')
+
+ optional_policy(`
+diff --git a/cups.fc b/cups.fc
+index 949011e..9437dbe 100644
+--- a/cups.fc
++++ b/cups.fc
+@@ -1,77 +1,91 @@
+-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+-/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
++/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+
+ /etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
+
+-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
+-
+-/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+
+-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+-/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
+
+-/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+-/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+-/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+-/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+-/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+-/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+
+-/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
++/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+
+-/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+-/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+-/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+-/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+ /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+ /usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
+
+-/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+-/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
++/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+
+-/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
++/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
+ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
+-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
++/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
++/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+
+-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
++/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
++
++/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
++/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+-/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+-/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
++/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++
++/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++
++/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
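Review bot: `/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)` lacks the trailing `?` that every other directory pattern in this file carries, so the `/var/run/hplip` directory itself does not match and keeps whatever label its parent gives it; it should read `/var/run/hplip(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)`. `/usr/lib/bjlib(/.*)?` is the only `/usr/lib` path given the writable `cupsd_rw_etc_t` type, and it is placed in the `/var/lib` group with `mls_systemhigh`; if that is intentional (driver data that cupsd rewrites), a short comment would stop it being tidied away. The Brother/Printer block at the end also gained two consecutive blank lines.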
+diff --git a/cups.if b/cups.if
+index 3023be7..0317731 100644
+--- a/cups.if
++++ b/cups.if
+@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
+ interface(`cups_read_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
++ type hplip_etc_t;
+ ')
+
+ files_search_etc($1)
+- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
++ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
++ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
++ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+ ')
+
+ ########################################
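Review bot: With cups.te in this patch turning `hplip_etc_t` into a typealias of `cupsd_etc_t`, the added `type hplip_etc_t;` require and `read_files_pattern($1, hplip_etc_t, hplip_etc_t)` grant nothing beyond the `cupsd_etc_t` line above them. Either drop the two lines, or leave a comment saying the alias is kept for policies outside this module that still name `hplip_etc_t`. Splitting the former `{ cupsd_etc_t cupsd_rw_etc_t }` target into two calls is a style choice and behaves the same.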
+@@ -306,6 +309,30 @@ interface(`cups_stream_connect_ptal',`
+
+ ########################################
+ ##
++## Execute cupsd server in the cupsd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cupsd_systemctl',`
++ gen_require(`
++ type cupsd_t;
++ type cupsd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 cupsd_unit_file_t:file read_file_perms;
++ allow $1 cupsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, cupsd_t)
++')
++
++########################################
++##
+ ## Read the process state (/proc/pid) of cupsd.
+ ##
+ ##
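Review bot: The new interface is named `cupsd_systemctl` while every other interface in cups.if uses the module prefix `cups_` (`cups_read_config`, `cups_admin`, and `cups_filetrans_named_content` later in this patch); the later `cups_admin` hunk calls it by this name, so a rename has to update that call too. Its doc block is copied from a domtrans interface — `## Execute cupsd server in the cupsd domain.` and `## Domain allowed to transition.` — and should describe what it grants, e.g. `## Execute systemctl to manage the cupsd units.` with `## Domain allowed access.` `init_reload_services($1)` appears to reach beyond the cupsd unit; if it is needed because reload goes through a generic init interface, a one-line comment would record that.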
+@@ -344,18 +371,23 @@ interface(`cups_read_state',`
+ interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
++ type cupsd_etc_t, cupsd_log_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+ type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
+ type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
+ type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
+- type hplip_t, ptal_t;
++ type ptal_t;
++ type cupsd_unit_file_t;
+ ')
+
+- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
+- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
++ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
++ allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
+ ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
+- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
++ ps_process_pattern($1, { cups_pdf_t ptal_t })
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
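Review bot: The `deny_ptrace` block restores `ptrace` only for `{ cupsd_t cupsd_config_t cupsd_lpd_t }`; the removed lines also granted it on `{ cups_pdf_t ptal_t }`, and the new code drops that unconditionally rather than gating it. If the intent is just to put ptrace behind the boolean, add `allow $1 { cups_pdf_t ptal_t }:process ptrace;` inside the same tunable block; if the drop is deliberate, a comment saying so would help. The braces around a lone `signal_perms` on the two rewritten allow lines are not needed.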
+@@ -368,13 +400,45 @@ interface(`cups_admin',`
+ logging_list_logs($1)
+ admin_pattern($1, cupsd_log_t)
+
+- files_list_spool($1)
+- admin_pattern($1, cupsd_spool_t)
+-
+ files_list_tmp($1)
+ admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
+-
+- files_list_pids($1)
+ admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
+ admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
++
++ cupsd_systemctl($1)
++ admin_pattern($1, cupsd_unit_file_t)
++ allow $1 cupsd_unit_file_t:service all_service_perms;
++')
++
++########################################
++##
++## Transition to cups named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cups_filetrans_named_content',`
++ gen_require(`
++ type cupsd_rw_etc_t;
++ type cupsd_etc_t;
++ ')
++
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
++ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
++ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
+ ')
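Review bot: `files_list_pids($1)` is removed from `cups_admin` while the `admin_pattern` calls for `cupsd_config_var_run_t`, `cupsd_var_run_t`, `hplip_var_run_t`, `ptal_var_run_t` and `cupsd_lpd_var_run_t` stay, so unless the admin domain obtains search on `var_run_t` elsewhere it can no longer reach those files by path; restore `files_list_pids($1)` above them. The `cupsd_spool_t` removal presumably tracks a type removal outside this chunk, which I cannot confirm. In `cups_filetrans_named_content`, `files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")` creates `/var/cups` as `cupsd_rw_etc_t`, but cups.fc has no `/var/cups` entry (only `/var/cache/cups` and `/var/run/cups`), so either add the fc line or check the intended parent directory.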
+diff --git a/cups.te b/cups.te
+index c91813c..dbd69b1 100644
+--- a/cups.te
++++ b/cups.te
+@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
+ # Declarations
+ #
+
+-type cupsd_config_t;
++##
++##
++## Allow cups execmem/execstack
++##
++##
++gen_tunable(cups_execmem, false)
++
++attribute cups_domain;
++
++type cupsd_config_t, cups_domain;
+ type cupsd_config_exec_t;
+ init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
+
+ type cupsd_config_var_run_t;
+ files_pid_file(cupsd_config_var_run_t)
+
+-type cupsd_t;
++type cupsd_t, cups_domain;
+ type cupsd_exec_t;
++typealias cupsd_t alias hplip_t;
++typealias cupsd_exec_t alias hplip_exec_t;
+ init_daemon_domain(cupsd_t, cupsd_exec_t)
+ mls_trusted_object(cupsd_t)
+
+ type cupsd_etc_t;
++typealias cupsd_etc_t alias hplip_etc_t;
+ files_config_file(cupsd_etc_t)
+
+ type cupsd_initrc_exec_t;
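Review bot: `typealias cupsd_t alias hplip_t;` and `typealias cupsd_exec_t alias hplip_exec_t;` fold the HP backend into the daemon domain, so the `hp-*`, `hpijs` and `hpiod` binaries that cups.fc now labels `cupsd_exec_t` inherit the whole `cupsd_t` privilege set — `sys_admin`, `dac_override`, `chown` and `corenet_tcp_connect_all_ports` further down this file. That is a deliberate consolidation, but it undoes the separate `hplip_t` confinement, so it deserves a sentence in the commit message or a comment next to the aliases explaining why the backend cannot stay in its own domain. The `cups_execmem` tunable defaults to false, which is the right default; naming which drivers need it in the tunable description would help administrators decide.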
+@@ -33,13 +45,15 @@ type cupsd_lock_t;
+ files_lock_file(cupsd_lock_t)
+
+ type cupsd_log_t;
++typealias cupsd_log_t alias hplip_var_log_t;
+ logging_log_file(cupsd_log_t)
+
+-type cupsd_lpd_t;
++type cupsd_var_lib_t alias hplip_var_lib_t;
++files_type(cupsd_var_lib_t)
++
++type cupsd_lpd_t, cups_domain;
+ type cupsd_lpd_exec_t;
+-domain_type(cupsd_lpd_t)
+-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
+-role system_r types cupsd_lpd_t;
++init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
+
+ type cupsd_lpd_tmp_t;
+ files_tmp_file(cupsd_lpd_tmp_t)
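Review bot: `type cupsd_var_lib_t alias hplip_var_lib_t;` uses the inline `alias` form, while the other merged types in this file are declared with a separate `typealias` statement (`typealias cupsd_log_t alias hplip_var_log_t;` a few lines above); one form throughout reads better. `init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)` replaces the explicit `domain_type`/`domain_entry_file`/`role system_r` trio, which is fine provided init.if in this tree defines `init_domain` — it is not part of this patch.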
+@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
+ type cupsd_lpd_var_run_t;
+ files_pid_file(cupsd_lpd_var_run_t)
+
+-type cups_pdf_t;
++type cups_pdf_t, cups_domain;
+ type cups_pdf_exec_t;
+ cups_backend(cups_pdf_t, cups_pdf_exec_t)
+
+@@ -55,29 +69,17 @@ type cups_pdf_tmp_t;
+ files_tmp_file(cups_pdf_tmp_t)
+
+ type cupsd_tmp_t;
++typealias cupsd_tmp_t alias hplip_tmp_t;
+ files_tmp_file(cupsd_tmp_t)
+
+ type cupsd_var_run_t;
++typealias cupsd_var_run_t alias hplip_var_run_t;
+ files_pid_file(cupsd_var_run_t)
+ init_daemon_run_dir(cupsd_var_run_t, "cups")
+ mls_trusted_object(cupsd_var_run_t)
+
+-type hplip_t;
+-type hplip_exec_t;
+-init_daemon_domain(hplip_t, hplip_exec_t)
+-cups_backend(hplip_t, hplip_exec_t)
+-
+-type hplip_etc_t;
+-files_config_file(hplip_etc_t)
+-
+-type hplip_tmp_t;
+-files_tmp_file(hplip_tmp_t)
+-
+-type hplip_var_lib_t;
+-files_type(hplip_var_lib_t)
+-
+-type hplip_var_run_t;
+-files_pid_file(hplip_var_run_t)
++type cupsd_unit_file_t;
++systemd_unit_file(cupsd_unit_file_t)
+
+ type ptal_t;
+ type ptal_exec_t;
+@@ -97,21 +99,49 @@ ifdef(`enable_mls',`
+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
+ ')
+
++#######################################
++#
++# Cups general local policy
++#
++
++allow cups_domain self:capability { setuid setgid sys_nice };
++allow cups_domain self:process { getsched setsched signal_perms };
++allow cups_domain self:fifo_file rw_fifo_file_perms;
++allow cups_domain self:tcp_socket { accept listen };
++allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
++
++kernel_read_kernel_sysctls(cups_domain)
++kernel_read_network_state(cups_domain)
++
++corecmd_exec_bin(cups_domain)
++corecmd_exec_shell(cups_domain)
++
++dev_read_urand(cups_domain)
++dev_read_rand(cups_domain)
++dev_read_sysfs(cups_domain)
++
++fs_getattr_all_fs(cups_domain)
++
++miscfiles_read_fonts(cups_domain)
++miscfiles_setattr_fonts_cache_dirs(cups_domain)
++
++optional_policy(`
++ lpd_manage_spool(cups_domain)
++')
++
+ ########################################
+ #
+ # Cups local policy
+ #
+
+-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
+ dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+ allow cupsd_t self:capability2 block_suspend;
+-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+-allow cupsd_t self:fifo_file rw_fifo_file_perms;
++allow cupsd_t self:process { getpgid setpgid setsched };
+ allow cupsd_t self:unix_stream_socket { accept connectto listen };
+ allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+ allow cupsd_t self:shm create_shm_perms;
+ allow cupsd_t self:sem create_sem_perms;
+-allow cupsd_t self:tcp_socket { accept listen };
+ allow cupsd_t self:appletalk_socket create_socket_perms;
+
+ allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
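Review bot: `allow cups_domain self:capability { setuid setgid sys_nice };` extends `setuid`/`setgid` to every member of the new attribute — `cupsd_config_t`, `cupsd_lpd_t`, `cups_pdf_t` — while the rewritten `cupsd_t` capability line in the same hunk removes them from the daemon, so they move from one domain to all four. Unless each helper actually changes uid, grant those two per domain and keep only the shared `sys_nice` on the attribute. The rewritten `cupsd_t` capability line still lists `dac_override` twice; drop the duplicate.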
+@@ -120,11 +150,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+
+ manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
++can_exec(cupsd_t, cupsd_interface_t)
+
+ manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+ manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+ filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+ files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
++cups_filetrans_named_content(cupsd_t)
++can_exec(cupsd_t, cupsd_rw_etc_t)
+
+ allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
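Review bot: `can_exec(cupsd_t, cupsd_rw_etc_t)` lets cupsd execute files of a type it fully manages — `manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)`, `files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })` and the new named transitions all create `cupsd_rw_etc_t` — so a compromised cupsd could write a file under `/etc/cups/ppd` or `/var/cache/cups` and run it. `cupsd_interface_t` is already writable and executable, but that surface is confined to `/etc/cups/interfaces`; if one specific filter or script under a rw_etc path must run, label that file `cupsd_interface_t` or `bin_t` instead of making the whole config type executable. `can_exec(cupsd_t, cupsd_interface_t)` added after the `manage_files_pattern` line duplicates the existing `can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })` in the next hunk.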
+@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+
++manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
++manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
++
+ manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
+
++allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
+ manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
+
+-allow cupsd_t hplip_t:process { signal sigkill };
+-
+-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
++allow cupsd_t cupsd_unit_file_t:file read_file_perms;
+
+-allow cupsd_t hplip_var_run_t:file read_file_perms;
+
+ stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
+ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+ can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
+
+ kernel_read_system_state(cupsd_t)
+-kernel_read_network_state(cupsd_t)
+ kernel_read_all_sysctls(cupsd_t)
+ kernel_request_load_module(cupsd_t)
+
+-corenet_all_recvfrom_unlabeled(cupsd_t)
+ corenet_all_recvfrom_netlabel(cupsd_t)
+ corenet_tcp_sendrecv_generic_if(cupsd_t)
+ corenet_udp_sendrecv_generic_if(cupsd_t)
+@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+ corenet_tcp_bind_all_rpc_ports(cupsd_t)
+ corenet_tcp_connect_all_ports(cupsd_t)
+
+-corecmd_exec_bin(cupsd_t)
+-corecmd_exec_shell(cupsd_t)
++corenet_sendrecv_hplip_client_packets(cupsd_t)
++corenet_receive_hplip_server_packets(cupsd_t)
++corenet_tcp_bind_hplip_port(cupsd_t)
++corenet_tcp_connect_hplip_port(cupsd_t)
++corenet_tcp_bind_glance_port(cupsd_t)
++corenet_tcp_connect_glance_port(cupsd_t)
++
++corenet_sendrecv_ipp_client_packets(cupsd_t)
++corenet_tcp_connect_ipp_port(cupsd_t)
++
++corenet_sendrecv_howl_server_packets(cupsd_t)
++corenet_udp_bind_howl_port(cupsd_t)
+
+ dev_rw_printer(cupsd_t)
+-dev_read_urand(cupsd_t)
+-dev_read_sysfs(cupsd_t)
+ dev_rw_input_dev(cupsd_t)
+ dev_rw_generic_usb_dev(cupsd_t)
+ dev_rw_usbfs(cupsd_t)
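Review bot: `corenet_tcp_bind_glance_port(cupsd_t)` and `corenet_tcp_connect_glance_port(cupsd_t)` attach the OpenStack glance port type to the print daemon with no explanation; I assume this is a port-number overlap with something hplip or ipp uses rather than a real dependency on glance. A one-line comment above them stating the actual reason would keep the next cleanup from removing them, or, if the overlap lives in the corenet port definitions, that is where it should be fixed.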
+@@ -203,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
+ files_getattr_boot_dirs(cupsd_t)
+ files_list_spool(cupsd_t)
+ files_read_etc_runtime_files(cupsd_t)
+-files_read_usr_files(cupsd_t)
+ files_exec_usr_files(cupsd_t)
+ # for /var/lib/defoma
+ files_read_var_lib_files(cupsd_t)
+@@ -212,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
+ files_read_world_readable_symlinks(cupsd_t)
+ files_read_var_files(cupsd_t)
+ files_read_var_symlinks(cupsd_t)
+-files_write_generic_pid_pipes(cupsd_t)
+ files_dontaudit_getattr_all_tmp_files(cupsd_t)
+ files_dontaudit_list_home(cupsd_t)
+ # for /etc/printcap
+ files_dontaudit_write_etc_files(cupsd_t)
++files_dontaudit_write_usr_dirs(cupsd_t)
+
+-fs_getattr_all_fs(cupsd_t)
+ fs_search_auto_mountpoints(cupsd_t)
+ fs_search_fusefs(cupsd_t)
+ fs_read_anon_inodefs_files(cupsd_t)
++fs_rw_anon_inodefs_files(cupsd_t)
++fs_rw_inherited_tmpfs_files(cupsd_t)
+
++mls_dbus_send_all_levels(cupsd_t)
+ mls_fd_use_all_levels(cupsd_t)
+ mls_file_downgrade(cupsd_t)
+ mls_file_write_all_levels(cupsd_t)
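Review bot: `fs_rw_anon_inodefs_files(cupsd_t)` is added directly under `fs_read_anon_inodefs_files(cupsd_t)`, and the rw interface subsumes the read one, so keep only the rw line. `files_write_generic_pid_pipes(cupsd_t)` is removed here and re-added inside the unconfined dbus `optional_policy` block later in this patch, which narrows it sensibly; the `fs_getattr_all_fs` move to `cups_domain` is consistent with the new general section.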
+@@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
+
+ term_search_ptys(cupsd_t)
+ term_use_unallocated_ttys(cupsd_t)
++term_use_ptmx(cupsd_t)
++term_use_usb_ttys(cupsd_t)
+
+ selinux_compute_access_vector(cupsd_t)
+ selinux_validate_context(cupsd_t)
+@@ -244,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+ auth_rw_faillog(cupsd_t)
+ auth_use_nsswitch(cupsd_t)
+
+-libs_read_lib_files(cupsd_t)
+ libs_exec_lib_files(cupsd_t)
++libs_exec_ldconfig(cupsd_t)
+
+ logging_send_audit_msgs(cupsd_t)
+ logging_send_syslog_msg(cupsd_t)
+
+-miscfiles_read_localization(cupsd_t)
+-miscfiles_read_fonts(cupsd_t)
+-miscfiles_setattr_fonts_cache_dirs(cupsd_t)
+-
+ seutil_read_config(cupsd_t)
+
+ sysnet_exec_ifconfig(cupsd_t)
++sysnet_dns_name_resolve(cupsd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
++userdom_dontaudit_search_user_home_dirs(cupsd_t)
++userdom_dontaudit_search_user_home_content(cupsd_t)
++userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+ userdom_dontaudit_search_user_home_content(cupsd_t)
+
++tunable_policy(`cups_execmem',`
++ allow cupsd_t self:process { execmem execstack };
++')
++
++
+ optional_policy(`
+ apm_domtrans_client(cupsd_t)
+ ')
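Review bot: `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` and `userdom_dontaudit_search_user_home_content(cupsd_t)` each appear twice on the new side of this hunk: the added lines repeat two that were already present, so the duplicated pair should be removed. The new `cups_execmem` tunable block grants `execmem execstack`, i.e. writable-and-executable memory for cupsd; its `gen_tunable` declaration is not in this hunk, so confirm it exists with a description saying which printer filters need it and that it defaults to false. The two blank lines after the block should be collapsed to one to match the file's spacing.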
+@@ -272,6 +320,8 @@ optional_policy(`
+ optional_policy(`
+ dbus_system_bus_client(cupsd_t)
+
++ init_dbus_chat(cupsd_t)
++
+ userdom_dbus_send_all_users(cupsd_t)
+
+ optional_policy(`
+@@ -282,8 +332,10 @@ optional_policy(`
+ hal_dbus_chat(cupsd_t)
+ ')
+
++ # talk to processes that do not have policy
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
++ files_write_generic_pid_pipes(cupsd_t)
+ ')
+ ')
+
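Review bot: `files_write_generic_pid_pipes(cupsd_t)` has been moved into the `optional_policy` block for `unconfined_dbus_chat`, but the rule concerns pipes under the pid directory, not the unconfined module, so it now disappears whenever that module is not built. It was dropped from the unconditional section in the earlier hunk `@@ -212,17 +251,19 @@`; if the access is really only needed when talking to unconfined processes the added comment should say so, otherwise keep the line unconditional. The enclosing `optional_policy` block starts outside this hunk.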
+@@ -296,8 +348,8 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
+ kerberos_manage_host_rcache(cupsd_t)
+- kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
+ ')
+
+ optional_policy(`
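Review bot: `kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")` drops the `file` class argument that the removed line passed, which only builds if the kerberos.if in this tree declares the two-argument form; check the interface definition rather than assuming it changed in step. If the class is still a parameter, the line should remain `kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")`.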
+@@ -306,7 +358,6 @@ optional_policy(`
+
+ optional_policy(`
+ lpd_exec_lpr(cupsd_t)
+- lpd_manage_spool(cupsd_t)
+ lpd_read_config(cupsd_t)
+ lpd_relabel_spool(cupsd_t)
+ ')
+@@ -334,7 +385,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- virt_rw_all_image_chr_files(cupsd_t)
++ virt_rw_chr_files(cupsd_t)
++')
++
++optional_policy(`
++ vmware_read_system_config(cupsd_t)
+ ')
+
+ ########################################
+@@ -342,12 +397,11 @@ optional_policy(`
+ # Configuration daemon local policy
+ #
+
+-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
++allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
+ dontaudit cupsd_config_t self:capability sys_tty_config;
+-allow cupsd_config_t self:process { getsched signal_perms };
+-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
+-allow cupsd_config_t self:tcp_socket { accept listen };
++allow cupsd_config_t self:process { getsched };
+
++domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
+ allow cupsd_config_t cupsd_t:process signal;
+ ps_process_pattern(cupsd_config_t, cupsd_t)
+
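Review bot: `domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)` added here and `can_exec(cupsd_config_t, cupsd_exec_t)` added in the next hunk (`@@ -372,18 +426,16 @@`) pull in opposite directions: the first installs a type_transition to cupsd_t on execve of cupsd_exec_t, the second allows running the same binary without leaving cupsd_config_t. With both present the transition fires by default and the can_exec only matters if cupsd_config_t explicitly sets an exec context, so decide which behaviour is intended and remove the other. Separately, `allow cupsd_config_t self:process { getsched };` does not need braces around a single permission: `allow cupsd_config_t self:process getsched;`.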
+@@ -372,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+ manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+ files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
+
+-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
++read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
+
+ stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+
+ can_exec(cupsd_config_t, cupsd_config_exec_t)
+-
+-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
++can_exec(cupsd_config_t, cupsd_exec_t)
+
+ kernel_read_system_state(cupsd_config_t)
+ kernel_read_all_sysctls(cupsd_config_t)
+
+-corenet_all_recvfrom_unlabeled(cupsd_config_t)
+ corenet_all_recvfrom_netlabel(cupsd_config_t)
+ corenet_tcp_sendrecv_generic_if(cupsd_config_t)
+ corenet_tcp_sendrecv_generic_node(cupsd_config_t)
+@@ -392,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+ corenet_sendrecv_all_client_packets(cupsd_config_t)
+ corenet_tcp_connect_all_ports(cupsd_config_t)
+
+-corecmd_exec_bin(cupsd_config_t)
+-corecmd_exec_shell(cupsd_config_t)
+-
+-dev_read_sysfs(cupsd_config_t)
+-dev_read_urand(cupsd_config_t)
+-dev_read_rand(cupsd_config_t)
+ dev_rw_generic_usb_dev(cupsd_config_t)
+
+ files_read_etc_runtime_files(cupsd_config_t)
+-files_read_usr_files(cupsd_config_t)
+ files_read_var_symlinks(cupsd_config_t)
+ files_search_all_mountpoints(cupsd_config_t)
+
+-fs_getattr_all_fs(cupsd_config_t)
+ fs_search_auto_mountpoints(cupsd_config_t)
+
+ domain_use_interactive_fds(cupsd_config_t)
+@@ -417,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t)
+
+ logging_send_syslog_msg(cupsd_config_t)
+
+-miscfiles_read_localization(cupsd_config_t)
+-miscfiles_read_hwdata(cupsd_config_t)
+-
+-seutil_dontaudit_search_config(cupsd_config_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+ userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+ userdom_read_all_users_state(cupsd_config_t)
+@@ -449,9 +488,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_read_config(cupsd_config_t)
++')
++
++optional_policy(`
+ hal_domtrans(cupsd_config_t)
+ hal_read_tmp_files(cupsd_config_t)
+- hal_dontaudit_use_fds(hplip_t)
+ ')
+
+ optional_policy(`
+@@ -487,10 +529,6 @@ optional_policy(`
+ # Lpd local policy
+ #
+
+-allow cupsd_lpd_t self:capability { setuid setgid };
+-allow cupsd_lpd_t self:process signal_perms;
+-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
+-allow cupsd_lpd_t self:tcp_socket { accept listen };
+ allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+ allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
+@@ -508,15 +546,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+
+ kernel_read_kernel_sysctls(cupsd_lpd_t)
+ kernel_read_system_state(cupsd_lpd_t)
+-kernel_read_network_state(cupsd_lpd_t)
+
+-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+ corenet_all_recvfrom_netlabel(cupsd_lpd_t)
+ corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
+ corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
+
+ corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
+ corenet_tcp_connect_ipp_port(cupsd_lpd_t)
++corenet_tcp_bind_printer_port(cupsd_lpd_t)
++corenet_tcp_connect_printer_port(cupsd_lpd_t)
+ corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
+
+ corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
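Review bot: `corenet_tcp_bind_printer_port(cupsd_lpd_t)` and `corenet_tcp_connect_printer_port(cupsd_lpd_t)` are inserted between the ipp client rules and `corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)`, splitting that group; move them down next to `corenet_sendrecv_printer_server_packets(cupsd_lpd_t)` where the printer-port rules are. Binding a port is also unusual for a domain that a later hunk registers via `inetd_service_domain`, so if the bind is genuinely needed a one-line comment naming the code path that listens would help the next reader.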
+@@ -537,9 +575,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+
+ logging_send_syslog_msg(cupsd_lpd_t)
+
+-miscfiles_read_localization(cupsd_lpd_t)
+-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+-
+ optional_policy(`
+ inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
+ ')
+@@ -550,7 +585,6 @@ optional_policy(`
+ #
+
+ allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
+-allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
+ allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+
+ append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+@@ -566,148 +600,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+
+ kernel_read_system_state(cups_pdf_t)
+
+-files_read_usr_files(cups_pdf_t)
+-
+-corecmd_exec_bin(cups_pdf_t)
+-corecmd_exec_shell(cups_pdf_t)
+-
+ auth_use_nsswitch(cups_pdf_t)
+
+-miscfiles_read_localization(cups_pdf_t)
+-miscfiles_read_fonts(cups_pdf_t)
+-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
+-
+ userdom_manage_user_home_content_dirs(cups_pdf_t)
+ userdom_manage_user_home_content_files(cups_pdf_t)
+-userdom_home_filetrans_user_home_dir(cups_pdf_t)
++userdom_filetrans_home_content(cups_pdf_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(cups_pdf_t)
+ fs_manage_nfs_files(cups_pdf_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(cups_pdf_t)
+- fs_manage_cifs_files(cups_pdf_t)
+-')
+-
+-optional_policy(`
+- lpd_manage_spool(cups_pdf_t)
+-')
+-
+-########################################
+-#
+-# HPLIP local policy
+-#
+-
+-allow hplip_t self:capability { dac_override dac_read_search net_raw };
+-dontaudit hplip_t self:capability sys_tty_config;
+-allow hplip_t self:fifo_file rw_fifo_file_perms;
+-allow hplip_t self:process signal_perms;
+-allow hplip_t self:tcp_socket { accept listen };
+-allow hplip_t self:rawip_socket create_socket_perms;
+-
+-allow hplip_t cupsd_etc_t:dir search_dir_perms;
+-
+-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
+-
+-allow hplip_t hplip_etc_t:dir list_dir_perms;
+-allow hplip_t hplip_etc_t:file read_file_perms;
+-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
+-
+-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+-
+-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
+-
+-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
+-files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+-
+-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+-
+-kernel_read_system_state(hplip_t)
+-kernel_read_kernel_sysctls(hplip_t)
+-
+-corenet_all_recvfrom_unlabeled(hplip_t)
+-corenet_all_recvfrom_netlabel(hplip_t)
+-corenet_tcp_sendrecv_generic_if(hplip_t)
+-corenet_udp_sendrecv_generic_if(hplip_t)
+-corenet_raw_sendrecv_generic_if(hplip_t)
+-corenet_tcp_sendrecv_generic_node(hplip_t)
+-corenet_udp_sendrecv_generic_node(hplip_t)
+-corenet_raw_sendrecv_generic_node(hplip_t)
+-corenet_tcp_sendrecv_all_ports(hplip_t)
+-corenet_udp_sendrecv_all_ports(hplip_t)
+-corenet_tcp_bind_generic_node(hplip_t)
+-corenet_udp_bind_generic_node(hplip_t)
+-
+-corenet_sendrecv_hplip_client_packets(hplip_t)
+-corenet_receive_hplip_server_packets(hplip_t)
+-corenet_tcp_bind_hplip_port(hplip_t)
+-corenet_tcp_connect_hplip_port(hplip_t)
+-
+-corenet_sendrecv_ipp_client_packets(hplip_t)
+-corenet_tcp_connect_ipp_port(hplip_t)
+-
+-corenet_sendrecv_howl_server_packets(hplip_t)
+-corenet_udp_bind_howl_port(hplip_t)
+-
+-corecmd_exec_bin(hplip_t)
+-
+-dev_read_sysfs(hplip_t)
+-dev_rw_printer(hplip_t)
+-dev_read_urand(hplip_t)
+-dev_read_rand(hplip_t)
+-dev_rw_generic_usb_dev(hplip_t)
+-dev_rw_usbfs(hplip_t)
+-
+-domain_use_interactive_fds(hplip_t)
+-
+-files_read_etc_files(hplip_t)
+-files_read_etc_runtime_files(hplip_t)
+-files_read_usr_files(hplip_t)
+-
+-fs_getattr_all_fs(hplip_t)
+-fs_search_auto_mountpoints(hplip_t)
+-fs_rw_anon_inodefs_files(hplip_t)
+-
+-logging_send_syslog_msg(hplip_t)
+-
+-miscfiles_read_localization(hplip_t)
+-
+-sysnet_dns_name_resolve(hplip_t)
+-
+-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+-userdom_dontaudit_search_user_home_dirs(hplip_t)
+-userdom_dontaudit_search_user_home_content(hplip_t)
++userdom_home_manager(cups_pdf_t)
+
+ optional_policy(`
+- dbus_system_bus_client(hplip_t)
+-
+- optional_policy(`
+- userdom_dbus_send_all_users(hplip_t)
+- ')
++ gnome_read_config(cups_pdf_t)
+ ')
+
+-optional_policy(`
+- lpd_read_config(hplip_t)
+- lpd_manage_spool(hplip_t)
+-')
+-
+-optional_policy(`
+- seutil_sigchld_newrole(hplip_t)
+-')
+-
+-optional_policy(`
+- snmp_read_snmp_var_lib_files(hplip_t)
+-')
+-
+-optional_policy(`
+- udev_read_db(hplip_t)
+-')
+
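Review bot: `userdom_home_manager(cups_pdf_t)` is added while the `use_nfs_home_dirs` tunable block above it is kept and the matching `use_samba_home_dirs` block is removed, so NFS home access is now expressed twice and CIFS home access only through the new interface; if `userdom_home_manager` already covers both filesystems, the remaining nfs block should go too, otherwise the samba block was dropped by mistake. The entire HPLIP local-policy section is deleted from cups.te here, and the earlier hunk `@@ -372,18 +426,16 @@` removes the last visible use of `hplip_etc_t`; check cups.fc and cups.if for remaining `hplip_*` references, since the types are no longer declared in this file unless they were moved earlier in the file (not visible in this hunk).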
+ ########################################
+ #
+@@ -735,7 +644,6 @@ kernel_read_kernel_sysctls(ptal_t)
+ kernel_list_proc(ptal_t)
+ kernel_read_proc_symlinks(ptal_t)
+
+-corenet_all_recvfrom_unlabeled(ptal_t)
+ corenet_all_recvfrom_netlabel(ptal_t)
+ corenet_tcp_sendrecv_generic_if(ptal_t)
+ corenet_tcp_sendrecv_generic_node(ptal_t)
+@@ -745,13 +653,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+ corenet_tcp_bind_ptal_port(ptal_t)
+ corenet_tcp_sendrecv_ptal_port(ptal_t)
+
+-dev_read_sysfs(ptal_t)
+ dev_read_usbfs(ptal_t)
+ dev_rw_printer(ptal_t)
+
+ domain_use_interactive_fds(ptal_t)
+
+-files_read_etc_files(ptal_t)
+ files_read_etc_runtime_files(ptal_t)
+
+ fs_getattr_all_fs(ptal_t)
+@@ -759,8 +665,6 @@ fs_search_auto_mountpoints(ptal_t)
+
+ logging_send_syslog_msg(ptal_t)
+
+-miscfiles_read_localization(ptal_t)
+-
+ sysnet_read_config(ptal_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ptal_t)
+@@ -773,3 +677,4 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(ptal_t)
+ ')
++
+diff --git a/cvs.fc b/cvs.fc
+index 75c8be9..4c1a965 100644
+--- a/cvs.fc
++++ b/cvs.fc
+@@ -1,13 +1,16 @@
++HOME_DIR/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
++/root/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
++
+ /etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
+
+ /opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+
+ /usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
+
+-/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
++/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
+
+ /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+
+ /var/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0)
+
+-/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
++/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
+diff --git a/cvs.if b/cvs.if
+index 64775fd..91a6056 100644
+--- a/cvs.if
++++ b/cvs.if
+@@ -1,5 +1,23 @@
+ ## Concurrent versions system.
+
++######################################
++##
++## Dontaudit Attempts to list the CVS data and metadata.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`cvs_dontaudit_list_data',`
++ gen_require(`
++ type cvs_data_t;
++ ')
++
++ dontaudit $1 cvs_data_t:dir list_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Read CVS data and metadata content.
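Review bot: The summary of the new `cvs_dontaudit_list_data` interface reads `## Dontaudit Attempts to list the CVS data and metadata.`, which does not follow the wording used by the other dontaudit interfaces in this policy; `## Do not audit attempts to list CVS data and metadata directories.` matches the convention and names the object class the rule covers.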
+@@ -41,6 +59,24 @@ interface(`cvs_exec',`
+
+ ########################################
+ ##
++## Transition to cvs named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cvs_filetrans_home_content',`
++ gen_require(`
++ type cvs_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an cvs environment
+ ##
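Review bot: The summary `## Transition to cvs named content` for `cvs_filetrans_home_content` does not say what the interface actually does; the body installs a named file transition so that a file called `.cvsignore` created in a user home directory gets `cvs_home_t`. `## Create .cvsignore files in user home directories with the cvs_home_t type.` would describe it accurately.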
+@@ -60,11 +96,17 @@ interface(`cvs_admin',`
+ gen_require(`
+ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+ type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
++ type cvs_home_t;
+ ')
+
+- allow $1 cvs_t:process { ptrace signal_perms };
++ allow $1 cvs_t:process signal_perms;
+ ps_process_pattern($1, cvs_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cvs_t:process ptrace;
++ ')
++
++ # Allow cvs_t to restart the apache service
+ init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cvs_initrc_exec_t system_r;
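Review bot: The added comment `# Allow cvs_t to restart the apache service` describes the wrong thing: the line below it, `init_labeled_script_domtrans($1, cvs_initrc_exec_t)`, lets the admin domain `$1` run the cvs init script and has nothing to do with cvs_t or apache. Replace it with `# allow the admin domain to run the cvs init script`. The rest of `cvs_admin` continues outside this hunk.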
+@@ -81,4 +123,7 @@ interface(`cvs_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, cvs_var_run_t)
++
++ userdom_search_user_home_dirs($1)
++ admin_pattern($1, cvs_home_t)
+ ')
+diff --git a/cvs.te b/cvs.te
+index 0f77550..cd608bc 100644
+--- a/cvs.te
++++ b/cvs.te
+@@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
+ ## password files.
+ ##
+ ##
+-gen_tunable(allow_cvs_read_shadow, false)
++gen_tunable(cvs_read_shadow, false)
+
+ type cvs_t;
+ type cvs_exec_t;
+@@ -34,17 +34,23 @@ files_tmp_file(cvs_tmp_t)
+ type cvs_var_run_t;
+ files_pid_file(cvs_var_run_t)
+
++type cvs_home_t;
++userdom_user_home_content(cvs_home_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow cvs_t self:capability { setuid setgid };
++allow cvs_t self:capability { dac_override dac_read_search setuid setgid };
+ allow cvs_t self:process signal_perms;
+ allow cvs_t self:fifo_file rw_fifo_file_perms;
+ allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+ allow cvs_t self:tcp_socket { accept listen };
+
++userdom_search_user_home_dirs(cvs_t)
++allow cvs_t cvs_home_t:file read_file_perms;
++
+ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
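Review bot: `allow cvs_t self:capability { dac_override dac_read_search setuid setgid };` now grants dac_override unconditionally, while the `cvs_read_shadow` tunable block in the later hunk `@@ -86,18 +101,16 @@` still grants `dac_override` conditionally; the unconditional grant makes that conditional line dead and removes the capability half of the gate the tunable provides. If cvs needs dac_override for repository access regardless of the tunable, say so in a comment here and drop the line inside the tunable block; otherwise keep it conditional. `allow cvs_t cvs_home_t:file read_file_perms;` could also be written `read_files_pattern(cvs_t, cvs_home_t, cvs_home_t)` for consistency with the pattern macros below it.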
+@@ -74,6 +80,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t)
+ corecmd_exec_bin(cvs_t)
+ corecmd_exec_shell(cvs_t)
+
++corenet_all_recvfrom_netlabel(cvs_t)
++corenet_tcp_sendrecv_generic_if(cvs_t)
++corenet_udp_sendrecv_generic_if(cvs_t)
++corenet_tcp_sendrecv_generic_node(cvs_t)
++corenet_udp_sendrecv_generic_node(cvs_t)
++corenet_tcp_sendrecv_all_ports(cvs_t)
++corenet_udp_sendrecv_all_ports(cvs_t)
++corenet_tcp_bind_cvs_port(cvs_t)
++
+ dev_read_urand(cvs_t)
+
+ files_read_etc_runtime_files(cvs_t)
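Review bot: The new corenet block is placed after `corecmd_exec_bin(cvs_t)`/`corecmd_exec_shell(cvs_t)`, separated from the existing corenet group that the hunk header shows ending with `corenet_tcp_sendrecv_cvs_port(cvs_t)`; move it up so all corenet_ rules sit together. `corenet_udp_sendrecv_all_ports(cvs_t)` together with the udp generic_if/node lines opens UDP on every port for a daemon that the existing rules treat as a TCP pserver; if no UDP traffic is actually needed they should be dropped, otherwise a comment should name the traffic they cover.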
+@@ -86,18 +101,16 @@ auth_use_nsswitch(cvs_t)
+
+ init_read_utmp(cvs_t)
+
++init_dontaudit_read_utmp(cvs_t)
++
+ logging_send_syslog_msg(cvs_t)
+ logging_send_audit_msgs(cvs_t)
+
+-miscfiles_read_localization(cvs_t)
+-
+ mta_send_mail(cvs_t)
+
+-userdom_dontaudit_search_user_home_dirs(cvs_t)
+-
+ # cjp: typeattribute doesnt work in conditionals yet
+ auth_can_read_shadow_passwords(cvs_t)
+-tunable_policy(`allow_cvs_read_shadow',`
++tunable_policy(`cvs_read_shadow',`
+ allow cvs_t self:capability dac_override;
+ auth_tunable_read_shadow(cvs_t)
+ ')
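Review bot: `init_dontaudit_read_utmp(cvs_t)` is added two lines below `init_read_utmp(cvs_t)`, which still allows the same access; a dontaudit on a permission that is already allowed has no effect, so one of the two should go (keep the allow if cvs needs utmp, the dontaudit if the read is incidental). The separating blank line between them would then also disappear.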
+@@ -116,8 +129,10 @@ optional_policy(`
+
+ optional_policy(`
+ apache_content_template(cvs)
++ apache_content_alias_template(cvs, cvs)
+
+- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t)
++ manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir })
+ ')
+diff --git a/cyphesis.te b/cyphesis.te
+index 77ffc73..86e11f5 100644
+--- a/cyphesis.te
++++ b/cyphesis.te
+@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
+ corecmd_search_bin(cyphesis_t)
+ corecmd_getattr_bin_files(cyphesis_t)
+
+-corenet_all_recvfrom_unlabeled(cyphesis_t)
+ corenet_tcp_sendrecv_generic_if(cyphesis_t)
+ corenet_tcp_sendrecv_generic_node(cyphesis_t)
+ corenet_tcp_bind_generic_node(cyphesis_t)
+@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t)
+
+ domain_use_interactive_fds(cyphesis_t)
+
+-files_read_etc_files(cyphesis_t)
+-files_read_usr_files(cyphesis_t)
+
+ logging_send_syslog_msg(cyphesis_t)
+
+-miscfiles_read_localization(cyphesis_t)
+-
+ sysnet_dns_name_resolve(cyphesis_t)
+
+ optional_policy(`
+diff --git a/cyrus.if b/cyrus.if
+index 83bfda6..92d9fb2 100644
+--- a/cyrus.if
++++ b/cyrus.if
+@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
+ manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+ ')
+
++#######################################
++##