* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2015-05-15 13:47 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2015-05-15 13:27 ` Sven Vermeulen
From: Sven Vermeulen @ 2015-05-15 13:27 UTC (permalink / raw
To: gentoo-commits
commit: 105c5c80ee234d6bed09a47fa36746382e3830f7
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:25:06 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:25:06 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=105c5c80
postmap is a user command
When a postfix admin updates a postfix database, he has to call
"postmap hash:/etc/postfix/databasename" in order to regenerate the
database (in case of a hash database in the example).
To allow postmap to give feedback on errors, grant it access to the user
terminals and private file descriptors of the admin.
policy/modules/contrib/postfix.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index afc1fde..1c0a34c 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -500,6 +500,8 @@ corecmd_read_bin_files(postfix_map_t)
corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
+domain_use_interactive_fds(postfix_map_t)
+
files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
files_read_etc_runtime_files(postfix_map_t)
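Review bot: the added domain_use_interactive_fds(postfix_map_t) has no comment explaining why postmap needs to inherit interactive file descriptors. The commit message gives the reason (error feedback to the admin who runs postmap), but that does not survive in postfix.te; a one-line comment above the call would keep the rule from looking like an unexplained grant on a later audit.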
@@ -511,6 +513,8 @@ logging_send_syslog_msg(postfix_map_t)
miscfiles_read_localization(postfix_map_t)
+userdom_use_user_terminals(postfix_map_t)
+
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
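Review bot: userdom_use_user_terminals(postfix_map_t) is added directly above the existing optional_policy block that calls locallogin_dontaudit_use_fds(postfix_map_t), and the patch does not say whether that dontaudit is still wanted now that postmap is meant to talk to the admin's terminal. Please confirm the dontaudit does not hide denials relevant to the error-feedback case this commit is fixing, and note the outcome in a comment.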
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2015-05-15 13:47 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2015-05-15 13:27 ` Sven Vermeulen
From: Sven Vermeulen @ 2015-05-15 13:27 UTC (permalink / raw
To: gentoo-commits
commit: 4181d381fa9d12a6c7836c6acbc06ccc8b26e6b6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:21:49 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:21:49 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4181d381
Remove catch-all for postfix libraries
The postfix libraries in /usr/lib/postfix were by default marked as
postfix_exec_t. This however is a design mistake. Libraries should be
of a library type (of which lib_t is a default) so that applications
that use it have the proper read/execute rights without needing those on
the *real* executable types of an application.
policy/modules/contrib/postfix.fc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index da1791b..b71d844 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -4,7 +4,8 @@
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+# Remove catch-all so that .so files remain lib_t
+#/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
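Review bot: commenting out the /usr/lib/postfix/.* entry removes postfix_exec_t from every file in that directory that lacks its own line, not just the .so files named in the new comment. Any helper binary not listed explicitly (only cleanup, local and master are visible in this hunk) will fall back to whatever the directory default is, so the explicit list should be checked against what the package installs. Also consider deleting the old line outright and keeping only the explanatory comment, since the history already records it.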
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2015-05-15 13:47 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2015-05-15 13:29 ` Sven Vermeulen
From: Sven Vermeulen @ 2015-05-15 13:29 UTC (permalink / raw
To: gentoo-commits
commit: 7f4df16703908b51f8a290532f1902a5981134ce
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:28:36 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:28:36 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7f4df167
Move specifics to ifdef distro_gentoo
policy/modules/contrib/postfix.te | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 1c0a34c..47cfeb0 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -500,8 +500,6 @@ corecmd_read_bin_files(postfix_map_t)
corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
-domain_use_interactive_fds(postfix_map_t)
-
files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
files_read_etc_runtime_files(postfix_map_t)
@@ -513,8 +511,6 @@ logging_send_syslog_msg(postfix_map_t)
miscfiles_read_localization(postfix_map_t)
-userdom_use_user_terminals(postfix_map_t)
-
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
@@ -815,4 +811,12 @@ ifdef(`distro_gentoo',`
#
rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+ #####################################
+ #
+ # Local postmap policy
+ #
+
+ domain_use_interactive_fds(postfix_map_t)
+ userdom_use_user_terminals(postfix_map_t)
')
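Review bot: the two rules added under "Local postmap policy" now sit inside the distro_gentoo ifdef, but neither the commit message nor the new comment header says why terminal and interactive-fd access for postfix_map_t is Gentoo-specific. A short rationale in the header would tell the next reader whether these rules are candidates for going upstream or must stay local.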
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2015-05-15 13:47 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2015-05-15 13:47 ` Sven Vermeulen
From: Sven Vermeulen @ 2015-05-15 13:47 UTC (permalink / raw
To: gentoo-commits
commit: 115949be334ab475bf97fa29ad8dc2bc88b71c4c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:46:27 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:46:27 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=115949be
Add bugfix number to policy change for tracking
policy/modules/contrib/postfix.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 47cfeb0..738ce6f 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -816,7 +816,8 @@ ifdef(`distro_gentoo',`
#
# Local postmap policy
#
-
+
+ # Bug #549566
domain_use_interactive_fds(postfix_map_t)
userdom_use_user_terminals(postfix_map_t)
')
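Review bot: the removed and added blank lines at the top of this hunk look identical, which suggests the replacement differs only in whitespace, likely a line that now carries trailing whitespace. Drop that part so the hunk contains only the new comment. The comment itself would be easier to follow up if "Bug #549566" named the tracker or gave the full URL.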
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-05-16 11:13 Sven Vermeulen
From: Sven Vermeulen @ 2015-05-16 11:13 UTC (permalink / raw
To: gentoo-commits
commit: 94b22b5403841d31a3eeb61bab332e81c3afb69d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 16 11:11:10 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 16 11:11:10 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=94b22b54
Add postfix operations to postfix_admin
Allow postfix administrator to execute postfix:
~# /usr/sbin/postfix reload
This also requires the administrative domain to have the ability to send
log messages.
policy/modules/contrib/postfix.if | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..a7ec448 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -748,11 +748,18 @@ interface(`postfix_admin',`
ifdef(`distro_gentoo',`
gen_require(`
type postfix_showq_exec_t;
+ type postfix_master_exec_t;
type postfix_postqueue_t;
')
allow postfix_postqueue_t $1:process sigchld;
can_exec($1, postfix_showq_exec_t)
+
+ # Postfix admin must be able to execute postfix main (for instance for "postfix reload")
+ can_exec($1, postfix_master_exec_t)
+
+ # Allow postfix admin to send message to log files, needed during operations like "postfix reload"
+ logging_send_syslog_msg($1)
')
')
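Review bot: can_exec($1, postfix_master_exec_t) lets the admin domain run the postfix master binary without a domain transition, so everything "postfix reload" does will be attempted with the permissions of $1. The logging_send_syslog_msg($1) added below it is already one consequence, and each further denial will have to be granted to the admin domain as well. Consider whether a transition into a confined postfix domain would serve "postfix reload" with fewer grants on $1.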
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2015-05-16 11:31 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2015-05-16 11:30 ` Sven Vermeulen
From: Sven Vermeulen @ 2015-05-16 11:30 UTC (permalink / raw
To: gentoo-commits
commit: 39073b3161feea2f4e2cbe3c36579127fc235ed6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 16 11:28:57 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 16 11:28:57 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=39073b31
Additional rights for postfix admin
policy/modules/contrib/postfix.if | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index a7ec448..8bc856e 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -761,5 +761,13 @@ interface(`postfix_admin',`
# Allow postfix admin to send message to log files, needed during operations like "postfix reload"
logging_send_syslog_msg($1)
+
+ # Reloading the system through postfix reload needs a few permissions
+ # "postfix: fatal: socket: Permission denied"
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ # "postfix: fatal: inet_addr_local[getifaddrs]: getifaddrs: Permission denied"
+ allow $1 self:netlink_route_socket r_netlink_socket_perms;
+ # "postsuper: fatal: setuid(207): Operation not permitted"
+ allow $1 self:capability { setuid setgid };
')
')
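Review bot: allow $1 self:capability { setuid setgid } gives the calling admin domain the ability to change its own uid and gid for every process in that domain, not only for postsuper. Together with the tcp_socket and netlink_route_socket rules, this is the cost of running the postfix tools inside $1; a dedicated domain entered on exec would keep these permissions off the admin's shell. Minor: the comment says "Reloading the system", where reloading postfix is meant.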
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:24 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:24 UTC (permalink / raw
To: gentoo-commits
commit: 9dbeafd6f528951c4d47edc6a2b2a6482d0c9eaf
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Fri May 22 13:04:59 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:19:23 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9dbeafd6
Module version bump for update to the networkmanager policy module by Stephen Smalley.
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 820cc5b..a4e179f 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.17.0)
+policy_module(networkmanager, 1.17.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:24 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:24 UTC (permalink / raw
To: gentoo-commits
commit: d6a80852487e87428cb97f9d9f776bd2f7ac4348
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 22 14:08:42 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:19:23 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d6a80852
Use init_startstop_service in admin interfaces A-M
Most foo_admin interfaces have transitions on the
foo_initrc_exec_t to system_r. These are only applicable
for RedHat <6. This replaces them with the interface
init_startstop_service which can easily be changed for
other init systems.
make validate passes for all combinations of distros,
standard/mcs/mls, monolithic y/n and direct_initrc y/n
This patch is for files starting with A-M.
policy/modules/contrib/abrt.if | 5 +----
policy/modules/contrib/acct.if | 5 +----
policy/modules/contrib/afs.if | 5 +----
policy/modules/contrib/aiccu.if | 5 +----
policy/modules/contrib/aisexec.if | 5 +----
policy/modules/contrib/amavis.if | 5 +----
policy/modules/contrib/amtu.if | 5 +----
policy/modules/contrib/apache.if | 5 +----
policy/modules/contrib/apcupsd.if | 5 +----
policy/modules/contrib/apm.if | 5 +----
policy/modules/contrib/arpwatch.if | 5 +----
policy/modules/contrib/asterisk.if | 5 +----
policy/modules/contrib/automount.if | 5 +----
policy/modules/contrib/avahi.if | 5 +----
policy/modules/contrib/bacula.if | 5 +----
policy/modules/contrib/bcfg2.if | 5 +----
policy/modules/contrib/bind.if | 5 +----
policy/modules/contrib/bird.if | 5 +----
policy/modules/contrib/bitlbee.if | 5 +----
policy/modules/contrib/bluetooth.if | 5 +----
policy/modules/contrib/boinc.if | 5 +----
policy/modules/contrib/cachefilesd.if | 5 +----
policy/modules/contrib/callweaver.if | 5 +----
policy/modules/contrib/canna.if | 5 +----
policy/modules/contrib/ccs.if | 5 +----
policy/modules/contrib/certmaster.if | 5 +----
policy/modules/contrib/certmonger.if | 5 +----
policy/modules/contrib/cfengine.if | 5 +----
policy/modules/contrib/cgroup.if | 7 ++-----
policy/modules/contrib/chronyd.if | 5 +----
policy/modules/contrib/cipe.if | 5 +----
policy/modules/contrib/clamav.if | 5 +----
policy/modules/contrib/cmirrord.if | 5 +----
policy/modules/contrib/cobbler.if | 5 +----
policy/modules/contrib/collectd.if | 5 +----
policy/modules/contrib/condor.if | 5 +----
policy/modules/contrib/corosync.if | 5 +----
policy/modules/contrib/couchdb.if | 5 +----
policy/modules/contrib/ctdb.if | 5 +----
policy/modules/contrib/cups.if | 5 +----
policy/modules/contrib/cvs.if | 5 +----
policy/modules/contrib/cyphesis.if | 5 +----
policy/modules/contrib/cyrus.if | 5 +----
policy/modules/contrib/dante.if | 5 +----
policy/modules/contrib/ddclient.if | 5 +----
policy/modules/contrib/denyhosts.if | 5 +----
policy/modules/contrib/dhcp.if | 5 +----
policy/modules/contrib/dictd.if | 5 +----
policy/modules/contrib/dirmngr.if | 5 +----
policy/modules/contrib/distcc.if | 5 +----
policy/modules/contrib/dkim.if | 5 +----
policy/modules/contrib/dnsmasq.if | 5 +----
policy/modules/contrib/dnssectrigger.if | 5 +----
policy/modules/contrib/dovecot.if | 5 +----
policy/modules/contrib/drbd.if | 5 +----
policy/modules/contrib/dspam.if | 5 +----
policy/modules/contrib/entropyd.if | 5 +----
policy/modules/contrib/exim.if | 5 +----
policy/modules/contrib/fail2ban.if | 5 +----
policy/modules/contrib/fcoe.if | 5 +----
policy/modules/contrib/fetchmail.if | 5 +----
policy/modules/contrib/firewalld.if | 5 +----
policy/modules/contrib/ftp.if | 5 +----
policy/modules/contrib/gatekeeper.if | 5 +----
policy/modules/contrib/gdomap.if | 5 +----
policy/modules/contrib/glance.if | 6 ++----
policy/modules/contrib/glusterfs.if | 5 +----
policy/modules/contrib/gpm.if | 5 +----
policy/modules/contrib/gpsd.if | 5 +----
policy/modules/contrib/hadoop.if | 5 +----
policy/modules/contrib/hddtemp.if | 5 +----
policy/modules/contrib/howl.if | 5 +----
policy/modules/contrib/hypervkvp.if | 5 +----
policy/modules/contrib/i18n_input.if | 5 +----
policy/modules/contrib/icecast.if | 5 +----
policy/modules/contrib/ifplugd.if | 5 +----
policy/modules/contrib/inn.if | 5 +----
policy/modules/contrib/iodine.if | 5 +----
policy/modules/contrib/ircd.if | 5 +----
policy/modules/contrib/irqbalance.if | 5 +----
policy/modules/contrib/iscsi.if | 5 +----
policy/modules/contrib/isns.if | 5 +----
policy/modules/contrib/jabber.if | 5 +----
policy/modules/contrib/kdump.if | 5 +----
policy/modules/contrib/kerberos.if | 5 +----
policy/modules/contrib/kerneloops.if | 5 +----
policy/modules/contrib/keystone.if | 5 +----
policy/modules/contrib/kismet.if | 5 +----
policy/modules/contrib/ksmtuned.if | 5 +----
policy/modules/contrib/kudzu.if | 5 +----
policy/modules/contrib/l2tp.if | 5 +----
policy/modules/contrib/ldap.if | 5 +----
policy/modules/contrib/likewise.if | 5 +----
policy/modules/contrib/lircd.if | 5 +----
policy/modules/contrib/lldpad.if | 5 +----
policy/modules/contrib/mailscanner.if | 5 +----
policy/modules/contrib/mcelog.if | 5 +----
policy/modules/contrib/memcached.if | 5 +----
policy/modules/contrib/minidlna.if | 5 +----
policy/modules/contrib/minissdpd.if | 5 +----
policy/modules/contrib/mongodb.if | 5 +----
policy/modules/contrib/monop.if | 5 +----
policy/modules/contrib/mpd.if | 5 +----
policy/modules/contrib/mrtg.if | 5 +----
policy/modules/contrib/munin.if | 5 +----
policy/modules/contrib/mysql.if | 6 ++----
106 files changed, 109 insertions(+), 425 deletions(-)
diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if
index 058d908..39b6d29 100644
--- a/policy/modules/contrib/abrt.if
+++ b/policy/modules/contrib/abrt.if
@@ -304,10 +304,7 @@ interface(`abrt_admin',`
allow $1 abrt_domain:process { ptrace signal_perms };
ps_process_pattern($1, abrt_domain)
- init_labeled_script_domtrans($1, abrt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 abrt_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, abrt_t, abrt_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, abrt_etc_t)
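Review bot: the third argument here is abrt_t, while the context line above grants process permissions on abrt_domain. Other conversions in this patch pass the broader name when the interface works on one (afs_domain in afs.if, cfengine_domain in cfengine.if). If init_startstop_service uses that argument for the service's processes, abrt_domain is probably the consistent choice; please check.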
diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
index 81280d0..59d95d0 100644
--- a/policy/modules/contrib/acct.if
+++ b/policy/modules/contrib/acct.if
@@ -106,10 +106,7 @@ interface(`acct_admin',`
allow $1 acct_t:process { ptrace signal_perms };
ps_process_pattern($1, acct_t)
- init_labeled_script_domtrans($1, acct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 acct_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, acct_t, acct_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, acct_data_t)
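Review bot: init_startstop_service is not defined in any file this patch touches (the diffstat lists only policy/modules/contrib/*.if), so the review cannot confirm that it still covers what the four removed lines did, in particular domain_system_change_exemption($1) and the role_transition to system_r. Please reference the commit that introduces the interface in the message, or send it in the same series.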
diff --git a/policy/modules/contrib/afs.if b/policy/modules/contrib/afs.if
index 3b41be6..d934f45 100644
--- a/policy/modules/contrib/afs.if
+++ b/policy/modules/contrib/afs.if
@@ -103,10 +103,7 @@ interface(`afs_admin',`
allow $1 afs_domain:process { ptrace signal_perms };
ps_process_pattern($1, afs_domain)
- afs_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 afs_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, afs_domain, afs_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, afs_config_t)
diff --git a/policy/modules/contrib/aiccu.if b/policy/modules/contrib/aiccu.if
index 3b5dcb9..cd22faa 100644
--- a/policy/modules/contrib/aiccu.if
+++ b/policy/modules/contrib/aiccu.if
@@ -82,10 +82,7 @@ interface(`aiccu_admin',`
allow $1 aiccu_t:process { ptrace signal_perms };
ps_process_pattern($1, aiccu_t)
- aiccu_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 aiccu_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, aiccu_t, aiccu_initrc_exec_t)
admin_pattern($1, aiccu_etc_t)
files_list_etc($1)
diff --git a/policy/modules/contrib/aisexec.if b/policy/modules/contrib/aisexec.if
index a2997fa..9e1a105 100644
--- a/policy/modules/contrib/aisexec.if
+++ b/policy/modules/contrib/aisexec.if
@@ -86,10 +86,7 @@ interface(`aisexecd_admin',`
allow $1 aisexec_t:process { ptrace signal_perms };
ps_process_pattern($1, aisexec_t)
- init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 aisexec_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, aisexec_t, aisexec_initrc_exec_t)
files_list_var_lib($1)
admin_pattern($1, aisexec_var_lib_t)
diff --git a/policy/modules/contrib/amavis.if b/policy/modules/contrib/amavis.if
index 60d4f8c..f8a810c 100644
--- a/policy/modules/contrib/amavis.if
+++ b/policy/modules/contrib/amavis.if
@@ -237,10 +237,7 @@ interface(`amavis_admin',`
allow $1 amavis_t:process { ptrace signal_perms };
ps_process_pattern($1, amavis_t)
- amavis_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 amavis_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, amavis_t, amavis_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, amavis_etc_t)
diff --git a/policy/modules/contrib/amtu.if b/policy/modules/contrib/amtu.if
index 884b23b..6942560 100644
--- a/policy/modules/contrib/amtu.if
+++ b/policy/modules/contrib/amtu.if
@@ -70,8 +70,5 @@ interface(`amtu_admin',`
allow $1 amtu_t:process { ptrace signal_perms };
ps_process_pattern($1, amtu_t)
- init_labeled_script_domtrans($1, amtu_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 amtu_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, amtu_t, amtu_initrc_exec_t)
')
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 717c6f7..16539db 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1318,10 +1318,7 @@ interface(`apache_admin',`
ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 httpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, httpd_t, httpd_initrc_exec_t)
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
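Review bot: only httpd_t is passed as the service domain, although the ps_process_pattern lines just above show this interface administering several domains (httpd_script_domains, httpd_helper_t, httpd_rotatelogs_t, httpd_suexec_t, httpd_passwd_t). If the third argument of init_startstop_service is meant to name what the init script starts, say in a comment why httpd_t alone is enough. The same question applies to bind.if ({ named_t ndc_t }) and boinc.if ({ boinc_t boinc_project_t }).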
diff --git a/policy/modules/contrib/apcupsd.if b/policy/modules/contrib/apcupsd.if
index f3c0aba..3dda634 100644
--- a/policy/modules/contrib/apcupsd.if
+++ b/policy/modules/contrib/apcupsd.if
@@ -149,10 +149,7 @@ interface(`apcupsd_admin',`
allow $1 apcupsd_t:process { ptrace signal_perms };
ps_process_pattern($1, apcupsd_t)
- apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apcupsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, apcupsd_t, apcupsd_initrc_exec_t)
files_list_var($1)
admin_pattern($1, apcupsd_lock_t)
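Review bot: the removed call apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) passed two arguments, whereas the module-specific *_initrc_domtrans calls removed elsewhere in this patch (afs, aiccu, amavis) pass only $1. That looks like a pre-existing mistake that this conversion fixes in passing; worth a line in the commit message so the behaviour change for apcupsd_admin is not silent.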
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/apm.if
index 1a7a97e..32a59e1 100644
--- a/policy/modules/contrib/apm.if
+++ b/policy/modules/contrib/apm.if
@@ -166,10 +166,7 @@ interface(`apm_admin',`
allow $1 apmd_t:process { ptrace signal_perms };
ps_process_pattern($1, apmd_t)
- init_labeled_script_domtrans($1, apmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apmd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, apmd_log_t)
diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if
index 50c9b9c..76389b7 100644
--- a/policy/modules/contrib/arpwatch.if
+++ b/policy/modules/contrib/arpwatch.if
@@ -143,10 +143,7 @@ interface(`arpwatch_admin',`
allow $1 arpwatch_t:process { ptrace signal_perms };
ps_process_pattern($1, arpwatch_t)
- arpwatch_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 arpwatch_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, arpwatch_tmp_t)
diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if
index 2077053..2e3f5a4 100644
--- a/policy/modules/contrib/asterisk.if
+++ b/policy/modules/contrib/asterisk.if
@@ -127,10 +127,7 @@ interface(`asterisk_admin',`
allow $1 asterisk_t:process { ptrace signal_perms };
ps_process_pattern($1, asterisk_t)
- init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 asterisk_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, asterisk_t, asterisk_initrc_exec_t)
asterisk_exec($1)
diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
index f24e369..37847d9 100644
--- a/policy/modules/contrib/automount.if
+++ b/policy/modules/contrib/automount.if
@@ -159,10 +159,7 @@ interface(`automount_admin',`
allow $1 automount_t:process { ptrace signal_perms };
ps_process_pattern($1, automount_t)
- init_labeled_script_domtrans($1, automount_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 automount_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, automount_t, automount_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, automount_keytab_t)
diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
index 9078c3d..4652358 100644
--- a/policy/modules/contrib/avahi.if
+++ b/policy/modules/contrib/avahi.if
@@ -264,10 +264,7 @@ interface(`avahi_admin',`
allow $1 avahi_t:process { ptrace signal_perms };
ps_process_pattern($1, avahi_t)
- avahi_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 avahi_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, avahi_t, avahi_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, avahi_var_run_t)
diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if
index dcd774e..18ad480 100644
--- a/policy/modules/contrib/bacula.if
+++ b/policy/modules/contrib/bacula.if
@@ -74,10 +74,7 @@ interface(`bacula_admin',`
allow $1 bacula_t:process { ptrace signal_perms };
ps_process_pattern($1, bacula_t)
- init_labeled_script_domtrans($1, bacula_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bacula_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bacula_t, bacula_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, bacula_etc_t)
diff --git a/policy/modules/contrib/bcfg2.if b/policy/modules/contrib/bcfg2.if
index ec95d36..0cd2d35 100644
--- a/policy/modules/contrib/bcfg2.if
+++ b/policy/modules/contrib/bcfg2.if
@@ -141,10 +141,7 @@ interface(`bcfg2_admin',`
allow $1 bcfg2_t:process { ptrace signal_perms };
ps_process_pattern($1, bcfg2_t)
- bcfg2_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 bcfg2_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bcfg2_t, bcfg2_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, bcfg2_var_run_t)
diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
index 531a8f2..9654435 100644
--- a/policy/modules/contrib/bind.if
+++ b/policy/modules/contrib/bind.if
@@ -370,10 +370,7 @@ interface(`bind_admin',`
allow $1 { named_t ndc_t }:process { ptrace signal_perms };
ps_process_pattern($1, { named_t ndc_t })
- init_labeled_script_domtrans($1, named_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 named_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, named_t, named_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, named_tmp_t)
diff --git a/policy/modules/contrib/bird.if b/policy/modules/contrib/bird.if
index 85c035f..d744d6b 100644
--- a/policy/modules/contrib/bird.if
+++ b/policy/modules/contrib/bird.if
@@ -26,10 +26,7 @@ interface(`bird_admin',`
allow $1 bird_t:process { ptrace signal_perms };
ps_process_pattern($1, bird_t)
- init_labeled_script_domtrans($1, bird_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bird_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bird_t, bird_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, bird_etc_t)
diff --git a/policy/modules/contrib/bitlbee.if b/policy/modules/contrib/bitlbee.if
index e73fb79..3409d80 100644
--- a/policy/modules/contrib/bitlbee.if
+++ b/policy/modules/contrib/bitlbee.if
@@ -47,10 +47,7 @@ interface(`bitlbee_admin',`
allow $1 bitlbee_t:process { ptrace signal_perms };
ps_process_pattern($1, bitlbee_t)
- init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitlbee_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bitlbee_t, bitlbee_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, bitlbee_conf_t)
diff --git a/policy/modules/contrib/bluetooth.if b/policy/modules/contrib/bluetooth.if
index c723a0a..09d6248 100644
--- a/policy/modules/contrib/bluetooth.if
+++ b/policy/modules/contrib/bluetooth.if
@@ -216,10 +216,7 @@ interface(`bluetooth_admin',`
allow $1 bluetooth_t:process { ptrace signal_perms };
ps_process_pattern($1, bluetooth_t)
- init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bluetooth_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bluetooth_t, bluetooth_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, bluetooth_tmp_t)
diff --git a/policy/modules/contrib/boinc.if b/policy/modules/contrib/boinc.if
index 02fefaa..464a896 100644
--- a/policy/modules/contrib/boinc.if
+++ b/policy/modules/contrib/boinc.if
@@ -28,10 +28,7 @@ interface(`boinc_admin',`
allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
ps_process_pattern($1, { boinc_t boinc_project_t })
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 boinc_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, boinc_t, boinc_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, boinc_log_t)
diff --git a/policy/modules/contrib/cachefilesd.if b/policy/modules/contrib/cachefilesd.if
index 8de2ab9..c4084b9 100644
--- a/policy/modules/contrib/cachefilesd.if
+++ b/policy/modules/contrib/cachefilesd.if
@@ -26,10 +26,7 @@ interface(`cachefilesd_admin',`
allow $1 cachefilesd_t:process { ptrace signal_perms };
ps_process_pattern($1, cachefilesd_t)
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cachefilesd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cachefilesd_t, cachefilesd_initrc_exec_t)
files_search_var($1)
admin_pattern($1, cachefilesd_cache_t)
diff --git a/policy/modules/contrib/callweaver.if b/policy/modules/contrib/callweaver.if
index 16f1855..f89bf39 100644
--- a/policy/modules/contrib/callweaver.if
+++ b/policy/modules/contrib/callweaver.if
@@ -65,10 +65,7 @@ interface(`callweaver_admin',`
allow $1 callweaver_t:process { ptrace signal_perms };
ps_process_pattern($1, callweaver_t)
- init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 callweaver_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, callweaver_t, callweaver_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, callweaver_log_t)
diff --git a/policy/modules/contrib/canna.if b/policy/modules/contrib/canna.if
index 400db07..e3fd199 100644
--- a/policy/modules/contrib/canna.if
+++ b/policy/modules/contrib/canna.if
@@ -46,10 +46,7 @@ interface(`canna_admin',`
allow $1 canna_t:process { ptrace signal_perms };
ps_process_pattern($1, canna_t)
- init_labeled_script_domtrans($1, canna_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 canna_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, canna_t, canna_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, canna_log_t)
diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index bb17e0f..92f67fa 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -105,10 +105,7 @@ interface(`ccs_admin',`
allow $1 ccs_t:process { ptrace signal_perms };
ps_process_pattern($1, ccs_t)
- init_labeled_script_domtrans($1, ccs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ccs_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ccs_t, ccs_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, ccs_conf_t)
diff --git a/policy/modules/contrib/certmaster.if b/policy/modules/contrib/certmaster.if
index 0c53b18..741fdd3 100644
--- a/policy/modules/contrib/certmaster.if
+++ b/policy/modules/contrib/certmaster.if
@@ -124,10 +124,7 @@ interface(`certmaster_admin',`
allow $1 certmaster_t:process { ptrace signal_perms };
ps_process_pattern($1, certmaster_t)
- init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 certmaster_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, certmaster_t, certmaster_initrc_exec_t)
files_list_etc($1)
miscfiles_manage_generic_cert_dirs($1)
diff --git a/policy/modules/contrib/certmonger.if b/policy/modules/contrib/certmonger.if
index 008f8ef..3a456b7 100644
--- a/policy/modules/contrib/certmonger.if
+++ b/policy/modules/contrib/certmonger.if
@@ -162,10 +162,7 @@ interface(`certmonger_admin',`
ps_process_pattern($1, certmonger_t)
allow $1 certmonger_t:process { ptrace signal_perms };
- certmonger_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 certmonger_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, certmonger_t, certmonger_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
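Review bot: the removed certmonger_initrc_domtrans($1) is the module's own interface, not init_labeled_script_domtrans as in most other hunks, so the replacement is only equivalent if that interface grants nothing beyond the generic labeled-script transition. Please confirm that, and say whether certmonger_initrc_domtrans is kept for other callers or becomes dead code. The chronyd, cmirrord, cobbler, corosync, denyhosts and icecast hunks make the same substitution and need the same check.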
diff --git a/policy/modules/contrib/cfengine.if b/policy/modules/contrib/cfengine.if
index a731122..fdef5f3 100644
--- a/policy/modules/contrib/cfengine.if
+++ b/policy/modules/contrib/cfengine.if
@@ -97,10 +97,7 @@ interface(`cfengine_admin',`
allow $1 cfengine_domain:process { ptrace signal_perms };
ps_process_pattern($1, cfengine_domain)
- init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cfengine_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cfengine_domain, cfengine_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
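Review bot: the third argument here is cfengine_domain, which the context line "allow $1 cfengine_domain:process { ptrace signal_perms };" uses as a group of domains, whereas most hunks in this patch pass a single daemon type. Please confirm that init_startstop_service accepts an attribute in the domain position (condor.if does the same with condor_domain) and note that in the interface's parameter description.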
diff --git a/policy/modules/contrib/cgroup.if b/policy/modules/contrib/cgroup.if
index 85ca63f..2f8fa6f 100644
--- a/policy/modules/contrib/cgroup.if
+++ b/policy/modules/contrib/cgroup.if
@@ -180,11 +180,8 @@ interface(`cgroup_admin',`
admin_pattern($1, cgred_var_run_t)
files_list_pids($1)
- cgroup_initrc_domtrans_cgconfig($1)
- cgroup_initrc_domtrans_cgred($1)
- domain_system_change_exemption($1)
- role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cgred_t, cgred_initrc_exec_t)
+ init_startstop_service($1, $2, cgconfig_t, cgconfig_initrc_exec_t)
cgroup_run_cgclear($1, $2)
')
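Review bot: the two added calls name cgred_t and cgconfig_t, which neither the removed lines nor the visible context of cgroup_admin reference, so check that both types are listed in this interface's gen_require block; otherwise the interface depends on types it does not declare. The removed lines also went through cgroup_initrc_domtrans_cgconfig and cgroup_initrc_domtrans_cgred rather than init_labeled_script_domtrans, so confirm those wrappers granted nothing extra that is now lost.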
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index 32e8265..3d45be4 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -184,10 +184,7 @@ interface(`chronyd_admin',`
allow $1 chronyd_t:process { ptrace signal_perms };
ps_process_pattern($1, chronyd_t)
- chronyd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 chronyd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, chronyd_t, chronyd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, chronyd_keys_t)
diff --git a/policy/modules/contrib/cipe.if b/policy/modules/contrib/cipe.if
index 5fb51b2..11ec9dc 100644
--- a/policy/modules/contrib/cipe.if
+++ b/policy/modules/contrib/cipe.if
@@ -25,8 +25,5 @@ interface(`cipe_admin',`
allow $1 ciped_t:process { ptrace signal_perms };
ps_process_pattern($1, ciped_t)
- init_labeled_script_domtrans($1, ciped_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ciped_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ciped_t, ciped_initrc_exec_t)
')
diff --git a/policy/modules/contrib/clamav.if b/policy/modules/contrib/clamav.if
index 4cc4a5c..7ad8e80 100644
--- a/policy/modules/contrib/clamav.if
+++ b/policy/modules/contrib/clamav.if
@@ -205,10 +205,7 @@ interface(`clamav_admin',`
allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
- init_labeled_script_domtrans($1, clamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 clamd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, clamd_t, clamd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
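Review bot: clamav_admin manages three domains on the context lines (clamd_t, clamscan_t, freshclam_t), but the added call names only clamd_t. That matches the single clamd_initrc_exec_t in the removed lines, yet if init_startstop_service uses the domain argument for anything per-domain, a freshclam_t service would be missed. A short comment above the call stating that clamd_initrc_exec_t is the only init script in this module, or a second call if it is not, would settle it. The cups, fail2ban and ftp hunks have the same shape.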
diff --git a/policy/modules/contrib/cmirrord.if b/policy/modules/contrib/cmirrord.if
index cc4e7cb..0785068 100644
--- a/policy/modules/contrib/cmirrord.if
+++ b/policy/modules/contrib/cmirrord.if
@@ -106,10 +106,7 @@ interface(`cmirrord_admin',`
allow $1 cmirrord_t:process { ptrace signal_perms };
ps_process_pattern($1, cmirrord_t)
- cmirrord_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cmirrord_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cmirrord_t, cmirrord_initrc_exec_t)
files_list_pids($1)
admin_pattern($1, cmirrord_var_run_t)
diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
index c223f81..376fa84 100644
--- a/policy/modules/contrib/cobbler.if
+++ b/policy/modules/contrib/cobbler.if
@@ -183,10 +183,7 @@ interface(`cobbler_admin',`
allow $1 cobblerd_t:process { ptrace signal_perms };
ps_process_pattern($1, cobblerd_t)
- cobblerd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cobblerd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cobblerd_t, cobblerd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, cobbler_etc_t)
diff --git a/policy/modules/contrib/collectd.if b/policy/modules/contrib/collectd.if
index 954309e..a55db07 100644
--- a/policy/modules/contrib/collectd.if
+++ b/policy/modules/contrib/collectd.if
@@ -26,10 +26,7 @@ interface(`collectd_admin',`
allow $1 collectd_t:process { ptrace signal_perms };
ps_process_pattern($1, collectd_t)
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 collectd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, collectd_t, collectd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, collectd_var_run_t)
diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index c80aaf5..b2af357 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -66,10 +66,7 @@ interface(`condor_admin',`
allow $1 condor_domain:process { ptrace signal_perms };
ps_process_pattern($1, condor_domain)
- init_labeled_script_domtrans($1, condor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 condor_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, condor_domain, condor_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, condor_conf_t)
diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if
index 694a037..57736aa 100644
--- a/policy/modules/contrib/corosync.if
+++ b/policy/modules/contrib/corosync.if
@@ -165,10 +165,7 @@ interface(`corosync_admin',`
allow $1 corosync_t:process { ptrace signal_perms };
ps_process_pattern($1, corosync_t)
- corosync_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 corosync_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, corosync_t, corosync_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, corosync_tmp_t)
diff --git a/policy/modules/contrib/couchdb.if b/policy/modules/contrib/couchdb.if
index 715a826..830c271 100644
--- a/policy/modules/contrib/couchdb.if
+++ b/policy/modules/contrib/couchdb.if
@@ -103,10 +103,7 @@ interface(`couchdb_admin',`
allow $1 couchdb_t:process { ptrace signal_perms };
ps_process_pattern($1, couchdb_t)
- init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 couchdb_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, couchdb_t, couchdb_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, couchdb_conf_t)
diff --git a/policy/modules/contrib/ctdb.if b/policy/modules/contrib/ctdb.if
index b25b01d..79b0c9a 100644
--- a/policy/modules/contrib/ctdb.if
+++ b/policy/modules/contrib/ctdb.if
@@ -66,10 +66,7 @@ interface(`ctdb_admin',`
allow $1 ctdbd_t:process { ptrace signal_perms };
ps_process_pattern($1, ctdbd_t)
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ctdbd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ctdbd_t, ctdbd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 3023be7..cad7df2 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -357,10 +357,7 @@ interface(`cups_admin',`
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
- init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cupsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cupsd_t, cupsd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
index 64775fd..49f6c1c 100644
--- a/policy/modules/contrib/cvs.if
+++ b/policy/modules/contrib/cvs.if
@@ -65,10 +65,7 @@ interface(`cvs_admin',`
allow $1 cvs_t:process { ptrace signal_perms };
ps_process_pattern($1, cvs_t)
- init_labeled_script_domtrans($1, cvs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cvs_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cvs_t, cvs_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, cvs_keytab_t)
diff --git a/policy/modules/contrib/cyphesis.if b/policy/modules/contrib/cyphesis.if
index df8aa4a..da37d4e 100644
--- a/policy/modules/contrib/cyphesis.if
+++ b/policy/modules/contrib/cyphesis.if
@@ -45,10 +45,7 @@ interface(`cyphesis_admin',`
allow $1 cyphesis_t:process { ptrace signal_perms };
ps_process_pattern($1, cyphesis_t)
- init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyphesis_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cyphesis_t, cyphesis_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, cyphesis_log_t)
diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
index 83bfda6..759e074 100644
--- a/policy/modules/contrib/cyrus.if
+++ b/policy/modules/contrib/cyrus.if
@@ -67,10 +67,7 @@ interface(`cyrus_admin',`
allow $1 cyrus_t:process { ptrace signal_perms };
ps_process_pattern($1, cyrus_t)
- init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyrus_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cyrus_t, cyrus_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, cyrus_keytab_t)
diff --git a/policy/modules/contrib/dante.if b/policy/modules/contrib/dante.if
index e709177..8d02f8c 100644
--- a/policy/modules/contrib/dante.if
+++ b/policy/modules/contrib/dante.if
@@ -26,10 +26,7 @@ interface(`dante_admin',`
allow $1 dante_t:process { ptrace signal_perms };
ps_process_pattern($1, dante_t)
- init_labeled_script_domtrans($1, dante_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dante_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dante_t, dante_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, dante_conf_t)
diff --git a/policy/modules/contrib/ddclient.if b/policy/modules/contrib/ddclient.if
index 5606b40..96ddeea 100644
--- a/policy/modules/contrib/ddclient.if
+++ b/policy/modules/contrib/ddclient.if
@@ -73,10 +73,7 @@ interface(`ddclient_admin',`
allow $1 ddclient_t:process { ptrace signal_perms };
ps_process_pattern($1, ddclient_t)
- init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ddclient_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ddclient_t, ddclient_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, ddclient_etc_t)
diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if
index a7326da..0fb8ec7 100644
--- a/policy/modules/contrib/denyhosts.if
+++ b/policy/modules/contrib/denyhosts.if
@@ -63,10 +63,7 @@ interface(`denyhosts_admin',`
allow $1 denyhosts_t:process { ptrace signal_perms };
ps_process_pattern($1, denyhosts_t)
- denyhosts_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 denyhosts_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, denyhosts_t, denyhosts_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if
index c697edb..b7a0337 100644
--- a/policy/modules/contrib/dhcp.if
+++ b/policy/modules/contrib/dhcp.if
@@ -84,10 +84,7 @@ interface(`dhcpd_admin',`
allow $1 dhcpd_t:process { ptrace signal_perms };
ps_process_pattern($1, dhcpd_t)
- init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dhcpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dhcpd_t, dhcpd_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, dhcpd_tmp_t)
diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if
index 3cc3494..3878acc 100644
--- a/policy/modules/contrib/dictd.if
+++ b/policy/modules/contrib/dictd.if
@@ -41,10 +41,7 @@ interface(`dictd_admin',`
allow $1 dictd_t:process { ptrace signal_perms };
ps_process_pattern($1, dictd_t)
- init_labeled_script_domtrans($1, dictd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dictd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dictd_t, dictd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, dictd_etc_t)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index e5f6733..4cd2810 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -26,10 +26,7 @@ interface(`dirmngr_admin',`
allow $1 dirmngr_t:process { ptrace signal_perms };
ps_process_pattern($1, dirmngr_t)
- init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dirmngr_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dirmngr_t, dirmngr_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, dirmngr_conf_t)
diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
index 473823d..6b43286 100644
--- a/policy/modules/contrib/distcc.if
+++ b/policy/modules/contrib/distcc.if
@@ -26,10 +26,7 @@ interface(`distcc_admin',`
allow $1 distccd_t:process { ptrace signal_perms };
ps_process_pattern($1, distccd_t)
- init_labeled_script_domtrans($1, distccd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 distccd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, distccd_t, distccd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, distccd_log_t)
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 386e494..61e1f19 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -26,10 +26,7 @@ interface(`dkim_admin',`
allow $1 dkim_milter_t:process { ptrace signal_perms };
ps_process_pattern($1, dkim_milter_t)
- init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dkim_milter_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dkim_milter_t, dkim_milter_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, dkim_milter_private_key_t)
diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if
index 62e4948..f81566a 100644
--- a/policy/modules/contrib/dnsmasq.if
+++ b/policy/modules/contrib/dnsmasq.if
@@ -273,10 +273,7 @@ interface(`dnsmasq_admin',`
allow $1 dnsmasq_t:process { ptrace signal_perms };
ps_process_pattern($1, dnsmasq_t)
- init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnsmasq_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dnsmasq_t, dnsmasq_initrc_exec_t)
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
diff --git a/policy/modules/contrib/dnssectrigger.if b/policy/modules/contrib/dnssectrigger.if
index 456da5c..eea250e 100644
--- a/policy/modules/contrib/dnssectrigger.if
+++ b/policy/modules/contrib/dnssectrigger.if
@@ -26,10 +26,7 @@ interface(`dnssectrigger_admin',`
allow $1 dnssec_triggerd_t:process { ptrace signal_perms };
ps_process_pattern($1, dnssec_triggerd_t)
- init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dnssec_triggerd_t, dnssec_triggerd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, dnssec_trigger_conf_t)
diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
index d5badb7..3608ba2 100644
--- a/policy/modules/contrib/dovecot.if
+++ b/policy/modules/contrib/dovecot.if
@@ -149,10 +149,7 @@ interface(`dovecot_admin',`
allow $1 dovecot_t:process { ptrace signal_perms };
ps_process_pattern($1, dovecot_t)
- init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dovecot_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dovecot_t, dovecot_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
diff --git a/policy/modules/contrib/drbd.if b/policy/modules/contrib/drbd.if
index 9a21639..f147c10 100644
--- a/policy/modules/contrib/drbd.if
+++ b/policy/modules/contrib/drbd.if
@@ -46,10 +46,7 @@ interface(`drbd_admin',`
allow $1 drbd_t:process { ptrace signal_perms };
ps_process_pattern($1, drbd_t)
- init_labeled_script_domtrans($1, drbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 drbd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, drbd_t, drbd_initrc_exec_t)
files_search_locks($1)
admin_pattern($1, drbd_lock_t)
diff --git a/policy/modules/contrib/dspam.if b/policy/modules/contrib/dspam.if
index 18f2452..a8cd028 100644
--- a/policy/modules/contrib/dspam.if
+++ b/policy/modules/contrib/dspam.if
@@ -66,10 +66,7 @@ interface(`dspam_admin',`
allow $1 dspam_t:process { ptrace signal_perms };
ps_process_pattern($1, dspam_t)
- init_labeled_script_domtrans($1, dspam_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dspam_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dspam_t, dspam_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, dspam_log_t)
diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if
index 1161fbf..eedfae6 100644
--- a/policy/modules/contrib/entropyd.if
+++ b/policy/modules/contrib/entropyd.if
@@ -25,10 +25,7 @@ interface(`entropyd_admin',`
allow $1 entropyd_t:process { ptrace signal_perms };
ps_process_pattern($1, entropyd_t)
- init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 entropyd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, entropyd_t, entropyd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, entropyd_var_run_t)
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 9bbc690..51655bb 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -288,10 +288,7 @@ interface(`exim_admin',`
allow $1 exim_t:process { ptrace signal_perms };
ps_process_pattern($1, exim_t)
- init_labeled_script_domtrans($1, exim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 exim_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, exim_t, exim_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, exim_keytab_t)
diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
index 50d0084..5b8e08b 100644
--- a/policy/modules/contrib/fail2ban.if
+++ b/policy/modules/contrib/fail2ban.if
@@ -266,10 +266,7 @@ interface(`fail2ban_admin',`
allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
- init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fail2ban_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, fail2ban_t, fail2ban_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, fail2ban_log_t)
diff --git a/policy/modules/contrib/fcoe.if b/policy/modules/contrib/fcoe.if
index c3484a9..78d1147 100644
--- a/policy/modules/contrib/fcoe.if
+++ b/policy/modules/contrib/fcoe.if
@@ -44,10 +44,7 @@ interface(`fcoe_admin',`
allow $1 fcoemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fcoemon_t)
- init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fcoemon_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, fcoemon_t, fcoemon_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, fcoemon_var_run_t)
diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if
index c3f7916..5115aff 100644
--- a/policy/modules/contrib/fetchmail.if
+++ b/policy/modules/contrib/fetchmail.if
@@ -23,10 +23,7 @@ interface(`fetchmail_admin',`
type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
')
- init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fetchmail_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, fetchmail_t, fetchmail_initrc_exec_t)
allow $1 fetchmail_t:process { ptrace signal_perms };
ps_process_pattern($1, fetchmail_t)
diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if
index c62c567..a16179b 100644
--- a/policy/modules/contrib/firewalld.if
+++ b/policy/modules/contrib/firewalld.if
@@ -86,10 +86,7 @@ interface(`firewalld_admin',`
allow $1 firewalld_t:process { ptrace signal_perms };
ps_process_pattern($1, firewalld_t)
- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 firewalld_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, firewalld_var_run_t)
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 65adda9..93fd4be 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -182,10 +182,7 @@ interface(`ftp_admin',`
allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
- init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ftpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ftpd_t, ftpd_initrc_exec_t)
miscfiles_manage_public_files($1)
diff --git a/policy/modules/contrib/gatekeeper.if b/policy/modules/contrib/gatekeeper.if
index 30926d7..83681df 100644
--- a/policy/modules/contrib/gatekeeper.if
+++ b/policy/modules/contrib/gatekeeper.if
@@ -26,10 +26,7 @@ interface(`gatekeeper_admin',`
allow $1 gatekeeper_t:process { ptrace signal_perms };
ps_process_pattern($1, gatekeeper_t)
- init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gatekeeper_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, gatekeeper_t, gatekeeper_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, gatekeeper_etc_t)
diff --git a/policy/modules/contrib/gdomap.if b/policy/modules/contrib/gdomap.if
index 7d6b6b7..58e5c44 100644
--- a/policy/modules/contrib/gdomap.if
+++ b/policy/modules/contrib/gdomap.if
@@ -45,10 +45,7 @@ interface(`gdomap_admin',`
allow $1 gdomap_t:process { ptrace signal_perms };
ps_process_pattern($1, gdomap_t)
- init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gdomap_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, gdomap_t, gdomap_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, gdomap_conf_t)
diff --git a/policy/modules/contrib/glance.if b/policy/modules/contrib/glance.if
index 9eacb2c..6d9f3da 100644
--- a/policy/modules/contrib/glance.if
+++ b/policy/modules/contrib/glance.if
@@ -245,10 +245,8 @@ interface(`glance_admin',`
allow $1 { glance_api_t glance_registry_t }:process signal_perms;
ps_process_pattern($1, { glance_api_t glance_registry_t })
- init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, glance_api_t, glance_api_initrc_exec_t)
+ init_startstop_service($1, $2, glance_registry_t, glance_registry_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, glance_log_t)
diff --git a/policy/modules/contrib/glusterfs.if b/policy/modules/contrib/glusterfs.if
index 05233c8..0945d87 100644
--- a/policy/modules/contrib/glusterfs.if
+++ b/policy/modules/contrib/glusterfs.if
@@ -46,10 +46,7 @@ interface(`glusterfs_admin',`
type glusterd_var_run_t;
')
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 glusterd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t)
allow $1 glusterd_t:process { ptrace signal_perms };
ps_process_pattern($1, glusterd_t)
diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
index f1528c9..b9a4743 100644
--- a/policy/modules/contrib/gpm.if
+++ b/policy/modules/contrib/gpm.if
@@ -106,10 +106,7 @@ interface(`gpm_admin',`
allow $1 gpm_t:process { ptrace signal_perms };
ps_process_pattern($1, gpm_t)
- init_labeled_script_domtrans($1, gpm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gpm_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, gpm_t, gpm_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, gpm_conf_t)
diff --git a/policy/modules/contrib/gpsd.if b/policy/modules/contrib/gpsd.if
index 92eb564..1d10f63 100644
--- a/policy/modules/contrib/gpsd.if
+++ b/policy/modules/contrib/gpsd.if
@@ -91,10 +91,7 @@ interface(`gpsd_admin',`
allow $1 gpsd_t:process { ptrace signal_perms };
ps_process_pattern($1, gpsd_t)
- init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gpsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, gpsd_t, gpsd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, gpsd_var_run_t)
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
index 2b0d488..a0a819f 100644
--- a/policy/modules/contrib/hadoop.if
+++ b/policy/modules/contrib/hadoop.if
@@ -441,10 +441,7 @@ interface(`hadoop_admin',`
allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
- init_labeled_script_domtrans($1, hadoop_init_script_file)
- domain_system_change_exemption($1)
- role_transition $2 hadoop_init_script_file system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file)
files_search_etc($1)
admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
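Review bot: both the domain and the script argument of the added call are attributes (hadoop_domain, hadoop_init_script_file), and the domain argument is narrower than the set on the context allow line, which also lists hadoop_initrc_domain, hadoop_t, zookeeper_t and zookeeper_server_t. glance.if in this same patch splits its two services into one call per type; either do the same here or explain why an attribute pair is correct, and confirm that the zookeeper init scripts are covered by hadoop_init_script_file.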
diff --git a/policy/modules/contrib/hddtemp.if b/policy/modules/contrib/hddtemp.if
index 1728071..269bafd 100644
--- a/policy/modules/contrib/hddtemp.if
+++ b/policy/modules/contrib/hddtemp.if
@@ -63,10 +63,7 @@ interface(`hddtemp_admin',`
allow $1 hddtemp_t:process { ptrace signal_perms };
ps_process_pattern($1, hddtemp_t)
- init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hddtemp_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, hddtemp_t, hddtemp_initrc_exec_t)
admin_pattern($1, hddtemp_etc_t)
files_search_etc($1)
diff --git a/policy/modules/contrib/howl.if b/policy/modules/contrib/howl.if
index dc609f0..afea184 100644
--- a/policy/modules/contrib/howl.if
+++ b/policy/modules/contrib/howl.if
@@ -43,10 +43,7 @@ interface(`howl_admin',`
allow $1 howl_t:process { ptrace signal_perms };
ps_process_pattern($1, howl_t)
- init_labeled_script_domtrans($1, howl_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 howl_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, howl_t, howl_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, howl_var_run_t)
diff --git a/policy/modules/contrib/hypervkvp.if b/policy/modules/contrib/hypervkvp.if
index 6517fad..f9a3b8e 100644
--- a/policy/modules/contrib/hypervkvp.if
+++ b/policy/modules/contrib/hypervkvp.if
@@ -25,8 +25,5 @@ interface(`hypervkvp_admin',`
allow $1 hypervkvpd_t:process { ptrace signal_perms };
ps_process_pattern($1, hypervkvpd_t)
- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hypervkvpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, hypervkvpd_t, hypervkvpd_initrc_exec_t)
')
diff --git a/policy/modules/contrib/i18n_input.if b/policy/modules/contrib/i18n_input.if
index 5eab254..b908264 100644
--- a/policy/modules/contrib/i18n_input.if
+++ b/policy/modules/contrib/i18n_input.if
@@ -40,10 +40,7 @@ interface(`i18n_input_admin',`
allow $1 i18n_input_t:process { ptrace signal_perms };
ps_process_pattern($1, i18n_input_t)
- init_labeled_script_domtrans($1, i18n_input_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 i18n_input_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, i18n_input_t, i18n_input_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, i18n_input_var_run_t)
diff --git a/policy/modules/contrib/icecast.if b/policy/modules/contrib/icecast.if
index 580b533..38ce1b7 100644
--- a/policy/modules/contrib/icecast.if
+++ b/policy/modules/contrib/icecast.if
@@ -176,10 +176,7 @@ interface(`icecast_admin',`
type icecast_var_run_t;
')
- icecast_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 icecast_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, icecast_t, icecast_initrc_exec_t)
allow $1 icecast_t:process { ptrace signal_perms };
ps_process_pattern($1, icecast_t)
diff --git a/policy/modules/contrib/ifplugd.if b/policy/modules/contrib/ifplugd.if
index 8999899..3cd19b3 100644
--- a/policy/modules/contrib/ifplugd.if
+++ b/policy/modules/contrib/ifplugd.if
@@ -122,10 +122,7 @@ interface(`ifplugd_admin',`
allow $1 ifplugd_t:process { ptrace signal_perms };
ps_process_pattern($1, ifplugd_t)
- init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ifplugd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ifplugd_t, ifplugd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, ifplugd_etc_t)
diff --git a/policy/modules/contrib/inn.if b/policy/modules/contrib/inn.if
index eb87f23..8e24feb 100644
--- a/policy/modules/contrib/inn.if
+++ b/policy/modules/contrib/inn.if
@@ -230,10 +230,7 @@ interface(`inn_admin',`
type innd_var_run_t, innd_initrc_exec_t;
')
- init_labeled_script_domtrans($1, innd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 innd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, innd_t, innd_initrc_exec_t)
allow $1 innd_t:process { ptrace signal_perms };
ps_process_pattern($1, innd_t)
diff --git a/policy/modules/contrib/iodine.if b/policy/modules/contrib/iodine.if
index a0bfbd0..87e47eb 100644
--- a/policy/modules/contrib/iodine.if
+++ b/policy/modules/contrib/iodine.if
@@ -47,8 +47,5 @@ interface(`iodine_admin',`
allow $1 iodined_t:process { ptrace signal_perms };
ps_process_pattern($1, iodined_t)
- init_labeled_script_domtrans($1, iodined_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iodined_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, iodined_t, iodined_initrc_exec_t)
')
diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if
index 1a88664..3dbe87d 100644
--- a/policy/modules/contrib/ircd.if
+++ b/policy/modules/contrib/ircd.if
@@ -23,10 +23,7 @@ interface(`ircd_admin',`
type ircd_log_t, ircd_var_lib_t, ircd_var_run_t;
')
- init_labeled_script_domtrans($1, ircd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ircd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ircd_t, ircd_initrc_exec_t)
allow $1 ircd_t:process { ptrace signal_perms };
ps_process_pattern($1, ircd_t)
diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if
index d7113e7..9e943d3 100644
--- a/policy/modules/contrib/irqbalance.if
+++ b/policy/modules/contrib/irqbalance.if
@@ -25,10 +25,7 @@ interface(`irqbalance_admin',`
allow $1 irqbalance_t:process { ptrace signal_perms };
ps_process_pattern($1, irqbalance_t)
- init_labeled_script_domtrans($1, irqbalance_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 irqbalance_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, irqbalance_t, irqbalance_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, irqbalance_var_run_t)
diff --git a/policy/modules/contrib/iscsi.if b/policy/modules/contrib/iscsi.if
index 1a35420..44a891d 100644
--- a/policy/modules/contrib/iscsi.if
+++ b/policy/modules/contrib/iscsi.if
@@ -105,10 +105,7 @@ interface(`iscsi_admin',`
allow $1 iscsid_t:process { ptrace signal_perms };
ps_process_pattern($1, iscsid_t)
- init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iscsi_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, iscsi_t, iscsi_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
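Review bot: The domain passed on the added line, `iscsi_t`, does not match the type used by the unchanged context lines of this interface, which grant process access and `ps_process_pattern` on `iscsid_t`. Unless the module also declares an `iscsi_t` type, this looks like a typo for `iscsid_t`; the call would then read `init_startstop_service($1, $2, iscsid_t, iscsi_initrc_exec_t)`.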
diff --git a/policy/modules/contrib/isns.if b/policy/modules/contrib/isns.if
index da7e970..4d847e9 100644
--- a/policy/modules/contrib/isns.if
+++ b/policy/modules/contrib/isns.if
@@ -26,10 +26,7 @@ interface(`isnsd_admin',`
allow $1 isnsd_t:process { ptrace signal_perms };
ps_process_pattern($1, isnsd_t)
- init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 isnsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, isnsd_t, isnsd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, isnsd_var_lib_t)
diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if
index 7eb3811..549dac1 100644
--- a/policy/modules/contrib/jabber.if
+++ b/policy/modules/contrib/jabber.if
@@ -81,10 +81,7 @@ interface(`jabber_admin',`
allow $1 jabberd_domain:process { ptrace signal_perms };
ps_process_pattern($1, jabberd_domain)
- init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 jabberd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, jabberd_domain, jabberd_initrc_exec_t)
files_search_locks($1)
admin_pattern($1, jabberd_lock_t)
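Review bot: The third argument on the added line is `jabberd_domain`, which by its name and its use in the context lines is an attribute covering several domains, whereas most callers in this patch pass a single `_t` type. Please confirm that `init_startstop_service` accepts an attribute in that position, and say so in the interface's parameter documentation so that callers such as this one are clearly supported.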
diff --git a/policy/modules/contrib/kdump.if b/policy/modules/contrib/kdump.if
index 3a00b3a..f90bfb4 100644
--- a/policy/modules/contrib/kdump.if
+++ b/policy/modules/contrib/kdump.if
@@ -102,10 +102,7 @@ interface(`kdump_admin',`
allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
ps_process_pattern($1, { kdump_t kdumpctl_t })
- init_labeled_script_domtrans($1, kdump_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kdump_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, kdump_t, kdump_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
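Review bot: The added call names only `kdump_t` as the service domain, while the context lines above administer both `kdump_t` and `kdumpctl_t`. If the script labelled `kdump_initrc_exec_t` can end up running in `kdumpctl_t`, pass `{ kdump_t kdumpctl_t }` here; otherwise a short comment explaining why `kdumpctl_t` is left out would help.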
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 77a5c49..01caeea 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -493,10 +493,7 @@ interface(`kerberos_admin',`
allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerberos_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, { kadmind_t krb5kdc_t }, kerberos_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, kadmind_log_t)
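Review bot: The set on the added line, `{ kadmind_t krb5kdc_t }`, omits `kpropd_t`, although the context lines give the admin ptrace, signal and ps access to all three of `kadmind_t`, `krb5kdc_t` and `kpropd_t`. If kpropd is also started from `kerberos_initrc_exec_t`, add it to the set; if it is started some other way, a one-line comment saying so would keep the omission from reading as an oversight.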
diff --git a/policy/modules/contrib/kerneloops.if b/policy/modules/contrib/kerneloops.if
index 714448f..d6f5fd8 100644
--- a/policy/modules/contrib/kerneloops.if
+++ b/policy/modules/contrib/kerneloops.if
@@ -108,10 +108,7 @@ interface(`kerneloops_admin',`
allow $1 kerneloops_t:process { ptrace signal_perms };
ps_process_pattern($1, kerneloops_t)
- init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerneloops_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, kerneloops_t, kerneloops_initrc_exec_t)
files_search_tmp($1)
admin_pattern($1, kerneloops_tmp_t)
diff --git a/policy/modules/contrib/keystone.if b/policy/modules/contrib/keystone.if
index e88fb16..ec9adb0 100644
--- a/policy/modules/contrib/keystone.if
+++ b/policy/modules/contrib/keystone.if
@@ -26,10 +26,7 @@ interface(`keystone_admin',`
allow $1 keystone_t:process { ptrace signal_perms };
ps_process_pattern($1, keystone_t)
- init_labeled_script_domtrans($1, keystone_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 keystone_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, keystone_t, keystone_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index f20de6e..24d623b 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -286,10 +286,7 @@ interface(`kismet_admin',`
type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
- init_labeled_script_domtrans($1, kismet_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kismet_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, kismet_t, kismet_initrc_exec_t)
ps_process_pattern($1, kismet_t)
allow $1 kismet_t:process { ptrace signal_perms };
diff --git a/policy/modules/contrib/ksmtuned.if b/policy/modules/contrib/ksmtuned.if
index 93a64bc..59f401b 100644
--- a/policy/modules/contrib/ksmtuned.if
+++ b/policy/modules/contrib/ksmtuned.if
@@ -61,10 +61,7 @@ interface(`ksmtuned_admin',`
type ksmtuned_initrc_exec_t, ksmtuned_log_t;
')
- ksmtuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 ksmtuned_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ksmtuned_t, ksmtuned_initrc_exec_t)
allow $1 ksmtuned_t:process { ptrace signal_perms };
ps_process_pattern($1, ksmtuned_t)
diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if
index 5297064..993e152 100644
--- a/policy/modules/contrib/kudzu.if
+++ b/policy/modules/contrib/kudzu.if
@@ -89,10 +89,7 @@ interface(`kudzu_admin',`
allow $1 kudzu_t:process { ptrace signal_perms };
ps_process_pattern($1, kudzu_t)
- init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kudzu_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, kudzu_t, kudzu_initrc_exec_t)
files_search_tmp($1)
admin_pattern($1, kudzu_tmp_t)
diff --git a/policy/modules/contrib/l2tp.if b/policy/modules/contrib/l2tp.if
index 73e2803..24d3c44 100644
--- a/policy/modules/contrib/l2tp.if
+++ b/policy/modules/contrib/l2tp.if
@@ -86,10 +86,7 @@ interface(`l2tp_admin',`
allow $1 l2tpd_t:process { ptrace signal_perms };
ps_process_pattern($1, l2tpd_t)
- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 l2tpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, l2tpd_t, l2tpd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, l2tp_conf_t)
diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
index 7f09b4a..b4eabc9 100644
--- a/policy/modules/contrib/ldap.if
+++ b/policy/modules/contrib/ldap.if
@@ -122,10 +122,7 @@ interface(`ldap_admin',`
allow $1 slapd_t:process { ptrace signal_perms };
ps_process_pattern($1, slapd_t)
- init_labeled_script_domtrans($1, slapd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 slapd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, slapd_t, slapd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
diff --git a/policy/modules/contrib/likewise.if b/policy/modules/contrib/likewise.if
index bd20e8c..2b884e6 100644
--- a/policy/modules/contrib/likewise.if
+++ b/policy/modules/contrib/likewise.if
@@ -110,10 +110,7 @@ interface(`likewise_admin',`
allow $1 likewise_domains:process { ptrace signal_perms };
ps_process_pattern($1, likewise_domains)
- init_labeled_script_domtrans($1, likewise_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 likewise_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, likewise_domains, likewise_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if
index dff21a7..f54240e 100644
--- a/policy/modules/contrib/lircd.if
+++ b/policy/modules/contrib/lircd.if
@@ -84,10 +84,7 @@ interface(`lircd_admin',`
allow $1 lircd_t:process { ptrace signal_perms };
ps_process_pattern($1, lircd_t)
- init_labeled_script_domtrans($1, lircd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 lircd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, lircd_t, lircd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, lircd_etc_t)
diff --git a/policy/modules/contrib/lldpad.if b/policy/modules/contrib/lldpad.if
index d18c960..8d7692a 100644
--- a/policy/modules/contrib/lldpad.if
+++ b/policy/modules/contrib/lldpad.if
@@ -45,10 +45,7 @@ interface(`lldpad_admin',`
allow $1 lldpad_t:process { ptrace signal_perms };
ps_process_pattern($1, lldpad_t)
- init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 lldpad_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, lldpad_t, lldpad_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, lldpad_var_lib_t)
diff --git a/policy/modules/contrib/mailscanner.if b/policy/modules/contrib/mailscanner.if
index 214cb44..a684cfd 100644
--- a/policy/modules/contrib/mailscanner.if
+++ b/policy/modules/contrib/mailscanner.if
@@ -47,10 +47,7 @@ interface(`mscan_admin',`
allow $1 mscan_t:process { ptrace signal_perms };
ps_process_pattern($1, mscan_t)
- init_labeled_script_domtrans($1, mscan_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mscan_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mscan_t, mscan_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, mscan_etc_t)
diff --git a/policy/modules/contrib/mcelog.if b/policy/modules/contrib/mcelog.if
index f89651e..9b731b8 100644
--- a/policy/modules/contrib/mcelog.if
+++ b/policy/modules/contrib/mcelog.if
@@ -45,10 +45,7 @@ interface(`mcelog_admin',`
allow $1 mcelog_t:process { ptrace signal_perms };
ps_process_pattern($1, mcelog_t)
- init_labeled_script_domtrans($1, mcelog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mcelog_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mcelog_t, mcelog_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, mcelog_etc_t)
diff --git a/policy/modules/contrib/memcached.if b/policy/modules/contrib/memcached.if
index 1d4eb19..5c12b31 100644
--- a/policy/modules/contrib/memcached.if
+++ b/policy/modules/contrib/memcached.if
@@ -124,10 +124,7 @@ interface(`memcached_admin',`
allow $1 memcached_t:process { ptrace signal_perms };
ps_process_pattern($1, memcached_t)
- init_labeled_script_domtrans($1, memcached_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 memcached_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, memcached_t, memcached_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, memcached_var_run_t)
diff --git a/policy/modules/contrib/minidlna.if b/policy/modules/contrib/minidlna.if
index 358917a..7aa4fc9 100644
--- a/policy/modules/contrib/minidlna.if
+++ b/policy/modules/contrib/minidlna.if
@@ -26,10 +26,7 @@ interface(`minidlna_admin',`
allow $1 minidlna_t:process { ptrace signal_perms };
ps_process_pattern($1, minidlna_t)
- minidlna_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 minidlna_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, minidlna_t, minidlna_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, minidlna_conf_t)
diff --git a/policy/modules/contrib/minissdpd.if b/policy/modules/contrib/minissdpd.if
index f37a116..d4bdf6c 100644
--- a/policy/modules/contrib/minissdpd.if
+++ b/policy/modules/contrib/minissdpd.if
@@ -45,10 +45,7 @@ interface(`minissdpd_admin',`
allow $1 minissdpd_t:process { ptrace signal_perms };
ps_process_pattern($1, minissdpd_t)
- init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 minissdpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, minissdpd_t, minissdpd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, minissdpd_conf_t)
diff --git a/policy/modules/contrib/mongodb.if b/policy/modules/contrib/mongodb.if
index b247d25..9a184f2 100644
--- a/policy/modules/contrib/mongodb.if
+++ b/policy/modules/contrib/mongodb.if
@@ -26,10 +26,7 @@ interface(`mongodb_admin',`
allow $1 mongod_t:process { ptrace signal_perms };
ps_process_pattern($1, mongod_t)
- init_labeled_script_domtrans($1, mongod_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mongod_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mongod_t, mongod_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, mongod_log_t)
diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if
index a6ec137..0106004 100644
--- a/policy/modules/contrib/monop.if
+++ b/policy/modules/contrib/monop.if
@@ -26,10 +26,7 @@ interface(`monop_admin',`
allow $1 monopd_t:process { ptrace signal_perms };
ps_process_pattern($1, monopd_t)
- init_labeled_script_domtrans($1, monopd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 monopd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, monopd_t, monopd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, monopd_etc_t)
diff --git a/policy/modules/contrib/mpd.if b/policy/modules/contrib/mpd.if
index 5fa77c7..384599f 100644
--- a/policy/modules/contrib/mpd.if
+++ b/policy/modules/contrib/mpd.if
@@ -347,10 +347,7 @@ interface(`mpd_admin',`
allow $1 mpd_t:process { ptrace signal_perms };
ps_process_pattern($1, mpd_t)
- mpd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 mpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mpd_t, mpd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, mpd_etc_t)
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
index c595094..0a71bd8 100644
--- a/policy/modules/contrib/mrtg.if
+++ b/policy/modules/contrib/mrtg.if
@@ -47,10 +47,7 @@ interface(`mrtg_admin',`
allow $1 mrtg_t:process { ptrace signal_perms };
ps_process_pattern($1, mrtg_t)
- init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mrtg_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mrtg_t, mrtg_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, mrtg_etc_t)
diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if
index b744fe3..cd67499 100644
--- a/policy/modules/contrib/munin.if
+++ b/policy/modules/contrib/munin.if
@@ -173,10 +173,7 @@ interface(`munin_admin',`
allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
ps_process_pattern($1, { munin_plugin_domain munin_t })
- init_labeled_script_domtrans($1, munin_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 munin_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, munin_t, munin_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content })
diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
index 590748a..e7250f7 100644
--- a/policy/modules/contrib/mysql.if
+++ b/policy/modules/contrib/mysql.if
@@ -450,10 +450,8 @@ interface(`mysql_admin',`
allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mysqld_t, mysqld_initrc_exec_t)
+ init_startstop_service($1, $2, mysqlmanagerd_t, mysqlmanagerd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
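Review bot: Splitting the old set-valued transition into the two added calls leaves `mysqld_safe_t` without a matching call: the context lines administer `{ mysqld_safe_t mysqld_t mysqlmanagerd_t }`, but only `mysqld_t` and `mysqlmanagerd_t` are passed as service domains. If the script labelled `mysqld_initrc_exec_t` launches the daemon through mysqld_safe, the first call probably wants `{ mysqld_t mysqld_safe_t }`. The pairing of each init script type with its own domain is otherwise a clear improvement over the old combined set.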
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:24 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:24 UTC
To: gentoo-commits
commit: 0e289ab8f74c478433de2a755082464a740d537b
Author: Stephen Smalley <sds <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Fri May 22 12:49:50 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:19:23 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e289ab8
contrib: networkmanager: allow netlink_generic_socket access
refpolicy commit 58b302957652322288618ceda0771d39e74a9e46
defined the new netlink socket security classes introduced by
kernel commit 223ae516404a7a65f09e79a1c0291521c233336e.
NetworkManager requires netlink_generic_socket access when
running on a kernel with this change. Add an allow rule for it,
while retaining the existing :netlink_socket rule for compatibility
on older kernels.
Signed-off-by: Stephen Smalley <sds <AT> tycho.nsa.gov>
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index c29e773..820cc5b 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -52,6 +52,7 @@ allow NetworkManager_t self:unix_dgram_socket sendto;
allow NetworkManager_t self:unix_stream_socket { accept listen };
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_socket create_socket_perms;
+allow NetworkManager_t self:netlink_generic_socket create_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket { accept listen };
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
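Review bot: The added `netlink_generic_socket` rule sits directly below the `netlink_socket` rule that the commit message says is kept only for compatibility with older kernels, but nothing in the policy file records that. A short comment above the pair, stating that `netlink_socket` is retained for kernels without the new netlink socket classes, would stop a later cleanup from dropping it or treating the two lines as duplicates.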
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:24 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:24 UTC
To: gentoo-commits
commit: 0b86dd6784975e36e51eec9b37a18c731adb0bd3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 22 14:08:43 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:19:23 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b86dd67
Use init_startstop_service in admin interfaces N-Z
Most foo_admin interfaces have transitions on the
foo_initrc_exec_t to system_r. These are only applicable
for RedHat <6. This replaces them with the interface
init_startstop_service which can easily be changed for
other init systems.
make validate passes for all combinations of distros,
standard/mcs/mls, monolithic y/n and direct_initrc y/n
This patch is for files starting with N-Z.
policy/modules/contrib/nagios.if | 5 +----
policy/modules/contrib/nessus.if | 5 +----
policy/modules/contrib/networkmanager.if | 5 +----
policy/modules/contrib/nis.if | 7 ++-----
policy/modules/contrib/nscd.if | 5 +----
policy/modules/contrib/nsd.if | 5 +----
policy/modules/contrib/nslcd.if | 5 +----
policy/modules/contrib/ntop.if | 5 +----
policy/modules/contrib/ntp.if | 5 +----
policy/modules/contrib/numad.if | 5 +----
policy/modules/contrib/nut.if | 5 +----
policy/modules/contrib/oident.if | 5 +----
policy/modules/contrib/openct.if | 5 +----
policy/modules/contrib/openhpi.if | 5 +----
policy/modules/contrib/openvpn.if | 5 +----
policy/modules/contrib/openvswitch.if | 5 +----
policy/modules/contrib/pacemaker.if | 5 +----
policy/modules/contrib/pads.if | 5 +----
policy/modules/contrib/pcscd.if | 5 +----
policy/modules/contrib/pegasus.if | 5 +----
policy/modules/contrib/perdition.if | 5 +----
policy/modules/contrib/pingd.if | 5 +----
policy/modules/contrib/pkcs.if | 5 +----
policy/modules/contrib/polipo.if | 5 +----
policy/modules/contrib/portmap.if | 5 +----
policy/modules/contrib/portreserve.if | 5 +----
policy/modules/contrib/postfix.if | 5 +----
policy/modules/contrib/postfixpolicyd.if | 5 +----
policy/modules/contrib/postgrey.if | 5 +----
policy/modules/contrib/ppp.if | 5 +----
policy/modules/contrib/prelude.if | 5 +----
policy/modules/contrib/privoxy.if | 5 +----
policy/modules/contrib/psad.if | 5 +----
policy/modules/contrib/puppet.if | 6 ++----
policy/modules/contrib/pxe.if | 5 +----
policy/modules/contrib/pyicqt.if | 5 +----
policy/modules/contrib/pyzor.if | 5 +----
policy/modules/contrib/qpid.if | 5 +----
policy/modules/contrib/quantum.if | 5 +----
policy/modules/contrib/quota.if | 5 +----
policy/modules/contrib/rabbitmq.if | 5 +----
policy/modules/contrib/radius.if | 5 +----
policy/modules/contrib/radvd.if | 5 +----
policy/modules/contrib/raid.if | 5 +----
policy/modules/contrib/redis.if | 5 +----
policy/modules/contrib/resmgr.if | 5 +----
policy/modules/contrib/rgmanager.if | 5 +----
policy/modules/contrib/rhcs.if | 7 +++----
policy/modules/contrib/rhsmcertd.if | 5 +----
policy/modules/contrib/ricci.if | 5 +----
policy/modules/contrib/rngd.if | 5 +----
policy/modules/contrib/roundup.if | 5 +----
policy/modules/contrib/rpc.if | 7 +++----
policy/modules/contrib/rpcbind.if | 5 +----
policy/modules/contrib/rpm.if | 5 +----
policy/modules/contrib/rtkit.if | 5 +----
policy/modules/contrib/rwho.if | 5 +----
policy/modules/contrib/samba.if | 5 +----
policy/modules/contrib/samhain.if | 5 +----
policy/modules/contrib/sanlock.if | 5 +----
policy/modules/contrib/sasl.if | 5 +----
policy/modules/contrib/sblim.if | 5 +----
policy/modules/contrib/sendmail.if | 4 +---
policy/modules/contrib/sensord.if | 5 +----
policy/modules/contrib/shorewall.if | 5 +----
policy/modules/contrib/slpd.if | 5 +----
policy/modules/contrib/smartmon.if | 5 +----
policy/modules/contrib/smokeping.if | 5 +----
policy/modules/contrib/smstools.if | 5 +----
policy/modules/contrib/snmp.if | 5 +----
policy/modules/contrib/snort.if | 5 +----
policy/modules/contrib/soundserver.if | 5 +----
policy/modules/contrib/spamassassin.if | 5 +----
policy/modules/contrib/squid.if | 5 +----
policy/modules/contrib/sssd.if | 5 +----
policy/modules/contrib/svnserve.if | 5 +----
policy/modules/contrib/sysstat.if | 5 +----
policy/modules/contrib/systemtap.if | 5 +----
policy/modules/contrib/tcsd.if | 5 +----
policy/modules/contrib/tgtd.if | 5 +----
policy/modules/contrib/tor.if | 5 +----
policy/modules/contrib/transproxy.if | 5 +----
policy/modules/contrib/tuned.if | 5 +----
policy/modules/contrib/ulogd.if | 5 +----
policy/modules/contrib/uptime.if | 5 +----
policy/modules/contrib/uucp.if | 5 +----
policy/modules/contrib/uuidd.if | 5 +----
policy/modules/contrib/varnishd.if | 10 ++--------
policy/modules/contrib/vdagent.if | 5 +----
policy/modules/contrib/vhostmd.if | 5 +----
policy/modules/contrib/virt.if | 5 +----
policy/modules/contrib/vnstatd.if | 5 +----
policy/modules/contrib/watchdog.if | 5 +----
policy/modules/contrib/wdmd.if | 5 +----
policy/modules/contrib/xfs.if | 5 +----
policy/modules/contrib/zabbix.if | 6 ++----
policy/modules/contrib/zarafa.if | 5 +----
policy/modules/contrib/zebra.if | 5 +----
98 files changed, 106 insertions(+), 396 deletions(-)
diff --git a/policy/modules/contrib/nagios.if b/policy/modules/contrib/nagios.if
index 0641e97..b73a47b 100644
--- a/policy/modules/contrib/nagios.if
+++ b/policy/modules/contrib/nagios.if
@@ -204,10 +204,7 @@ interface(`nagios_admin',`
allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
- init_labeled_script_domtrans($1, nagios_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nagios_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nagios_t, nagios_initrc_exec_t)
files_search_tmp($1)
admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
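Review bot: Only `nagios_t` is passed as the service domain on the added line, while the context lines administer `nagios_t`, `nrpe_t` and `nagios_plugin_domain`. If `nagios_initrc_exec_t` is also used to start NRPE, pass `{ nagios_t nrpe_t }`; if NRPE is started some other way, note in the interface that the admin role cannot start or stop it through this call.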
diff --git a/policy/modules/contrib/nessus.if b/policy/modules/contrib/nessus.if
index 42e9ed4..f41ec5f 100644
--- a/policy/modules/contrib/nessus.if
+++ b/policy/modules/contrib/nessus.if
@@ -40,10 +40,7 @@ interface(`nessus_admin',`
allow $1 nessusd_t:process { ptrace signal_perms };
ps_process_pattern($1, nessusd_t)
- init_labeled_script_domtrans($1, nessusd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nessusd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nessusd_t, nessusd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, nessusd_log_t)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index b512ce0..152dc57 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -297,10 +297,7 @@ interface(`networkmanager_admin',`
allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 NetworkManager_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
diff --git a/policy/modules/contrib/nis.if b/policy/modules/contrib/nis.if
index 46e55c3..5acf395 100644
--- a/policy/modules/contrib/nis.if
+++ b/policy/modules/contrib/nis.if
@@ -381,11 +381,8 @@ interface(`nis_admin',`
allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
- nis_initrc_domtrans($1)
- nis_initrc_domtrans_ypbind($1)
- domain_system_change_exemption($1)
- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ypbind_t, ypbind_initrc_exec_t)
+ init_startstop_service($1, $2, ypserv_t, nis_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
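Review bot: The two added calls cover `ypbind_t` and `ypserv_t`, but the context lines also administer `yppasswdd_t` and `ypxfr_t`, and the removed code did not tie `nis_initrc_exec_t` to any single domain. If the script labelled `nis_initrc_exec_t` also starts yppasswdd or ypxfr, pass them together in the second call, for example `{ ypserv_t yppasswdd_t ypxfr_t }`, the way kerberos.if passes a set.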
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
index 8f2ab09..c83635f 100644
--- a/policy/modules/contrib/nscd.if
+++ b/policy/modules/contrib/nscd.if
@@ -299,10 +299,7 @@ interface(`nscd_admin',`
allow $1 nscd_t:process { ptrace signal_perms };
ps_process_pattern($1, nscd_t)
- init_labeled_script_domtrans($1, nscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nscd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nscd_t, nscd_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, nscd_log_t)
diff --git a/policy/modules/contrib/nsd.if b/policy/modules/contrib/nsd.if
index a9c60ff..8ec6ec4 100644
--- a/policy/modules/contrib/nsd.if
+++ b/policy/modules/contrib/nsd.if
@@ -54,10 +54,7 @@ interface(`nsd_admin',`
allow $1 nsd_t:process { ptrace signal_perms };
ps_process_pattern($1, nsd_t)
- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nsd_t, nsd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { nsd_conf_t nsd_db_t })
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
index bbd7cac..b3747da 100644
--- a/policy/modules/contrib/nslcd.if
+++ b/policy/modules/contrib/nslcd.if
@@ -102,10 +102,7 @@ interface(`nslcd_admin',`
allow $1 nslcd_t:process { ptrace signal_perms };
ps_process_pattern($1, nslcd_t)
- nslcd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 nslcd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nslcd_t, nslcd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, nslcd_conf_t)
diff --git a/policy/modules/contrib/ntop.if b/policy/modules/contrib/ntop.if
index beaee73..60c7793 100644
--- a/policy/modules/contrib/ntop.if
+++ b/policy/modules/contrib/ntop.if
@@ -26,10 +26,7 @@ interface(`ntop_admin',`
allow $1 ntop_t:process { ptrace signal_perms };
ps_process_pattern($1, ntop_t)
- init_labeled_script_domtrans($1, ntop_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntop_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ntop_t, ntop_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, ntop_etc_t)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index 6a83626..251f669 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -166,10 +166,7 @@ interface(`ntp_admin',`
allow $1 ntpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ntpd_t)
- init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { ntpd_key_t ntp_conf_t })
diff --git a/policy/modules/contrib/numad.if b/policy/modules/contrib/numad.if
index 0d3c270..d1c6b8f 100644
--- a/policy/modules/contrib/numad.if
+++ b/policy/modules/contrib/numad.if
@@ -26,10 +26,7 @@ interface(`numad_admin',`
allow $1 numad_t:process { ptrace signal_perms };
ps_process_pattern($1, numad_t)
- init_labeled_script_domtrans($1, numad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 numad_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, numad_t, numad_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, numad_log_t)
diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
index c606ae6..462c079 100644
--- a/policy/modules/contrib/nut.if
+++ b/policy/modules/contrib/nut.if
@@ -26,10 +26,7 @@ interface(`nut_admin',`
allow $1 nut_domain:process { ptrace signal_perms };
ps_process_pattern($1, nut_domain)
- init_labeled_script_domtrans($1, nut_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nut_domain, nut_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, nut_conf_t)
diff --git a/policy/modules/contrib/oident.if b/policy/modules/contrib/oident.if
index 513f452..c317a3a 100644
--- a/policy/modules/contrib/oident.if
+++ b/policy/modules/contrib/oident.if
@@ -131,10 +131,7 @@ interface(`oident_admin',`
allow $1 oidentd_t:process { ptrace signal_perms };
ps_process_pattern($1, oidentd_t)
- init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 oidentd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, oidentd_t, oidentd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, oidentd_config_t)
diff --git a/policy/modules/contrib/openct.if b/policy/modules/contrib/openct.if
index a55238b..61c3eb8 100644
--- a/policy/modules/contrib/openct.if
+++ b/policy/modules/contrib/openct.if
@@ -120,10 +120,7 @@ interface(`openct_admin',`
allow $1 openct_t:process { ptrace signal_perms };
ps_process_pattern($1, openct_t)
- init_labeled_script_domtrans($1, openct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openct_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, openct_t, openct_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, openct_var_run_t)
diff --git a/policy/modules/contrib/openhpi.if b/policy/modules/contrib/openhpi.if
index 3c86958..ca1e226 100644
--- a/policy/modules/contrib/openhpi.if
+++ b/policy/modules/contrib/openhpi.if
@@ -26,10 +26,7 @@ interface(`openhpi_admin',`
allow $1 openhpid_t:process { ptrace signal_perms };
ps_process_pattern($1, openhpid_t)
- init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openhpid_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, openhpid_t, openhpid_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, openhpid_var_lib_t)
diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if
index 6837e9a..a03c258 100644
--- a/policy/modules/contrib/openvpn.if
+++ b/policy/modules/contrib/openvpn.if
@@ -150,10 +150,7 @@ interface(`openvpn_admin',`
allow $1 openvpn_t:process { ptrace signal_perms };
ps_process_pattern($1, openvpn_t)
- init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvpn_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, openvpn_t, openvpn_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
diff --git a/policy/modules/contrib/openvswitch.if b/policy/modules/contrib/openvswitch.if
index 9b15730..f0133ed 100644
--- a/policy/modules/contrib/openvswitch.if
+++ b/policy/modules/contrib/openvswitch.if
@@ -64,10 +64,7 @@ interface(`openvswitch_admin',`
allow $1 openvswitch_t:process { ptrace signal_perms };
ps_process_pattern($1, openvswitch_t)
- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvswitch_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, openvswitch_t, openvswitch_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, openvswitch_conf_t)
diff --git a/policy/modules/contrib/pacemaker.if b/policy/modules/contrib/pacemaker.if
index 9682d9a..44d1cf6 100644
--- a/policy/modules/contrib/pacemaker.if
+++ b/policy/modules/contrib/pacemaker.if
@@ -26,10 +26,7 @@ interface(`pacemaker_admin',`
allow $1 pacemaker_t:process { ptrace signal_perms };
ps_process_pattern($1, pacemaker_t)
- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pacemaker_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pacemaker_t, pacemaker_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, pacemaker_var_lib_t)
diff --git a/policy/modules/contrib/pads.if b/policy/modules/contrib/pads.if
index 6e097c9..4dd3574 100644
--- a/policy/modules/contrib/pads.if
+++ b/policy/modules/contrib/pads.if
@@ -26,10 +26,7 @@ interface(`pads_admin', `
allow $1 pads_t:process { ptrace signal_perms };
ps_process_pattern($1, pads_t)
- init_labeled_script_domtrans($1, pads_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pads_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pads_t, pads_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, pads_var_run_t)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index 7f77d32..ac7e60c 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -128,10 +128,7 @@ interface(`pcscd_admin',`
allow $1 pcscd_t:process { ptrace signal_perms };
ps_process_pattern($1, pcscd_t)
- init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pcscd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pcscd_t, pcscd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, pcscd_var_run_t)
diff --git a/policy/modules/contrib/pegasus.if b/policy/modules/contrib/pegasus.if
index d2fc677..eadb012 100644
--- a/policy/modules/contrib/pegasus.if
+++ b/policy/modules/contrib/pegasus.if
@@ -27,10 +27,7 @@ interface(`pegasus_admin',`
allow $1 pegasus_t:process { ptrace signal_perms };
ps_process_pattern($1, pegasus_t)
- init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pegasus_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pegasus_t, pegasus_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, pegasus_conf_t)
diff --git a/policy/modules/contrib/perdition.if b/policy/modules/contrib/perdition.if
index 47e09e1..092ac61 100644
--- a/policy/modules/contrib/perdition.if
+++ b/policy/modules/contrib/perdition.if
@@ -40,10 +40,7 @@ interface(`perdition_admin',`
allow $1 perdition_t:process { ptrace signal_perms };
ps_process_pattern($1, perdition_t)
- init_labeled_script_domtrans($1, perdition_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 perdition_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, perdition_t, perdition_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, perdition_etc_t)
diff --git a/policy/modules/contrib/pingd.if b/policy/modules/contrib/pingd.if
index 21a6ecb..fe9acb0 100644
--- a/policy/modules/contrib/pingd.if
+++ b/policy/modules/contrib/pingd.if
@@ -84,10 +84,7 @@ interface(`pingd_admin',`
allow $1 pingd_t:process { ptrace signal_perms };
ps_process_pattern($1, pingd_t)
- init_labeled_script_domtrans($1, pingd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pingd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pingd_t, pingd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, pingd_etc_t)
diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if
index 69be2aa..9d1af4e 100644
--- a/policy/modules/contrib/pkcs.if
+++ b/policy/modules/contrib/pkcs.if
@@ -26,10 +26,7 @@ interface(`pkcs_admin_slotd',`
allow $1 pkcs_slotd_t:process { ptrace signal_perms };
ps_process_pattern($1, pkcs_slotd_t)
- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pkcs_slotd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pkcs_slotd_t, pkcs_slotd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, pkcs_slotd_var_lib_t)
diff --git a/policy/modules/contrib/polipo.if b/policy/modules/contrib/polipo.if
index ae27bb7..4b1988d 100644
--- a/policy/modules/contrib/polipo.if
+++ b/policy/modules/contrib/polipo.if
@@ -125,10 +125,7 @@ interface(`polipo_admin',`
allow $1 polipo_system_t:process { ptrace signal_perms };
ps_process_pattern($1, polipo_system_t)
- polipo_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 polipo_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, polipo_t, polipo_initrc_exec_t)
files_search_var($1)
admin_pattern($1, polipo_cache_t)
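Review bot: The third argument of the added init_startstop_service() call is polipo_t, but the two context lines directly above it address the daemon as polipo_system_t, and this hunk shows no require being added for polipo_t. Confirm that polipo_t is a declared type that polipo_admin may reference; if it is not, pass polipo_system_t so the call matches the rest of the interface.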
diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
index 9f982b5..61e1a12 100644
--- a/policy/modules/contrib/portmap.if
+++ b/policy/modules/contrib/portmap.if
@@ -114,10 +114,7 @@ interface(`portmap_admin',`
allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms };
ps_process_pattern($1, { portmap_t portmap_helper_t })
- init_labeled_script_domtrans($1, portmap_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 portmap_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, portmap_t, portmap_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, portmap_var_run_t)
diff --git a/policy/modules/contrib/portreserve.if b/policy/modules/contrib/portreserve.if
index 5ad5291..0a90afd 100644
--- a/policy/modules/contrib/portreserve.if
+++ b/policy/modules/contrib/portreserve.if
@@ -108,10 +108,7 @@ interface(`portreserve_admin',`
allow $1 portreserve_t:process { ptrace signal_perms };
ps_process_pattern($1, portreserve_t)
- portreserve_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 portreserve_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, portreserve_t, portreserve_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, portreserve_etc_t)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8bc856e..19fe613 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -720,10 +720,7 @@ interface(`postfix_admin',`
allow $1 postfix_domain:process { ptrace signal_perms };
ps_process_pattern($1, postfix_domain)
- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, postfix_t, postfix_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
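Review bot: The added call passes postfix_t as the service domain, while the context lines of postfix_admin refer to the daemons only through the postfix_domain attribute, and the hunk shows no require for postfix_t. Confirm that postfix_t is a declared type; if the intent is the domain started from postfix_initrc_exec_t, name that type explicitly and add it to the interface's require block, as the rhcs and rpc hunks in this patch do for their domains.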
diff --git a/policy/modules/contrib/postfixpolicyd.if b/policy/modules/contrib/postfixpolicyd.if
index 5de8173..e462ac0 100644
--- a/policy/modules/contrib/postfixpolicyd.if
+++ b/policy/modules/contrib/postfixpolicyd.if
@@ -26,10 +26,7 @@ interface(`postfixpolicyd_admin',`
allow $1 postfix_policyd_t:process { ptrace signal_perms };
ps_process_pattern($1, postfix_policyd_t)
- init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_policyd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, postfix_policyd_t, postfix_policyd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, postfix_policyd_conf_t)
diff --git a/policy/modules/contrib/postgrey.if b/policy/modules/contrib/postgrey.if
index b9e71b5..d63198e 100644
--- a/policy/modules/contrib/postgrey.if
+++ b/policy/modules/contrib/postgrey.if
@@ -67,10 +67,7 @@ interface(`postgrey_admin',`
allow $1 postgrey_t:process { ptrace signal_perms };
ps_process_pattern($1, postgrey_t)
- init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postgrey_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, postgrey_t, postgrey_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, postgrey_etc_t)
diff --git a/policy/modules/contrib/ppp.if b/policy/modules/contrib/ppp.if
index cd8b8b9..0376e92 100644
--- a/policy/modules/contrib/ppp.if
+++ b/policy/modules/contrib/ppp.if
@@ -487,10 +487,7 @@ interface(`ppp_admin',`
allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { pptp_t pppd_t })
- ppp_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pppd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pppd_t, pppd_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, pppd_tmp_t)
diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index db8f510..ceef90f 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -126,10 +126,7 @@ interface(`prelude_admin',`
allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
- init_labeled_script_domtrans($1, prelude_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 prelude_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, prelude_t, prelude_initrc_exec_t)
files_search_spool($1)
admin_pattern($1, prelude_spool_t)
diff --git a/policy/modules/contrib/privoxy.if b/policy/modules/contrib/privoxy.if
index bdcee30..a35e6ea 100644
--- a/policy/modules/contrib/privoxy.if
+++ b/policy/modules/contrib/privoxy.if
@@ -26,10 +26,7 @@ interface(`privoxy_admin',`
allow $1 privoxy_t:process { ptrace signal_perms };
ps_process_pattern($1, privoxy_t)
- init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 privoxy_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, privoxy_t, privoxy_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, privoxy_log_t)
diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index cdc83d2..6ad8703 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -242,10 +242,7 @@ interface(`psad_admin',`
allow $1 psad_t:process { ptrace signal_perms };
ps_process_pattern($1, psad_t)
- init_labeled_script_domtrans($1, psad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 psad_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, psad_t, psad_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, psad_etc_t)
diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if
index 7cb8b1f..135dafb 100644
--- a/policy/modules/contrib/puppet.if
+++ b/policy/modules/contrib/puppet.if
@@ -211,10 +211,8 @@ interface(`puppet_admin',`
allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, puppet_t, puppet_initrc_exec_t)
+ init_startstop_service($1, $2, puppetmaster_t, puppetmaster_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, puppet_etc_t)
diff --git a/policy/modules/contrib/pxe.if b/policy/modules/contrib/pxe.if
index 7da286f..e0068b7 100644
--- a/policy/modules/contrib/pxe.if
+++ b/policy/modules/contrib/pxe.if
@@ -26,10 +26,7 @@ interface(`pxe_admin',`
allow $1 pxe_t:process { ptrace signal_perms };
ps_process_pattern($1, pxe_t)
- init_labeled_script_domtrans($1, pxe_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pxe_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pxe_t, pxe_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, pxe_log_t)
diff --git a/policy/modules/contrib/pyicqt.if b/policy/modules/contrib/pyicqt.if
index 0ccea82..1742d8c 100644
--- a/policy/modules/contrib/pyicqt.if
+++ b/policy/modules/contrib/pyicqt.if
@@ -26,10 +26,7 @@ interface(`pyicqt_admin',`
allow $1 pyicqt_t:process { ptrace signal_perms };
ps_process_pattern($1, pyicqt_t)
- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyicqt_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pyicqt_t, pyicqt_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, pyicqt_conf_t)
diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if
index c05a504..7bc14f9 100644
--- a/policy/modules/contrib/pyzor.if
+++ b/policy/modules/contrib/pyzor.if
@@ -118,10 +118,7 @@ interface(`pyzor_admin',`
allow $1 pyzord_t:process { ptrace signal_perms };
ps_process_pattern($1, pyzord_t)
- init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyzord_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pyzord_t, pyzord_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, pyzor_etc_t)
diff --git a/policy/modules/contrib/qpid.if b/policy/modules/contrib/qpid.if
index fe2adf8..531bdc3 100644
--- a/policy/modules/contrib/qpid.if
+++ b/policy/modules/contrib/qpid.if
@@ -177,10 +177,7 @@ interface(`qpidd_admin',`
allow $1 qpidd_t:process { ptrace signal_perms };
ps_process_pattern($1, qpidd_t)
- qpidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 qpidd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, qpidd_t, qpidd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, qpidd_var_lib_t)
diff --git a/policy/modules/contrib/quantum.if b/policy/modules/contrib/quantum.if
index afc0068..31aa2d9 100644
--- a/policy/modules/contrib/quantum.if
+++ b/policy/modules/contrib/quantum.if
@@ -26,10 +26,7 @@ interface(`quantum_admin',`
allow $1 quantum_t:process { ptrace signal_perms };
ps_process_pattern($1, quantum_t)
- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quantum_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, quantum_t, quantum_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, quantum_log_t)
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index 68611e3..c2a5ef4 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -184,10 +184,7 @@ interface(`quota_admin',`
allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
ps_process_pattern($1, { quota_nld_t quota_t })
- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quota_nld_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, quota_nld_t, quota_nld_initrc_exec_t)
files_list_all($1)
admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
diff --git a/policy/modules/contrib/rabbitmq.if b/policy/modules/contrib/rabbitmq.if
index 2c3d338..53efd0d 100644
--- a/policy/modules/contrib/rabbitmq.if
+++ b/policy/modules/contrib/rabbitmq.if
@@ -45,10 +45,7 @@ interface(`rabbitmq_admin',`
allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
- init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rabbitmq_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, { rabbitmq_epmd_t rabbitmq_beam_t }, rabbitmq_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, rabbitmq_var_log_t)
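Review bot: Among the hunks shown here this is the only call that passes a type set, { rabbitmq_epmd_t rabbitmq_beam_t }, as the third argument; the portmap, prelude and quota hunks list several domains in their allow lines but pass a single type. Confirm that init_startstop_service() accepts a set in that position, and settle on one convention for multi-domain services so the admin interfaces stay consistent.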
diff --git a/policy/modules/contrib/radius.if b/policy/modules/contrib/radius.if
index 4460582..7703bc7 100644
--- a/policy/modules/contrib/radius.if
+++ b/policy/modules/contrib/radius.if
@@ -41,10 +41,7 @@ interface(`radius_admin',`
allow $1 radiusd_t:process { ptrace signal_perms };
ps_process_pattern($1, radiusd_t)
- init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radiusd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, radiusd_t, radiusd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t })
diff --git a/policy/modules/contrib/radvd.if b/policy/modules/contrib/radvd.if
index ac7058d..38e35fe 100644
--- a/policy/modules/contrib/radvd.if
+++ b/policy/modules/contrib/radvd.if
@@ -26,10 +26,7 @@ interface(`radvd_admin',`
allow $1 radvd_t:process { ptrace signal_perms };
ps_process_pattern($1, radvd_t)
- init_labeled_script_domtrans($1, radvd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radvd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, radvd_t, radvd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, radvd_etc_t)
diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if
index 951db7f..6d98a94 100644
--- a/policy/modules/contrib/raid.if
+++ b/policy/modules/contrib/raid.if
@@ -91,10 +91,7 @@ interface(`raid_admin_mdadm',`
allow $1 mdadm_t:process { ptrace signal_perms };
ps_process_pattern($1, mdadm_t)
- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mdadm_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mdadm_t, mdadm_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, mdadm_var_run_t)
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index 3969450..6d86dbf 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -26,10 +26,7 @@ interface(`redis_admin',`
allow $1 redis_t:process { ptrace signal_perms };
ps_process_pattern($1, redis_t)
- init_labeled_script_domtrans($1, redis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 redis_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, redis_t, redis_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, redis_log_t)
diff --git a/policy/modules/contrib/resmgr.if b/policy/modules/contrib/resmgr.if
index 0d93db6..a406934 100644
--- a/policy/modules/contrib/resmgr.if
+++ b/policy/modules/contrib/resmgr.if
@@ -46,10 +46,7 @@ interface(`resmgr_admin',`
allow $1 resmgrd_t:process { ptrace signal_perms };
ps_process_pattern($1, resmgrd_t)
- init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 resmgrd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, resmgrd_t, resmgrd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, resmgrd_etc_t)
diff --git a/policy/modules/contrib/rgmanager.if b/policy/modules/contrib/rgmanager.if
index 1c2f9aa..1e0ed7a 100644
--- a/policy/modules/contrib/rgmanager.if
+++ b/policy/modules/contrib/rgmanager.if
@@ -105,10 +105,7 @@ interface(`rgmanager_admin',`
allow $1 rgmanager_t:process { ptrace signal_perms };
ps_process_pattern($1, rgmanager_t)
- init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rgmanager_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rgmanager_t, rgmanager_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, rgmanager_tmp_t)
diff --git a/policy/modules/contrib/rhcs.if b/policy/modules/contrib/rhcs.if
index c8bdea2..776c570 100644
--- a/policy/modules/contrib/rhcs.if
+++ b/policy/modules/contrib/rhcs.if
@@ -467,15 +467,14 @@ interface(`rhcs_admin',`
attribute cluster_log;
type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
type fenced_tmp_t, qdiskd_var_lib_t;
+ type dlm_controld_t, foghorn_t;
')
allow $1 cluster_domain:process { ptrace signal_perms };
ps_process_pattern($1, cluster_domain)
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dlm_controld_t, dlm_controld_initrc_exec_t)
+ init_startstop_service($1, $2, foghorn_t, foghorn_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, cluster_pid)
diff --git a/policy/modules/contrib/rhsmcertd.if b/policy/modules/contrib/rhsmcertd.if
index 6dbc905..7bdee3c 100644
--- a/policy/modules/contrib/rhsmcertd.if
+++ b/policy/modules/contrib/rhsmcertd.if
@@ -285,10 +285,7 @@ interface(`rhsmcertd_admin',`
allow $1 rhsmcertd_t:process { ptrace signal_perms };
ps_process_pattern($1, rhsmcertd_t)
- rhsmcertd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 rhsmcertd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rhsmcertd_t, rhsmcertd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, rhsmcertd_log_t)
diff --git a/policy/modules/contrib/ricci.if b/policy/modules/contrib/ricci.if
index 2ab3ed1..086f434 100644
--- a/policy/modules/contrib/ricci.if
+++ b/policy/modules/contrib/ricci.if
@@ -203,10 +203,7 @@ interface(`ricci_admin',`
allow $1 ricci_t:process { ptrace signal_perms };
ps_process_pattern($1, ricci_t)
- init_labeled_script_domtrans($1, ricci_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ricci_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ricci_t, ricci_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, ricci_tmp_t)
diff --git a/policy/modules/contrib/rngd.if b/policy/modules/contrib/rngd.if
index 13f788f..7b26dc3 100644
--- a/policy/modules/contrib/rngd.if
+++ b/policy/modules/contrib/rngd.if
@@ -25,10 +25,7 @@ interface(`rngd_admin',`
allow $1 rngd_t:process { ptrace signal_perms };
ps_process_pattern($1, rngd_t)
- init_labeled_script_domtrans($1, rngd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rngd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rngd_t, rngd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, rngd_var_run_t)
diff --git a/policy/modules/contrib/roundup.if b/policy/modules/contrib/roundup.if
index 975bb6a..c874017 100644
--- a/policy/modules/contrib/roundup.if
+++ b/policy/modules/contrib/roundup.if
@@ -26,10 +26,7 @@ interface(`roundup_admin',`
allow $1 roundup_t:process { ptrace signal_perms };
ps_process_pattern($1, roundup_t)
- init_labeled_script_domtrans($1, roundup_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 roundup_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, roundup_t, roundup_initrc_exec_t)
files_list_var_lib($1)
admin_pattern($1, roundup_var_lib_t)
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index 157afd9..fbf5995 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -395,15 +395,14 @@ interface(`rpc_admin',`
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+ type nfsd_t, rpcd_t;
')
allow $1 rpc_domain:process { ptrace signal_perms };
ps_process_pattern($1, rpc_domain)
- init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nfsd_t, nfsd_initrc_exec_t)
+ init_startstop_service($1, $2, rpcd_t, rpcd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { gssd_keytab_t exports_t })
diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
index f78fef0..78ca83a 100644
--- a/policy/modules/contrib/rpcbind.if
+++ b/policy/modules/contrib/rpcbind.if
@@ -160,10 +160,7 @@ interface(`rpcbind_admin',`
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
- init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpcbind_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rpcbind_t, rpcbind_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, rpcbind_var_run_t)
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index fc9c8d8..3ff41b3 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -634,10 +634,7 @@ interface(`rpm_admin',`
allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rpm_t rpm_script_t })
- init_labeled_script_domtrans($1, rpm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpm_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rpm_t, rpm_initrc_exec_t)
admin_pattern($1, rpm_file_t)
diff --git a/policy/modules/contrib/rtkit.if b/policy/modules/contrib/rtkit.if
index e904ec4..ed6d0cd 100644
--- a/policy/modules/contrib/rtkit.if
+++ b/policy/modules/contrib/rtkit.if
@@ -90,8 +90,5 @@ interface(`rtkit_admin',`
allow $1 rtkit_daemon_t:process { ptrace signal_perms };
ps_process_pattern($1, rtkit_daemon_t)
- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rtkit_daemon_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rtkit_daemon_t, rtkit_daemon_initrc_exec_t)
')
diff --git a/policy/modules/contrib/rwho.if b/policy/modules/contrib/rwho.if
index 0360ff0..05aa3f1 100644
--- a/policy/modules/contrib/rwho.if
+++ b/policy/modules/contrib/rwho.if
@@ -142,10 +142,7 @@ interface(`rwho_admin',`
allow $1 rwho_t:process { ptrace signal_perms };
ps_process_pattern($1, rwho_t)
- init_labeled_script_domtrans($1, rwho_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rwho_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rwho_t, rwho_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, rwho_log_t)
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index 50d07fb..dfc606e 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -695,10 +695,7 @@ interface(`samba_admin',`
allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { nmbd_t smbd_t })
- init_labeled_script_domtrans($1, samba_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 samba_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, samba_t, samba_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { samba_etc_t smbd_keytab_t })
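Review bot: samba_t in the added init_startstop_service() call does not match the domains the rest of samba_admin manages, which the context lines give as { nmbd_t smbd_t }, and the hunk adds no require for it. Check whether samba_t is a declared type; if it is not, pass the daemon domains already used above, in the same way the rabbitmq hunk passes { rabbitmq_epmd_t rabbitmq_beam_t }.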
diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if
index b1ebcee..983fee5 100644
--- a/policy/modules/contrib/samhain.if
+++ b/policy/modules/contrib/samhain.if
@@ -221,10 +221,7 @@ interface(`samhain_admin',`
ps_process_pattern($1, samhain_domain)
# duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first
- # init_labeled_script_domtrans($1, samhain_initrc_exec_t)
- # domain_system_change_exemption($1)
- # role_transition $2 samhain_initrc_exec_t system_r;
- # allow $2 system_r;
+ # init_startstop_service($1, $2, samhain_domain, samhain_initrc_exec_t)
files_list_var_lib($1)
admin_pattern($1, samhain_db_t)
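Review bot: The replacement call is still commented out, so samhain_admin continues to grant no way to start or stop the service, and the comment above it ("duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first") is carried over unchanged. State whether the duplicate role_transition still occurs once the statements live inside init_startstop_service(); if it does not, enable the call, and if it does, say so in the comment so the disabled line is not mistaken for leftover code.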
diff --git a/policy/modules/contrib/sanlock.if b/policy/modules/contrib/sanlock.if
index cd6c213..dbca6c8 100644
--- a/policy/modules/contrib/sanlock.if
+++ b/policy/modules/contrib/sanlock.if
@@ -104,10 +104,7 @@ interface(`sanlock_admin',`
allow $1 sanlock_t:process { ptrace signal_perms };
ps_process_pattern($1, sanlock_t)
- sanlock_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 sanlock_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, sanlock_t, sanlock_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, sanlock_var_run_t)
diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
index 8c3c151..edb4de2 100644
--- a/policy/modules/contrib/sasl.if
+++ b/policy/modules/contrib/sasl.if
@@ -45,10 +45,7 @@ interface(`sasl_admin',`
allow $1 saslauthd_t:process { ptrace signal_perms };
ps_process_pattern($1, saslauthd_t)
- init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 saslauthd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, saslauthd_t, saslauthd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, saslauthd_keytab_t)
diff --git a/policy/modules/contrib/sblim.if b/policy/modules/contrib/sblim.if
index 98c9e0a..00e2e69 100644
--- a/policy/modules/contrib/sblim.if
+++ b/policy/modules/contrib/sblim.if
@@ -64,10 +64,7 @@ interface(`sblim_admin',`
allow $1 sblim_domain:process { ptrace signal_perms };
ps_process_pattern($1, sblim_domain)
- init_labeled_script_domtrans($1, sblim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sblim_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, sblim_domain, sblim_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
index 35ad2a7..d60de84 100644
--- a/policy/modules/contrib/sendmail.if
+++ b/policy/modules/contrib/sendmail.if
@@ -360,9 +360,7 @@ interface(`sendmail_admin',`
allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
- init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sendmail_initrc_exec_t system_r;
+ init_startstop_service($1, $2, sendmail_t, sendmail_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, sendmail_keytab_t)
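Review bot: the block removed from sendmail_admin has only three lines and no "allow $2 system_r;", unlike the other modules in this patch, so if init_startstop_service grants that rule, this hunk widens what sendmail_admin gives the role rather than being a pure refactor. That may well be the intended fix, but it deserves a line in the commit message. Also note that the call passes only sendmail_t while the two lines above handle { unconfined_sendmail_t sendmail_t }; please say whether unconfined_sendmail_t is deliberately left out.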
diff --git a/policy/modules/contrib/sensord.if b/policy/modules/contrib/sensord.if
index d204752..e58af36 100644
--- a/policy/modules/contrib/sensord.if
+++ b/policy/modules/contrib/sensord.if
@@ -25,10 +25,7 @@ interface(`sensord_admin',`
allow $1 sensord_t:process { ptrace signal_perms };
ps_process_pattern($1, sensord_t)
- init_labeled_script_domtrans($1, sensord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sensord_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, sensord_t, sensord_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, sensord_var_run_t)
diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if
index 1aeef8a..7bd4593 100644
--- a/policy/modules/contrib/shorewall.if
+++ b/policy/modules/contrib/shorewall.if
@@ -179,10 +179,7 @@ interface(`shorewall_admin',`
allow $1 shorewall_t:process { ptrace signal_perms };
ps_process_pattern($1, shorewall_t)
- init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 shorewall_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, shorewall_t, shorewall_initrc_exec_t)
can_exec($1, shorewall_exec_t)
diff --git a/policy/modules/contrib/slpd.if b/policy/modules/contrib/slpd.if
index ca32e89..ffacc36 100644
--- a/policy/modules/contrib/slpd.if
+++ b/policy/modules/contrib/slpd.if
@@ -26,10 +26,7 @@ interface(`slpd_admin',`
allow $1 slpd_t:process { ptrace signal_perms };
ps_process_pattern($1, slpd_t)
- init_labeled_script_domtrans($1, slpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 slpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, slpd_t, slpd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, slpd_log_t)
diff --git a/policy/modules/contrib/smartmon.if b/policy/modules/contrib/smartmon.if
index e0644b5..08f4ee2 100644
--- a/policy/modules/contrib/smartmon.if
+++ b/policy/modules/contrib/smartmon.if
@@ -45,10 +45,7 @@ interface(`smartmon_admin',`
allow $1 fsdaemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fsdaemon_t)
- init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fsdaemon_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, fsdaemon_t, fsdaemon_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, fsdaemon_tmp_t)
diff --git a/policy/modules/contrib/smokeping.if b/policy/modules/contrib/smokeping.if
index 1fa51c1..4f49c99 100644
--- a/policy/modules/contrib/smokeping.if
+++ b/policy/modules/contrib/smokeping.if
@@ -161,10 +161,7 @@ interface(`smokeping_admin',`
allow $1 smokeping_t:process { ptrace signal_perms };
ps_process_pattern($1, smokeping_t)
- smokeping_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 smokeping_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, smokeping_t, smokeping_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, smokeping_var_lib_t)
diff --git a/policy/modules/contrib/smstools.if b/policy/modules/contrib/smstools.if
index 81136f0..fc420a5 100644
--- a/policy/modules/contrib/smstools.if
+++ b/policy/modules/contrib/smstools.if
@@ -27,10 +27,7 @@ interface(`smstools_admin',`
allow $1 smsd_t:process { ptrace signal_perms };
ps_process_pattern($1, smsd_t)
- init_labeled_script_domtrans($1, smsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 smsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, smsd_t, smsd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, smsd_conf_t)
diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if
index bf78fa9..9677503 100644
--- a/policy/modules/contrib/snmp.if
+++ b/policy/modules/contrib/snmp.if
@@ -182,10 +182,7 @@ interface(`snmp_admin',`
allow $1 snmpd_t:process { ptrace signal_perms };
ps_process_pattern($1, snmpd_t)
- init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 snmpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, snmpd_t, snmpd_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, snmpd_log_t)
diff --git a/policy/modules/contrib/snort.if b/policy/modules/contrib/snort.if
index 7d86b34..e6ae26e 100644
--- a/policy/modules/contrib/snort.if
+++ b/policy/modules/contrib/snort.if
@@ -45,10 +45,7 @@ interface(`snort_admin',`
allow $1 snort_t:process { ptrace signal_perms };
ps_process_pattern($1, snort_t)
- init_labeled_script_domtrans($1, snort_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 snort_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, snort_t, snort_initrc_exec_t)
admin_pattern($1, snort_etc_t)
files_search_etc($1)
diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if
index a5abc5a..8dc1c0f 100644
--- a/policy/modules/contrib/soundserver.if
+++ b/policy/modules/contrib/soundserver.if
@@ -41,10 +41,7 @@ interface(`soundserver_admin',`
allow $1 soundd_t:process { ptrace signal_perms };
ps_process_pattern($1, soundd_t)
- init_labeled_script_domtrans($1, soundd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 soundd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, soundd_t, soundd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, soundd_etc_t)
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
index 7f5a1cc..e915b5f 100644
--- a/policy/modules/contrib/spamassassin.if
+++ b/policy/modules/contrib/spamassassin.if
@@ -384,10 +384,7 @@ interface(`spamassassin_admin',`
allow $1 spamd_t:process { ptrace signal_perms };
ps_process_pattern($1, spamd_t)
- init_labeled_script_domtrans($1, spamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 spamd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, spamd_tmp_t)
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index 5e1f053..941cedf 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -216,10 +216,7 @@ interface(`squid_admin',`
allow $1 squid_t:process { ptrace signal_perms };
ps_process_pattern($1, squid_t)
- init_labeled_script_domtrans($1, squid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 squid_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, squid_t, squid_initrc_exec_t)
files_list_var($1)
admin_pattern($1, squid_cache_t)
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index a240455..e1b4cb0 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -342,10 +342,7 @@ interface(`sssd_admin',`
allow $1 sssd_t:process { ptrace signal_perms };
ps_process_pattern($1, sssd_t)
- sssd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 sssd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, sssd_t, sssd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, sssd_conf_t)
diff --git a/policy/modules/contrib/svnserve.if b/policy/modules/contrib/svnserve.if
index 5cd46e9..618dccb 100644
--- a/policy/modules/contrib/svnserve.if
+++ b/policy/modules/contrib/svnserve.if
@@ -25,10 +25,7 @@ interface(`svnserve_admin',`
allow $1 svnserve_t:process { ptrace signal_perms };
ps_process_pattern($1, svnserve_t)
- init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 svnserve_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, svnserve_t, svnserve_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, svnserve_var_run_t)
diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if
index 14ae3f2..a00a0dd 100644
--- a/policy/modules/contrib/sysstat.if
+++ b/policy/modules/contrib/sysstat.if
@@ -46,10 +46,7 @@ interface(`sysstat_admin',`
allow $1 sysstat_t:process { ptrace signal_perms };
ps_process_pattern($1, sysstat_t)
- init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sysstat_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, sysstat_t, sysstat_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, sysstat_log_t)
diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if
index d60a21e..62520b3 100644
--- a/policy/modules/contrib/systemtap.if
+++ b/policy/modules/contrib/systemtap.if
@@ -26,10 +26,7 @@ interface(`stapserver_admin',`
allow $1 stapserver_t:process { ptrace signal_perms };
ps_process_pattern($1, stapserver_t)
- init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 stapserver_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, stapserver_t, stapserver_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, stapserver_conf_t)
diff --git a/policy/modules/contrib/tcsd.if b/policy/modules/contrib/tcsd.if
index b42ec1d..5140a7d 100644
--- a/policy/modules/contrib/tcsd.if
+++ b/policy/modules/contrib/tcsd.if
@@ -141,10 +141,7 @@ interface(`tcsd_admin',`
allow $1 tcsd_t:process { ptrace signal_perms };
ps_process_pattern($1, tcsd_t)
- tcsd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 tcsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, tcsd_t, tcsd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, tcsd_var_lib_t)
diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
index dc5b46e..3056b2e 100644
--- a/policy/modules/contrib/tgtd.if
+++ b/policy/modules/contrib/tgtd.if
@@ -83,10 +83,7 @@ interface(`tgtd_admin',`
allow $1 tgtd_t:process { ptrace signal_perms };
ps_process_pattern($1, tgtd_t)
- init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 tgtd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, tgtd_t, tgtd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, tgtd_var_lib_t)
diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if
index 61c2e07..f2fc7a7 100644
--- a/policy/modules/contrib/tor.if
+++ b/policy/modules/contrib/tor.if
@@ -45,10 +45,7 @@ interface(`tor_admin',`
allow $1 tor_t:process { ptrace signal_perms };
ps_process_pattern($1, tor_t)
- init_labeled_script_domtrans($1, tor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 tor_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, tor_t, tor_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, tor_etc_t)
diff --git a/policy/modules/contrib/transproxy.if b/policy/modules/contrib/transproxy.if
index 81a8351..946881b 100644
--- a/policy/modules/contrib/transproxy.if
+++ b/policy/modules/contrib/transproxy.if
@@ -25,10 +25,7 @@ interface(`transproxy_admin',`
allow $1 transproxy_t:process { ptrace signal_perms };
ps_process_pattern($1, transproxy_t)
- init_labeled_script_domtrans($1, transproxy_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 transproxy_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, transproxy_t, transproxy_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, transproxy_var_run_t)
diff --git a/policy/modules/contrib/tuned.if b/policy/modules/contrib/tuned.if
index e29db63..5ca6fa5 100644
--- a/policy/modules/contrib/tuned.if
+++ b/policy/modules/contrib/tuned.if
@@ -122,10 +122,7 @@ interface(`tuned_admin',`
allow $1 tuned_t:process { ptrace signal_perms };
ps_process_pattern($1, tuned_t)
- tuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 tuned_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, tuned_t, tuned_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { tuned_etc_t tuned_rw_etc_t })
diff --git a/policy/modules/contrib/ulogd.if b/policy/modules/contrib/ulogd.if
index 9b95c3e..290eb1b 100644
--- a/policy/modules/contrib/ulogd.if
+++ b/policy/modules/contrib/ulogd.if
@@ -126,10 +126,7 @@ interface(`ulogd_admin',`
allow $1 ulogd_t:process { ptrace signal_perms };
ps_process_pattern($1, ulogd_t)
- init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ulogd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ulogd_t, ulogd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, ulogd_etc_t)
diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 19f4724..ce3bc3b 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -26,10 +26,7 @@ interface(`uptime_admin',`
allow $1 uptimed_t:process { ptrace signal_perms };
ps_process_pattern($1, uptimed_t)
- init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 uptimed_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, uptimed_t, uptimed_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, uptimed_etc_t)
diff --git a/policy/modules/contrib/uucp.if b/policy/modules/contrib/uucp.if
index af9acc0..a06faaf 100644
--- a/policy/modules/contrib/uucp.if
+++ b/policy/modules/contrib/uucp.if
@@ -104,10 +104,7 @@ interface(`uucp_admin',`
type uucpd_var_run_t, uucpd_initrc_exec_t;
')
- init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 uucpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, uucpd_t, uucpd_initrc_exec_t)
allow $1 uucpd_t:process { ptrace signal_perms };
ps_process_pattern($1, uucpd_t)
diff --git a/policy/modules/contrib/uuidd.if b/policy/modules/contrib/uuidd.if
index 6e48653..30f45eb 100644
--- a/policy/modules/contrib/uuidd.if
+++ b/policy/modules/contrib/uuidd.if
@@ -181,10 +181,7 @@ interface(`uuidd_admin',`
allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t)
- uuidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 uuidd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, uuidd_t, uuidd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, uuidd_var_lib_t)
diff --git a/policy/modules/contrib/varnishd.if b/policy/modules/contrib/varnishd.if
index 1c35171..e2dc5ea 100644
--- a/policy/modules/contrib/varnishd.if
+++ b/policy/modules/contrib/varnishd.if
@@ -160,10 +160,7 @@ interface(`varnishd_admin_varnishlog',`
allow $1 varnishlog_t:process { ptrace signal_perms };
ps_process_pattern($1, varnishlog_t)
- init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 varnishlog_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, varnishlog_t, varnishlog_initrc_exec_t)
files_list_pids($1)
admin_pattern($1, varnishlog_var_run_t)
@@ -199,10 +196,7 @@ interface(`varnishd_admin',`
allow $1 varnishd_t:process { ptrace signal_perms };
ps_process_pattern($1, varnishd_t)
- init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 varnishd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, varnishd_t, varnishd_initrc_exec_t)
files_list_var_lib($1)
admin_pattern($1, varnishd_var_lib_t)
diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if
index 31c752e..c4a5ed7 100644
--- a/policy/modules/contrib/vdagent.if
+++ b/policy/modules/contrib/vdagent.if
@@ -121,10 +121,7 @@ interface(`vdagent_admin',`
allow $1 vdagent_t:process signal_perms;
ps_process_pattern($1, vdagent_t)
- init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vdagentd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, vdagentd_t, vdagentd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, vdagent_log_t)
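Review bot: the new call in vdagent_admin passes vdagentd_t as the domain, while the two lines above it use vdagent_t ("allow $1 vdagent_t:process signal_perms;"). The extra "d" looks like it was carried over from the vdagentd_initrc_exec_t name. Unless a vdagentd_t type is declared elsewhere, this should read init_startstop_service($1, $2, vdagent_t, vdagentd_initrc_exec_t), otherwise the interface refers to an undeclared type.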
diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if
index 22edd58..3c66a92 100644
--- a/policy/modules/contrib/vhostmd.if
+++ b/policy/modules/contrib/vhostmd.if
@@ -219,10 +219,7 @@ interface(`vhostmd_admin',`
allow $1 vhostmd_t:process { ptrace signal_perms };
ps_process_pattern($1, vhostmd_t)
- vhostmd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 vhostmd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, vhostmd_t, vhostmd_initrc_exec_t)
fs_search_tmpfs($1)
admin_pattern($1, vhostmd_tmpfs_t)
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index 7c97c87..5b57d50 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -1176,10 +1176,7 @@ interface(`virt_admin',`
ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 virtd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, virtd_t, virtd_initrc_exec_t)
fs_search_tmpfs($1)
admin_pattern($1, virt_tmpfs_type)
diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
index 137ac44..7ec9bd0 100644
--- a/policy/modules/contrib/vnstatd.if
+++ b/policy/modules/contrib/vnstatd.if
@@ -168,10 +168,7 @@ interface(`vnstatd_admin',`
allow $1 vnstatd_t:process { ptrace signal_perms };
ps_process_pattern($1, vnstatd_t)
- init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vnstatd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, vnstatd_t, vnstatd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, vnstatd_var_run_t)
diff --git a/policy/modules/contrib/watchdog.if b/policy/modules/contrib/watchdog.if
index 6461a77..b0fe922 100644
--- a/policy/modules/contrib/watchdog.if
+++ b/policy/modules/contrib/watchdog.if
@@ -26,10 +26,7 @@ interface(`watchdog_admin',`
allow $1 watchdog_t:process { ptrace signal_perms };
ps_process_pattern($1, watchdog_t)
- init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 watchdog_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, watchdog_t, watchdog_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, watchdog_log_t)
diff --git a/policy/modules/contrib/wdmd.if b/policy/modules/contrib/wdmd.if
index 1e3aec0..53de648 100644
--- a/policy/modules/contrib/wdmd.if
+++ b/policy/modules/contrib/wdmd.if
@@ -45,10 +45,7 @@ interface(`wdmd_admin',`
allow $1 wdmd_t:process { ptrace signal_perms };
ps_process_pattern($1, wdmd_t)
- init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 wdmd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, wdmd_t, wdmd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, wdmd_var_run_t)
diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
index 4570b86..1993406 100644
--- a/policy/modules/contrib/xfs.if
+++ b/policy/modules/contrib/xfs.if
@@ -84,10 +84,7 @@ interface(`xfs_admin',`
allow $1 xfs_t:process { ptrace signal_perms };
ps_process_pattern($1, xfs_t)
- init_labeled_script_domtrans($1, xfs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 xfs_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, xfs_t, xfs_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, xfs_var_run_t)
diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
index 29d87d7..d71bce0 100644
--- a/policy/modules/contrib/zabbix.if
+++ b/policy/modules/contrib/zabbix.if
@@ -146,10 +146,8 @@ interface(`zabbix_admin',`
allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
ps_process_pattern($1, { zabbix_t zabbix_agent_t })
- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, zabbix_t, zabbix_initrc_exec_t)
+ init_startstop_service($1, $2, zabbix_agent_t, zabbix_agent_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, zabbix_log_t)
diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if
index 83b4ca5..37a7434 100644
--- a/policy/modules/contrib/zarafa.if
+++ b/policy/modules/contrib/zarafa.if
@@ -152,10 +152,7 @@ interface(`zarafa_admin',`
allow $1 zarafa_domain:process { ptrace signal_perms };
ps_process_pattern($1, zarafa_domain)
- init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zarafa_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, zarafa_t, zarafa_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, zarafa_etc_t)
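Review bot: the new call in zarafa_admin passes zarafa_t, but the rest of the interface works on the zarafa_domain attribute ("allow $1 zarafa_domain:process { ptrace signal_perms };"), and zarafa_t does not appear anywhere else in the hunk. The sblim hunk in this same patch passes its attribute (sblim_domain) in this position. Please check that zarafa_t is a declared type and is required by the interface, or pass zarafa_domain here for consistency.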
diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if
index 3416401..21da77a 100644
--- a/policy/modules/contrib/zebra.if
+++ b/policy/modules/contrib/zebra.if
@@ -69,10 +69,7 @@ interface(`zebra_admin',`
allow $1 zebra_t:process { ptrace signal_perms };
ps_process_pattern($1, zebra_t)
- init_labeled_script_domtrans($1, zebra_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zebra_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, zebra_t, zebra_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, zebra_conf_t)
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:24 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-06-09 13:24 UTC (permalink / raw
To: gentoo-commits
commit: 4569b61a85d70f5a686dc629fe98b4784a68467a
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri May 22 18:26:17 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:19:24 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4569b61a
Module version bump for init_startstop_service from Jason Zaman.
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/amtu.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bcfg2.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/bird.te | 2 +-
policy/modules/contrib/bitlbee.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/certmaster.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cfengine.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/cobbler.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/corosync.te | 2 +-
policy/modules/contrib/couchdb.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/cvs.te | 2 +-
policy/modules/contrib/cyphesis.te | 2 +-
policy/modules/contrib/cyrus.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/ddclient.te | 2 +-
policy/modules/contrib/denyhosts.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dirmngr.te | 2 +-
policy/modules/contrib/distcc.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dnssectrigger.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/drbd.te | 2 +-
policy/modules/contrib/dspam.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fail2ban.te | 2 +-
policy/modules/contrib/fcoe.te | 2 +-
policy/modules/contrib/fetchmail.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gatekeeper.te | 2 +-
policy/modules/contrib/gdomap.te | 2 +-
policy/modules/contrib/glance.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 2 +-
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/hddtemp.te | 2 +-
policy/modules/contrib/howl.te | 2 +-
policy/modules/contrib/hypervkvp.te | 2 +-
policy/modules/contrib/i18n_input.te | 2 +-
policy/modules/contrib/icecast.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/inn.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/ircd.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/isns.te | 2 +-
policy/modules/contrib/jabber.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kerberos.te | 2 +-
policy/modules/contrib/kerneloops.te | 2 +-
policy/modules/contrib/keystone.te | 2 +-
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/l2tp.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/lldpad.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/memcached.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/mongodb.te | 2 +-
policy/modules/contrib/monop.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/munin.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nagios.te | 2 +-
policy/modules/contrib/nessus.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nsd.te | 2 +-
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/numad.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openct.te | 2 +-
policy/modules/contrib/openhpi.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/openvswitch.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/pads.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/perdition.te | 2 +-
policy/modules/contrib/pingd.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/polipo.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/postgrey.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/privoxy.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/pxe.te | 2 +-
policy/modules/contrib/pyicqt.te | 2 +-
policy/modules/contrib/pyzor.te | 2 +-
policy/modules/contrib/qpid.te | 2 +-
policy/modules/contrib/quantum.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/rabbitmq.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/rhsmcertd.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/roundup.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/rwho.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/sanlock.te | 2 +-
policy/modules/contrib/sasl.te | 2 +-
policy/modules/contrib/sblim.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/sensord.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/slpd.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/smstools.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/soundserver.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/svnserve.te | 2 +-
policy/modules/contrib/sysstat.te | 2 +-
policy/modules/contrib/systemtap.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
policy/modules/contrib/tgtd.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/transproxy.te | 2 +-
policy/modules/contrib/tuned.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/uucp.te | 2 +-
policy/modules/contrib/uuidd.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/xfs.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
policy/modules/contrib/zarafa.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
203 files changed, 203 insertions(+), 203 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index f60f9c1..dedf055 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.5.0)
+policy_module(abrt, 1.5.1)
########################################
#
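Review bot: the only line changed in abrt.te is the policy_module() version, 1.5.0 to 1.5.1, and the diffstat (203 files, one insertion and one deletion each) shows every other file getting the same one-line change, so the patch itself carries no rule change that explains the bump. If the commit message does not already say which policy change these versions track, add a reference to it so each module's new version can be tied back to the rules it actually ships.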
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index 8b9ad83..7d6e06d 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.6.0)
+policy_module(acct, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index 2fb6932..c2840ba 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -1,4 +1,4 @@
-policy_module(afs, 1.9.2)
+policy_module(afs, 1.9.3)
########################################
#
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index 5d2b90e..44a23e6 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -1,4 +1,4 @@
-policy_module(aiccu, 1.1.0)
+policy_module(aiccu, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index 4e4f063..73e7382 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -1,4 +1,4 @@
-policy_module(aisexec, 1.2.0)
+policy_module(aisexec, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index 91fa72a..1214ac1 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.15.0)
+policy_module(amavis, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/amtu.te b/policy/modules/contrib/amtu.te
index 16d0d66..918580d 100644
--- a/policy/modules/contrib/amtu.te
+++ b/policy/modules/contrib/amtu.te
@@ -1,4 +1,4 @@
-policy_module(amtu, 1.3.0)
+policy_module(amtu, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index acdf41a..a7fd097 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.9.0)
+policy_module(apache, 2.9.1)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 080bc4d..407ca94 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.9.0)
+policy_module(apcupsd, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index b9919b5..b6e5447 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.13.0)
+policy_module(apm, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 2d7bf34..f52071c 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.11.0)
+policy_module(arpwatch, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index 0dd46ad..f51e183 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.14.0)
+policy_module(asterisk, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 969be75..6c5e7ed 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.15.0)
+policy_module(automount, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 02b2b78..46d5aba 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.15.0)
+policy_module(avahi, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index f16b000..5c9e2d9 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.2.0)
+policy_module(bacula, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te
index c3fd7b1..8709020 100644
--- a/policy/modules/contrib/bcfg2.te
+++ b/policy/modules/contrib/bcfg2.te
@@ -1,4 +1,4 @@
-policy_module(bcfg2, 1.1.0)
+policy_module(bcfg2, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 90138a2..45ed04f 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.15.0)
+policy_module(bind, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te
index 1d60c27..2f6c545 100644
--- a/policy/modules/contrib/bird.te
+++ b/policy/modules/contrib/bird.te
@@ -1,4 +1,4 @@
-policy_module(bird, 1.1.0)
+policy_module(bird, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index f5c1a48..45d8a4b 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.5.0)
+policy_module(bitlbee, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 851769e..08f3c20 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.5.0)
+policy_module(bluetooth, 3.5.1)
########################################
#
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 8402248..4ada99d 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.2.0)
+policy_module(boinc, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 79807ef..4e5a1a1 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.1.2)
+policy_module(cachefilesd, 1.1.3)
########################################
#
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index 0e5be4c..9218e45 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -1,4 +1,4 @@
-policy_module(callweaver, 1.1.0)
+policy_module(callweaver, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index 9fe6162..9ee10b6 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -1,4 +1,4 @@
-policy_module(canna, 1.12.0)
+policy_module(canna, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index c4664c7..88cc4ad 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.8.0)
+policy_module(ccs, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te
index 4a87873..5ab985b 100644
--- a/policy/modules/contrib/certmaster.te
+++ b/policy/modules/contrib/certmaster.te
@@ -1,4 +1,4 @@
-policy_module(certmaster, 1.3.0)
+policy_module(certmaster, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 550b287..2d5ecbc 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.2.0)
+policy_module(certmonger, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cfengine.te b/policy/modules/contrib/cfengine.te
index fbe3ad9..2fff324 100644
--- a/policy/modules/contrib/cfengine.te
+++ b/policy/modules/contrib/cfengine.te
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.1.0)
+policy_module(cfengine, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 80a88a2..82c0c0c 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.2.0)
+policy_module(cgroup, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index e5b621c..7a16731 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.2.0)
+policy_module(chronyd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index a0aa693..76c1954 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -1,4 +1,4 @@
-policy_module(cipe, 1.6.0)
+policy_module(cipe, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index 5e74354..cdb3492 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.11.0)
+policy_module(clamav, 1.11.1)
## <desc>
## <p>
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index bbdd396..45bdca7 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord, 1.1.0)
+policy_module(cmirrord, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te
index 5f306dd..e81dcc4 100644
--- a/policy/modules/contrib/cobbler.te
+++ b/policy/modules/contrib/cobbler.te
@@ -1,4 +1,4 @@
-policy_module(cobbler, 1.2.0)
+policy_module(cobbler, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index 6471fa8..07fb350 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.0.0)
+policy_module(collectd, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 38ca68b..7b0092e 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.2.0)
+policy_module(condor, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index d5aa1e4..fa18d76 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -1,4 +1,4 @@
-policy_module(corosync, 1.1.0)
+policy_module(corosync, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index 5dd39b8..cd5f079 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.3.0)
+policy_module(couchdb, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index 7be0106..d1fad83 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.2.0)
+policy_module(ctdb, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index d2a7255..662b991 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.18.0)
+policy_module(cups, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index 3d27f73..47a4822 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -1,4 +1,4 @@
-policy_module(cvs, 1.11.0)
+policy_module(cvs, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/cyphesis.te b/policy/modules/contrib/cyphesis.te
index 77ffc73..956a7ab 100644
--- a/policy/modules/contrib/cyphesis.te
+++ b/policy/modules/contrib/cyphesis.te
@@ -1,4 +1,4 @@
-policy_module(cyphesis, 1.3.0)
+policy_module(cyphesis, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index d451d1f..c43ee11 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -1,4 +1,4 @@
-policy_module(cyrus, 1.14.0)
+policy_module(cyrus, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index 5a5e290..4c86835 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -1,4 +1,4 @@
-policy_module(dante, 1.9.0)
+policy_module(dante, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
index a4caa1b..b4fc53f 100644
--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,4 +1,4 @@
-policy_module(ddclient, 1.10.0)
+policy_module(ddclient, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/denyhosts.te b/policy/modules/contrib/denyhosts.te
index 583a527..9d3ca70 100644
--- a/policy/modules/contrib/denyhosts.te
+++ b/policy/modules/contrib/denyhosts.te
@@ -1,4 +1,4 @@
-policy_module(denyhosts, 1.1.0)
+policy_module(denyhosts, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 98a24b9..c7d00ed 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.11.0)
+policy_module(dhcp, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index 433d3c5..15582e2 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.8.0)
+policy_module(dictd, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index b3b2188..d0d9241 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.0.0)
+policy_module(dirmngr, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
index 7ea741c..2378d0c 100644
--- a/policy/modules/contrib/distcc.te
+++ b/policy/modules/contrib/distcc.te
@@ -1,4 +1,4 @@
-policy_module(distcc, 1.10.0)
+policy_module(distcc, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 19daa68..925ca6f 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.3.0)
+policy_module(dkim, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 149b8f7..15b29cb 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.12.2)
+policy_module(dnsmasq, 1.12.3)
########################################
#
diff --git a/policy/modules/contrib/dnssectrigger.te b/policy/modules/contrib/dnssectrigger.te
index c7bb4e7..181540f 100644
--- a/policy/modules/contrib/dnssectrigger.te
+++ b/policy/modules/contrib/dnssectrigger.te
@@ -1,4 +1,4 @@
-policy_module(dnssectrigger, 1.1.0)
+policy_module(dnssectrigger, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index f43d9e8..8e6b35e 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.17.0)
+policy_module(dovecot, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te
index f2516cc..d89520c 100644
--- a/policy/modules/contrib/drbd.te
+++ b/policy/modules/contrib/drbd.te
@@ -1,4 +1,4 @@
-policy_module(drbd, 1.1.0)
+policy_module(drbd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/dspam.te b/policy/modules/contrib/dspam.te
index ef62363..0a36018 100644
--- a/policy/modules/contrib/dspam.te
+++ b/policy/modules/contrib/dspam.te
@@ -1,4 +1,4 @@
-policy_module(dspam, 1.1.0)
+policy_module(dspam, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index b8b8328..2f71ed6 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.8.0)
+policy_module(entropyd, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 5ab6d77..b3c7066 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.8.0)
+policy_module(exim, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index 49d0370..6b9fb7e 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -1,4 +1,4 @@
-policy_module(fail2ban, 1.5.0)
+policy_module(fail2ban, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
index ce358fb..9719a51 100644
--- a/policy/modules/contrib/fcoe.te
+++ b/policy/modules/contrib/fcoe.te
@@ -1,4 +1,4 @@
-policy_module(fcoe, 1.1.0)
+policy_module(fcoe, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index 7a3ea93..0c1c51a 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.14.0)
+policy_module(fetchmail, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 8897cfd..781295c 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.2.0)
+policy_module(firewalld, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index b8ee588..7a1ec37 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.17.0)
+policy_module(ftp, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
index 2820368..25093fd 100644
--- a/policy/modules/contrib/gatekeeper.te
+++ b/policy/modules/contrib/gatekeeper.te
@@ -1,4 +1,4 @@
-policy_module(gatekeeper, 1.8.0)
+policy_module(gatekeeper, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te
index f3d070c..2f2df8c 100644
--- a/policy/modules/contrib/gdomap.te
+++ b/policy/modules/contrib/gdomap.te
@@ -1,4 +1,4 @@
-policy_module(gdomap, 1.1.0)
+policy_module(gdomap, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/glance.te b/policy/modules/contrib/glance.te
index 5cd0909..7bfd3a8 100644
--- a/policy/modules/contrib/glance.te
+++ b/policy/modules/contrib/glance.te
@@ -1,4 +1,4 @@
-policy_module(glance, 1.1.0)
+policy_module(glance, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index f336604..49e52ce 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.2.0)
+policy_module(glusterfs, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 69734fd..ef16279 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.9.0)
+policy_module(gpm, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index fe3895e..d57a144 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -1,4 +1,4 @@
-policy_module(gpsd, 1.2.0)
+policy_module(gpsd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index d99a8b6..a40e85b 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -1,4 +1,4 @@
-policy_module(hadoop, 1.3.1)
+policy_module(hadoop, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te
index 9e11b98..23f5a54 100644
--- a/policy/modules/contrib/hddtemp.te
+++ b/policy/modules/contrib/hddtemp.te
@@ -1,4 +1,4 @@
-policy_module(hddtemp, 1.2.0)
+policy_module(hddtemp, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/howl.te b/policy/modules/contrib/howl.te
index b9e60ec..626a92c 100644
--- a/policy/modules/contrib/howl.te
+++ b/policy/modules/contrib/howl.te
@@ -1,4 +1,4 @@
-policy_module(howl, 1.10.0)
+policy_module(howl, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 4eb7041..1359b2a 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -1,4 +1,4 @@
-policy_module(hypervkvp, 1.0.0)
+policy_module(hypervkvp, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
index 369a056..069305c 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.9.0)
+policy_module(i18n_input, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/icecast.te b/policy/modules/contrib/icecast.te
index a9e573a..b44b952 100644
--- a/policy/modules/contrib/icecast.te
+++ b/policy/modules/contrib/icecast.te
@@ -1,4 +1,4 @@
-policy_module(icecast, 1.2.0)
+policy_module(icecast, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index b0546b4..8154360 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.1.0)
+policy_module(ifplugd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
index ae64957..bf33eb4 100644
--- a/policy/modules/contrib/inn.te
+++ b/policy/modules/contrib/inn.te
@@ -1,4 +1,4 @@
-policy_module(inn, 1.11.0)
+policy_module(inn, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index d443fee..61572da 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.1.0)
+policy_module(iodine, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
index efaf4b1..1682d5c 100644
--- a/policy/modules/contrib/ircd.te
+++ b/policy/modules/contrib/ircd.te
@@ -1,4 +1,4 @@
-policy_module(ircd, 1.8.0)
+policy_module(ircd, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index 22ef537..089e6d7 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.7.0)
+policy_module(irqbalance, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index ca020fa..070f8e3 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.9.0)
+policy_module(iscsi, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/isns.te b/policy/modules/contrib/isns.te
index bc11034..5b82de7 100644
--- a/policy/modules/contrib/isns.te
+++ b/policy/modules/contrib/isns.te
@@ -1,4 +1,4 @@
-policy_module(isns, 1.0.0)
+policy_module(isns, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index af67c36..8f71642 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.10.0)
+policy_module(jabber, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 715fc21..7c4e3f1 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.3.0)
+policy_module(kdump, 1.3.1)
#######################################
#
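Review bot: style nit on the unchanged context under the policy_module() line: the `#` banner in kdump.te is shorter than the banner in the neighbouring modules' hunks (likewise.te further down has the same mismatch). It is outside what this patch changes, so it should stay untouched here, but a separate cleanup could bring these banners in line with the rest of the tree.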
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 1a115e8..43df956 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.13.0)
+policy_module(kerberos, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index bcdb295..9360bde 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.5.0)
+policy_module(kerneloops, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/keystone.te b/policy/modules/contrib/keystone.te
index 9929647..b832ee1 100644
--- a/policy/modules/contrib/keystone.te
+++ b/policy/modules/contrib/keystone.te
@@ -1,4 +1,4 @@
-policy_module(keystone, 1.1.0)
+policy_module(keystone, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index e6d89c3..9b8fedf 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -1,4 +1,4 @@
-policy_module(kismet, 1.8.0)
+policy_module(kismet, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index 2e93115..a799535 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.2.0)
+policy_module(ksmtuned, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index b1628ad..107f652 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.10.0)
+policy_module(kudzu, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/l2tp.te b/policy/modules/contrib/l2tp.te
index bb06a7f..f1de38f 100644
--- a/policy/modules/contrib/l2tp.te
+++ b/policy/modules/contrib/l2tp.te
@@ -1,4 +1,4 @@
-policy_module(l2tp, 1.1.0)
+policy_module(l2tp, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 2a2dfd0..1adbf03 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.12.0)
+policy_module(ldap, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index d8c2442..e33495b 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.3.0)
+policy_module(likewise, 1.3.1)
#################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 483c87b..0064b06 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.2.0)
+policy_module(lircd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index 2a491d9..7d580f2 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -1,4 +1,4 @@
-policy_module(lldpad, 1.1.0)
+policy_module(lldpad, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index 6b6e2e1..509de59 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -1,4 +1,4 @@
-policy_module(mailscanner, 1.1.0)
+policy_module(mailscanner, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index a9265c8..3fd0dc5 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.3.0)
+policy_module(mcelog, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
index cf01235..54738e9 100644
--- a/policy/modules/contrib/memcached.te
+++ b/policy/modules/contrib/memcached.te
@@ -1,4 +1,4 @@
-policy_module(memcached, 1.4.0)
+policy_module(memcached, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index c80d861..fdfa9a0 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.1.0)
+policy_module(minissdpd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/mongodb.te b/policy/modules/contrib/mongodb.te
index 169f236..29b0ab5 100644
--- a/policy/modules/contrib/mongodb.te
+++ b/policy/modules/contrib/mongodb.te
@@ -1,4 +1,4 @@
-policy_module(mongodb, 1.1.0)
+policy_module(mongodb, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
index 5f93763..fe78c10 100644
--- a/policy/modules/contrib/monop.te
+++ b/policy/modules/contrib/monop.te
@@ -1,4 +1,4 @@
-policy_module(monop, 1.8.0)
+policy_module(monop, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index 9029996..e37c363 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.2.0)
+policy_module(mpd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 65a246a..1730669 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.9.0)
+policy_module(mrtg, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
index c48f60c..2a8152f 100644
--- a/policy/modules/contrib/munin.te
+++ b/policy/modules/contrib/munin.te
@@ -1,4 +1,4 @@
-policy_module(munin, 1.10.0)
+policy_module(munin, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 76d1e84..60a7763 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.16.0)
+policy_module(mysql, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 7b3e682..dbdfbeb 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.13.0)
+policy_module(nagios, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
index fe1068b..13f24c1 100644
--- a/policy/modules/contrib/nessus.te
+++ b/policy/modules/contrib/nessus.te
@@ -1,4 +1,4 @@
-policy_module(nessus, 1.9.0)
+policy_module(nessus, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a4e179f..427dfe4 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.17.1)
+policy_module(networkmanager, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 3a6b035..6e13b92 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.12.0)
+policy_module(nis, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index ad2a10e..aee77dc 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.12.0)
+policy_module(nscd, 1.12.1)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
index 47bb1d2..28ed38f 100644
--- a/policy/modules/contrib/nsd.te
+++ b/policy/modules/contrib/nsd.te
@@ -1,4 +1,4 @@
-policy_module(nsd, 1.8.0)
+policy_module(nsd, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index 985823c..ad09d51 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.5.0)
+policy_module(nslcd, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index 8ec7859..43171f4 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -1,4 +1,4 @@
-policy_module(ntop, 1.10.0)
+policy_module(ntop, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 56bb390..7600674 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.13.0)
+policy_module(ntp, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te
index b0a1be4..cecc64a 100644
--- a/policy/modules/contrib/numad.te
+++ b/policy/modules/contrib/numad.te
@@ -1,4 +1,4 @@
-policy_module(numad, 1.1.0)
+policy_module(numad, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 64cd06f..1a4907d 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.4.0)
+policy_module(nut, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index edfad9d..e72ffea 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -1,4 +1,4 @@
-policy_module(oident, 2.3.0)
+policy_module(oident, 2.3.1)
########################################
#
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
index 2ecffe3..a001328 100644
--- a/policy/modules/contrib/openct.te
+++ b/policy/modules/contrib/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.7.0)
+policy_module(openct, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/openhpi.te b/policy/modules/contrib/openhpi.te
index 8de6191..d0c61ba 100644
--- a/policy/modules/contrib/openhpi.te
+++ b/policy/modules/contrib/openhpi.te
@@ -1,4 +1,4 @@
-policy_module(openhpi, 1.1.0)
+policy_module(openhpi, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index f9d58cc..bdb689e 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.13.0)
+policy_module(openvpn, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 5885f67..84d7e60 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -1,4 +1,4 @@
-policy_module(openvswitch, 1.2.0)
+policy_module(openvswitch, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index 6e6efb6..8db2c1f 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.1.0)
+policy_module(pacemaker, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/pads.te b/policy/modules/contrib/pads.te
index 078adc4..4992358 100644
--- a/policy/modules/contrib/pads.te
+++ b/policy/modules/contrib/pads.te
@@ -1,4 +1,4 @@
-policy_module(pads, 1.1.0)
+policy_module(pads, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 511d08d..bf5066f 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.10.0)
+policy_module(pcscd, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 742fe1d..3e66bb7 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.10.0)
+policy_module(pegasus, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 9feb1ef..1887d96 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.8.0)
+policy_module(perdition, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index ab01060..5a91a3c 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -1,4 +1,4 @@
-policy_module(pingd, 1.1.0)
+policy_module(pingd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 1e1a490..0e583e1 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.1.0)
+policy_module(pkcs, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/polipo.te b/policy/modules/contrib/polipo.te
index baa9b4b..5189e55 100644
--- a/policy/modules/contrib/polipo.te
+++ b/policy/modules/contrib/polipo.te
@@ -1,4 +1,4 @@
-policy_module(polipo, 1.2.0)
+policy_module(polipo, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 18b255e..3ba2179 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.11.0)
+policy_module(portmap, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index 00b01e2..162fe08 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.4.0)
+policy_module(portreserve, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 738ce6f..1c0e8a6 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.16.0)
+policy_module(postfix, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index ea1582a..20e9b79 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.3.0)
+policy_module(postfixpolicyd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index fd58805..705a5b6 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.9.0)
+policy_module(postgrey, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index d616ca3..dc115b1 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.14.0)
+policy_module(ppp, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index 6cebd0c..6effe7f 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.5.0)
+policy_module(prelude, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
index ec21f80..b2873f6 100644
--- a/policy/modules/contrib/privoxy.te
+++ b/policy/modules/contrib/privoxy.te
@@ -1,4 +1,4 @@
-policy_module(privoxy, 1.12.0)
+policy_module(privoxy, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index ad12e3a..ee61046 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.2.0)
+policy_module(psad, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 1fa318e..f7f95b0 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.5.0)
+policy_module(puppet, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
index 06bec9b..d3b0e6d 100644
--- a/policy/modules/contrib/pxe.te
+++ b/policy/modules/contrib/pxe.te
@@ -1,4 +1,4 @@
-policy_module(pxe, 1.5.0)
+policy_module(pxe, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/pyicqt.te b/policy/modules/contrib/pyicqt.te
index f2863de..45cccaf 100644
--- a/policy/modules/contrib/pyicqt.te
+++ b/policy/modules/contrib/pyicqt.te
@@ -1,4 +1,4 @@
-policy_module(pyicqt, 1.1.0)
+policy_module(pyicqt, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/pyzor.te b/policy/modules/contrib/pyzor.te
index 232d2d4..8462ee0 100644
--- a/policy/modules/contrib/pyzor.te
+++ b/policy/modules/contrib/pyzor.te
@@ -1,4 +1,4 @@
-policy_module(pyzor, 2.4.0)
+policy_module(pyzor, 2.4.1)
########################################
#
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
index 83eb09e..0ecfe15 100644
--- a/policy/modules/contrib/qpid.te
+++ b/policy/modules/contrib/qpid.te
@@ -1,4 +1,4 @@
-policy_module(qpid, 1.1.0)
+policy_module(qpid, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/quantum.te b/policy/modules/contrib/quantum.te
index 8644d8b..32c1379 100644
--- a/policy/modules/contrib/quantum.te
+++ b/policy/modules/contrib/quantum.te
@@ -1,4 +1,4 @@
-policy_module(quantum, 1.1.0)
+policy_module(quantum, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 4ec203d..5a92a2c 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.7.0)
+policy_module(quota, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/rabbitmq.te b/policy/modules/contrib/rabbitmq.te
index cced9c3..5bdde4c 100644
--- a/policy/modules/contrib/rabbitmq.te
+++ b/policy/modules/contrib/rabbitmq.te
@@ -1,4 +1,4 @@
-policy_module(rabbitmq, 1.1.0)
+policy_module(rabbitmq, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index d85eecc..52c05da 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.13.1)
+policy_module(radius, 1.13.2)
########################################
#
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index 6d162e4..76bba12 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.14.0)
+policy_module(radvd, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index a9ebb52..6f96e98 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.14.0)
+policy_module(raid, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index d2eecfe..bf6e4e9 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.1.0)
+policy_module(redis, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index f6eb358..a5b9878 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.3.0)
+policy_module(resmgr, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index 147ce0c..4ef5d59 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.4.0)
+policy_module(rgmanager, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 3ac5646..ef7c72b 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.4.0)
+policy_module(rhcs, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te
index 8de4907..3fb1e18 100644
--- a/policy/modules/contrib/rhsmcertd.te
+++ b/policy/modules/contrib/rhsmcertd.te
@@ -1,4 +1,4 @@
-policy_module(rhsmcertd, 1.2.0)
+policy_module(rhsmcertd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index 0ba2569..dd763c4 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -1,4 +1,4 @@
-policy_module(ricci, 1.8.0)
+policy_module(ricci, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index a4e8a5e..17b9504 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.2.0)
+policy_module(rngd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/roundup.te b/policy/modules/contrib/roundup.te
index ccb5991..11a013f 100644
--- a/policy/modules/contrib/roundup.te
+++ b/policy/modules/contrib/roundup.te
@@ -1,4 +1,4 @@
-policy_module(roundup, 1.8.0)
+policy_module(roundup, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index f0fa041..a150dc2 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.16.1)
+policy_module(rpc, 1.16.2)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 9604d59..9cdb548 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.8.1)
+policy_module(rpcbind, 1.8.2)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 672fade..e56f892 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.17.0)
+policy_module(rpm, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 7eea21f..906ebb5 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.2.0)
+policy_module(rtkit, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te
index 7fb75f4..24a685a 100644
--- a/policy/modules/contrib/rwho.te
+++ b/policy/modules/contrib/rwho.te
@@ -1,4 +1,4 @@
-policy_module(rwho, 1.7.0)
+policy_module(rwho, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index de3adf2..2e782c5 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.17.0)
+policy_module(samba, 1.17.1)
#################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 3ed8e45..f2e4eaf 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.2.1)
+policy_module(samhain, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
index 0045465..af72f44 100644
--- a/policy/modules/contrib/sanlock.te
+++ b/policy/modules/contrib/sanlock.te
@@ -1,4 +1,4 @@
-policy_module(sanlock, 1.1.0)
+policy_module(sanlock, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index 9f91f8b..d1028b7 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.16.0)
+policy_module(sasl, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
index 299756b..0834784 100644
--- a/policy/modules/contrib/sblim.te
+++ b/policy/modules/contrib/sblim.te
@@ -1,4 +1,4 @@
-policy_module(sblim, 1.1.0)
+policy_module(sblim, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 6b30f39..52a6efa 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.13.0)
+policy_module(sendmail, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/sensord.te b/policy/modules/contrib/sensord.te
index 5e82fd6..f9bed73 100644
--- a/policy/modules/contrib/sensord.te
+++ b/policy/modules/contrib/sensord.te
@@ -1,4 +1,4 @@
-policy_module(sensord, 1.0.0)
+policy_module(sensord, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index 7710b9f..107bd15 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.4.0)
+policy_module(shorewall, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/slpd.te b/policy/modules/contrib/slpd.te
index 731512a..65a999d 100644
--- a/policy/modules/contrib/slpd.te
+++ b/policy/modules/contrib/slpd.te
@@ -1,4 +1,4 @@
-policy_module(slpd, 1.1.0)
+policy_module(slpd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index 9cf6582..e29affa 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.12.0)
+policy_module(smartmon, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index ec031a0..b2dafb4 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -1,4 +1,4 @@
-policy_module(smokeping, 1.2.0)
+policy_module(smokeping, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/smstools.te b/policy/modules/contrib/smstools.te
index 5ccf83c..1edf97d 100644
--- a/policy/modules/contrib/smstools.te
+++ b/policy/modules/contrib/smstools.te
@@ -1,4 +1,4 @@
-policy_module(smstools, 1.0.0)
+policy_module(smstools, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index 068a706..afa86ff 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.14.1)
+policy_module(snmp, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index d5d9766..2cc5761 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.12.0)
+policy_module(snort, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
index 0919e0c..b9d3104 100644
--- a/policy/modules/contrib/soundserver.te
+++ b/policy/modules/contrib/soundserver.te
@@ -1,4 +1,4 @@
-policy_module(soundserver, 1.9.0)
+policy_module(soundserver, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index b208631..22c3fd4 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.8.0)
+policy_module(spamassassin, 2.8.1)
########################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 42b6ccf..deb497a 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.13.0)
+policy_module(squid, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 2d8db1f..17218c2 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.2.0)
+policy_module(sssd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
index 03cd1f7..48e5704 100644
--- a/policy/modules/contrib/svnserve.te
+++ b/policy/modules/contrib/svnserve.te
@@ -1,4 +1,4 @@
-policy_module(svnserve, 1.2.0)
+policy_module(svnserve, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index b92f677..fd167ee 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.8.0)
+policy_module(sysstat, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index 61f53ea..b368f33 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.2.0)
+policy_module(systemtap, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 3fc5fda..272c114 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.2.0)
+policy_module(tcsd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index 931c709..ecd3bfb 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,4 +1,4 @@
-policy_module(tgtd, 1.4.0)
+policy_module(tgtd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index a9441af..519f9bf 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.10.0)
+policy_module(tor, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
index 34973ee..44dc6c0 100644
--- a/policy/modules/contrib/transproxy.te
+++ b/policy/modules/contrib/transproxy.te
@@ -1,4 +1,4 @@
-policy_module(transproxy, 1.8.0)
+policy_module(transproxy, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
index 393a330..5b16bda 100644
--- a/policy/modules/contrib/tuned.te
+++ b/policy/modules/contrib/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.2.0)
+policy_module(tuned, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index de35e5f..e244c11 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.3.0)
+policy_module(ulogd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index 263d5fb..c0fe79b 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.6.0)
+policy_module(uptime, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index 849f607..b6666a5 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -1,4 +1,4 @@
-policy_module(uucp, 1.13.0)
+policy_module(uucp, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
index f8e52fc..52f8a7a 100644
--- a/policy/modules/contrib/uuidd.te
+++ b/policy/modules/contrib/uuidd.te
@@ -1,4 +1,4 @@
-policy_module(uuidd, 1.1.0)
+policy_module(uuidd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 9d4d8cb..77fb5b6 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.2.0)
+policy_module(varnishd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index 045124a..01403ab 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.2.0)
+policy_module(vdagent, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index 3d11c6a..dabfe40 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -1,4 +1,4 @@
-policy_module(vhostmd, 1.1.0)
+policy_module(vhostmd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 27a28df..42cb462 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.1)
+policy_module(virt, 1.8.2)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index e2220ae..79351c4 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.1.0)
+policy_module(vnstatd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 1a7ad18..25b17a0 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.9.0)
+policy_module(watchdog, 1.9.1)
#################################
#
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index 4815a93..823f289 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -1,4 +1,4 @@
-policy_module(wdmd, 1.1.0)
+policy_module(wdmd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
index 0928c5d..46ab354 100644
--- a/policy/modules/contrib/xfs.te
+++ b/policy/modules/contrib/xfs.te
@@ -1,4 +1,4 @@
-policy_module(xfs, 1.7.0)
+policy_module(xfs, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index bd967ab..f297da0 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.8.0)
+policy_module(zabbix, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te
index 3fded1c..f03331e 100644
--- a/policy/modules/contrib/zarafa.te
+++ b/policy/modules/contrib/zarafa.te
@@ -1,4 +1,4 @@
-policy_module(zarafa, 1.2.0)
+policy_module(zarafa, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index 2e80d04..0f726fc 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.13.0)
+policy_module(zebra, 1.13.1)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:24 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-06-09 13:24 UTC (permalink / raw
To: gentoo-commits
commit: 23a0cb85e78deca55835b7e4964a8c19d6aa508e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat May 30 12:42:54 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 30 12:42:54 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=23a0cb85
portage: connect all unreserved for FTP PASV mode.
FTP PASV mode does not use specific ports, so the only way is to allow
all unreserved.
avc: denied { name_connect } for pid=5274 comm="wget" dest=26213
scontext=root:sysadm_r:portage_fetch_t
tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket
permissive=0
Gentoo bug 540056
policy/modules/contrib/portage.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 83d6ab4..2e8ab9e 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -295,6 +295,8 @@ corenet_sendrecv_rsync_client_packets(portage_fetch_t)
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
+# bug 540056
+corenet_tcp_connect_all_unreserved_ports(portage_fetch_t)
dev_dontaudit_read_rand(portage_fetch_t)
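Review bot: the added `corenet_tcp_connect_all_unreserved_ports(portage_fetch_t)` sits directly under `corenet_tcp_connect_all_reserved_ports` and `corenet_tcp_connect_generic_port`, so after this change portage_fetch_t may name_connect to reserved, generic and unreserved TCP ports alike, which leaves the port-type restriction on the fetch domain with little effect. If that is the accepted cost of FTP PASV, consider putting the new line behind a tunable so hosts that never fetch over FTP can keep it off, and expand the `# bug 540056` comment to say it is for FTP passive-mode data connections so the reason survives without a bug tracker lookup.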
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:24 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:24 UTC
To: gentoo-commits
commit: 1943815a94454b541f37128cec20da4ed015970b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 24 12:04:00 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed May 27 19:01:18 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1943815a
bitcoin: use init_startstop_service interface in _admin
The bitcoin_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
policy/modules/contrib/bitcoin.if | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
index 922bc7c..9c7ca8d 100644
--- a/policy/modules/contrib/bitcoin.if
+++ b/policy/modules/contrib/bitcoin.if
@@ -26,10 +26,7 @@ interface(`bitcoin_admin',`
allow $1 bitcoin_t:process { ptrace signal_perms };
ps_process_pattern($1, bitcoin_t)
- init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitcoin_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bitcoin_t, bitcoin_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, bitcoin_tmp_t)
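Review bot: the four removed lines in `bitcoin_admin` include `allow $2 system_r;` and `domain_system_change_exemption($1)`, and nothing in this hunk shows that `init_startstop_service($1, $2, bitcoin_t, bitcoin_initrc_exec_t)` grants the equivalent on every init system it is built for. Please confirm that the replacement interface covers the role allow and the role transition on `bitcoin_initrc_exec_t`, and say so in the commit message, so that callers of `bitcoin_admin` do not silently lose the ability to start and stop the service.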
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:24 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:24 UTC
To: gentoo-commits
commit: d4afeed432628ed87eb86e305d80b982751edcab
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat May 30 15:52:25 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 30 16:00:29 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4afeed4
Add KDEConnect policy
Thanks to Dan O. and a few minor fixups.
Gentoo bug 536672
policy/modules/contrib/kdeconnect.fc | 1 +
policy/modules/contrib/kdeconnect.if | 97 +++++++++++++++++++++++++++++
policy/modules/contrib/kdeconnect.te | 114 +++++++++++++++++++++++++++++++++++
3 files changed, 212 insertions(+)
diff --git a/policy/modules/contrib/kdeconnect.fc b/policy/modules/contrib/kdeconnect.fc
new file mode 100644
index 0000000..797a7a0
--- /dev/null
+++ b/policy/modules/contrib/kdeconnect.fc
@@ -0,0 +1 @@
+/usr/lib/libexec/kdeconnectd -- gen_context(system_u:object_r:kdeconnect_exec_t,s0)
diff --git a/policy/modules/contrib/kdeconnect.if b/policy/modules/contrib/kdeconnect.if
new file mode 100644
index 0000000..f07be14
--- /dev/null
+++ b/policy/modules/contrib/kdeconnect.if
@@ -0,0 +1,97 @@
+## <summary>policy for kdeconnect</summary>
+
+########################################
+## <summary>
+## Execute kdeconnect in the kdeconnect domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kdeconnect_domtrans',`
+ gen_require(`
+ type kdeconnect_t, kdeconnect_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kdeconnect_exec_t, kdeconnect_t)
+')
+
+########################################
+## <summary>
+## Execute kdeconnect in the kdeconnect domain, and
+## allow the specified role the kdeconnect domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the kdeconnect domain.
+## </summary>
+## </param>
+#
+interface(`kdeconnect_run',`
+ gen_require(`
+ type kdeconnect_t;
+ ')
+
+ kdeconnect_domtrans($1)
+ role $2 types kdeconnect_t;
+')
+
+########################################
+## <summary>
+## Role access for kdeconnect
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`kdeconnect_role',`
+ gen_require(`
+ type kdeconnect_t;
+ ')
+
+ role $1 types kdeconnect_t;
+
+ kdeconnect_domtrans($2)
+
+ allow $2 kdeconnect_t:unix_stream_socket connectto;
+ allow kdeconnect_t $2:unix_stream_socket { read write connectto };
+
+ ps_process_pattern($2, kdeconnect_t)
+ allow $2 kdeconnect_t:process { signull signal sigkill };
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the kdeconnect daemon
+## over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdeconnect_dbus_chat',`
+ gen_require(`
+ type kdeconnect_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kdeconnect_t:dbus send_msg;
+ allow kdeconnect_t $1:dbus send_msg;
+')
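Review bot: in `kdeconnect_role` the rule `allow kdeconnect_t $2:unix_stream_socket { read write connectto };` lets the daemon connect to, read and write the calling user domain's stream sockets, which is the reverse direction of the `allow $2 kdeconnect_t:unix_stream_socket connectto;` line above it; if only the user domain connects to the daemon, drop `connectto` from the second rule, otherwise add a comment on why it is needed. Smaller points: the summary of `kdeconnect_domtrans` has a typo ("domin"), and `kdeconnect_run` and `kdeconnect_role` both add `role ... types kdeconnect_t` plus `kdeconnect_domtrans`, so the descriptions should say when a caller uses one rather than the other.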
diff --git a/policy/modules/contrib/kdeconnect.te b/policy/modules/contrib/kdeconnect.te
new file mode 100644
index 0000000..92be330
--- /dev/null
+++ b/policy/modules/contrib/kdeconnect.te
@@ -0,0 +1,114 @@
+policy_module(kdeconnect, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow KDEConnect to read user home files
+## </p>
+## </desc>
+gen_tunable(kdeconnect_read_user_files, true)
+
+type kdeconnect_t;
+type kdeconnect_exec_t;
+application_domain(kdeconnect_t, kdeconnect_exec_t)
+
+type kdeconnect_xdg_cache_home_t;
+xdg_cache_home_content(kdeconnect_xdg_cache_home_t)
+
+type kdeconnect_tmp_t;
+userdom_user_tmp_file(kdeconnect_tmp_t)
+
+type kdeconnect_xdg_config_home_t;
+xdg_config_home_content(kdeconnect_xdg_config_home_t)
+
+type kdeconnect_xdg_data_home_t;
+xdg_data_home_content(kdeconnect_xdg_data_home_t)
+
+type kdeconnect_tmpfs_t;
+userdom_user_tmpfs_file(kdeconnect_tmpfs_t)
+
+########################################
+#
+# kdeconnect local policy
+#
+
+allow kdeconnect_t self:fifo_file manage_fifo_file_perms;
+allow kdeconnect_t self:unix_stream_socket create_stream_socket_perms;
+allow kdeconnect_t self:unix_dgram_socket { write getopt create setopt };
+allow kdeconnect_t self:netlink_route_socket create_netlink_socket_perms;
+allow kdeconnect_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow kdeconnect_t self:tcp_socket create_stream_socket_perms;
+allow kdeconnect_t self:udp_socket create_stream_socket_perms;
+allow kdeconnect_t self:process { execmem signal };
+
+kernel_read_system_state(kdeconnect_t)
+
+manage_dirs_pattern(kdeconnect_t, kdeconnect_tmp_t, kdeconnect_tmp_t)
+manage_files_pattern(kdeconnect_t, kdeconnect_tmp_t, kdeconnect_tmp_t)
+files_tmp_filetrans(kdeconnect_t, kdeconnect_tmp_t, { dir file })
+
+manage_files_pattern(kdeconnect_t, kdeconnect_xdg_cache_home_t, kdeconnect_xdg_cache_home_t)
+manage_dirs_pattern(kdeconnect_t, kdeconnect_xdg_cache_home_t, kdeconnect_xdg_cache_home_t)
+xdg_cache_home_filetrans(kdeconnect_t, kdeconnect_xdg_cache_home_t, dir)
+
+manage_files_pattern(kdeconnect_t, kdeconnect_xdg_config_home_t, kdeconnect_xdg_config_home_t)
+manage_dirs_pattern(kdeconnect_t, kdeconnect_xdg_config_home_t, kdeconnect_xdg_config_home_t)
+xdg_config_home_filetrans(kdeconnect_t, kdeconnect_xdg_config_home_t, { dir file })
+
+manage_files_pattern(kdeconnect_t, kdeconnect_xdg_data_home_t, kdeconnect_xdg_data_home_t)
+manage_dirs_pattern(kdeconnect_t, kdeconnect_xdg_data_home_t, kdeconnect_xdg_data_home_t)
+xdg_data_home_filetrans(kdeconnect_t, kdeconnect_xdg_data_home_t, { dir file })
+
+manage_dirs_pattern(kdeconnect_t, kdeconnect_tmpfs_t, kdeconnect_tmpfs_t)
+manage_files_pattern(kdeconnect_t, kdeconnect_tmpfs_t, kdeconnect_tmpfs_t)
+fs_tmpfs_filetrans(kdeconnect_t, kdeconnect_tmpfs_t, { dir file })
+
+corenet_sendrecv_kdeconnect_client_packets(kdeconnect_t)
+corenet_sendrecv_kdeconnect_server_packets(kdeconnect_t)
+corenet_tcp_bind_kdeconnect_port(kdeconnect_t)
+corenet_tcp_bind_generic_node(kdeconnect_t)
+corenet_tcp_connect_kdeconnect_port(kdeconnect_t)
+corenet_tcp_sendrecv_kdeconnect_port(kdeconnect_t)
+corenet_udp_bind_kdeconnect_port(kdeconnect_t)
+corenet_udp_sendrecv_kdeconnect_port(kdeconnect_t)
+corenet_udp_bind_generic_node(kdeconnect_t)
+
+dev_read_sysfs(kdeconnect_t)
+domain_use_interactive_fds(kdeconnect_t)
+
+files_manage_generic_tmp_files(kdeconnect_t)
+files_read_etc_files(kdeconnect_t)
+files_read_usr_files(kdeconnect_t)
+fs_getattr_xattr_fs(kdeconnect_t)
+
+miscfiles_read_localization(kdeconnect_t)
+udev_read_db(kdeconnect_t)
+
+userdom_manage_user_tmp_files(kdeconnect_t)
+userdom_manage_user_tmp_sockets(kdeconnect_t)
+userdom_use_user_ptys(kdeconnect_t)
+# KDEConnect needs access to some global config/cache/data files
+xdg_manage_cache_home(kdeconnect_t)
+xdg_manage_config_home(kdeconnect_t)
+xdg_manage_data_home(kdeconnect_t)
+
+xserver_stream_connect(kdeconnect_t)
+xserver_user_x_domain_template(kdeconnect, kdeconnect_t, kdeconnect_tmpfs_t)
+
+tunable_policy(`kdeconnect_read_user_files',`
+ userdom_read_user_home_content_files(kdeconnect_t)
+')
+
+#######################################
+#
+# Allow KDEConnect to talk to DBUS
+#
+
+dbus_all_session_bus_client(kdeconnect_t)
+dbus_connect_all_session_bus(kdeconnect_t)
+dbus_connect_system_bus(kdeconnect_t)
+dbus_system_bus_client(kdeconnect_t)
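Review bot: `allow kdeconnect_t self:udp_socket create_stream_socket_perms;` uses the stream permission set on a datagram socket; `create_socket_perms` is the usual set for UDP, since the listen and accept permissions the stream set adds have no meaning there. Also, `gen_tunable(kdeconnect_read_user_files, true)` turns on read access to user home content by default for a domain that binds TCP and UDP ports; defaulting it to false would make that an opt-in. `execmem` in `allow kdeconnect_t self:process { execmem signal };` and `files_manage_generic_tmp_files(kdeconnect_t)` (alongside the private `kdeconnect_tmp_t` and its `files_tmp_filetrans`) each deserve a comment stating why they are needed.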
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:24 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:24 UTC
To: gentoo-commits
commit: 62f241df91ddddeee30ef0d5c18d498f8641f9f0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 24 12:05:48 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed May 27 19:01:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=62f241df
salt: use init_startstop_service interface in _admin
The salt_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
policy/modules/contrib/salt.if | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
index 7ab9e6b..27fefae 100644
--- a/policy/modules/contrib/salt.if
+++ b/policy/modules/contrib/salt.if
@@ -29,9 +29,7 @@ interface(`salt_admin_master',`
allow $1 salt_master_t:process { ptrace signal_perms };
ps_process_pattern($1, salt_master_t)
- init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 salt_master_initrc_exec_t system_r;
+ init_startstop_service($1, $2, salt_master_t, salt_master_initrc_exec_t)
# for debugging?
role_transition $2 salt_master_exec_t system_r;
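Review bot: the context line `role_transition $2 salt_master_exec_t system_r;` under `# for debugging?` is left in place right after the new `init_startstop_service` call, so `salt_admin_master` still carries a hand-written role transition of the kind this change removes for the init script. Either drop it (the same applies to the `salt_minion_exec_t` line in the next hunk) or replace the question-mark comment with the reason it has to stay.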
@@ -73,9 +71,7 @@ interface(`salt_admin_minion',`
allow $1 salt_minion_t:process { ptrace signal_perms };
ps_process_pattern($1, salt_minion_t)
- init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 salt_minion_initrc_exec_t system_r;
+ init_startstop_service($1, $2, salt_minion_t, salt_minion_initrc_exec_t)
# for debugging
role_transition $2 salt_minion_exec_t system_r;
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2015-05-25 16:15 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2015-06-09 13:24 ` Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:24 UTC
To: gentoo-commits
commit: ad02fc9b27a7e4510b5c66a4910c5ad97e7da11c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 25 16:14:54 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon May 25 16:14:54 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ad02fc9b
Maven (mvn) needs read access to m2.conf
policy/modules/contrib/java.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc
index cc4f515..7958f81 100644
--- a/policy/modules/contrib/java.fc
+++ b/policy/modules/contrib/java.fc
@@ -30,3 +30,8 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise
+/usr/share/maven-bin-[^/]*/bin/m2.conf -- gen_context(system_u:object_r:usr_t,s0)
+')
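Review bot: in the new file context `/usr/share/maven-bin-[^/]*/bin/m2.conf` the dot in `m2.conf` is unescaped, so the regular expression matches any character in that position; write it as `m2\.conf`, the way the `HOME_DIR/\.java(/.*)?` entry shown in the hunk header escapes its dot. The comment could also state that `usr_t` is chosen so that domains with read access to generic /usr files can read the file, since the label is what the fix consists of.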
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:30 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:30 UTC
To: gentoo-commits
commit: dc2ab995ed353dbd547b1522a60330abe448aff4
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun 9 13:26:55 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 13:26:55 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc2ab995
Fail2ban smoketest fixes
This partially fixes some of the reported issues in bug #534256. More
specifically, fail2ban fails to start because
- fail2ban-client is invoked from the service and checks if it has write
privileges on /run/fail2ban (although it does not by itself use it
further).
- fail2ban init script creates /run/fail2ban so a file transition is
needed
- output should be captured when an init script is used, hence allow
fail2ban_client_t access to the initrc script ptys.
X-Gentoo-Bug: 534256
policy/modules/contrib/fail2ban.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index 6b9fb7e..bc6bd8e 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -159,6 +159,12 @@ ifdef(`distro_gentoo',`
# Python compilation
files_dontaudit_write_usr_dirs(fail2ban_t)
+
+ # Fix bug 534256 - Startup fails without these
+ allow fail2ban_client_t fail2ban_var_run_t:dir write;
+
+ init_daemon_pid_file(fail2ban_var_run_t, dir, "fail2ban")
+ init_use_script_ptys(fail2ban_client_t)
')
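Review bot: `allow fail2ban_client_t fail2ban_var_run_t:dir write;` grants a permission that, per the commit message, fail2ban-client only tests for and does not use; the in-code comment should say so, so that the rule is not later widened to `add_name`/`remove_name` or mistaken for a real write path. The single comment "Startup fails without these" also covers three rules that have three different reasons; one short comment per rule (write check, /run/fail2ban file transition, init script ptys) would keep each justification next to its line.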
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:34 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:34 UTC
To: gentoo-commits
commit: 049db179d5652a69cc90ee89fec2a6d6f2899f95
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jun 8 19:14:24 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 13:06:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=049db179
Remove _run() interfaces from _admin()
Both cannot be applied to a type so removing _run from _admin
means things are a lot more flexible.
policy/modules/contrib/bacula.if | 2 --
policy/modules/contrib/bind.if | 2 --
policy/modules/contrib/kudzu.if | 2 --
policy/modules/contrib/portmap.if | 2 --
policy/modules/contrib/quota.if | 2 --
policy/modules/contrib/raid.if | 2 --
policy/modules/contrib/rpm.if | 2 --
policy/modules/contrib/samba.if | 5 -----
8 files changed, 19 deletions(-)
diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if
index 18ad480..eba3f1c 100644
--- a/policy/modules/contrib/bacula.if
+++ b/policy/modules/contrib/bacula.if
@@ -90,6 +90,4 @@ interface(`bacula_admin',`
files_search_pids($1)
admin_pattern($1, bacula_var_run_t)
-
- bacula_run_admin($1, $2)
')
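Review bot: removing `bacula_run_admin($1, $2)` from `bacula_admin` changes what existing callers get, and the hunk does not show whether `$2` is still used elsewhere in the interface. Callers that relied on `bacula_admin` for the run access now need their own `bacula_run_admin` call, and if the role argument is no longer referenced, its parameter documentation should be updated or marked unused; the same check applies to each interface touched by this patch.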
diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
index 9654435..1e974ca 100644
--- a/policy/modules/contrib/bind.if
+++ b/policy/modules/contrib/bind.if
@@ -386,6 +386,4 @@ interface(`bind_admin',`
files_list_pids($1)
admin_pattern($1, named_var_run_t)
-
- bind_run_ndc($1, $2)
')
diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if
index 993e152..85214c5 100644
--- a/policy/modules/contrib/kudzu.if
+++ b/policy/modules/contrib/kudzu.if
@@ -96,6 +96,4 @@ interface(`kudzu_admin',`
files_search_pids($1)
admin_pattern($1, kudzu_var_run_t)
-
- kudzu_run($1, $2)
')
diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
index 61e1a12..f0af3fe 100644
--- a/policy/modules/contrib/portmap.if
+++ b/policy/modules/contrib/portmap.if
@@ -121,6 +121,4 @@ interface(`portmap_admin',`
files_search_tmp($1)
admin_pattern($1, portmap_tmp_t)
-
- portmap_run_helper($1, $2)
')
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index c2a5ef4..6f8a925 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -188,6 +188,4 @@ interface(`quota_admin',`
files_list_all($1)
admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
-
- quota_run($1, $2)
')
diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if
index 6d98a94..091c805 100644
--- a/policy/modules/contrib/raid.if
+++ b/policy/modules/contrib/raid.if
@@ -95,6 +95,4 @@ interface(`raid_admin_mdadm',`
files_search_pids($1)
admin_pattern($1, mdadm_var_run_t)
-
- raid_run_mdadm($2, $1)
')
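Review bot: the removed call `raid_run_mdadm($2, $1)` passes its arguments in the opposite order to the other removed calls in this patch (`kudzu_run($1, $2)`, `quota_run($1, $2)`, `rpm_run($1, $2)`), so either the call in `raid_admin_mdadm` was wrong or `raid_run_mdadm` takes the role first. That is worth a line in the commit message, and anyone adding `raid_run_mdadm` back by hand for an admin role should check which order the interface expects.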
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index 3ff41b3..2344edd 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -658,6 +658,4 @@ interface(`rpm_admin',`
fs_search_tmpfs($1)
admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t })
-
- rpm_run($1, $2)
')
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index dfc606e..f30e31d 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -714,9 +714,4 @@ interface(`samba_admin',`
files_list_tmp($1)
admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
-
- samba_run_smbcontrol($1, $2)
- samba_run_winbind_helper($1, $2)
- samba_run_smbmount($1, $2)
- samba_run_net($1, $2)
')
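Review bot: `samba_admin` loses four run interfaces at once (`samba_run_smbcontrol`, `samba_run_winbind_helper`, `samba_run_smbmount`, `samba_run_net`), the largest behaviour change in this patch, while the commit message gives only the general reason. State which admin roles are expected to call these explicitly from now on, or add those calls in the same series, so that a Samba administrator role does not lose smbcontrol and net without notice.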
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2015-06-09 13:59 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2015-06-09 13:34 ` Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:34 UTC
To: gentoo-commits
commit: 282c67cd689d85ddd0f9f0496a2411b67bb50527
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun 9 13:26:55 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 13:34:30 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=282c67cd
Fail2ban smoketest fixes
This partially fixes some of the reported issues in bug #534256. More
specifically, fail2ban fails to start because
- fail2ban-client is invoked from the service and checks if it has write
privileges on /run/fail2ban (although it does not by itself use it
further).
- fail2ban init script creates /run/fail2ban so a file transition is
needed
- output should be captured when an init script is used, hence allow
fail2ban_client_t access to the initrc script ptys.
X-Gentoo-Bug: 534256
policy/modules/contrib/fail2ban.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index 6b9fb7e..bc6bd8e 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -159,6 +159,12 @@ ifdef(`distro_gentoo',`
# Python compilation
files_dontaudit_write_usr_dirs(fail2ban_t)
+
+ # Fix bug 534256 - Startup fails without these
+ allow fail2ban_client_t fail2ban_var_run_t:dir write;
+
+ init_daemon_pid_file(fail2ban_var_run_t, dir, "fail2ban")
+ init_use_script_ptys(fail2ban_client_t)
')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-09 13:34 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-09 13:34 UTC
To: gentoo-commits
commit: a5810838a5c032385f8231cd9942f808a0ccf36c
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Jun 8 19:59:07 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 13:06:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5810838
Module version bumps for "Remove run interface calls from admin interfaces" changes by Jason Zaman.
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index 5c9e2d9..a69da67 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.2.1)
+policy_module(bacula, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 45ed04f..dd8f70d 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.15.1)
+policy_module(bind, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 107f652..915a88a 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.10.1)
+policy_module(kudzu, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 3ba2179..94500e6 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.11.1)
+policy_module(portmap, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 5a92a2c..45d9ca7 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.7.1)
+policy_module(quota, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index 6f96e98..dfe62e3 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.14.1)
+policy_module(raid, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index e56f892..de5c91f 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.17.1)
+policy_module(rpm, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 2e782c5..45f2b36 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.17.1)
+policy_module(samba, 1.17.2)
#################################
#
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-11 16:04 Sven Vermeulen
From: Sven Vermeulen @ 2015-06-11 16:04 UTC
To: gentoo-commits
commit: 0f123fb70ecdda06fdd36db9471b2f3fb9f0d2e6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun 9 14:03:54 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 14:03:54 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f123fb7
Allow logrotate to call fail2ban-client (as installed by fail2ban package)
policy/modules/contrib/logrotate.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 62b05af..7b302cc 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -251,3 +251,8 @@ allow logrotate_mail_t logrotate_t:process sigchld;
manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
logging_read_all_logs(logrotate_mail_t)
+
+ifdef(`distro_gentoo',`
+ # Fix bug 534256 - fail2ban installs a logrotate file that calls fail2ban-client so allow transition
+ fail2ban_domtrans_client(logrotate_t)
+')
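Review bot: `fail2ban_domtrans_client(logrotate_t)` is called from the logrotate module without an `optional_policy` wrapper, so logrotate.te now depends on the fail2ban module being present when the policy is built. Wrap the call in an `optional_policy` block inside the `distro_gentoo` ifdef so that logrotate still builds and loads on systems without fail2ban.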
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2015-06-09 14:25 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2015-06-11 16:04 ` Sven Vermeulen
From: Sven Vermeulen @ 2015-06-11 16:04 UTC
To: gentoo-commits
commit: 746aaebf667236d83d3c427392b2d97c06fc8c59
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun 9 14:25:38 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 14:25:38 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=746aaebf
Make fail2ban call an optional one
policy/modules/contrib/logrotate.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 7b302cc..311defd 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -254,5 +254,7 @@ logging_read_all_logs(logrotate_mail_t)
ifdef(`distro_gentoo',`
# Fix bug 534256 - fail2ban installs a logrotate file that calls fail2ban-client so allow transition
- fail2ban_domtrans_client(logrotate_t)
+ optional_policy(`
+ fail2ban_domtrans_client(logrotate_t)
+ ')
')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2015-06-11 16:08 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2015-06-11 16:04 ` Sven Vermeulen
From: Sven Vermeulen @ 2015-06-11 16:04 UTC
To: gentoo-commits
commit: 6315a80f5f47dda2fd6427b68db062b838e954c9
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 11 16:04:06 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jun 11 16:04:06 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6315a80f
Add manage interfaces for XDG documents, pictures and music
policy/modules/contrib/xdg.if | 57 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 2bf63c9..55747d3 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -1141,6 +1141,63 @@ interface(`xdg_relabel_all_runtime_home',`
#########################################
## <summary>
+## Manage documents content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_documents_home',`
+ gen_require(`
+ type xdg_documents_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
+ manage_files_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
+')
+
+#########################################
+## <summary>
+## Manage music content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_music_home',`
+ gen_require(`
+ type xdg_music_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_music_home_t, xdg_music_home_t)
+ manage_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
+')
+
+#########################################
+## <summary>
+## Manage pictures content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_pictures_home',`
+ gen_require(`
+ type xdg_pictures_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+ manage_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+')
+
+#########################################
+## <summary>
## Manage video content
## </summary>
## <param name="domain">
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-07-11 14:09 Sven Vermeulen
From: Sven Vermeulen @ 2015-07-11 14:09 UTC
To: gentoo-commits
commit: 1fe4a68fc6e8a979fb6db744109500bf32f8283b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 7 14:38:57 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 7 14:38:57 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1fe4a68f
Salt minion uses blkid for mount info
To view the mount state information, salt minion calls the blkid binary.
policy/modules/contrib/salt.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 576d424..00d1931 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -284,6 +284,8 @@ files_manage_all_non_security_file_types(salt_minion_t)
fs_getattr_all_fs(salt_minion_t)
+fstools_domtrans(salt_minion_t)
+
getty_use_fds(salt_minion_t)
init_exec_rc(salt_minion_t)
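Review bot: `fstools_domtrans(salt_minion_t)` is added without a comment, and the interface name does not tell a reader that the reason is blkid; add a one-line comment above it along the lines of "blkid is run to read mount state". The transition is to the fstools domain as a whole rather than to blkid alone, so the comment should make clear that only the blkid call is intended.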
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-07-11 14:09 Sven Vermeulen
From: Sven Vermeulen @ 2015-07-11 14:09 UTC
To: gentoo-commits
commit: 66e018165d78d4128923e5211b7d63137ac121e6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 1 17:11:05 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jul 1 17:11:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=66e01816
Recent salt-minion requires setsched/getsched and sys_nice, otherwise process just stalls and cannot be connected to by the master
policy/modules/contrib/salt.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 554e927..89995ce 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -207,9 +207,9 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_tty_config };
+allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
-allow salt_minion_t self:process { signal signull };
+allow salt_minion_t self:process { getsched setsched signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
allow salt_minion_t self:udp_socket create_socket_perms;
allow salt_minion_t self:unix_dgram_socket create_socket_perms;
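Review bot: sys_nice in the capability set and getsched/setsched in the process set are added without an in-policy comment, on a domain that already holds sys_admin, dac_override and net_admin. The stall described in the commit message is not obvious from the rule itself, so a short comment naming the symptom would help the next person auditing this allow line decide whether the permissions can be dropped again.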
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2015-06-27 15:03 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2015-07-11 14:09 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:09 UTC (permalink / raw
To: gentoo-commits
commit: ffab4e60223f7e4c8a8fbb2995a4c468e902a278
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 27 15:02:57 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 27 15:02:57 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ffab4e60
Gentoo has chronyd keyfile by default in /etc/chrony/
policy/modules/contrib/chronyd.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index 4e4143e..fd5fbbb 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -11,3 +11,7 @@
/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/etc/chrony/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-07-11 14:09 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:09 UTC (permalink / raw
To: gentoo-commits
commit: dfac21413962d786be190c1cc9063ee00ea76001
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 17:05:54 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jul 2 17:07:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dfac2141
android: dontaudit because it is noisy in /proc
policy/modules/contrib/android.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index 08f3c83..a76061f 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -91,6 +91,8 @@ corenet_tcp_connect_adb_port(android_tools_t)
corenet_tcp_connect_http_port(android_tools_t)
corenet_udp_bind_generic_node(android_java_t)
+domain_dontaudit_getattr_all_domains(android_java_t)
+
miscfiles_read_fonts(android_java_t)
miscfiles_read_localization(android_java_t)
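Review bot: domain_dontaudit_getattr_all_domains(android_java_t) silences the denials rather than allowing the access, and nothing in the policy says why. A comment such as "# scans /proc, noisy" above the line would record that the suppression is deliberate, so that someone debugging android_java_t knows these denials are hidden unless dontaudit rules are disabled.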
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-07-11 14:09 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:09 UTC (permalink / raw
To: gentoo-commits
commit: c9df4e6221b8f12d1683350b6a729837e3f22ddc
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 20 13:01:05 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jul 2 17:07:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9df4e62
consolekit: add suspend perms for ConsoleKit2
policy/modules/contrib/consolekit.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index a7506c1..1adb72e 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -155,4 +155,10 @@ ifdef(`distro_gentoo',`
optional_policy(`
udev_read_pid_files(consolekit_t)
')
+
+ # needs to write to sys for suspend
+ dev_rw_sysfs(consolekit_t)
+ optional_policy(`
+ devicekit_manage_log_files(consolekit_t)
+ ')
')
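Review bot: the comment above dev_rw_sysfs(consolekit_t) explains the sysfs write, but the devicekit_manage_log_files(consolekit_t) block that follows has no stated reason, and the commit subject mentions only suspend. Either extend the comment to cover why consolekit_t manages devicekit log files or move that rule into its own commit. dev_rw_sysfs is also not limited to the power state files, so the comment should say that the broad grant is accepted.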
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-07-11 14:09 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:09 UTC (permalink / raw
To: gentoo-commits
commit: e65a2857d90b4c7be249a89b7571e3a2215d9111
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 13:43:52 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 13:43:52 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e65a2857
Fix typo
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 00d1931..ab19bf7 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -101,7 +101,7 @@ files_pid_file(salt_var_run_t)
allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
allow salt_master_t self:capability2 block_suspend;
-allow salt_master_t self:process { getsched setschd signal };
+allow salt_master_t self:process { getsched setsched signal };
allow salt_master_t self:tcp_socket create_stream_socket_perms;
allow salt_master_t self:udp_socket create_socket_perms;
allow salt_master_t self:fifo_file rw_fifo_file_perms;
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-07-11 14:09 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:09 UTC (permalink / raw
To: gentoo-commits
commit: ebfa09de178fd10f0b853b65548a255aaa3a777f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 20 12:11:18 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jul 2 17:07:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ebfa09de
consolekit: needs to be able to chown dev nodes
policy/modules/contrib/consolekit.te | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 050c5c5..a7506c1 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -147,3 +147,12 @@ optional_policy(`
optional_policy(`
unconfined_stream_connect(consolekit_t)
')
+
+ifdef(`distro_gentoo',`
+ # consolekit needs to be able to chown /dev nodes when logging in
+ dev_setattr_all_chr_files(consolekit_t)
+
+ optional_policy(`
+ udev_read_pid_files(consolekit_t)
+ ')
+')
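Review bot: dev_setattr_all_chr_files(consolekit_t) covers every character device type, while the comment describes chowning /dev nodes at login. If the set of devices ConsoleKit hands to the session user is known, a narrower setattr grant on those device types would match the stated need more closely; otherwise the comment should say that the full set is intentional. The udev_read_pid_files(consolekit_t) block also lacks a comment.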
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2015-07-07 14:12 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2015-07-11 14:09 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:09 UTC (permalink / raw
To: gentoo-commits
commit: 68f348699a16ed79e25f29fc78a6e6a14c02b275
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 7 14:11:38 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 7 14:11:38 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68f34869
Add setsched/getsched to salt_master_t
The salt master daemon also requires the getsched/setsched permissions
(like added for salt_minion_t in the past) as otherwise the master
daemon is defunct and all connections to it are stalled.
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 89995ce..576d424 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -101,7 +101,7 @@ files_pid_file(salt_var_run_t)
allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
allow salt_master_t self:capability2 block_suspend;
-allow salt_master_t self:process signal;
+allow salt_master_t self:process { getsched setschd signal };
allow salt_master_t self:tcp_socket create_stream_socket_perms;
allow salt_master_t self:udp_socket create_socket_perms;
allow salt_master_t self:fifo_file rw_fifo_file_perms;
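Review bot: the added line spells the permission as setschd, but the commit message and the salt_minion_t rule it refers to use setsched. setschd is not a permission of the process class, so the line should read: allow salt_master_t self:process { getsched setsched signal };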
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-07-13 17:35 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-07-13 17:35 UTC (permalink / raw
To: gentoo-commits
commit: ff13e7e4cbbeddbc298d5d94e16ad8afddc614fa
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 13 13:00:21 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 13:00:21 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff13e7e4
portage: add fcontext for emaint
Thanks to Matthias Dahl for reporting
policy/modules/contrib/portage.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index 5f07098..655f986 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
/usr/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 258ba5c6c223988749d75bd11087b43dc1443462
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Sat Aug 15 14:31:34 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=258ba5c6
Module version bump for changes to the pulseaudio module by Niklas Haas.
policy/modules/contrib/pulseaudio.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index af4779d..1a25024 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.7.1)
+policy_module(pulseaudio, 1.7.2)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 5431a073ad8aa918d7e7e0dbfdb208a033971a8d
Author: Niklas Haas <git <AT> nand <DOT> wakku <DOT> to>
AuthorDate: Sat Aug 15 14:17:58 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5431a073
pulse: don't give pulseaudio_client full access to user_home_t
This doesn't seem to be necessary at all, and the comment immediately
above it doesn't make things any less mysterious, as pulseaudio clients
don't even need access to ~/.cache. I cannot observe any breakage on my
machine due to this change, and the permission being present was causing
unexpected behavior (eg. Skype could freely read the contents of my home
dir even with the boolean supposedly toggling that permission disabled,
because skype_t was marked as pulseaudio_client and thus had full access
regardless).
The original source seems to be 5851ec54, which doesn't really help
explaining the original purpose of the lines.
policy/modules/contrib/pulseaudio.te | 3 ---
1 file changed, 3 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index ea5b2a9..af4779d 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -227,9 +227,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
pulseaudio_signull(pulseaudio_client)
-# TODO: ~/.cache
-userdom_manage_user_home_content_files(pulseaudio_client)
-
userdom_read_user_tmpfs_files(pulseaudio_client)
# userdom_delete_user_tmpfs_files(pulseaudio_client)
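Review bot: removing userdom_manage_user_home_content_files(pulseaudio_client) changes every domain that carries the pulseaudio_client attribute, and the commit message reports testing on one machine only. Before merging, check the client domains for any that relied on this rule as their only route to user home files, since they will start logging denials. The commented-out userdom_delete_user_tmpfs_files line left in the context could be cleaned up in the same pass.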
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 7107daec01a595033aa8d356226b7220d150115b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 15:10:07 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7107daec
rsync: remove rsync_run from admin interface
Admining rsync does not require running it in the rsync_t domain and
this causes problems for backups and the like which would originally run
in the user's domain now run in rsync_t.
policy/modules/contrib/rsync.if | 2 --
1 file changed, 2 deletions(-)
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index e916de8..c7b19aa 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -276,6 +276,4 @@ interface(`rsync_admin',`
files_search_pids($1)
admin_pattern($1, rsync_var_run_t)
-
- rsync_run($1, $2)
')
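Review bot: with rsync_run($1, $2) removed from rsync_admin, check whether $2 is still referenced anywhere in the interface. If it is not, the role parameter and its documentation in the interface header should either be dropped or marked as unused, so callers are not misled into thinking the role is granted anything.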
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: dfdefb495631b52c859d13bc047924743e1b4ef2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 27 19:51:44 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:51:44 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dfdefb49
apache: remove gentoo-specific fcontext
Has been upstreamed in commit
4cdea0f683f332134f3f93d79099f71d79d5f718
policy/modules/contrib/apache.fc | 4 ----
1 file changed, 4 deletions(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 4222f2e..96006a0 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -172,7 +172,3 @@ ifdef(`distro_suse',`
/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/share/build-1/libtool -- gen_context(system_u:object_r:bin_t,s0)
-')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 2a26ba597c47fe006e1c18cdd9224e74aba02bf8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 6 10:58:43 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 10:58:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a26ba59
chromium: v45 needs setcap perms
type=AVC msg=audit(1441536942.937:329): avc: denied { setcap } for
pid=4857 comm="chrome" scontext=staff_u:staff_r:chromium_t:s0-s0:c0.c511
tcontext=staff_u:staff_r:chromium_t:s0-s0:c0.c511 tclass=process
permissive=0
type=SYSCALL msg=audit(1441536942.937:329): arch=c000003e syscall=126
success=no exit=-13 a0=3f40091b950 a1=3f40091b960 a2=3ce87534090
a3=3ce87530010 items=0 ppid=4772 pid=4857 auid=1000 uid=1000 gid=100
euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts4
ses=3 comm="chrome" exe="/usr/lib64/chromium-browser/chrome"
subj=staff_u:staff_r:chromium_t:s0-s0:c0.c511 key=(null)
type=ANOM_ABEND msg=audit(1441536942.937:330): auid=1000 uid=1000
gid=100 ses=3 subj=staff_u:staff_r:chromium_t:s0-s0:c0.c511 pid=4857
comm="chrome" exe="/usr/lib64/chromium-browser/chrome" sig=6
[4:4:0906/185542:FATAL:credentials.cc(306)] Check failed:
DropAllCapabilitiesOnCurrentThread(). : Permission denied
[4765:4783:0906/185542:ERROR:zygote_host_impl_linux.cc(374)] Did not
receive ping from zygote child
[3:3:0906/185542:ERROR:zygote_linux.cc(573)] Zygote could not fork:
process_type renderer numfds 5 child_pid -1
policy/modules/contrib/chromium.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index b2c9ccc..3185640 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -88,7 +88,7 @@ xdg_cache_home_content(chromium_xdg_cache_t)
# chromium local policy
#
-allow chromium_t self:process { getsched setrlimit setsched sigkill signal };
+allow chromium_t self:process { getsched setcap setrlimit setsched sigkill signal };
allow chromium_t self:fifo_file rw_fifo_file_perms;;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
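Review bot: the unchanged line directly below the change ends in a double semicolon (rw_fifo_file_perms;;), which is worth cleaning up while this block is being touched. For the change itself, the quoted denial shows setcap on the process class with chromium_t as both source and target, so the self:process grant matches the log. A short comment tying setcap to the sandbox dropping its capabilities would document why a browser domain holds it.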
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 9371d4a13dad0af981681a631591f8c0f7d85203
Author: Niklas Haas <git <AT> nand <DOT> wakku <DOT> to>
AuthorDate: Tue Sep 1 07:10:52 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 2 03:47:46 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9371d4a1
vnstat: fix context on /usr/bin/vnstatd
policy/modules/contrib/vnstatd.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index 52f8f68..0252ce4 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -11,5 +11,5 @@
ifdef(`distro_gentoo',`
# Fix bug 528602 - name is vnstatd in Gentoo
/etc/rc\.d/init\.d/vnstatd -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
-/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 7f5ece84232e3a6704b7e781203f4038a45417c3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 15:10:09 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7f5ece84
hadoop: init_startstop_service() can not take attributes
policy/modules/contrib/hadoop.if | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
index a0a819f..5908119 100644
--- a/policy/modules/contrib/hadoop.if
+++ b/policy/modules/contrib/hadoop.if
@@ -426,7 +426,6 @@ interface(`hadoop_admin',`
attribute hadoop_domain;
attribute hadoop_initrc_domain;
- attribute hadoop_init_script_file;
attribute hadoop_pid_file;
attribute hadoop_lock_file;
attribute hadoop_log_file;
@@ -436,12 +435,22 @@ interface(`hadoop_admin',`
type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
type zookeeper_server_var_t;
+
+ type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t;
+ type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t;
+ type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t;
+ type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t;
+ type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t;
')
allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
- init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file)
+ init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
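Review bot: replacing the attribute-based call with five per-service init_startstop_service calls means the type list in gen_require and the list of calls now have to be kept in step by hand. A comment above the calls stating that init_startstop_service cannot take attributes (the commit subject) would explain the repetition. Any hadoop service added later needs both a type line and a call here, or hadoop_admin will silently not cover it.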
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 4896ffe78b0ad5ce485f252084c40853323945dd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 15:10:08 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4896ffe7
git: allow git_system_t to listen on tcp_sockets
git_session_t already has these permissions but they are missing on
git_system_t. Instead add the perms on the git_daemon attribute which
covers both system and session daemons.
policy/modules/contrib/git.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 1ca8c24..517d513 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -103,8 +103,6 @@ userdom_user_home_content(git_user_content_t)
# Session policy
#
-allow git_session_t self:tcp_socket { accept listen };
-
userdom_search_user_home_dirs(git_session_t)
corenet_all_recvfrom_netlabel(git_session_t)
@@ -266,6 +264,7 @@ tunable_policy(`git_cgi_use_nfs',`
#
allow git_daemon self:fifo_file rw_fifo_file_perms;
+allow git_daemon self:tcp_socket { accept listen };
list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t)
read_files_pattern(git_daemon, git_user_content_t, git_user_content_t)
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: b99a22fc6960896dcf82a02e92b1b913732bc774
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Sep 5 14:43:34 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 11:10:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b99a22fc
virt: Add policy for virtlockd the Virtual machine lock manager
policy/modules/contrib/virt.fc | 4 +++
policy/modules/contrib/virt.te | 56 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 60 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index b38007b..ea197d0 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -27,6 +27,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
@@ -35,6 +36,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virtlockd_var_lib_t,s0)
/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
@@ -48,5 +50,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/virtlockd-sock -s gen_context(system_u:object_r:virtlockd_run_t,s0)
/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/virtlockd.pid -- gen_context(system_u:object_r:virtlockd_run_t,s0)
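Review bot: in /var/run/virtlockd.pid the dot is unescaped, and file context paths are regular expressions, so it matches any character in that position. Writing it as virtlockd\.pid restricts the match to the intended file.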
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index ec84b5b..5648e9d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -190,6 +190,24 @@ type virsh_t;
type virsh_exec_t;
init_system_domain(virsh_t, virsh_exec_t)
+type virtlockd_t;
+type virtlockd_exec_t;
+init_daemon_domain(virtlockd_t, virtlockd_exec_t)
+
+type virtlockd_run_t;
+files_pid_file(virtlockd_run_t)
+
+type virtlockd_var_lib_t;
+files_type(virtlockd_var_lib_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+')
+
########################################
#
# Common virt domain local policy
@@ -221,6 +239,7 @@ manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file })
stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t)
+stream_connect_pattern(virt_domain, virt_var_run_t, virtlockd_run_t, virtlockd_t)
dontaudit virt_domain virt_tmpfs_type:file { read write };
@@ -526,6 +545,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1243,3 +1263,39 @@ manage_files_pattern(virt_leaseshelper_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
kernel_dontaudit_read_system_state(virt_leaseshelper_t)
+
+########################################
+#
+# Virtlockd local policy
+#
+
+allow virtlockd_t self:capability dac_override;
+allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlockd_t virt_image_type:dir list_dir_perms;
+allow virtlockd_t virt_image_type:file rw_file_perms;
+
+create_files_pattern(virtlockd_t, virt_log_t, virt_log_t)
+
+list_dirs_pattern(virtlockd_t, virt_var_lib_t, virt_var_lib_t)
+
+manage_dirs_pattern(virtlockd_t, { virt_var_lib_t virtlockd_var_lib_t }, virtlockd_var_lib_t)
+manage_files_pattern(virtlockd_t, virtlockd_var_lib_t, virtlockd_var_lib_t)
+filetrans_pattern(virtlockd_t, virt_var_lib_t, virtlockd_var_lib_t, dir)
+
+manage_files_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t)
+manage_sock_files_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t)
+filetrans_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t, sock_file)
+files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
+
+can_exec(virtlockd_t, virtlockd_exec_t)
+
+ps_process_pattern(virtlockd_t, virtd_t)
+
+files_read_etc_files(virtlockd_t)
+files_list_var_lib(virtlockd_t)
+
+miscfiles_read_localization(virtlockd_t)
+
+virt_append_log(virtlockd_t)
+virt_read_config(virtlockd_t)
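Review bot: allow virtlockd_t self:capability dac_override; at the top of the new virtlockd local policy has no comment, and dac_override lets the daemon bypass file permission checks. State which access needs it, or try the policy without it and add it back only if a denial shows up. The rw_file_perms grant on virt_image_type likewise deserves a line saying why the lock manager needs write access to image files.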
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: f52d0d3cdd127ac6a824b4724448aa985c6e102a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Sep 2 03:44:36 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 2 03:44:36 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f52d0d3c
cgmanager: add fcontexts for /run and cgroupfs sock
policy/modules/contrib/cgmanager.fc | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
index 8ea4a46..17c6f88 100644
--- a/policy/modules/contrib/cgmanager.fc
+++ b/policy/modules/contrib/cgmanager.fc
@@ -1,3 +1,9 @@
-/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+
+/var/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
+/var/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
+/var/run/cgmanager/fs(/.*)? <<none>>
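Review bot: the new entries use cgmanager_cgroup_t and cgmanager_run_t, but the diffstat shows only cgmanager.fc changed, so both types must already be declared in cgmanager.te for the module to build; please confirm. In /var/run/cgmanager.pid the dot is unescaped and there is no file-type specifier, unlike the -- used on the /usr/sbin entries; cgmanager\.pid with -- would restrict the match to the regular pid file.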
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 468b82617272cc7b23364f1d0ce2aa153ebbb3fc
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Sat Sep 5 15:24:35 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 11:10:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=468b8261
Module version bump for changes to the virt module by Jason Zaman
policy/modules/contrib/virt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 5648e9d..2966d29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.2)
+policy_module(virt, 1.8.3)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 1f34097ea332cf9cc6c07a997afa2ab56d772f01
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Aug 24 17:00:05 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1f34097e
Changes to the git, hadoop and rsync modules by Jason Zaman.
policy/modules/contrib/git.te | 2 +-
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/rsync.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 517d513..27e68f3 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.5.1)
+policy_module(git, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index a40e85b..b9ffe96 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -1,4 +1,4 @@
-policy_module(hadoop, 1.3.2)
+policy_module(hadoop, 1.3.3)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index abeb302..eae1b4c 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.13.0)
+policy_module(rsync, 1.13.1)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: c4421326f5b50b190ea67e01721ca32a1a175c77
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Sep 5 13:43:49 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 11:10:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4421326
virt: Allow creating qemu guest agent socket
This is needed for the host side guest agent socket for qemu.
type=AVC msg=audit(1441210375.086:110241): avc: denied { create } for
pid=25153 comm="libvirtd"
scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:svirt_t:s0:c110,c185
tclass=unix_stream_socket permissive=0
policy/modules/contrib/virt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42cb462..ec84b5b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -438,7 +438,7 @@ allow virtd_t self:netlink_route_socket nlmsg_write;
allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
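Review bot: the rewritten unix_stream_socket rule grants more than the quoted denial asks for. The AVC shows a single { create } from virtd_t against svirt_t, while the rule now gives create_stream_socket_perms plus connectto on every type carrying the virt_domain attribute. If the guest agent socket really needs the full stream-socket set and connectto, please say so in the commit message; otherwise consider a narrower rule for the types that actually run a qemu guest agent.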
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 27f6d9af783c744d3f420f5cc20abf8eff5c6c38
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Sep 15 12:38:26 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:58 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=27f6d9af
Module version bump for vfio support for libvirt from Alexander Wetzel.
policy/modules/contrib/virt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 8fa2a5b..ec81a76 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.3)
+policy_module(virt, 1.8.4)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 1b899c0409bfc59f0ff4c03259d658578902b9b3
Author: Alexander Wetzel <alexander.wetzel <AT> web <DOT> de>
AuthorDate: Sat Sep 5 07:41:47 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:58 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b899c04
add vfio support for libvirt
Signed-off-by: Alexander Wetzel <alexander.wetzel <AT> web.de>
policy/modules/contrib/virt.te | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 2966d29..881560f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
## </desc>
gen_tunable(virt_use_xserver, false)
+## <desc>
+### <p>
+### Determine whether confined virtual guests
+### can use vfio for pci device pass through (vt-d).
+### </p>
+### </desc>
+gen_tunable(virt_use_vfio, false)
+
attribute virt_ptynode;
attribute virt_domain;
attribute virt_image_type;
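Review bot: the description lines added for virt_use_vfio start with "###" (from "### <p>" through "### </desc>"), while the opening "## <desc>" line and the neighbouring tunables use "##". The documentation generator keys on the "##" prefix, so the inner lines should read "## <p>", "## Determine whether ...", "## </p>", "## </desc>".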
@@ -438,6 +446,10 @@ corenet_tcp_bind_all_ports(svirt_t)
corenet_sendrecv_all_client_packets(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
+tunable_policy(`virt_use_vfio',`
+ dev_rw_vfio_dev(svirt_t)
+')
+
########################################
#
# virtd local policy
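Review bot: the tunable description speaks of confined virtual guests in general, but dev_rw_vfio_dev is granted to svirt_t only, so other types built with virt_domain_template do not get vfio access when virt_use_vfio is on. Either grant it on the virt_domain attribute or narrow the description to svirt_t. This commit changes virt.te alone, so dev_rw_vfio_dev and dev_relabelfrom_vfio_dev must already exist in the devices module; please confirm that or include them in the series.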
@@ -682,6 +694,13 @@ tunable_policy(`virt_use_samba',`
fs_read_cifs_symlinks(virtd_t)
')
+tunable_policy(`virt_use_vfio',`
+ allow virtd_t self:capability sys_resource;
+ allow virtd_t self:process setrlimit;
+ allow virtd_t svirt_t:process rlimitinh;
+ dev_relabelfrom_vfio_dev(virtd_t)
+')
+
optional_policy(`
brctl_domtrans(virtd_t)
')
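Review bot: the virtd_t block under virt_use_vfio adds sys_resource, setrlimit and rlimitinh without any stated reason, and the commit message quotes no denial. sys_resource is a broad capability, so a one-line comment inside the tunable_policy block saying what libvirtd does with it for vfio guests (and the AVCs that prompted the three rules) would make this reviewable later. Keeping it behind the tunable, default false, is the right call.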
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 1247c3940b065599bf0eaa57005bc3b927acc420
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Sep 15 12:27:07 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:58 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1247c394
Comment/whitespace fix in virt.te.
policy/modules/contrib/virt.te | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 881560f..8fa2a5b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -71,11 +71,11 @@ gen_tunable(virt_use_usb, false)
gen_tunable(virt_use_xserver, false)
## <desc>
-### <p>
-### Determine whether confined virtual guests
-### can use vfio for pci device pass through (vt-d).
-### </p>
-### </desc>
+## <p>
+## Determine whether confined virtual guests
+## can use vfio for pci device pass through (vt-d).
+## </p>
+## </desc>
gen_tunable(virt_use_vfio, false)
attribute virt_ptynode;
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 56782f09e37e1fbd0868f38084563d9f1aa0f8c7
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Oct 19 12:04:06 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Oct 22 13:40:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=56782f09
contrib/portage: Fix portage_ro_role interface
According to its documentation, portage_ro_role expects a role for $1
and a type for $2, just like other _role interfaces. However, the policy
directives inside the interface don't match its documentation and expect
$1 to be a type.
This interface isn't used anywhere in the policy, so no other fixes are
necessary.
policy/modules/contrib/portage.if | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index e9de28e..14c4fb6 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -406,13 +406,13 @@ interface(`portage_eselect_module',`
## </param>
#
interface(`portage_ro_role',`
- portage_read_cache($1)
- portage_read_config($1)
- portage_read_db($1)
- portage_read_ebuild($1)
- portage_read_log($1)
- portage_read_srcrepo($1)
- portage_dontaudit_write_cache($1)
+ portage_read_cache($2)
+ portage_read_config($2)
+ portage_read_db($2)
+ portage_read_ebuild($2)
+ portage_read_log($2)
+ portage_read_srcrepo($2)
+ portage_dontaudit_write_cache($2)
')
########################################
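Review bot: after this change every call in portage_ro_role uses $2 and $1 is not referenced at all, so the role argument the documentation asks for has no effect. If that is intended because the interface only grants read access to a domain, add a comment in the body saying $1 is unused; otherwise the role-related statement that other _role interfaces carry is missing here.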
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 061bd420d98e138a44a5fc328738b2ea1dd562ff
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:40 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=061bd420
portage: Dontaudit setattr in portage_dontaudit_write_cache
policy/modules/contrib/portage.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 640a63b..c98a763 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -511,6 +511,6 @@ interface(`portage_dontaudit_write_cache',`
type portage_cache_t;
')
- dontaudit $1 portage_cache_t:dir { write };
+ dontaudit $1 portage_cache_t:dir { setattr write };
')
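Review bot: with setattr added to the dontaudit rule, the interface name portage_dontaudit_write_cache and its summary ("Do not audit writing portage cache files") no longer describe what is hidden, and the rule is on the dir class rather than on files. Please update the summary to mention attribute changes on cache directories, and note in the commit message which caller triggers the setattr so that a genuine denial is not silenced by accident.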
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 854f95bf84612c79037dbe83dd06223d4cf3154c
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:43 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=854f95bf
portage: Add new interfaces to portage_ro_role
policy/modules/contrib/portage.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 962dcca..e9de28e 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -410,6 +410,8 @@ interface(`portage_ro_role',`
portage_read_config($1)
portage_read_db($1)
portage_read_ebuild($1)
+ portage_read_log($1)
+ portage_read_srcrepo($1)
portage_dontaudit_write_cache($1)
')
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 26930c8978e8ae49829ee8b13e9da9ca05e024ce
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:42 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26930c89
portage: New read-only interfaces for srcrepo and logs
Create portage_read_srcrepo and portage_read_log interfaces.
policy/modules/contrib/portage.if | 40 +++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 4652319..962dcca 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -498,6 +498,46 @@ interface(`portage_read_ebuild',`
########################################
## <summary>
+## Read portage log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_log',`
+ gen_require(`
+ type portage_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, portage_log_t, portage_log_t)
+')
+
+########################################
+## <summary>
+## Read portage src repository files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_srcrepo',`
+ gen_require(`
+ type portage_ebuild_t, portage_srcrepo_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, portage_ebuild_t, portage_srcrepo_t)
+ read_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ read_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+')
+
+########################################
+## <summary>
## Do not audit writing portage cache files
## </summary>
## <param name="domain">
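Review bot: portage_read_log and portage_read_srcrepo are not symmetric. The srcrepo interface calls list_dirs_pattern before read_files_pattern, while portage_read_log only has logging_search_logs and read_files_pattern, so a caller can open a log whose name it already knows but cannot list the portage_log_t directory. If read-only roles are expected to browse the logs, add list_dirs_pattern($1, portage_log_t, portage_log_t); if not, say in the summary that only reading of known files is granted.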
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC (permalink / raw
To: gentoo-commits
commit: ef3895b29d224ba5c64e12242b5fb85fc1e9405d
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:41 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef3895b2
portage: Fix the gen_require of the portage_compile_domain interface
The portage_compile_domain interface used portage_sandbox_t without
requiring it.
policy/modules/contrib/portage.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index c98a763..4652319 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -68,8 +68,8 @@ interface(`portage_run',`
interface(`portage_compile_domain',`
gen_require(`
class dbus send_msg;
- type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
- type portage_tmpfs_t;
+ type portage_devpts_t, portage_log_t, portage_sandbox_t, portage_srcrepo_t;
+ type portage_tmp_t, portage_tmpfs_t;
')
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC (permalink / raw
To: gentoo-commits
commit: cc84af253feefbacb7155575e1126a7abf0227ca
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 18:35:33 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc84af25
Add systemd unit types.
Primarily contributed by the Tresys CLIP team.
policy/modules/contrib/alsa.fc | 5 +++++
policy/modules/contrib/alsa.te | 3 +++
policy/modules/contrib/bluetooth.fc | 3 +++
policy/modules/contrib/bluetooth.te | 3 +++
policy/modules/contrib/chronyd.fc | 5 +++++
policy/modules/contrib/chronyd.te | 3 +++
policy/modules/contrib/dbus.fc | 3 +++
policy/modules/contrib/dbus.te | 3 +++
policy/modules/contrib/dnsmasq.fc | 3 +++
policy/modules/contrib/dnsmasq.te | 3 +++
policy/modules/contrib/kdump.te | 3 +++
policy/modules/contrib/lircd.fc | 3 +++
policy/modules/contrib/lircd.te | 3 +++
policy/modules/contrib/logrotate.fc | 3 +++
policy/modules/contrib/logrotate.te | 3 +++
policy/modules/contrib/mandb.fc | 3 +++
policy/modules/contrib/mandb.te | 3 +++
policy/modules/contrib/networkmanager.fc | 4 ++++
policy/modules/contrib/networkmanager.te | 3 +++
policy/modules/contrib/ntp.fc | 3 +++
policy/modules/contrib/ntp.te | 3 +++
policy/modules/contrib/pcscd.fc | 3 +++
policy/modules/contrib/pcscd.te | 3 +++
policy/modules/contrib/plymouthd.fc | 3 +++
policy/modules/contrib/plymouthd.te | 3 +++
policy/modules/contrib/policykit.fc | 3 +++
policy/modules/contrib/policykit.te | 3 +++
policy/modules/contrib/qemu.fc | 2 ++
policy/modules/contrib/qemu.te | 3 +++
policy/modules/contrib/raid.fc | 4 ++++
policy/modules/contrib/raid.te | 3 +++
policy/modules/contrib/rpm.fc | 4 ++++
policy/modules/contrib/rpm.te | 3 +++
policy/modules/contrib/rtkit.fc | 3 +++
policy/modules/contrib/rtkit.te | 3 +++
policy/modules/contrib/shutdown.if | 18 ++++++++++++++++++
policy/modules/contrib/tcsd.fc | 3 +++
policy/modules/contrib/tcsd.te | 3 +++
38 files changed, 135 insertions(+)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 6c3c0ba..a8c8a64 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -14,6 +14,11 @@ ifdef(`distro_debian',`
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 46d12e8..24d5287 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -21,6 +21,9 @@ files_tmp_file(alsa_tmp_t)
type alsa_tmpfs_t;
files_tmpfs_file(alsa_tmpfs_t)
+type alsa_unit_t;
+init_unit_file(alsa_unit_t)
+
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
index a28101f..bcce998 100644
--- a/policy/modules/contrib/bluetooth.fc
+++ b/policy/modules/contrib/bluetooth.fc
@@ -10,6 +10,9 @@
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0)
+
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 08f3c20..d69c283 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -43,6 +43,9 @@ files_lock_file(bluetooth_lock_t)
type bluetooth_tmp_t;
files_tmp_file(bluetooth_tmp_t)
+type bluetooth_unit_t;
+init_unit_file(bluetooth_unit_t)
+
type bluetooth_var_lib_t;
files_type(bluetooth_var_lib_t)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index fd5fbbb..a4a42ea 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -2,6 +2,11 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+# Systend unit files
+/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
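Review bot: the added comment in chronyd.fc reads "# Systend unit files"; it should be "# Systemd unit files" as in the other modules. The hunk also adds two blank lines after the unit entries where the other .fc files add one.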
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 7a16731..3167bae 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
type chronyd_tmpfs_t;
files_tmpfs_file(chronyd_tmpfs_t)
+type chronyd_unit_t;
+init_unit_file(chronyd_unit_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index dda905b..309a462 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -10,6 +10,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dbus.* -- gen_context(system_u:object_r:dbusd_unit_t,s0)
+
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
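Review bot: the pattern "/usr/lib/systemd/system/[^/]*dbus.*" labels every regular file in that directory whose name contains "dbus" as dbusd_unit_t, including units that belong to other services and merely carry "dbus" in their name. Since the unit type decides who may start, stop or reload the service, a tighter expression that matches only the dbus daemon's own service and socket units would be safer. The same applies to the other "[^/]*name.*" entries in this commit where the name is a short, common substring.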
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 6f2b890..e79a81a 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -22,6 +22,9 @@ type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;
+type dbusd_unit_t;
+init_unit_file(dbusd_unit_t)
+
type session_dbusd_home_t;
userdom_user_home_content(session_dbusd_home_t)
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
index 8ca133c..89edbaa 100644
--- a/policy/modules/contrib/dnsmasq.fc
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -3,6 +3,9 @@
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0)
+
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 15b29cb..c71ace8 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -18,6 +18,9 @@ files_config_file(dnsmasq_etc_t)
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
+type dnsmasq_unit_t;
+init_unit_file(dnsmasq_unit_t)
+
type dnsmasq_var_log_t;
logging_log_file(dnsmasq_var_log_t)
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 7c4e3f1..57e24e6 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
+type kdump_unit_t;
+init_unit_file(kdump_unit_t)
+
type kdumpctl_t;
type kdumpctl_exec_t;
init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
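Review bot: kdump_unit_t is declared here, but the diffstat lists only kdump.te for this module, with no kdump.fc change, so no file context assigns the new type. Either add the matching /usr/lib/systemd/system entry to kdump.fc as done for the other modules, or drop the type until there is something to label with it.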
diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc
index c7a726a..76e497e 100644
--- a/policy/modules/contrib/lircd.fc
+++ b/policy/modules/contrib/lircd.fc
@@ -5,6 +5,9 @@
/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*lircd.* -- gen_context(system_u:object_r:lircd_unit_t,s0)
+
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 0064b06..26690f2 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -15,6 +15,9 @@ init_script_file(lircd_initrc_exec_t)
type lircd_etc_t;
files_type(lircd_etc_t)
+type lircd_unit_t;
+init_unit_file(lircd_unit_t)
+
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
index 207ec10..ad21596 100644
--- a/policy/modules/contrib/logrotate.fc
+++ b/policy/modules/contrib/logrotate.fc
@@ -1,6 +1,9 @@
/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0)
+
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 311defd..33f534b 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -25,6 +25,9 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
+type logrotate_unit_t;
+init_unit_file(logrotate_unit_t)
+
mta_base_mail_template(logrotate)
role system_r types logrotate_mail_t;
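Review bot: logrotate_unit_t is inserted after logrotate_var_lib_t, whereas the other .te hunks in this commit place the _unit_t declaration before the _var_* types, keeping the declarations in alphabetical order. Moving the two added lines above "type logrotate_var_lib_t;" keeps the file consistent.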
diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc
index 8ae78b5..9f2825e 100644
--- a/policy/modules/contrib/mandb.fc
+++ b/policy/modules/contrib/mandb.fc
@@ -1 +1,4 @@
/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index e29882f..46860dd 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -13,6 +13,9 @@ type mandb_exec_t;
application_domain(mandb_t, mandb_exec_t)
role mandb_roles types mandb_t;
+type mandb_unit_t;
+init_unit_file(mandb_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 5ffd285..c192c7f 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -17,6 +17,10 @@
/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 427dfe4..a977b9a 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -24,6 +24,9 @@ logging_log_file(NetworkManager_log_t)
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
+type NetworkManager_unit_t;
+init_unit_file(NetworkManager_unit_t)
+
type NetworkManager_var_lib_t;
files_type(NetworkManager_var_lib_t)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index c74d996..c01eb54 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -11,6 +11,9 @@
/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
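Review bot: the ntp.fc entry is commented "Systemd unit file" but matches "/usr/lib/systemd/ntp-units\.d/.*" rather than a path under /usr/lib/systemd/system/ like every other module in this commit. As written, an ntpd service unit installed under /usr/lib/systemd/system/ would not receive ntpd_unit_t. Please add the service pattern as well, or explain why only the ntp-units.d directory is labelled.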
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 7600674..1f24dab 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -33,6 +33,9 @@ files_tmp_file(ntpd_tmp_t)
type ntpd_tmpfs_t;
files_tmpfs_file(ntpd_tmpfs_t)
+type ntpd_unit_t;
+init_unit_file(ntpd_unit_t)
+
type ntpd_var_run_t;
files_pid_file(ntpd_var_run_t)
diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc
index 58363c7..5d1beba 100644
--- a/policy/modules/contrib/pcscd.fc
+++ b/policy/modules/contrib/pcscd.fc
@@ -2,6 +2,9 @@
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*pcscd.* -- gen_context(system_u:object_r:pcscd_unit_t,s0)
+
/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index bf5066f..f863ba2 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -12,6 +12,9 @@ init_daemon_domain(pcscd_t, pcscd_exec_t)
type pcscd_initrc_exec_t;
init_script_file(pcscd_initrc_exec_t)
+type pcscd_unit_t;
+init_unit_file(pcscd_unit_t)
+
type pcscd_var_run_t;
files_pid_file(pcscd_var_run_t)
init_daemon_pid_file(pcscd_var_run_t, dir, "pcscd")
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
index 735500f..2d9b956 100644
--- a/policy/modules/contrib/plymouthd.fc
+++ b/policy/modules/contrib/plymouthd.fc
@@ -4,6 +4,9 @@
/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*plymouth-.* -- gen_context(system_u:object_r:plymouthd_unit_t,s0)
+
/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 3078ce9..8dadb33 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -17,6 +17,9 @@ init_daemon_domain(plymouthd_t, plymouthd_exec_t)
type plymouthd_spool_t;
files_type(plymouthd_spool_t)
+type plymouthd_unit_t;
+init_unit_file(plymouthd_unit_t)
+
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc
index 1d76c72..774c12b 100644
--- a/policy/modules/contrib/policykit.fc
+++ b/policy/modules/contrib/policykit.fc
@@ -8,6 +8,9 @@
/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*polkit.* -- gen_context(system_u:object_r:policykit_unit_t,s0)
+
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index ee91778..108007e 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -34,6 +34,9 @@ files_type(policykit_reload_t)
type policykit_tmp_t;
files_tmp_file(policykit_tmp_t)
+type policykit_unit_t;
+init_unit_file(policykit_unit_t)
+
type policykit_var_lib_t alias polkit_var_lib_t;
files_type(policykit_var_lib_t)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index f1304fb..cfb18ec 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -3,6 +3,8 @@
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)
+
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
ifdef(`distro_gentoo',`
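Review bot: the new qemu-guest-agent entry has no "# Systemd unit file" comment above it, unlike the matching entries added to pcscd.fc, plymouthd.fc, policykit.fc, raid.fc, rpm.fc, rtkit.fc and tcsd.fc in this same commit. Please add the comment so the unit-file entries can be found consistently across the .fc files.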
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 136f6f3..a17ed0c 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -22,6 +22,9 @@ application_executable_file(qemu_exec_t)
virt_domain_template(qemu)
role qemu_roles types qemu_t;
+type qemu_unit_t;
+init_unit_file(qemu_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index 5806046..2ea0889 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -11,6 +11,10 @@
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
+/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
+
/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index dfe62e3..b6aea09 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
+type mdadm_unit_t;
+init_unit_file(mdadm_unit_t)
+
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index ebe91fc..1ebd4a1 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -13,6 +13,10 @@
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnf-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+/usr/lib/systemd/system/[^/]*yum-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index de5c91f..5cac092 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -37,6 +37,9 @@ files_lock_file(rpm_lock_t)
type rpm_log_t;
logging_log_file(rpm_log_t)
+type rpm_unit_t;
+init_unit_file(rpm_unit_t)
+
type rpm_var_lib_t;
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
diff --git a/policy/modules/contrib/rtkit.fc b/policy/modules/contrib/rtkit.fc
index 75bbf38..a3021da 100644
--- a/policy/modules/contrib/rtkit.fc
+++ b/policy/modules/contrib/rtkit.fc
@@ -3,3 +3,6 @@
/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
/usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*rtkit-daemon.* -- gen_context(system_u:object_r:rtkit_daemon_unit_t,s0)
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 906ebb5..1aa52c4 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -12,6 +12,9 @@ init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
type rtkit_daemon_initrc_exec_t;
init_script_file(rtkit_daemon_initrc_exec_t)
+type rtkit_daemon_unit_t;
+init_unit_file(rtkit_daemon_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if
index d1706bf..819d19b 100644
--- a/policy/modules/contrib/shutdown.if
+++ b/policy/modules/contrib/shutdown.if
@@ -91,6 +91,24 @@ interface(`shutdown_signal',`
########################################
## <summary>
+## Send SIGCHLD signals to shutdown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_sigchld',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ allow $1 shutdown_t:process sigchld;
+')
+
+########################################
+## <summary>
## Get attributes of shutdown executable files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
index c2c2636..0e086e7 100644
--- a/policy/modules/contrib/tcsd.fc
+++ b/policy/modules/contrib/tcsd.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*tcsd.* -- gen_context(system_u:object_r:tcsd_unit_t,s0)
+
/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 272c114..439cf27 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -12,6 +12,9 @@ init_daemon_domain(tcsd_t, tcsd_exec_t)
type tcsd_initrc_exec_t;
init_script_file(tcsd_initrc_exec_t)
+type tcsd_unit_t;
+init_unit_file(tcsd_unit_t)
+
type tcsd_var_lib_t;
files_type(tcsd_var_lib_t)
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC
To: gentoo-commits
commit: e848a95c2e0d96123aead79676beaf7084ac8d31
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 18 06:05:29 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Nov 18 06:06:06 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e848a95c
ntp: add perms for socket /run/ntpd.sock for openntpd
policy/modules/contrib/ntp.fc | 1 +
policy/modules/contrib/ntp.te | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index c01eb54..b58ce47 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,6 +27,7 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2425edc..7af3a6d 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -78,7 +78,8 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
+files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
can_exec(ntpd_t, ntpd_exec_t)
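Review bot: the widened files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file }) is unnamed, so every socket ntpd_t creates in the pid directory now becomes ntpd_var_run_t, while the .fc entry added by this commit only names ntpd\.sock. Consider a separate named transition for "ntpd.sock" so the automatic labelling matches the file context, and note in the commit message that the socket is created by openntpd only, since the rule is not conditional.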
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC
To: gentoo-commits
commit: 69a218d604593c1a3c459b3935bc03e86b08b765
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 18:50:08 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=69a218d6
Module version bump for systemd additions.
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/qemu.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
24 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 24d5287..d325af4 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.14.0)
+policy_module(alsa, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 161763f..bb06564 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.15.1)
+policy_module(avahi, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index d69c283..0c99cd9 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.5.1)
+policy_module(bluetooth, 3.5.2)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 3167bae..c0d266e 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.2.1)
+policy_module(chronyd, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 261dc06..b5ff529 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.18.1)
+policy_module(cups, 1.18.2)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index e32b70a..bc3999f 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.20.0)
+policy_module(dbus, 1.20.1)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index c71ace8..601831b 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.12.3)
+policy_module(dnsmasq, 1.12.4)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 43f85f3..502a1bb 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.9.1)
+policy_module(iscsi, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 57e24e6..fb31bbf 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.3.1)
+policy_module(kdump, 1.3.2)
#######################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 26690f2..bfdd92e 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.2.1)
+policy_module(lircd, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 33f534b..a256564 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.16.0)
+policy_module(logrotate, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 46860dd..8336559 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.2.0)
+policy_module(mandb, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a977b9a..83088ca 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.17.2)
+policy_module(networkmanager, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 1f24dab..2425edc 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.13.1)
+policy_module(ntp, 1.13.2)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index f863ba2..d1cdf9f 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.10.1)
+policy_module(pcscd, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 8dadb33..c235706 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.2.0)
+policy_module(plymouthd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 108007e..6bb283f 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.3.0)
+policy_module(policykit, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index a17ed0c..9714860 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.8.0)
+policy_module(qemu, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index b6aea09..f561fdd 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.14.2)
+policy_module(raid, 1.14.3)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index fab6184..8c3575c 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.8.2)
+policy_module(rpcbind, 1.8.3)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 5cac092..3da1c61 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.17.2)
+policy_module(rpm, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 1aa52c4..e9baab6 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.2.1)
+policy_module(rtkit, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index e2544e1..88a1436 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.2.0)
+policy_module(shutdown, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 439cf27..6c56bba 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.2.1)
+policy_module(tcsd, 1.2.2)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC
To: gentoo-commits
commit: 4f1ef29d168da11699a2dd5dcf9d7242bf5d1515
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 18:35:45 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4f1ef29d
Add systemd socket activations.
policy/modules/contrib/avahi.te | 1 +
policy/modules/contrib/cups.te | 1 +
policy/modules/contrib/dbus.te | 1 +
policy/modules/contrib/iscsi.te | 1 +
policy/modules/contrib/rpcbind.te | 1 +
5 files changed, 5 insertions(+)
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 46d5aba..161763f 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -8,6 +8,7 @@ policy_module(avahi, 1.15.1)
type avahi_t;
type avahi_exec_t;
init_daemon_domain(avahi_t, avahi_exec_t)
+init_named_socket_activation(avahi_t, avahi_var_run_t)
type avahi_initrc_exec_t;
init_script_file(avahi_initrc_exec_t)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 662b991..261dc06 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
type cupsd_t;
type cupsd_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)
+init_named_socket_activation(cupsd_t, cupsd_var_run_t)
mls_trusted_object(cupsd_t)
type cupsd_etc_t;
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index e79a81a..e32b70a 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -35,6 +35,7 @@ userdom_user_tmp_file(session_dbusd_tmp_t)
type system_dbusd_t;
init_system_domain(system_dbusd_t, dbusd_exec_t)
+init_named_socket_activation(system_dbusd_t, system_dbusd_var_run_t)
type system_dbusd_tmp_t;
files_tmp_file(system_dbusd_tmp_t)
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 070f8e3..43f85f3 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -8,6 +8,7 @@ policy_module(iscsi, 1.9.1)
type iscsid_t;
type iscsid_exec_t;
init_daemon_domain(iscsid_t, iscsid_exec_t)
+init_abstract_socket_activation(iscsid_t)
type iscsi_initrc_exec_t;
init_script_file(iscsi_initrc_exec_t)
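Review bot: iscsid_t is the only domain in this commit given init_abstract_socket_activation(); avahi, cups, dbus and rpcbind all get init_named_socket_activation() with their var_run type. Neither the commit message nor a comment says why iscsid differs. A one-line comment above the call stating that iscsid listens on an abstract socket would prevent someone later "fixing" it to the named variant.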
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 9cdb548..fab6184 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -8,6 +8,7 @@ policy_module(rpcbind, 1.8.2)
type rpcbind_t;
type rpcbind_exec_t;
init_daemon_domain(rpcbind_t, rpcbind_exec_t)
+init_named_socket_activation(rpcbind_t, rpcbind_var_run_t)
type rpcbind_initrc_exec_t;
init_script_file(rpcbind_initrc_exec_t)
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC
To: gentoo-commits
commit: 476723f5d02b3222109358f99c9d76ede915e71b
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 22 12:28:43 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 23 13:40:51 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=476723f5
Use fowner for salt_minion_t
Enable the fowner capability for the salt minion so that directory
metadata can be updated (such as the mode).
For instance, when trying to set mode 755 on a directory, the following
came up in the salt minion log (and the operation failed):
2015-11-22 13:18:01,242 [salt.state ][ERROR ][3290] Failed to
change mode to 0775
In the audit logs, the following occurred:
type=AVC msg=audit(1448194681.239:118): avc: denied { fowner } for
pid=3290 comm="salt-minion" capability=3
scontext=system_u:system_r:salt_minion_t:s0
tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability
permissive=0
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 2a4e84d..9a8a4ad 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -218,7 +218,7 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
+allow salt_minion_t self:capability { fowner fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { getsched setsched signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
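Review bot: fowner is added to the salt_minion_t self:capability set without a comment in the policy. The reason (changing the mode of directories the minion does not own) is only in the commit message. Since this set already carries dac_override, dac_read_search and sys_admin, a short comment above the allow line recording why each of the broad capabilities is needed would make later least-privilege review possible. Also, the commit text mentions mode 755 while the quoted log line shows 0775; worth correcting in the message.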
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC
To: gentoo-commits
commit: 9ce39c14756e16c12ef1f09e9e0e063e14fb18d4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 18 06:10:02 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Nov 18 06:10:02 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ce39c14
pulseaudio: add fd perms for v7
avc: denied { use } for pid=19660 comm="threaded-ml"
path="anon_inode:[eventfd]" dev="anon_inodefs" ino=7523
scontext=staff_u:staff_r:mplayer_t:s0-s0:c0.c511
tcontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c511 tclass=fd
permissive=0
avc: denied { write } for pid=19792 comm="threaded-ml"
name="pulse-shm-1853902321" dev="tmpfs" ino=183175232
scontext=staff_u:staff_r:mplayer_t:s0-s0:c0.c511
tcontext=staff_u:object_r:pulseaudio_tmpfs_t:s0 tclass=file permissive=0
policy/modules/contrib/pulseaudio.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 1a25024..4dc75b1 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -277,4 +277,8 @@ ifdef(`distro_gentoo',`
# /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 556526
userdom_list_user_tmp(pulseaudio_client)
+
+ # pulse 7 uses fd's
+ allow pulseaudio_client pulseaudio_t:fd use;
+ allow pulseaudio_client pulseaudio_tmpfs_t:file rw_file_perms;
')
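Review bot: the second added rule grants rw_file_perms on pulseaudio_tmpfs_t:file to every pulseaudio_client, but the denial quoted in the commit message is for write only, from mplayer_t. Please confirm that read access was also observed or is already granted elsewhere, and grant only what is needed. Both rules sit inside ifdef(`distro_gentoo' although the comment attributes the behaviour to pulse 7 rather than to Gentoo, so they look like candidates for the unconditional client policy and for upstreaming.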
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC
To: gentoo-commits
commit: ccd334f66ed8b61c6fc43223ff504a9511eab158
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:39 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:32:45 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ccd334f6
pulseaudio: fcontext and filetrans for runtime
policy/modules/contrib/pulseaudio.fc | 1 +
policy/modules/contrib/pulseaudio.te | 7 ++++++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index 9cc63f6..cde5a80 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -7,6 +7,7 @@ HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+/var/run/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
ifdef(`distro_gentoo',`
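Review bot: the added path /var/run/%{USERID}/pulse(/.*)? has no user/ component between /var/run and %{USERID}. If the intent is the per-user runtime directory that the userdom_user_runtime_filetrans() calls in pulseaudio.te refer to, please confirm this expression matches where that directory really lives; a context that never matches leaves relabelling (restorecon) out of step with the type transitions. It is also worth a comment that this location gets pulseaudio_tmp_t while /var/run/pulse just above gets pulseaudio_var_run_t.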
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 9b8d84e..94b7ef4 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
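Review bot: userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) is unnamed, so any directory pulseaudio_t creates in the user runtime directory becomes pulseaudio_tmp_t. The client-side call added later in this patch passes the name "pulse". Using the same name here would keep the transition limited to the one directory the daemon is expected to create.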
@@ -203,8 +204,11 @@ optional_policy(`
#
allow pulseaudio_client self:unix_dgram_socket sendto;
+allow pulseaudio_client self:process signull;
-allow pulseaudio_client pulseaudio_client:process signull;
+allow pulseaudio_client pulseaudio_tmp_t:dir manage_dir_perms;
+allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms;
+allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms;
read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
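Review bot: the three added allow rules give every pulseaudio_client full manage permissions (create, write, delete) on pulseaudio_tmp_t directories, files and sockets, which are the daemon's own runtime objects, and the commit message gives no justification. If clients only need to create the "pulse" directory and connect to the socket, grant the narrower create and read/write sets instead. Separately, replacing pulseaudio_client:process signull with self:process signull narrows signalling from any client domain to the same domain only; please state in the commit message that this narrowing is intended.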
@@ -228,6 +232,7 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cooki
pulseaudio_signull(pulseaudio_client)
userdom_read_user_tmpfs_files(pulseaudio_client)
+userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")
# userdom_delete_user_tmpfs_files(pulseaudio_client)
tunable_policy(`use_nfs_home_dirs',`
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC
To: gentoo-commits
commit: 535e8c89d35bbf6812f73377a771348b99c2d2f6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:40 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:32:45 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=535e8c89
ftp: Add filetrans from user_runtime
policy/modules/contrib/ftp.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 774bc9e..ed82117 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -318,9 +318,11 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_tmp_dirs(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(ftpd_t, { dir file })
',`
userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(ftpd_t, { dir file })
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
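Review bot: userdom_user_runtime_filetrans_user_tmp(ftpd_t, { dir file }) is added identically to both the true and the false branch of tunable_policy(`ftp_home_dir', so the tunable has no effect on it. It mirrors the existing userdom_tmp_filetrans_user_tmp() line, but if the transition really is wanted regardless of the boolean it would be clearer placed once outside the conditional; if it is only wanted when home directories are enabled, drop it from the else branch. The same applies to the sftpd_t hunk below.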
@@ -457,9 +459,11 @@ tunable_policy(`sftpd_enable_homedirs',`
userdom_manage_user_tmp_dirs(sftpd_t)
userdom_manage_user_tmp_files(sftpd_t)
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(sftpd_t, { dir file })
',`
userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(sftpd_t, { dir file })
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC
To: gentoo-commits
commit: 0833adc9776e69a4e5305b0e92f35c0bee9aff67
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:44 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:33:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0833adc9
wm: Add filetrans from user_runtime
policy/modules/contrib/wm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index a3861e9..a477a16 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -40,6 +40,7 @@ miscfiles_read_localization(wm_domain)
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
+userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC
To: gentoo-commits
commit: 255513c25cb98f86dafc7c5ed9f18a8fe77cffdd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:43 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:33:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=255513c2
userhelper: Add filetrans from user_runtime
policy/modules/contrib/userhelper.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 8dadb4b..661f841 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -68,6 +68,7 @@ userdom_use_user_terminals(consolehelper_type)
userdom_manage_user_tmp_dirs(consolehelper_type)
userdom_manage_user_tmp_files(consolehelper_type)
userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
+userdom_user_runtime_filetrans_user_tmp(consolehelper_type, { dir file })
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(consolehelper_type)
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: c4542a5345afd96cf1cb19ec5dc23fd7bfa17171
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sat Jun 4 11:00:55 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 4 11:00:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4542a53
Add in xdg_runtime_home_type attribute for now
policy/modules/contrib/xdg.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/xdg.te b/policy/modules/contrib/xdg.te
index 1cc9311..5ec1a12 100644
--- a/policy/modules/contrib/xdg.te
+++ b/policy/modules/contrib/xdg.te
@@ -11,6 +11,13 @@ attribute xdg_config_home_type;
attribute xdg_cache_home_type;
+# Not used but keep this at least two releases
+# We have noticed that the userdom_manage_home_role call to the xdg functions
+# seems to fail due to this attribute type not existing anymore while the
+# build seems to still require it. By waiting a couple of releases we can be more
+# confident that no calls to xdg_runtime_* are used anymore.
+attribute xdg_runtime_home_type;
+
type xdg_data_home_t;
xdg_data_home_content(xdg_data_home_t)
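Review bot: the comment above attribute xdg_runtime_home_type says to keep it "at least two releases" but names neither the release it was reintroduced in nor a bug to track its removal, so nothing will prompt anyone to drop it. Add the current release or a bug reference to the comment. Also record which build step still requires the attribute, since the text only says the build "seems to" need it.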
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 26b2b23e8495e24a12fb6e997567e52a8276d820
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jun 2 08:41:34 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jun 2 08:42:06 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26b2b23e
pulseaudio: quote in comment throws a warning
Compiling mcs pulseaudio module
/usr/bin/checkmodule: loading policy configuration from tmp/pulseaudio.tmp
pulseaudio.te:264:WARNING 'unrecognized character' at token ''' on line 14411:
line 264
'
pulseaudio.te:264:WARNING 'unrecognized character' at token ''' on line 14411:
'
line 264
policy/modules/contrib/pulseaudio.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 28dc672..118c86a 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -283,7 +283,7 @@ ifdef(`distro_gentoo',`
# /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 556526
userdom_list_user_tmp(pulseaudio_client)
- # pulse 7 uses fd's
+ # pulse 7 uses fds
allow pulseaudio_client pulseaudio_t:fd use;
allow pulseaudio_client pulseaudio_tmpfs_t:file rw_file_perms;
')
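Review bot: the reworded comment removes the warning, but neither the commit message nor the file says why an apostrophe matters on this line. It sits inside the m4-quoted body of ifdef(`distro_gentoo',`, where ' closes the quote even inside a # comment. A one-line remark to that effect in the commit message would keep the same apostrophe from being reintroduced.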
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: b7e2a4f799c46cfe27dbeb3111e18c3186a2a61c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Jun 1 17:33:33 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:33:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b7e2a4f7
Module version bumps for user runtime fixes from Jason Zaman.
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index e02e105..a3fd0bf 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.10.0)
+policy_module(consolekit, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index ed82117..d143280 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.18.0)
+policy_module(ftp, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 503fc7f..dd6ac04 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.5.0)
+policy_module(gnome, 2.5.1)
##############################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 20e449e..26ff9aa 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.5.0)
+policy_module(mplayer, 2.5.1)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 94b7ef4..28dc672 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.0)
+policy_module(pulseaudio, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 661f841..8a0dc1d 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.9.0)
+policy_module(userhelper, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index a477a16..02329e0 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.4.0)
+policy_module(wm, 1.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 922ba515cf8c8c362fb2206e60720821850ba434
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:41 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:32:45 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=922ba515
gnome: Add filetrans from user_runtime
policy/modules/contrib/gnome.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index cd9fcd7..503fc7f 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -89,6 +89,7 @@ userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
optional_policy(`
dbus_all_session_domain(gconfd_t, gconfd_exec_t)
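Review bot: the hunk header shows gconfd_t already has a private type for its temporary content, userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }), yet the added line gives directories it creates in the user runtime directory the generic user tmp type. The new line mirrors the existing userdom_tmp_filetrans_user_tmp(gconfd_t, dir), but please confirm that the generic type is what is wanted here rather than a transition to gconf_tmp_t, and say so in the commit message, which currently has only a subject.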
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 9301c1e54d143b570060e515d9fbf7e290de9eae
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:42 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:33:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9301c1e5
mplayer: Add filetrans from user_runtime
policy/modules/contrib/mplayer.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 5ebba47..20e449e 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -95,6 +95,7 @@ userdom_use_user_terminals(mencoder_t)
userdom_manage_user_tmp_dirs(mencoder_t)
userdom_manage_user_tmp_files(mencoder_t)
userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })
userdom_manage_user_home_content_dirs(mencoder_t)
userdom_manage_user_home_content_files(mencoder_t)
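Review bot: the added line grants the transition to mplayer_t, while every neighbouring rule in this hunk (userdom_manage_user_tmp_dirs, userdom_manage_user_tmp_files and the two home content lines) is for mencoder_t. It copies the domain from the existing userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file }) line directly above it. Check whether mencoder_t was meant in this block, and if mplayer_t is correct, whether mencoder_t needs the same runtime transition.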
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 07331fb3d60421f02d1fc698e1a92f894e4c4d2c
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Jun 16 14:48:33 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:25 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=07331fb3
Module version bump for changes to the varnishd module by Adam Tkac
policy/modules/contrib/varnishd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 2bdabca..9d24d0d 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.3.1)
+policy_module(varnishd, 1.3.2)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 709b6e9e94a450359fd8b9cd93e222b26a13faf3
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Jun 21 13:36:04 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:29 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=709b6e9e
Module version bump for changes to the certmonger module by Adam Tkac
policy/modules/contrib/certmonger.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 034ffa3..cfbb41c 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.3.0)
+policy_module(certmonger, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 9771f955615ba799aa321147a1730dda60e99a00
Author: Adam Tkac <adam.tkac <AT> gooddata <DOT> com>
AuthorDate: Tue Jun 21 13:08:33 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9771f955
Grant certmonger "chown" capability
After autorenewal of the certificate, "chown" capability is needed
to change certificate user/group to daemon's user/group.
policy/modules/contrib/certmonger.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 7c3126e..034ffa3 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -23,7 +23,7 @@ files_pid_file(certmonger_var_run_t)
# Local policy
#
-allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:capability2 block_suspend;
allow certmonger_t self:process { getsched setsched sigkill signal };
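Review bot: chown is added to a capability set that already holds dac_override and dac_read_search, and the hunk does not show which file types certmonger_t is allowed to setattr. The stated need is only to hand a renewed certificate to the daemon's user and group, so please name the certificate types involved in the commit message so that the reach of the new capability is documented alongside the change.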
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 96442be2ecad875034508d025067058ac7df61eb
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 2 15:45:35 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:33:57 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=96442be2
REWRITEME Add portage admin interface
policy/modules/contrib/portage.if | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 14c4fb6..38a31cd 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -556,3 +556,33 @@ interface(`portage_dontaudit_write_cache',`
dontaudit $1 portage_cache_t:dir { setattr write };
')
+
+########################################
+## <summary>
+## Portage (and thus the system software) administration role
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_admin',`
+ gen_require(`
+ type portage_cache_t, portage_conf_t, portage_db_t, portage_ebuild_t, portage_srcrepo_t, portage_log_t;
+ ')
+
+ admin_pattern($1, portage_cache_t)
+ admin_pattern($1, portage_conf_t)
+ admin_pattern($1, portage_db_t)
+ admin_pattern($1, portage_ebuild_t)
+ admin_pattern($1, portage_srcrepo_t)
+ admin_pattern($1, portage_log_t)
+')
+
+
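Review bot: the header of portage_admin documents two parameters, role first and domain second, but the body only uses $1 and passes it to admin_pattern as the domain; $2 is never referenced. Either drop the role parameter from the documentation or reorder it so that $1 is documented as the domain, then remove the two trailing blank lines at the end of the file. The REWRITEME marker in the subject should also be resolved before this is merged.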
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2016-07-03 11:33 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-07-03 11:34 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 668f0a09ac93f5791925ec3d52d5e3831911f6c0
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Jun 14 11:14:37 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=668f0a09
Module version bump for changes to the puppet module by Thomas Mueller
Move optional block as per style guide
policy/modules/contrib/puppet.te | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index adda09f..4516018 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.6.0)
+policy_module(puppet, 1.6.1)
########################################
#
@@ -192,16 +192,16 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain(puppet_t)
+ shorewall_domtrans(puppet_t)
')
optional_policy(`
- usermanage_domtrans_groupadd(puppet_t)
- usermanage_domtrans_useradd(puppet_t)
+ unconfined_domain(puppet_t)
')
optional_policy(`
- shorewall_domtrans(puppet_t)
+ usermanage_domtrans_groupadd(puppet_t)
+ usermanage_domtrans_useradd(puppet_t)
')
########################################
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2016-07-03 11:33 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-07-03 11:34 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: f8f9f2766a60566938e58cdb0fbd292a6c26be2b
Author: Adam Tkac <adam.tkac <AT> gooddata <DOT> com>
AuthorDate: Thu Jun 16 14:34:57 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:23 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f8f9f276
varnishncsa (varnishlog_t) reads localization files
policy/modules/contrib/varnishd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index c928b0c..2bdabca 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -138,3 +138,5 @@ logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)
files_search_var_lib(varnishlog_t)
+
+miscfiles_read_localization(varnishlog_t)
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2016-07-03 11:33 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-07-03 11:34 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 82c3d44842260d9dc33d3ef3e813220d798e09a1
Author: Thomas Mueller <thomas <AT> chaschperli <DOT> ch>
AuthorDate: Thu Jun 9 11:14:05 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:17 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=82c3d448
Allow puppet_t transition to shorewall_t
If puppet executes /sbin/shorewall it won't transition to
shorewall_t and create log files with puppet_log_t context
instead of shorewall_log_t. If service is then managed by
init (sysv/systemd) it will fail to start.
If puppet_t is allowed to transition to shorewall_t the
logfile will get the correct shorewall_log_t type.
policy/modules/contrib/puppet.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 5fd4c8b..adda09f 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -200,6 +200,10 @@ optional_policy(`
usermanage_domtrans_useradd(puppet_t)
')
+optional_policy(`
+ shorewall_domtrans(puppet_t)
+')
+
########################################
#
# Ca local policy
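Review bot: the new optional_policy block for shorewall_domtrans(puppet_t) is appended after the block that ends with usermanage_domtrans_useradd(puppet_t), which breaks the alphabetical ordering of optional blocks by module name. Place it before the usermanage block so that a later style-only commit is not needed.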
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 227d4173a648167242aef6f7243eda3788c88304
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Sep 11 13:01:55 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:06:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=227d4173
pulseaudio: Move interface definitions.
policy/modules/contrib/pulseaudio.if | 76 ++++++++++++++++++------------------
1 file changed, 38 insertions(+), 38 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index 11238f2..af0f950 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -146,6 +146,44 @@ interface(`pulseaudio_signull',`
allow $1 pulseaudio_t:process signull;
')
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
+
#####################################
## <summary>
## Connect to pulseaudio with a unix
@@ -410,41 +448,3 @@ interface(`pulseaudio_rw_tmpfs_files',`
fs_search_tmpfs($1)
rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
')
-
-########################################
-## <summary>
-## Use file descriptors for
-## pulseaudio.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`pulseaudio_use_fds',`
- gen_require(`
- type pulseaudio_t;
- ')
-
- allow $1 pulseaudio_t:fd use;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to use the
-## file descriptors for pulseaudio.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`pulseaudio_dontaudit_use_fds',`
- gen_require(`
- type pulseaudio_t;
- ')
-
- dontaudit $1 pulseaudio_t:fd use;
-')
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 53fc0ccf1852accb94ea5e13e45ffd69224f4e2f
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Thu Sep 1 17:25:08 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53fc0ccf
evolution: read SSL certificates
Update the evolution modules so that:
- it is able to read SSL certificates (e.g. for server authentication);
- it is able to read the random number generator device;
- it doesn't audit attempts to get the attributes of
extended attributes filesystems.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index c99e07c..28d619c 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -164,18 +164,21 @@ corenet_tcp_connect_ldap_port(evolution_t)
corenet_sendrecv_ipp_client_packets(evolution_t)
corenet_tcp_connect_ipp_port(evolution_t)
+dev_read_rand(evolution_t)
dev_read_urand(evolution_t)
domain_dontaudit_read_all_domains_state(evolution_t)
files_read_usr_files(evolution_t)
+fs_dontaudit_getattr_xattr_fs(evolution_t)
fs_search_auto_mountpoints(evolution_t)
auth_use_nsswitch(evolution_t)
logging_send_syslog_msg(evolution_t)
+miscfiles_read_generic_certs(evolution_t)
miscfiles_read_localization(evolution_t)
udev_read_state(evolution_t)
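Review bot: dev_read_rand(evolution_t) is added directly above the existing dev_read_urand(evolution_t), and the commit message only says evolution should read "the random number generator device" without saying what opens the random device in addition to urandom. Please cite the denial that motivated it. The same applies to fs_dontaudit_getattr_xattr_fs(evolution_t), which silences a denial that the message does not describe.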
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 18ddac2acc0a71975ba87e0683cc3846ed72bb9f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Sep 10 15:28:14 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18ddac2a
cups: Move can_exec() line.
policy/modules/contrib/cups.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 1b0dffa..245926b 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -633,6 +633,9 @@ allow hplip_t hplip_etc_t:dir list_dir_perms;
allow hplip_t hplip_etc_t:file read_file_perms;
allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
@@ -647,9 +650,6 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
-# e.g. execute python script to load the firmware
-can_exec(hplip_t, hplip_exec_t)
-
corenet_all_recvfrom_unlabeled(hplip_t)
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 31afb6134c5d0dca49042de96801d28601a905d3
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sat Sep 10 16:26:46 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:06:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31afb613
mozilla: let mozilla play audio
Let mozilla play audio:
- add new interfaces to the pulseaudio module;
- let mozilla read alsa configuration files;
- add further permissions to mozilla needed to use
pulseaudio to play audio.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/mozilla.te | 9 +++++
policy/modules/contrib/pulseaudio.if | 77 ++++++++++++++++++++++++++++++++++++
2 files changed, 86 insertions(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index cd1aea3..ca45f5c 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -217,6 +217,11 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ alsa_read_config(mozilla_t)
+ alsa_read_home_files(mozilla_t)
+')
+
+optional_policy(`
apache_read_user_scripts(mozilla_t)
apache_read_user_content(mozilla_t)
')
@@ -269,6 +274,8 @@ optional_policy(`
optional_policy(`
pulseaudio_run(mozilla_t, mozilla_roles)
+ pulseaudio_rw_tmpfs_files(mozilla_t)
+ pulseaudio_use_fds(mozilla_t)
')
optional_policy(`
@@ -493,6 +500,8 @@ optional_policy(`
optional_policy(`
pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+ pulseaudio_rw_tmpfs_files(mozilla_plugin_t)
+ pulseaudio_use_fds(mozilla_plugin_t)
')
optional_policy(`
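Review bot: mozilla_plugin_t here, and mozilla_t in the previous hunk, are given pulseaudio_rw_tmpfs_files, which is write access to pulseaudio's tmpfs files, while the same commit introduces pulseaudio_read_tmpfs_files and never calls it. If playback only needs to read those files, use the read interface, at least for the plugin domain. If write access is required, say why in the commit message.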
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index f057680..11238f2 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -371,3 +371,80 @@ interface(`pulseaudio_client_domain',`
pulseaudio_domtrans($1)
pulseaudio_tmpfs_content($2)
')
+
+#######################################
+## <summary>
+## Read pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+#######################################
+## <summary>
+## Read and write pulseaudio tmpfs
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
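Review bot: in pulseaudio_dontaudit_use_fds the parameter summary reads "Domain allowed access." although the interface grants nothing. Refpolicy's dontaudit interfaces describe this parameter as "Domain to not audit."; please use that wording so the generated documentation does not suggest an allow rule.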
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: ad72efd64eb17bf500c13b58120437b3dacc4aab
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep 8 23:15:11 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ad72efd6
evolution: Read user certs from Guido Trentalancia.
policy/modules/contrib/evolution.te | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 55ee470..a3cf532 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,10 +1,19 @@
-policy_module(evolution, 2.4.1)
+policy_module(evolution, 2.4.2)
########################################
#
# Declarations
#
+## <desc>
+## <p>
+## Allow evolution to create and write
+## user certificates in addition to
+## being able to read them
+## </p>
+## </desc>
+gen_tunable(evolution_manage_user_certs, false)
+
attribute_role evolution_roles;
type evolution_t;
@@ -185,6 +194,13 @@ udev_read_state(evolution_t)
userdom_use_user_terminals(evolution_t)
+tunable_policy(`evolution_manage_user_certs',`
+ userdom_manage_user_certs(evolution_t)
+',`
+ userdom_dontaudit_manage_user_certs(evolution_t)
+ userdom_read_user_certs(evolution_t)
+')
+
userdom_manage_user_tmp_dirs(evolution_t)
userdom_manage_user_tmp_files(evolution_t)
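Review bot: in the false branch, userdom_dontaudit_manage_user_certs(evolution_t) suppresses the denial when evolution tries to create or write a user certificate, so a failed import leaves no AVC pointing at the evolution_manage_user_certs boolean. Mention in the tunable's description that write attempts are silently denied while it is off, or leave the dontaudit out until the denials are shown to be noise.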
@@ -437,6 +453,13 @@ miscfiles_read_generic_certs(evolution_server_t)
userdom_dontaudit_read_user_home_content_files(evolution_server_t)
+tunable_policy(`evolution_manage_user_certs',`
+ userdom_manage_user_certs(evolution_server_t)
+',`
+ userdom_dontaudit_manage_user_certs(evolution_server_t)
+ userdom_read_user_certs(evolution_server_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(evolution_server_t)
fs_manage_nfs_files(evolution_server_t)
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: ee7d0d58ccbabc7af9e2a2f7ca7ba276d1884292
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Sep 11 13:02:28 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:06:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ee7d0d58
Module version bump for mozilla patch from Guido Trentalancia.
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index ca45f5c..42fb9bf 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.9.2)
+policy_module(mozilla, 2.9.3)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 4be64ec..214e9c6 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.5)
+policy_module(pulseaudio, 1.8.6)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: fa460d674228cdbe2e16cd33b5b5d83c85e72008
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Mon Sep 19 11:15:44 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fa460d67
gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution
Add a new gstreamer_orcexec_t type and file context to the gnome
module in order to support the OIL Runtime Compiler (ORC) optimized
code execution (used for example by pulseaudio).
Add optional policy to the pulseaudio module to support the ORC
optimized code execution.
This patch has been anticipated a few weeks ago as part of a
larger gnome patch. It has now been split as a smaller patch,
as required.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/gnome.fc | 4 ++
policy/modules/contrib/gnome.if | 98 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gnome.te | 3 ++
policy/modules/contrib/pulseaudio.te | 6 +++
4 files changed, 111 insertions(+)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index 31d8c6c..ce12193 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -7,6 +7,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
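Review bot: the added HOME_DIR/orcexec\..* entry has no file-type specifier, so it labels any object class matching that name, whereas the /var/run/user entries added later in this file use "--" and gnome_manage_gstreamer_orcexec only grants permissions on the file class. Suggest adding "--" here too so that only regular files receive the executable type.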
@@ -16,6 +18,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
ifdef(`distro_gentoo',`
HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_home_t,s0)
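Review bot: the two added /var/run/user lines differ only in the directory component, and the [^/]* pattern on the first already matches every path the %{USERID} line can expand to. A short comment explaining why both entries are needed (or dropping one) would save the next reader from guessing.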
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index cad0e95..190fa16 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -610,6 +610,66 @@ interface(`gnome_gconf_home_filetrans',`
########################################
## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read generic gnome keyring home files.
## </summary>
## <param name="domain">
@@ -764,3 +824,41 @@ interface(`gnome_dbus_chat_gconfd',`
allow $1 gconfd_t:dbus send_msg;
allow gconfd_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Manage gstreamer ORC optimized
+## code.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Mmap gstreamer ORC optimized
+## code.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_mmap_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file mmap_file_perms;
+')
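Review bot: gnome_manage_gstreamer_orcexec and gnome_mmap_gstreamer_orcexec are documented as independent interfaces, but a domain given both (as pulseaudio_t is in this patch) can write a file and then map it executable, because mmap_file_perms includes execute. Please say in the two summaries that the pair amounts to write-then-execute on gstreamer_orcexec_t, so callers grant it deliberately.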
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index dd6ac04..8c79849 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_home_t)
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
##############################
#
# Common local Policy
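Review bot: gstreamer_orcexec_t is declared only with application_executable_file, although gnome.fc in this patch places it under HOME_DIR and /var/run/user. The neighbouring gnome_keyring_home_t is marked with userdom_user_home_content; if the omission is deliberate for this type, a comment saying so would help. Otherwise, please check that user domains can still list, relabel and remove these files in their own home directory.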
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 214e9c6..7f30a72 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -193,6 +193,12 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ gnome_manage_gstreamer_orcexec(pulseaudio_t)
+ gnome_mmap_gstreamer_orcexec(pulseaudio_t)
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
')
optional_policy(`
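Review bot: the two filetrans calls at the end of the added block pass file with no name argument, so by default any regular file pulseaudio_t creates directly in the user home directory or the user runtime directory is labelled gstreamer_orcexec_t, not only the orcexec.* files that gnome.fc matches. Since the two preceding lines make that type both writable and mappable executable by pulseaudio_t, please confirm this scope is intended and extend the comment to say so, or explain why a name cannot be supplied.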
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: abdacce1d5c0894bc44af2822d436ce670e68935
Author: Naftuli Tzvi Kay <rfkrocktk <AT> gmail <DOT> com>
AuthorDate: Tue Sep 27 20:40:57 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=abdacce1
Fix NetworkManager Read Pid Files Macro
Bug found in pull #26 - permissions aren't granted for searching
the NetworkManager_var_run_t directory, only to reading its files.
policy/modules/contrib/networkmanager.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 152dc57..10688d2 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -247,6 +247,7 @@ interface(`networkmanager_read_pid_files',`
')
files_search_pids($1)
+ allow $1 NetworkManager_var_run_t:dir search_dir_perms;
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
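Review bot: the added dir search rule together with the existing file read rule is exactly what read_files_pattern expresses, so the two allow lines could become read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t). That keeps the directory and file permissions from drifting apart again, which is the bug this commit fixes.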
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: a3cfff743285e946ebafb7bc1c2c9a5cdb4aa039
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep 1 23:36:29 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a3cfff74
Module version bump for Evolution SSL fix from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 28d619c..55ee470 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.4.0)
+policy_module(evolution, 2.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 756d18c85f9a8e62ab510f6ab7026944ed028d3b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Sep 9 12:11:16 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=756d18c8
cups: update permissions for HP printers (load firmware)
Update the cups module with some permissions needed to run HP
printers (in particular to be able to load firmware on those
printers that need it every time they are connected).
The permission to execute shell scripts has been removed in
this new version, as this is not required.
Compared to previous versions, this new version creates a
specific hplip pty (as suggested by Christopher PeBenito).
Here is the list of printers that require firmware loading:
HP LaserJet 1000
HP LaserJet 1005 series
HP LaserJet 1018
HP LaserJet 1020
HP LaserJet p1005
HP LaserJet p1006
HP LaserJet p1007
HP LaserJet p1008
HP LaserJet p1009
HP LaserJet p1505
HP LaserJet Professional p1102
HP LaserJet Professional p1102w
HP LaserJet Professional p1566
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/cups.te | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 6fd2ee5..1b0dffa 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -71,6 +71,9 @@ type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)
cups_backend(hplip_t, hplip_exec_t)
+type hplip_devpts_t;
+term_pty(hplip_devpts_t)
+
type hplip_etc_t;
files_config_file(hplip_etc_t)
@@ -157,6 +160,10 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
+# hpcups
+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -300,6 +307,10 @@ optional_policy(`
')
optional_policy(`
+ init_dbus_chat_script(cupsd_t)
+')
+
+optional_policy(`
kerberos_manage_host_rcache(cupsd_t)
kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
')
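Review bot: the new optional_policy block granting init_dbus_chat_script(cupsd_t) has no comment, and the commit message only talks about HP firmware loading and the hplip pty. Please add a comment saying which cupsd operation needs to talk to init scripts over D-Bus, or move it to a separate commit if it is unrelated to hplip.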
@@ -426,6 +437,8 @@ miscfiles_read_hwdata(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
+term_use_generic_ptys(cupsd_config_t)
+
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
@@ -433,10 +446,6 @@ userdom_read_user_tmp_symlinks(cupsd_config_t)
userdom_rw_user_tmp_files(cupsd_config_t)
optional_policy(`
- term_use_generic_ptys(cupsd_config_t)
-')
-
-optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
@@ -608,9 +617,12 @@ allow hplip_t self:capability { dac_override dac_read_search net_raw };
dontaudit hplip_t self:capability sys_tty_config;
allow hplip_t self:fifo_file rw_fifo_file_perms;
allow hplip_t self:process signal_perms;
+allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hplip_t self:tcp_socket { accept listen };
allow hplip_t self:rawip_socket create_socket_perms;
+allow hplip_t hplip_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
allow hplip_t cupsd_etc_t:dir search_dir_perms;
manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
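Review bot: the added netlink_kobject_uevent_socket rule for hplip_t carries no comment, unlike the can_exec addition later in this patch. Please note what hplip uses uevents for (presumably device detection for firmware loading), and whether setattr_chr_file_perms on hplip_devpts_t is really needed in addition to rw_chr_file_perms.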
@@ -635,6 +647,9 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
corenet_all_recvfrom_unlabeled(hplip_t)
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
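Review bot: the comment above can_exec(hplip_t, hplip_exec_t) starts with "e.g.", which leaves open what else is expected to run this way. can_exec lets hplip_t execute every hplip_exec_t file without a domain transition, so please name the script(s) that need it rather than giving one example.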
@@ -684,6 +699,10 @@ miscfiles_read_localization(hplip_t)
sysnet_dns_name_resolve(hplip_t)
+term_create_pty(hplip_t, hplip_devpts_t)
+term_use_generic_ptys(hplip_t)
+term_use_ptmx(hplip_t)
+
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
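Review bot: term_use_generic_ptys(hplip_t) is added right after term_create_pty(hplip_t, hplip_devpts_t), which gives hplip its own pty type. If the dedicated type covers the ptys hplip opens, the generic pty access looks unnecessary. Please drop it, or add a comment on which generic pty is still used.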
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: b27815edef70f38fdcf432a880d1c9419981311f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Sep 19 22:30:51 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b27815ed
Module version bump for gnome patch from Guido Trentalancia.
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 8c79849..c30e596 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.5.1)
+policy_module(gnome, 2.5.2)
##############################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 7f30a72..72064a2 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.6)
+policy_module(pulseaudio, 1.8.7)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: d08361ee81045093ab652fa49234e465b730a8f3
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Sep 10 15:43:08 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d08361ee
cups: Module version bump for hplip patch from Guido Trentalancia
policy/modules/contrib/cups.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 245926b..1d6fd86 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.19.1)
+policy_module(cups, 1.19.2)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: cb341f0bcb4701f28a7a4ee0e452240e86bd9941
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 27 22:31:13 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb341f0b
gpg: Whitespace fix.
policy/modules/contrib/gpg.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 4d200ff..f76aed4 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -148,7 +148,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
- ')
+')
optional_policy(`
gnome_read_generic_home_content(gpg_t)
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: b7fc726a01b14a90222b4686ec185315d3e998fb
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 2 15:45:35 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:45:30 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b7fc726a
REWRITEME Add portage admin interface
policy/modules/contrib/portage.if | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 14c4fb6..38a31cd 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -556,3 +556,33 @@ interface(`portage_dontaudit_write_cache',`
dontaudit $1 portage_cache_t:dir { setattr write };
')
+
+########################################
+## <summary>
+## Portage (and thus the system software) administration role
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_admin',`
+ gen_require(`
+ type portage_cache_t, portage_conf_t, portage_db_t, portage_ebuild_t, portage_srcrepo_t, portage_log_t;
+ ')
+
+ admin_pattern($1, portage_cache_t)
+ admin_pattern($1, portage_conf_t)
+ admin_pattern($1, portage_db_t)
+ admin_pattern($1, portage_ebuild_t)
+ admin_pattern($1, portage_srcrepo_t)
+ admin_pattern($1, portage_log_t)
+')
+
+
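Review bot: the portage_admin header documents two parameters, role first and domain second, but the body only ever uses $1 and passes it to admin_pattern as the domain. Either the documentation order is wrong or the role parameter is unused; please align the two (and drop the param block for role if nothing consumes it). The patch also ends with two added blank lines that can go.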
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: c568bc4bfa98a347210c4ffd3a8aebe1a203d2d8
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Sep 2 11:35:53 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c568bc4b
gpg: public key signature verification in evolution
Let gpg verify public key signatures in the evolution mail client application.
It doesn't need write permissions on such files for signing/encrypting messages.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.if | 21 +++++++++++++++++++++
policy/modules/contrib/gpg.te | 4 ++++
2 files changed, 25 insertions(+)
diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
index d9c17d2..7c21ba1 100644
--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -128,6 +128,27 @@ interface(`evolution_stream_connect',`
########################################
## <summary>
+## Read evolution orbit temporary
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_orbit_tmp_files',`
+ gen_require(`
+ type evolution_orbit_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t)
+')
+
+
+########################################
+## <summary>
## Send and receive messages from
## evolution over dbus.
## </summary>
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 072047d..0eedb45 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -147,6 +147,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ evolution_read_orbit_tmp_files(gpg_t)
+ ')
+
+optional_policy(`
gnome_read_generic_home_content(gpg_t)
gnome_stream_connect_all_gkeyringd(gpg_t)
')
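Review bot: the closing line of the new optional_policy block is indented, unlike the closing lines of the neighbouring blocks, and should start in column one. It would also help to add a comment on why gpg_t reads evolution orbit temporary files, since the commit message speaks of verifying public key signatures and the connection is not obvious from the interface name.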
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: d2251e5d5b63f988488a732febefa2cd115da04c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 27 22:24:08 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2251e5d
Module version bump for evolution patch from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index a3cf532..1580c95 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.4.2)
+policy_module(evolution, 2.4.3)
########################################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 0eedb45..4d200ff 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.9.1)
+policy_module(gpg, 2.9.2)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 15:45 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 71beba0776f9e6a4ad9d4f02b9cdaa793622fc31
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 27 22:45:34 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71beba07
Module version bump for networkmanager fix from Naftuli Tzvi Kay.
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 1ae3fde..45bbc02 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.18.3)
+policy_module(networkmanager, 1.18.4)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/ Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
1 sibling, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 2643b904b25db0560e375d37753018c0cd561cc0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 19 22:57:38 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:42 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2643b904
webalizer: Rearrange a couple lines.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/webalizer.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index ff69b41..5e0a9e6 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -36,7 +36,6 @@ allow webalizer_t self:unix_stream_socket { accept connectto listen };
allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
-files_read_usr_files(webalizer_t)
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
@@ -51,7 +50,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
-miscfiles_read_fonts(webalizer_t)
+files_read_usr_files(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
@@ -64,6 +63,7 @@ logging_send_syslog_msg(webalizer_t)
miscfiles_read_localization(webalizer_t)
miscfiles_read_public_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
userdom_use_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 16:02 Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
0 siblings, 2 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 2643b904b25db0560e375d37753018c0cd561cc0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 19 22:57:38 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:42 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2643b904
webalizer: Rearrange a couple lines.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/webalizer.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index ff69b41..5e0a9e6 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -36,7 +36,6 @@ allow webalizer_t self:unix_stream_socket { accept connectto listen };
allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
-files_read_usr_files(webalizer_t)
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
@@ -51,7 +50,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
-miscfiles_read_fonts(webalizer_t)
+files_read_usr_files(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
@@ -64,6 +63,7 @@ logging_send_syslog_msg(webalizer_t)
miscfiles_read_localization(webalizer_t)
miscfiles_read_public_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
userdom_use_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 16:02 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 75bde71a956a7d9cd2ad48387d75dfda32c21e1c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 23 20:58:59 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:53 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75bde71a
Bump module versions for release.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/geoclue.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/mailman.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/webalizer.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
60 files changed, 60 insertions(+), 60 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index dc87030..f7faa4b 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.15.1)
+policy_module(alsa, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index 5f579aa..65fa397 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -1,4 +1,4 @@
-policy_module(amanda, 1.15.1)
+policy_module(amanda, 1.16.0)
#######################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index e02fcdc..2afcf1c 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.10.1)
+policy_module(apache, 2.11.0)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 586104d..2432884 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.10.1)
+policy_module(apcupsd, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index 449f23f..7c54285 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.14.2)
+policy_module(apm, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 0cda29a..cb9258d 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.12.1)
+policy_module(arpwatch, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index dee9f93..203d5e4 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.15.1)
+policy_module(asterisk, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 2f5852e..6f3dc40 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.16.1)
+policy_module(automount, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 40cba10..8c4bbb4 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.16.1)
+policy_module(avahi, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index e3072c7..23645e9 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.16.2)
+policy_module(bind, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 58468ea..557c8f9 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.3.1)
+policy_module(boinc, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index cfbb41c..a98db0b 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.3.1)
+policy_module(certmonger, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 736856f..24c2ee7 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.3.1)
+policy_module(cgroup, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index d733ffb..f615884 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.12.1)
+policy_module(clamav, 1.13.0)
## <desc>
## <p>
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index cb20d84..9c8f218 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.1.1)
+policy_module(collectd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 80c18fa..a41c47f 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.10.2)
+policy_module(consolekit, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index 901911b..0c3ec09 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.4.1)
+policy_module(cpucontrol, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 0125df0..20a645c 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.9.2)
+policy_module(cron, 2.10.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 1d6fd86..7674df8 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.19.2)
+policy_module(cups, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 3fc7f7c..ccee3f9 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.4.1)
+policy_module(devicekit, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 927e1d9..9421ef8 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.12.1)
+policy_module(dhcp, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index e1f6d58..e5c943b 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.9.1)
+policy_module(entropyd, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 1580c95..1d5421b 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.4.3)
+policy_module(evolution, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index aa0d713..e9d23e1 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.3.1)
+policy_module(firewalld, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 8b83ad7..300d0dc 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.18.2)
+policy_module(ftp, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
index 9edb92c..c6e6640 100644
--- a/policy/modules/contrib/geoclue.te
+++ b/policy/modules/contrib/geoclue.te
@@ -1,4 +1,4 @@
-policy_module(geoclue, 1.0.4)
+policy_module(geoclue, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index c30e596..5a6f728 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.5.2)
+policy_module(gnome, 2.6.0)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index f76aed4..c62a7f3 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.9.2)
+policy_module(gpg, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index beef250..18e3082 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.15.1)
+policy_module(hal, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 215a680..1f63509 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.4.2)
+policy_module(kdump, 1.5.0)
#######################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 5abf625..6b069f2 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.13.1)
+policy_module(ldap, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index fabf459..e2daa42 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.17.1)
+policy_module(logrotate, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 609a9ea..9ec364b 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.10.1)
+policy_module(mailman, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 42fb9bf..1331491 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.9.3)
+policy_module(mozilla, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index 755e1ef..43de2d9 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.3.1)
+policy_module(mpd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 6915313..758b127 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.5.2)
+policy_module(mplayer, 2.6.0)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 455fd81..023c7db 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.17.1)
+policy_module(mysql, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 45bbc02..5e7a002 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.18.4)
+policy_module(networkmanager, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 3d3936d..9715d63 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.13.2)
+policy_module(nis, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index 4ba589d..eec2928 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.13.1)
+policy_module(nscd, 1.14.0)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 215c57d..51747ad 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.14.2)
+policy_module(ntp, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index b0e00eb..6c5f592 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.4.1)
+policy_module(policykit, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 8473117..f09e8ca 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.15.1)
+policy_module(ppp, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 72064a2..e641031 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.7)
+policy_module(pulseaudio, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 4516018..dabc6d8 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.6.1)
+policy_module(puppet, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index ec54379..e65f673 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.15.1)
+policy_module(raid, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index 25cf846..d8bbd67 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.2.2)
+policy_module(redis, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 6703f96..027eb78 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.17.1)
+policy_module(rpc, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 88dbc6b..6e39fe7 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.9.1)
+policy_module(rpcbind, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 3e68e7f..3310d80 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.3.1)
+policy_module(rtkit, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 602be98..15b53a1 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.18.1)
+policy_module(samba, 1.19.0)
#################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index c4f6477..29661de 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.5.1)
+policy_module(shorewall, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index 4bb3c6f..1ffeaa7 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.6.1)
+policy_module(telepathy, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 3c596d8..1f0832d 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.11.1)
+policy_module(tor, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 8a0dc1d..7a57c21 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.9.1)
+policy_module(userhelper, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 9d24d0d..9ff049b 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.3.2)
+policy_module(varnishd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 38aa474..c45ba2d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.9.3)
+policy_module(virt, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 0793afa..4d903b6 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.10.1)
+policy_module(watchdog, 1.11.0)
#################################
#
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 9e87be9..06f9d33 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.13.2)
+policy_module(webalizer, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 02329e0..2cecd32 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.4.1)
+policy_module(wm, 1.5.0)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2016-10-24 16:03 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 7ba6a2c036470cfa2cf1cac7665275ba48f45627
Author: Russell Coker via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Wed Oct 19 06:07:20 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:35 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ba6a2c0
webalizer patch for inclusion
Thanks Chris for the suggestions, here's a patch that I think is worthy of
inclusion.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/logrotate.te | 5 +++++
policy/modules/contrib/webalizer.if | 20 ++++++++++++++++++++
policy/modules/contrib/webalizer.te | 2 ++
3 files changed, 27 insertions(+)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index a1670d0..f7a70da 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -242,6 +242,11 @@ optional_policy(`
varnishd_manage_log(logrotate_t)
')
+optional_policy(`
+ manage_webalizer_var_lib(logrotate_t)
+ webalizer_run(logrotate_t, system_r)
+')
+
#######################################
#
# Mail local policy
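Review bot: The call `manage_webalizer_var_lib(logrotate_t)` in the new optional_policy block uses a name that does not lead with the owning module, unlike its neighbours `varnishd_manage_log` and `webalizer_run`; renaming it to something like `webalizer_manage_var_lib` would make the owning module clear at the call site. The block also gives logrotate_t a transition into the webalizer domain via `webalizer_run(logrotate_t, system_r)`, which is a wider grant than file management, and the commit message does not say why logrotate needs it. A short comment above the block stating the use case would help.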
diff --git a/policy/modules/contrib/webalizer.if b/policy/modules/contrib/webalizer.if
index fa28353..cc831b6 100644
--- a/policy/modules/contrib/webalizer.if
+++ b/policy/modules/contrib/webalizer.if
@@ -45,3 +45,23 @@ interface(`webalizer_run',`
webalizer_domtrans($1)
roleattribute $2 webalizer_roles;
')
+
+########################################
+## <summary>
+## Manage webalizer usage files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to manage webalizer usage files
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`manage_webalizer_var_lib',`
+ gen_require(`
+ type webalizer_var_lib_t;
+ ')
+
+ allow $1 webalizer_var_lib_t:dir manage_dir_perms;
+ allow $1 webalizer_var_lib_t:file manage_file_perms;
+')
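Review bot: The `## <rolecap/>` line in the new interface header looks carried over from `webalizer_run` above; `manage_webalizer_var_lib` takes only a domain ($1) and no role argument, so the tag should be dropped. The two raw `allow $1 webalizer_var_lib_t:...` rules could also be written with `manage_dirs_pattern` and `manage_files_pattern`, which webalizer.te already uses for webalizer_tmp_t, so that the directory search permissions needed to reach the files are granted consistently.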
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 99bef4a..ff69b41 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -36,6 +36,7 @@ allow webalizer_t self:unix_stream_socket { accept connectto listen };
allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
+files_read_usr_files(webalizer_t)
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
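Review bot: `files_read_usr_files(webalizer_t)` is inserted right after the `allow webalizer_t webalizer_etc_t:file read_file_perms;` rule, in the middle of the module's own allow and pattern rules. It should sit with the other `files_*` interface calls, next to `files_read_etc_runtime_files(webalizer_t)`, so the local rules and the calls into other modules stay in separate groups.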
@@ -50,6 +51,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
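Review bot: `miscfiles_read_fonts(webalizer_t)` is added between `files_read_etc_runtime_files` and `fs_search_auto_mountpoints`, which splits the files/fs group; it should go with the module's miscfiles calls instead. The commit message also gives no reason for the new font and /usr read access, so a line stating which webalizer operation was being denied would make the grant easier to audit later.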
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 16:02 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 4fe949b5d5a054cf70cc8fe2a7f24aa56e5ef941
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 19 22:57:55 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:45 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4fe949b5
Module version bump for webalizer patch from Russell Coker.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/webalizer.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index f7a70da..fabf459 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.17.0)
+policy_module(logrotate, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 5e0a9e6..9e87be9 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.13.1)
+policy_module(webalizer, 1.13.2)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 25d7f7a7b3dfe131f56d593cfc26816e45ba72f4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 23 20:58:59 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:57 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25d7f7a7
Update Changelog for release.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/Changelog | 160 +++++++++++++++++++++++++++++++++++++++
1 file changed, 160 insertions(+)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index 63c8ea9..f143cb9 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,163 @@
+* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023
+Adam Tkac (2):
+ varnishncsa (varnishlog_t) reads localization files
+ Grant certmonger "chown" capability
+
+Chris PeBenito (42):
+ Merge branch 'bigon-geoclue'
+ Add additional comments in geoclue.
+ Merge branch 'bigon-virt-1'
+ Merge branch 'nm-1' of git://github.com/bigon/refpolicy-contrib into
+ bigon-nm-1
+ Merge branch 'bigon-nm-1'
+ Module version bump for virt and networkmanager patches from Laurent
+ Bigonville.
+ Merge branch 'master' of git://github.com/bigon/refpolicy-contrib
+ Module version bump for firewalld updates from Laurent Bigonville.
+ Module version bump for collectd update from Jason Zaman.
+ Module version bumps for user runtime fixes from Jason Zaman.
+ Boinc updates from Russell Coker.
+ rpcbind: Read /sys/devices/system/cpu/online from Russell Coker.
+ watchdog: Move line.
+ Module version bump for watchdog pidfile option from Russell Coker.
+ Systemd units from Russell Coker.
+ Module version bump for pulseaudio fc fix from Jason Zaman.
+ cpucontrol: revise cpucontrol_conf_t labeling, from Guido Trentalancia.
+ Module version bumps for patches from Guido Trentalancia.
+ Update the telepathy module:
+ Update the alsa module so that the alsa_etc_t file context (previously
+ alsa_etc_rw_t) is widened to the whole alsa share directory, instead of
+ just a couple of files.
+ alsa: Add compatibility alias for alsa_etc_rw_t.
+ Update the sysnetwork module to add some permissions needed by the dhcp
+ client (another separate patch makes changes to the ifconfig part).
+ Module version bump for various patches from Guido Trentalancia.
+ pulseaudio: Fix compile errors.
+ Merge branch 'master' of
+ https://github.com/SeanPlacchetti/refpolicy-contrib
+ Module version bump for webalizer dead type removal from Sean Placchetti.
+ Module version bump for Evolution SSL fix from Guido Trentalancia.
+ evolution: Read user certs from Guido Trentalancia.
+ cups: Move can_exec() line.
+ cups: Module version bump for hplip patch from Guido Trentalancia
+ pulseaudio: Move interface definitions.
+ Module version bump for mozilla patch from Guido Trentalancia.
+ Module version bump for gnome patch from Guido Trentalancia.
+ Module version bump for evolution patch from Guido Trentalancia.
+ gpg: Whitespace fix.
+ Merge branch 'feature/fix-networkmanager-varrun-macro' of
+ https://github.com/rfkrocktk/refpolicy-contrib
+ Module version bump for networkmanager fix from Naftuli Tzvi Kay.
+ Merge branch 'rfkrocktk-feature/syncthing'
+ Rearrange lines in syncthing.
+ webalizer: Rearrange a couple lines.
+ Module version bump for webalizer patch from Russell Coker.
+ Bump module versions for release.
+
+Dominick Grift (18):
+ Module version bump for changes to the geoclue module by Laurent
+ Bigonville.
+ Module version bump for changes to various modules from Laurent
+ Bigonville.
+ geoclue: move kernel interface call to the appropriate position
+ Actually associate mailmain_domain attribute with mailman domains
+ Module version bumps for changes to various modules by Nicolas Iooss
+ Module version bump for changes to the cron module by Jason Zaman
+ Module version bump for changes to the redis module by Grant Ridder
+ Module version bump for changes to the raid module by Laurent Bigonville
+ Module version bump for changes to the networkmanager module by Laurent
+ Bigonville.
+ Module version bump for changes to the redis module by Grant Ridder.
+ Module version bump for changes to the mozilla module by Laurent
+ Bigonville.
+ Module version bump for changes to the geoclue module by Nicolas Iooss.
+ Add hwloc-dump-hwdata SELinux policy
+ Module version bump for changes to the varnishd module by Robert Moucha
+ Module version bump for changes to the puppet module by Thomas Mueller
+ Module version bump for changes to the varnishd module by Adam Tkac
+ Module version bump for changes to the certmonger module by Adam Tkac
+ Revert "dbus: allow system, and session bus clients to answer to dbus
+ unconfined domains"
+
+Grant Ridder (2):
+ Add read/write perms for redis-sentinel
+ Allow tcp_connect to redis_port_t for redis_t
+
+Guido Trentalancia (7):
+ Policykit module: add fs_getattr_xattr_fs()
+ Update the policy for module apm
+ Let gpg disable core dumps
+ Update the rtkit module
+ Update the pulseaudio module for usability and ORC support
+ cups: update permissions for HP printers (load firmware)
+ gpg: public key signature verification in evolution
+
+Guido Trentalancia via refpolicy (3):
+ evolution: read SSL certificates
+ mozilla: let mozilla play audio
+ gnome: add support for the OIL Runtime Compiler (ORC) optimized code
+ execution
+
+Jason Zaman (10):
+ cron: Allow locks to be lnk_files
+ collectd: update policy for 5.5
+ consolekit: allow managing user runtime
+ pulseaudio: fcontext and filetrans for runtime
+ ftp: Add filetrans from user_runtime
+ gnome: Add filetrans from user_runtime
+ mplayer: Add filetrans from user_runtime
+ userhelper: Add filetrans from user_runtime
+ wm: Add filetrans from user_runtime
+ pulseaudio: fix user runtime fcontext
+
+Laurent Bigonville (13):
+ Add initial geoclue 2 module
+ Properly escape dot in the path to the geoclue daemon
+ Use auth_use_nsswitch() as we need DNS resolving and access nsswitch.conf
+ virt.fc: Add some debian contexts
+ networkmanager.fc: nm-dispatcher.action has been renamed to nm-dispatcher
+ Allow some domain to read sysctl_vm_overcommit_t
+ Allow mdadm read efivarfs files
+ Allow /var/run/firewalld/ directory to transition to firewalld_var_run_t
+ Add an interface to allow a domain to read firewalld_var_run_t files
+ Allow firewalld to create firewalld_var_run_t directory.
+ dontaudit firewalld attempt to relabel its own config files
+ Allow NM to execute arping
+ Debian now ships firefox-esr, properly label the executable
+
+Luis Ressel (1):
+ New policy for tboot utilities
+
+Naftuli Tzvi Kay (2):
+ Fix NetworkManager Read Pid Files Macro
+ Syncthing Policy
+
+Nicolas Iooss (3):
+ Describe _initrc_domtrans interfaces differently from the _domtrans ones
+ Fix typos in several interfaces
+ Add Arch Linux path for geoclue module
+
+Robert Moucha (1):
+ Fix trivial typo in varnishncsa name
+
+Russell Coker (2):
+ watchdog reads pid files
+ named reads vm sysctls
+
+Russell Coker via refpolicy (1):
+ webalizer patch for inclusion
+
+Sean Placchetti (1):
+ -Remove unused declarations from webalizer type enforcement file
+
+Thomas Mueller (1):
+ Allow puppet_t transtition to shorewall_t
+
+doverride (3):
+ Merge pull request #8 from bigon/geoclue
+ Merge pull request #11 from bigon/overcommit-1
+ Merge pull request #12 from fishilico/typos
+
* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
Alexander Wetzel (1):
add vfio support for libvirt
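Review bot: The shortlog in this Changelog hunk splits the same contributors across two headings ("Guido Trentalancia (7)" and "Guido Trentalancia via refpolicy (3)", "Russell Coker (2)" and "Russell Coker via refpolicy (1)"), so the per-author counts are misleading; a mailmap entry folding the "via refpolicy" list identity into the real author would fix this at generation time. The entries also carry subject typos through verbatim ("mailmain_domain", "transtition") and one subject with a leading dash ("-Remove unused declarations ..."); if the Changelog is meant to be read by users, these are worth cleaning up in the release text.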
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/ Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 16:03 ` Sven Vermeulen
1 sibling, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 2643b904b25db0560e375d37753018c0cd561cc0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 19 22:57:38 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:42 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2643b904
webalizer: Rearrange a couple lines.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/webalizer.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index ff69b41..5e0a9e6 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -36,7 +36,6 @@ allow webalizer_t self:unix_stream_socket { accept connectto listen };
allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
-files_read_usr_files(webalizer_t)
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
@@ -51,7 +50,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
-miscfiles_read_fonts(webalizer_t)
+files_read_usr_files(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
@@ -64,6 +63,7 @@ logging_send_syslog_msg(webalizer_t)
miscfiles_read_localization(webalizer_t)
miscfiles_read_public_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
userdom_use_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
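Review bot: miscfiles_read_fonts(webalizer_t) is appended after miscfiles_read_public_files, which leaves the miscfiles block out of alphabetical order (fonts, localization, public_files); insert it above miscfiles_read_localization instead. Taken with the two earlier hunks, the patch removes and re-adds files_read_usr_files and miscfiles_read_fonts exactly once each, so the access granted to webalizer_t is unchanged.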
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2016-10-24 16:56 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 16:47 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:47 UTC
To: gentoo-commits
commit: d58ed8ba1ef188c67ec5ecbfc091abb0014dd6e4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct 9 04:37:10 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:47:46 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d58ed8ba
chromium: perms for user_cert_t
policy/modules/contrib/chromium.te | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 3185640..10bcd9f 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -88,7 +88,8 @@ xdg_cache_home_content(chromium_xdg_cache_t)
# chromium local policy
#
-allow chromium_t self:process { getsched setcap setrlimit setsched sigkill signal };
+# execmem for load in plugins
+allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal };
allow chromium_t self:fifo_file rw_fifo_file_perms;;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
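Review bot: execmem stays unconditional after being folded into the self:process rule, so every chromium_t process may map memory both writable and executable whether or not plugins are in use; the commit subject ("perms for user_cert_t") does not mention the move, and the permission would be easier to audit behind a tunable_policy block like the chromium_rw_usb_dev one later in this file. The comment would read better as "execmem is needed to load plugins", and the unchanged line below still ends in a double semicolon (rw_fifo_file_perms;;) that could be cleaned up in the same pass.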
@@ -108,8 +109,6 @@ allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
allow chromium_t chromium_naclhelper_t:process { share };
-allow chromium_t self:process execmem; # Load in plugins
-
# tmp has a wide class access (used for plugins)
manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
@@ -164,18 +163,17 @@ fs_dontaudit_getattr_xattr_fs(chromium_t)
getty_dontaudit_use_fds(chromium_t)
-miscfiles_manage_user_certs(chromium_t)
miscfiles_read_all_certs(chromium_t)
miscfiles_read_localization(chromium_t)
-miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss")
-miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".pki")
-sysnet_dns_name_resolve(chromium_t)
+sysnet_dns_name_resolve(chromium_t)
userdom_user_content_access_template(chromium, chromium_t)
userdom_dontaudit_list_user_home_dirs(chromium_t)
# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
userdom_use_user_terminals(chromium_t)
+userdom_manage_user_certs(chromium_t)
+userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
xdg_create_cache_home_dirs(chromium_t)
xdg_create_config_home_dirs(chromium_t)
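Review bot: the named transition for ".nss" is dropped without a replacement: the old code called miscfiles_user_home_dir_filetrans_cert_home for both ".nss" and ".pki", while only userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki") is added. If chromium can still create ~/.nss, that directory will no longer be labelled by a named transition, so either keep a second call for ".nss" or say in the commit message why it is no longer needed. The two new userdom_ calls also sit directly under the "# Debugging" comment, which only describes userdom_use_user_terminals, and the sysnet_dns_name_resolve remove/add pair appears to differ only in whitespace.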
@@ -194,6 +192,7 @@ tunable_policy(`chromium_bind_tcp_unreserved_ports',`
tunable_policy(`chromium_rw_usb_dev',`
dev_rw_generic_usb_dev(chromium_t)
+ udev_read_db(chromium_t)
')
tunable_policy(`chromium_read_system_info',`
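Review bot: udev_read_db(chromium_t) inside the chromium_rw_usb_dev tunable is unrelated to the commit subject ("perms for user_cert_t") and carries no explanation; split it into its own commit or add a line to the message saying what chromium reads from the udev database when USB access is enabled, ideally with the denial that prompted it.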
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC
To: gentoo-commits
commit: 9c13ccfd92d3223dbad2972c7ed90c19f7c1a4ef
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:38:44 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9c13ccfd
Module version bump for patches from Russell Coker.
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 3a6c0b92..88a73ce4 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.3)
+policy_module(cups, 1.21.4)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 80ceb9de..ca39fb6b 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.5)
+policy_module(dbus, 1.22.6)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c795f278..c145fb4c 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.11.0)
+policy_module(gpg, 2.11.1)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 29b473e7..997f3e3b 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.17.1)
+policy_module(hal, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index ee6ad3da..fc89a486 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.6.1)
+policy_module(policykit, 1.6.2)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC
To: gentoo-commits
commit: 9f8cb24323e7357725e97e57caa71920e398ea6b
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 22:02:08 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f8cb243
some little misc things from Russell Coker.
This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).
policy/modules/contrib/apt.if | 20 ++++++++++++++++++++
policy/modules/contrib/apt.te | 2 +-
policy/modules/contrib/cron.te | 25 +++++++++++++++++++++----
policy/modules/contrib/mrtg.if | 18 ++++++++++++++++++
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/rsync.te | 4 +++-
6 files changed, 64 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
index 0a1bc49f..568aa97d 100644
--- a/policy/modules/contrib/apt.if
+++ b/policy/modules/contrib/apt.if
@@ -176,6 +176,26 @@ interface(`apt_read_cache',`
########################################
## <summary>
+## Create, read, write, and delete apt package cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_manage_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir manage_dir_perms;
+ allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
## Read apt package database content.
## </summary>
## <param name="domain">
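Review bot: apt_manage_cache grants access with two raw allow rules, and only for the dir and file classes; the cron.te hunks in this same patch use manage_dirs_pattern and manage_files_pattern for the equivalent job, and using them here would keep the style consistent. If symlinks can appear in the apt cache, lnk_file is not covered by this interface.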
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 05197c4c..dc6f09b1 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.1)
+policy_module(apt, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 5cb7dac1..15e6bdb4 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.3)
+policy_module(cron, 2.11.4)
gen_require(`
class passwd rootok;
@@ -338,6 +338,13 @@ ifdef(`distro_debian',`
allow crond_t self:process setrlimit;
optional_policy(`
+ apt_manage_cache(system_cronjob_t)
+ apt_read_db(system_cronjob_t)
+
+ dpkg_manage_db(system_cronjob_t)
+ ')
+
+ optional_policy(`
logwatch_search_cache_dir(crond_t)
')
')
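Review bot: apt_manage_cache, apt_read_db and dpkg_manage_db share one optional_policy block, so on a system built without the dpkg module the two apt rules are dropped as well; put the dpkg call in its own optional_policy block. dpkg_manage_db also lets every system cron job rewrite the package database, which the commit message covers only as "some access it requires"; name the cron job that needs it in a comment.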
@@ -429,6 +436,7 @@ optional_policy(`
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
+ init_manage_script_service(system_cronjob_t)
')
optional_policy(`
@@ -440,7 +448,7 @@ optional_policy(`
# System local policy
#
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
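Review bot: net_admin is added to the capability set of system_cronjob_t for all system cron jobs, and the only rationale is the commit message's "utilities that set buffers"; add an inline comment naming the utility, and check whether it still works with the capability denied, in which case a dontaudit rule would be the narrower fix.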
@@ -461,10 +469,11 @@ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file })
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
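Review bot: the unchanged filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) line still omits dir, so a directory created inside a crond_tmp_t directory would keep the parent's type, which the new manage_dirs_pattern does not allow system_cronjob_t to create; add dir there to match the updated files_tmp_filetrans(..., { file dir }).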
@@ -475,7 +484,7 @@ allow system_cronjob_t crond_t:process sigchld;
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-allow system_cronjob_t crond_tmp_t:file { read write };
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
@@ -560,10 +569,15 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
+ acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
apache_exec_modules(system_cronjob_t)
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_delete_lib_files(system_cronjob_t)
')
optional_policy(`
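Review bot: apache_delete_lib_files is appended after apache_read_sys_content, out of the alphabetical order the other apache_ calls in this block follow; move it above apache_exec_modules. Neither it nor acct_manage_data is mentioned in the commit message, so a comment saying which cron job deletes Apache lib files would help.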
@@ -607,6 +621,7 @@ optional_policy(`
optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
+ mrtg_read_config(system_cronjob_t)
')
optional_policy(`
@@ -649,6 +664,8 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+
kernel_read_system_state(cronjob_t)
kernel_read_kernel_sysctls(cronjob_t)
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
index 0a71bd89..b25b0894 100644
--- a/policy/modules/contrib/mrtg.if
+++ b/policy/modules/contrib/mrtg.if
@@ -2,6 +2,24 @@
########################################
## <summary>
+## Read mrtg configuration
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mrtg_read_config',`
+ gen_require(`
+ type mrtg_etc_t;
+ ')
+
+ allow $1 mrtg_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Create and append mrtg log files.
## </summary>
## <param name="domain">
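Review bot: mrtg_read_config only allows mrtg_etc_t:file read_file_perms, with no files_search_etc($1) and no directory rule, so a caller that cannot already traverse to the configuration (in particular if it lives in a directory labelled mrtg_etc_t) still cannot reach the file; compare apt_manage_cache in this same patch, which starts with files_search_var($1). The summary "Read mrtg configuration" is also missing the full stop that the neighbouring summary has.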
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 5126d9d5..96d48f37 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.11.0)
+policy_module(mrtg, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index 2fce98b0..11c7041a 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.15.0)
+policy_module(rsync, 1.15.1)
########################################
#
@@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
fs_getattr_all_fs(rsync_t)
fs_search_auto_mountpoints(rsync_t)
+files_getattr_all_pipes(rsync_t)
+files_getattr_all_sockets(rsync_t)
files_search_home(rsync_t)
auth_can_read_shadow_passwords(rsync_t)
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC
To: gentoo-commits
commit: 5c0380690178b590981b61a84253b8ca67452d65
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Apr 29 15:13:24 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c038069
apt/dpkg strict patches from Russell Coker.
The following are needed for correct operation of apt and dpkg on a "strict"
configuration.
policy/modules/contrib/apt.te | 6 ++++--
policy/modules/contrib/dpkg.if | 20 ++++++++++++++++++++
policy/modules/contrib/dpkg.te | 5 ++++-
policy/modules/contrib/mta.te | 7 ++++++-
4 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index dc6f09b1..63b93257 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.2)
+policy_module(apt, 1.10.3)
########################################
#
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
# Local policy
#
-allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
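Review bot: kill, setgid and setuid are added to apt_t with no comment, and the commit message only says they are needed on a "strict" configuration; document next to the rule which apt operation needs each capability so a later reviewer can tell whether they are still required.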
@@ -69,12 +69,14 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
allow apt_t apt_var_log_t:file manage_file_perms;
+allow apt_t apt_var_log_t:dir manage_dir_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
can_exec(apt_t, apt_exec_t)
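Review bot: apt_t gets manage_dir_perms on apt_var_log_t directories, but the unchanged logging_log_filetrans(apt_t, apt_var_log_t, file) line still transitions files only; if apt creates its own log directory rather than finding one already labelled, add dir to that transition. The new rule could also be written as manage_dirs_pattern(apt_t, apt_var_log_t, apt_var_log_t) to match the apt_var_cache_t line added a few lines above.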
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
index 081134f2..c753ad62 100644
--- a/policy/modules/contrib/dpkg.if
+++ b/policy/modules/contrib/dpkg.if
@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`
########################################
## <summary>
+## Inherit and use file descriptors
+## from dpkg scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_inherited_pipes',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Read dpkg package database content.
## </summary>
## <param name="domain">
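Review bot: the summary "Inherit and use file descriptors from dpkg scripts." describes only the fd use rule, while the interface name and the second rule are about reading and writing inherited pipes; reword it to something like "Read and write inherited dpkg script pipes." so it is distinguishable from dpkg_use_script_fds just above. The fifo_file rule also takes the file-class set rw_inherited_file_perms where a fifo_file permission set would match the object class, and none of the visible hunks in this patch calls the new interface.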
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index a91e4896..e781815d 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.6)
+policy_module(dpkg, 1.11.7)
########################################
#
@@ -42,6 +42,8 @@ role dpkg_roles types dpkg_script_t;
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)
+# out of order to work around compiler issue
+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)
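Review bot: the comment "out of order to work around compiler issue" does not say which issue or which tool version, so nobody can tell later when domain_entry_file(dpkg_script_t, dpkg_script_tmp_t) can move back to its normal place; name the error or reference the report in the comment.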
@@ -69,6 +71,7 @@ allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
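Review bot: with spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t), anything dpkg_t executes from a dpkg_script_tmp_t file runs in dpkg_script_t, so the set of domains that can write dpkg_script_tmp_t now decides what code enters that domain; the commit message should state which step of a package run places scripts in that type, and the writers of the type are worth checking before merging.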
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 2baa07c9..caa21fb9 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.5)
+policy_module(mta, 2.8.6)
########################################
#
@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
userdom_use_user_terminals(system_mail_t)
optional_policy(`
+ apt_use_fds(system_mail_t)
+ apt_use_ptys(system_mail_t)
+')
+
+optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
apache_dontaudit_append_log(system_mail_t)
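Review bot: the new apt optional_policy block is inserted ahead of the apache one, although apache sorts before apt; move it below the apache block to keep the optional blocks in alphabetical order. A short comment on why system_mail_t needs apt's file descriptors and ptys would also help, since the commit message does not mention mail.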
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC
To: gentoo-commits
commit: 7bb79960bdc89e57c7f681c63692c5341c1911e3
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:17:13 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7bb79960
evolution: minor fixes and updates
Minor fixes and updates for the evolution module.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index bf456df4..c30623de 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -111,7 +111,7 @@ userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)
#
allow evolution_t self:capability { setgid setuid sys_nice };
-allow evolution_t self:process { execmem getsched setsched signal };
+allow evolution_t self:process { execmem getsched setsched signal signull };
allow evolution_t self:fifo_file rw_file_perms;
allow evolution_t evolution_home_t:dir manage_dir_perms;
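Review bot: signull is added to evolution_t's self:process set with only "minor fixes and updates" as justification; quote the AVC denial in the commit message, as the consolekit commit in this thread does, so the need can be verified.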
@@ -320,6 +320,7 @@ dev_read_urand(evolution_alarm_t)
files_read_usr_files(evolution_alarm_t)
+fs_dontaudit_getattr_xattr_fs(evolution_alarm_t)
fs_search_auto_mountpoints(evolution_alarm_t)
auth_use_nsswitch(evolution_alarm_t)
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC
To: gentoo-commits
commit: 6bc27759a132a8acc69946da46bb4aefce6bbaeb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 03:11:50 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6bc27759
consolekit: allow run fifo_files
audit: type=1400 audit(1494126304.815:19): avc: denied { create } for pid=5335 comm="console-kit-dae" name="inhibit.IWBEZY.pipe" scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:consolekit_var_run_t:s0 tclass=fifo_file permissive=0
policy/modules/contrib/consolekit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 06451dff..19d4d1b4 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -40,6 +40,7 @@ logging_log_filetrans(consolekit_t, consolekit_log_t, file)
manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })
kernel_read_system_state(consolekit_t)
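Review bot: the unchanged files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file }) line does not include fifo_file, so the new manage_fifo_files_pattern only helps for pipes created inside a directory that is already consolekit_var_run_t, which matches the quoted denial (tcontext consolekit_var_run_t for inhibit.IWBEZY.pipe); say so in a comment, or add fifo_file to the transition if a pipe can ever be created directly in the pid directory.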
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC
To: gentoo-commits
commit: 17df41e7dfd69017344a22a0033cc2c75da1b9bf
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Apr 15 18:52:04 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 16:02:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17df41e7
Support systems with a single /usr/bin directory
Create /usr/bin/... file context definitions for all /usr/sbin/... ones.
This implements https://github.com/TresysTechnology/refpolicy/pull/116
for contrib modules.
policy/modules/contrib/abrt.fc | 3 +++
policy/modules/contrib/acct.fc | 2 ++
policy/modules/contrib/acpi.fc | 3 +++
policy/modules/contrib/afs.fc | 3 +++
policy/modules/contrib/aiccu.fc | 2 ++
policy/modules/contrib/aisexec.fc | 2 ++
policy/modules/contrib/alsa.fc | 2 ++
policy/modules/contrib/amanda.fc | 3 +++
policy/modules/contrib/amavis.fc | 2 ++
policy/modules/contrib/apache.fc | 12 ++++++++++++
policy/modules/contrib/apcupsd.fc | 2 ++
policy/modules/contrib/arpwatch.fc | 2 ++
policy/modules/contrib/asterisk.fc | 2 ++
policy/modules/contrib/automount.fc | 2 ++
policy/modules/contrib/avahi.fc | 4 ++++
policy/modules/contrib/bacula.fc | 4 ++++
policy/modules/contrib/bcfg2.fc | 2 ++
policy/modules/contrib/bind.fc | 6 ++++++
policy/modules/contrib/bird.fc | 2 ++
policy/modules/contrib/bitlbee.fc | 1 +
policy/modules/contrib/bluetooth.fc | 5 +++++
policy/modules/contrib/brctl.fc | 2 ++
policy/modules/contrib/cachefilesd.fc | 2 ++
policy/modules/contrib/callweaver.fc | 2 ++
policy/modules/contrib/canna.fc | 4 +++-
policy/modules/contrib/ccs.fc | 2 ++
policy/modules/contrib/certmonger.fc | 2 ++
policy/modules/contrib/cfengine.fc | 4 ++++
policy/modules/contrib/cgroup.fc | 4 ++++
policy/modules/contrib/chronyd.fc | 3 ++-
policy/modules/contrib/cipe.fc | 2 ++
policy/modules/contrib/clamav.fc | 2 ++
policy/modules/contrib/clogd.fc | 2 ++
policy/modules/contrib/cmirrord.fc | 2 ++
policy/modules/contrib/collectd.fc | 2 ++
policy/modules/contrib/comsat.fc | 2 ++
policy/modules/contrib/condor.fc | 8 ++++++++
policy/modules/contrib/consolekit.fc | 2 ++
policy/modules/contrib/corosync.fc | 3 +++
policy/modules/contrib/courier.fc | 9 ++++++++-
policy/modules/contrib/cpucontrol.fc | 5 +++++
policy/modules/contrib/cron.fc | 7 ++++++-
policy/modules/contrib/ctdb.fc | 2 ++
policy/modules/contrib/cups.fc | 9 +++++++++
policy/modules/contrib/dante.fc | 3 +++
policy/modules/contrib/dbskk.fc | 2 ++
policy/modules/contrib/dcc.fc | 6 +++++-
policy/modules/contrib/ddclient.fc | 3 +++
policy/modules/contrib/ddcprobe.fc | 2 ++
policy/modules/contrib/dhcp.fc | 2 ++
policy/modules/contrib/dictd.fc | 2 ++
policy/modules/contrib/dkim.fc | 3 +++
policy/modules/contrib/dmidecode.fc | 5 +++++
policy/modules/contrib/dnsmasq.fc | 2 ++
policy/modules/contrib/dnssectrigger.fc | 2 ++
policy/modules/contrib/dovecot.fc | 2 ++
policy/modules/contrib/dphysswapfile.fc | 2 ++
policy/modules/contrib/dpkg.fc | 2 ++
policy/modules/contrib/drbd.fc | 3 +++
policy/modules/contrib/entropyd.fc | 3 +++
policy/modules/contrib/exim.fc | 3 +++
policy/modules/contrib/fakehwclock.fc | 2 ++
policy/modules/contrib/fcoe.fc | 2 ++
policy/modules/contrib/finger.fc | 3 +++
policy/modules/contrib/firewalld.fc | 2 ++
policy/modules/contrib/firstboot.fc | 2 ++
policy/modules/contrib/ftp.fc | 5 +++++
policy/modules/contrib/gatekeeper.fc | 3 +++
policy/modules/contrib/glusterfs.fc | 3 +++
policy/modules/contrib/gpm.fc | 2 ++
policy/modules/contrib/gpsd.fc | 2 ++
policy/modules/contrib/hal.fc | 2 ++
policy/modules/contrib/hddtemp.fc | 2 ++
policy/modules/contrib/hwloc.fc | 4 +++-
policy/modules/contrib/hypervkvp.fc | 2 ++
policy/modules/contrib/i18n_input.fc | 2 ++
policy/modules/contrib/ifplugd.fc | 2 ++
policy/modules/contrib/inetd.fc | 6 ++++++
policy/modules/contrib/inn.fc | 10 ++++++----
policy/modules/contrib/iodine.fc | 2 ++
policy/modules/contrib/ircd.fc | 2 ++
policy/modules/contrib/irqbalance.fc | 2 ++
policy/modules/contrib/iscsi.fc | 4 ++++
policy/modules/contrib/isns.fc | 2 ++
policy/modules/contrib/jabber.fc | 11 +++++++----
policy/modules/contrib/kdump.fc | 2 ++
policy/modules/contrib/kerberos.fc | 3 +++
policy/modules/contrib/kerneloops.fc | 2 ++
policy/modules/contrib/ksmtuned.fc | 2 ++
policy/modules/contrib/ktalk.fc | 4 +++-
policy/modules/contrib/kudzu.fc | 5 ++++-
policy/modules/contrib/l2tp.fc | 2 ++
policy/modules/contrib/ldap.fc | 2 ++
policy/modules/contrib/likewise.fc | 9 +++++++++
policy/modules/contrib/lircd.fc | 2 ++
policy/modules/contrib/lldpad.fc | 2 ++
policy/modules/contrib/lockdev.fc | 2 ++
policy/modules/contrib/logrotate.fc | 2 ++
policy/modules/contrib/logwatch.fc | 4 ++++
policy/modules/contrib/lpd.fc | 19 +++++++++++++------
policy/modules/contrib/mailscanner.fc | 2 ++
policy/modules/contrib/mcelog.fc | 2 ++
policy/modules/contrib/milter.fc | 5 +++++
policy/modules/contrib/minidlna.fc | 2 ++
policy/modules/contrib/minissdpd.fc | 2 ++
policy/modules/contrib/modemmanager.fc | 3 +++
policy/modules/contrib/mon.fc | 2 ++
policy/modules/contrib/monop.fc | 2 ++
policy/modules/contrib/mta.fc | 4 ++++
policy/modules/contrib/mysql.fc | 3 +++
policy/modules/contrib/nessus.fc | 2 ++
policy/modules/contrib/networkmanager.fc | 9 ++++++---
policy/modules/contrib/nis.fc | 5 +++++
policy/modules/contrib/nscd.fc | 2 ++
policy/modules/contrib/nsd.fc | 5 +++++
policy/modules/contrib/nslcd.fc | 2 ++
policy/modules/contrib/ntop.fc | 2 ++
policy/modules/contrib/ntp.fc | 4 ++++
policy/modules/contrib/nut.fc | 4 ++++
policy/modules/contrib/oav.fc | 3 +++
policy/modules/contrib/oddjob.fc | 3 +++
policy/modules/contrib/oident.fc | 2 ++
policy/modules/contrib/openct.fc | 3 +++
policy/modules/contrib/openhpi.fc | 2 ++
policy/modules/contrib/openvpn.fc | 2 ++
policy/modules/contrib/pacemaker.fc | 2 ++
policy/modules/contrib/pcmcia.fc | 3 +++
policy/modules/contrib/pcscd.fc | 2 ++
policy/modules/contrib/pegasus.fc | 3 +++
policy/modules/contrib/perdition.fc | 2 ++
policy/modules/contrib/pingd.fc | 2 ++
policy/modules/contrib/pkcs.fc | 2 ++
policy/modules/contrib/plymouthd.fc | 1 +
policy/modules/contrib/portmap.fc | 4 ++++
policy/modules/contrib/portreserve.fc | 2 ++
policy/modules/contrib/portslave.fc | 3 +++
policy/modules/contrib/postfix.fc | 11 +++++++++++
policy/modules/contrib/postfixpolicyd.fc | 2 ++
policy/modules/contrib/postgrey.fc | 2 ++
policy/modules/contrib/ppp.fc | 6 ++++++
policy/modules/contrib/prelink.fc | 2 ++
policy/modules/contrib/prelude.fc | 3 ++-
policy/modules/contrib/privoxy.fc | 2 ++
policy/modules/contrib/psad.fc | 2 ++
policy/modules/contrib/pxe.fc | 2 ++
policy/modules/contrib/qmail.fc | 12 ++++++++++++
policy/modules/contrib/qpid.fc | 2 ++
policy/modules/contrib/quota.fc | 4 ++++
policy/modules/contrib/radius.fc | 3 +++
policy/modules/contrib/radvd.fc | 2 ++
policy/modules/contrib/raid.fc | 8 ++++++++
policy/modules/contrib/rdisc.fc | 2 ++
policy/modules/contrib/readahead.fc | 2 ++
policy/modules/contrib/redis.fc | 2 ++
policy/modules/contrib/resmgr.fc | 2 ++
policy/modules/contrib/rgmanager.fc | 5 ++++-
policy/modules/contrib/rhcs.fc | 9 +++++++++
policy/modules/contrib/ricci.fc | 3 +++
policy/modules/contrib/rlogin.fc | 2 ++
policy/modules/contrib/rngd.fc | 2 ++
policy/modules/contrib/rpc.fc | 9 +++++++++
policy/modules/contrib/rpcbind.fc | 2 ++
policy/modules/contrib/rpm.fc | 10 ++++++++++
policy/modules/contrib/rshd.fc | 3 +++
policy/modules/contrib/rwho.fc | 2 ++
policy/modules/contrib/samba.fc | 4 ++++
policy/modules/contrib/samhain.fc | 3 +++
policy/modules/contrib/sanlock.fc | 2 ++
policy/modules/contrib/sasl.fc | 2 ++
policy/modules/contrib/sblim.fc | 3 +++
policy/modules/contrib/sensord.fc | 2 ++
policy/modules/contrib/setroubleshoot.fc | 2 ++
policy/modules/contrib/shibboleth.fc | 2 ++
policy/modules/contrib/shorewall.fc | 3 +++
policy/modules/contrib/shutdown.fc | 2 ++
policy/modules/contrib/slpd.fc | 2 ++
policy/modules/contrib/smartmon.fc | 2 ++
policy/modules/contrib/smokeping.fc | 2 ++
policy/modules/contrib/smstools.fc | 2 ++
policy/modules/contrib/snmp.fc | 4 ++++
policy/modules/contrib/snort.fc | 5 +++--
policy/modules/contrib/sosreport.fc | 2 ++
policy/modules/contrib/soundserver.fc | 1 +
policy/modules/contrib/spamassassin.fc | 5 +++--
policy/modules/contrib/speedtouch.fc | 2 ++
policy/modules/contrib/squid.fc | 2 ++
policy/modules/contrib/sssd.fc | 2 ++
policy/modules/contrib/sxid.fc | 1 +
policy/modules/contrib/tboot.fc | 2 ++
policy/modules/contrib/tcpd.fc | 2 ++
policy/modules/contrib/tcsd.fc | 2 ++
policy/modules/contrib/telnet.fc | 2 ++
policy/modules/contrib/tftp.fc | 2 ++
policy/modules/contrib/tgtd.fc | 2 ++
policy/modules/contrib/tmpreaper.fc | 3 +++
policy/modules/contrib/transproxy.fc | 2 ++
policy/modules/contrib/tripwire.fc | 5 +++++
policy/modules/contrib/tuned.fc | 2 ++
policy/modules/contrib/tzdata.fc | 2 ++
policy/modules/contrib/ulogd.fc | 2 ++
policy/modules/contrib/updfstab.fc | 3 +++
policy/modules/contrib/uptime.fc | 2 ++
policy/modules/contrib/usbmodules.fc | 2 ++
policy/modules/contrib/usbmuxd.fc | 2 ++
policy/modules/contrib/userhelper.fc | 1 +
policy/modules/contrib/usernetctl.fc | 2 ++
policy/modules/contrib/uucp.fc | 1 +
policy/modules/contrib/uuidd.fc | 2 ++
policy/modules/contrib/varnishd.fc | 1 +
policy/modules/contrib/vbetool.fc | 2 ++
policy/modules/contrib/vdagent.fc | 2 ++
policy/modules/contrib/vhostmd.fc | 2 ++
policy/modules/contrib/virt.fc | 7 ++++++-
policy/modules/contrib/vlock.fc | 3 ++-
policy/modules/contrib/vmware.fc | 2 ++
policy/modules/contrib/vnstatd.fc | 1 +
policy/modules/contrib/vpn.fc | 1 +
policy/modules/contrib/watchdog.fc | 2 ++
policy/modules/contrib/wdmd.fc | 2 ++
policy/modules/contrib/xen.fc | 9 +++++++++
policy/modules/contrib/zabbix.fc | 7 +++++--
policy/modules/contrib/zebra.fc | 5 +++++
policy/modules/contrib/zosremote.fc | 2 ++
223 files changed, 670 insertions(+), 35 deletions(-)
diff --git a/policy/modules/contrib/abrt.fc b/policy/modules/contrib/abrt.fc
index d1b1f4e8..d05819be 100644
--- a/policy/modules/contrib/abrt.fc
+++ b/policy/modules/contrib/abrt.fc
@@ -1,8 +1,11 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/usr/bin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/bin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
diff --git a/policy/modules/contrib/acct.fc b/policy/modules/contrib/acct.fc
index 204e5375..5a772ec6 100644
--- a/policy/modules/contrib/acct.fc
+++ b/policy/modules/contrib/acct.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/psacct -- gen_context(system_u:object_r:acct_initrc_exec_t,s0)
+/usr/bin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+
/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
diff --git a/policy/modules/contrib/acpi.fc b/policy/modules/contrib/acpi.fc
index bfbe255b..ffd4ea00 100644
--- a/policy/modules/contrib/acpi.fc
+++ b/policy/modules/contrib/acpi.fc
@@ -1,6 +1,9 @@
/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
+/usr/bin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
+/usr/bin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/bin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
diff --git a/policy/modules/contrib/afs.fc b/policy/modules/contrib/afs.fc
index c40fe9ae..9307074e 100644
--- a/policy/modules/contrib/afs.fc
+++ b/policy/modules/contrib/afs.fc
@@ -27,6 +27,9 @@
/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0)
+/usr/bin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+/usr/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+
/usr/libexec/openafs/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
diff --git a/policy/modules/contrib/aiccu.fc b/policy/modules/contrib/aiccu.fc
index 86e436cb..5fc50bec 100644
--- a/policy/modules/contrib/aiccu.fc
+++ b/policy/modules/contrib/aiccu.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+/usr/bin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --git a/policy/modules/contrib/aisexec.fc b/policy/modules/contrib/aisexec.fc
index f9c20c63..578f2d33 100644
--- a/policy/modules/contrib/aisexec.fc
+++ b/policy/modules/contrib/aisexec.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
+/usr/bin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
+
/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 0f9e5196..75ea9ebf 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -6,7 +6,9 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
diff --git a/policy/modules/contrib/amanda.fc b/policy/modules/contrib/amanda.fc
index 7f4dfbca..0d90d71e 100644
--- a/policy/modules/contrib/amanda.fc
+++ b/policy/modules/contrib/amanda.fc
@@ -7,6 +7,9 @@
/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+/usr/bin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/bin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
/usr/lib/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
/usr/lib/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
diff --git a/policy/modules/contrib/amavis.fc b/policy/modules/contrib/amavis.fc
index 7b8beae4..da86959b 100644
--- a/policy/modules/contrib/amavis.fc
+++ b/policy/modules/contrib/amavis.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+/usr/bin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
+
/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 591c8ad2..f55535e7 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -37,9 +37,21 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/bin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/bin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
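Review bot: `/usr/bin/apache(2)?ctl` and `/usr/bin/cgi-wrapper` receive httpd_exec_t, the same entrypoint type as the daemon binaries, so a domain that transitions on httpd_exec_t will run the control script and the wrapper in the web server's domain. If this simply mirrors the existing /usr/sbin labels, say so in the commit message; otherwise consider a dedicated type, as this hunk already does for `rotatelogs` (httpd_rotatelogs_exec_t) and `suexec` (httpd_suexec_exec_t).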
diff --git a/policy/modules/contrib/apcupsd.fc b/policy/modules/contrib/apcupsd.fc
index c9a7900c..43666b34 100644
--- a/policy/modules/contrib/apcupsd.fc
+++ b/policy/modules/contrib/apcupsd.fc
@@ -2,6 +2,8 @@
/usr/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_t,s0)
+/usr/bin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
diff --git a/policy/modules/contrib/arpwatch.fc b/policy/modules/contrib/arpwatch.fc
index 5e0e6862..b439c10c 100644
--- a/policy/modules/contrib/arpwatch.fc
+++ b/policy/modules/contrib/arpwatch.fc
@@ -2,6 +2,8 @@
/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/policy/modules/contrib/asterisk.fc b/policy/modules/contrib/asterisk.fc
index 0aaa615a..337bf601 100644
--- a/policy/modules/contrib/asterisk.fc
+++ b/policy/modules/contrib/asterisk.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
+/usr/bin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
+
/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0)
diff --git a/policy/modules/contrib/automount.fc b/policy/modules/contrib/automount.fc
index 8bd48bc4..dadd3a9f 100644
--- a/policy/modules/contrib/automount.fc
+++ b/policy/modules/contrib/automount.fc
@@ -3,6 +3,8 @@
/usr/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_t,s0)
+/usr/bin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
+
/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/policy/modules/contrib/avahi.fc b/policy/modules/contrib/avahi.fc
index 80248b62..2f72be4a 100644
--- a/policy/modules/contrib/avahi.fc
+++ b/policy/modules/contrib/avahi.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+/usr/bin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/bin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/bin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+
/usr/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_t,s0)
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/policy/modules/contrib/bacula.fc b/policy/modules/contrib/bacula.fc
index 3550dcc4..27c021c3 100644
--- a/policy/modules/contrib/bacula.fc
+++ b/policy/modules/contrib/bacula.fc
@@ -4,6 +4,10 @@
/etc/rc\.d/init\.d/bacula.* -- gen_context(system_u:object_r:bacula_initrc_exec_t,s0)
+/usr/bin/bacula.* -- gen_context(system_u:object_r:bacula_exec_t,s0)
+/usr/bin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/usr/bin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
/usr/sbin/bacula.* -- gen_context(system_u:object_r:bacula_exec_t,s0)
/usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
/usr/sbin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
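Review bot: `/usr/bin/bat` is a very short name to claim in a shared directory. Under /usr/sbin a collision was unlikely, but in /usr/bin any other package that installs an executable called `bat` would be labeled bacula_admin_exec_t by this entry. Confirm that Bacula's admin tool is the only `bat` expected there, or record the assumption in a comment above the line.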
diff --git a/policy/modules/contrib/bcfg2.fc b/policy/modules/contrib/bcfg2.fc
index 10f28688..feb5d9d9 100644
--- a/policy/modules/contrib/bcfg2.fc
+++ b/policy/modules/contrib/bcfg2.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+/usr/bin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
+
/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
index de596aed..b4879dc1 100644
--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -14,6 +14,12 @@
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/usr/bin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/bin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/bin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/bin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+
/usr/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
/usr/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
diff --git a/policy/modules/contrib/bird.fc b/policy/modules/contrib/bird.fc
index d4524d56..d415fdf3 100644
--- a/policy/modules/contrib/bird.fc
+++ b/policy/modules/contrib/bird.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0)
+/usr/bin/bird -- gen_context(system_u:object_r:bird_exec_t,s0)
+
/usr/sbin/bird -- gen_context(system_u:object_r:bird_exec_t,s0)
/var/log/bird\.log.* -- gen_context(system_u:object_r:bird_log_t,s0)
diff --git a/policy/modules/contrib/bitlbee.fc b/policy/modules/contrib/bitlbee.fc
index a6c071f8..e7b0aa60 100644
--- a/policy/modules/contrib/bitlbee.fc
+++ b/policy/modules/contrib/bitlbee.fc
@@ -3,6 +3,7 @@
/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/usr/bin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
index 495fb7c0..4fbe7955 100644
--- a/policy/modules/contrib/bluetooth.fc
+++ b/policy/modules/contrib/bluetooth.fc
@@ -6,9 +6,14 @@
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+/usr/bin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
# Systemd unit file
/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0)
diff --git a/policy/modules/contrib/brctl.fc b/policy/modules/contrib/brctl.fc
index 32f8ee97..ed472f09 100644
--- a/policy/modules/contrib/brctl.fc
+++ b/policy/modules/contrib/brctl.fc
@@ -1 +1,3 @@
+/usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
+
/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
diff --git a/policy/modules/contrib/cachefilesd.fc b/policy/modules/contrib/cachefilesd.fc
index 1ddbe60d..f58be76b 100644
--- a/policy/modules/contrib/cachefilesd.fc
+++ b/policy/modules/contrib/cachefilesd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+/usr/bin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+
/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
diff --git a/policy/modules/contrib/callweaver.fc b/policy/modules/contrib/callweaver.fc
index 4a86bec5..3cdd635b 100644
--- a/policy/modules/contrib/callweaver.fc
+++ b/policy/modules/contrib/callweaver.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
+/usr/bin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
+
/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0)
diff --git a/policy/modules/contrib/canna.fc b/policy/modules/contrib/canna.fc
index df523340..7688d0ec 100644
--- a/policy/modules/contrib/canna.fc
+++ b/policy/modules/contrib/canna.fc
@@ -1,7 +1,9 @@
/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0)
/usr/bin/cannaping -- gen_context(system_u:object_r:canna_exec_t,s0)
-/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0)
/usr/sbin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0)
/usr/sbin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0)
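Review bot: the `/usr/bin/catdic` line is removed and re-added with the same path and context, so that part of the hunk is a whitespace-only realignment mixed into a functional change. Mention it in the commit message or split it out, so the two real additions (`cannaserver`, `jserver`) stand out in review.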
diff --git a/policy/modules/contrib/ccs.fc b/policy/modules/contrib/ccs.fc
index 4bf5e8f3..f428bee0 100644
--- a/policy/modules/contrib/ccs.fc
+++ b/policy/modules/contrib/ccs.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/((ccs)|(ccsd)) -- gen_context(system_u:object_r:ccs_initrc_exec_t,s0)
+/usr/bin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+
/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
/var/lib/cluster/((ccs)|(ccsd)).* gen_context(system_u:object_r:ccs_var_lib_t,s0)
diff --git a/policy/modules/contrib/certmonger.fc b/policy/modules/contrib/certmonger.fc
index d3e1d6cf..7d357324 100644
--- a/policy/modules/contrib/certmonger.fc
+++ b/policy/modules/contrib/certmonger.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+/usr/bin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+
/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
diff --git a/policy/modules/contrib/cfengine.fc b/policy/modules/contrib/cfengine.fc
index 5b605d6b..807467cb 100644
--- a/policy/modules/contrib/cfengine.fc
+++ b/policy/modules/contrib/cfengine.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/((cf-serverd)|(cf-monitord)|(cf-execd)) -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
+/usr/bin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
+/usr/bin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
+/usr/bin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
+
/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
diff --git a/policy/modules/contrib/cgroup.fc b/policy/modules/contrib/cgroup.fc
index cfe6b48c..f631358e 100644
--- a/policy/modules/contrib/cgroup.fc
+++ b/policy/modules/contrib/cgroup.fc
@@ -7,6 +7,10 @@
/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+/usr/bin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
+/usr/bin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+/usr/bin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index d3069a0a..66f001b8 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -2,11 +2,12 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/usr/bin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
# Systend unit files
/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
-
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
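Review bot: the blank line before `/usr/sbin/chronyd` is deleted, so the /usr/sbin entry now runs straight on from the systemd unit block under the "# Systend unit files" comment, while the new `/usr/bin/chronyd` entry gets its own separator. Keep the blank line, and since the hunk touches this block anyway, fix the "Systend" typo in that comment.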
diff --git a/policy/modules/contrib/cipe.fc b/policy/modules/contrib/cipe.fc
index c7535226..2cfb0ae9 100644
--- a/policy/modules/contrib/cipe.fc
+++ b/policy/modules/contrib/cipe.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/ciped.* -- gen_context(system_u:object_r:ciped_initrc_exec_t,s0)
+/usr/bin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
+
/usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
diff --git a/policy/modules/contrib/clamav.fc b/policy/modules/contrib/clamav.fc
index ccca6aaa..70fb22e6 100644
--- a/policy/modules/contrib/clamav.fc
+++ b/policy/modules/contrib/clamav.fc
@@ -2,7 +2,9 @@
/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+/usr/bin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
diff --git a/policy/modules/contrib/clogd.fc b/policy/modules/contrib/clogd.fc
index ba3bca7f..6c5de73b 100644
--- a/policy/modules/contrib/clogd.fc
+++ b/policy/modules/contrib/clogd.fc
@@ -1,3 +1,5 @@
+/usr/bin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
diff --git a/policy/modules/contrib/cmirrord.fc b/policy/modules/contrib/cmirrord.fc
index 9a26f5e1..c948aacf 100644
--- a/policy/modules/contrib/cmirrord.fc
+++ b/policy/modules/contrib/cmirrord.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
+/usr/bin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/contrib/collectd.fc b/policy/modules/contrib/collectd.fc
index 9ac08967..4e9b367e 100644
--- a/policy/modules/contrib/collectd.fc
+++ b/policy/modules/contrib/collectd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+/usr/bin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
+
/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
diff --git a/policy/modules/contrib/comsat.fc b/policy/modules/contrib/comsat.fc
index 90461f93..63e73363 100644
--- a/policy/modules/contrib/comsat.fc
+++ b/policy/modules/contrib/comsat.fc
@@ -1 +1,3 @@
+/usr/bin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0)
+
/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0)
diff --git a/policy/modules/contrib/condor.fc b/policy/modules/contrib/condor.fc
index 19ffde01..eed1e341 100644
--- a/policy/modules/contrib/condor.fc
+++ b/policy/modules/contrib/condor.fc
@@ -2,6 +2,14 @@
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/bin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
+/usr/bin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
+/usr/bin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
+/usr/bin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0)
+/usr/bin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0)
+/usr/bin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+/usr/bin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
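Review bot: `/usr/bin/condor_starter` is mapped to condor_startd_exec_t, the same type as `/usr/bin/condor_startd` on the line above it. If that mirrors the /usr/sbin entry (not visible in this hunk's context) it is fine, but it reads like a copy-and-paste slip; a one-line comment stating that the starter intentionally shares the startd entrypoint type would settle it.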
diff --git a/policy/modules/contrib/consolekit.fc b/policy/modules/contrib/consolekit.fc
index e3827ccd..8b440c56 100644
--- a/policy/modules/contrib/consolekit.fc
+++ b/policy/modules/contrib/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/bin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
/usr/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_t,s0)
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
diff --git a/policy/modules/contrib/corosync.fc b/policy/modules/contrib/corosync.fc
index e00b036b..3671df61 100644
--- a/policy/modules/contrib/corosync.fc
+++ b/policy/modules/contrib/corosync.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+/usr/bin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/bin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc
index 3db41fbc..c28b2209 100644
--- a/policy/modules/contrib/courier.fc
+++ b/policy/modules/contrib/courier.fc
@@ -1,7 +1,14 @@
/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
/etc/courier-imap(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/bin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/bin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/bin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/bin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/bin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/bin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+
/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
diff --git a/policy/modules/contrib/cpucontrol.fc b/policy/modules/contrib/cpucontrol.fc
index 06f5d0f9..d01f2350 100644
--- a/policy/modules/contrib/cpucontrol.fc
+++ b/policy/modules/contrib/cpucontrol.fc
@@ -1,5 +1,10 @@
/usr/lib/firmware/microcode.*\.dat -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/usr/bin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/bin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/bin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+/usr/bin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+
/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
/usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index 6d4f5397..e1b3e7b3 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -3,7 +3,12 @@
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-
+/usr/bin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/lib/systemd/system/atd.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0)
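Review bot: the hunk replaces the blank line after `/etc/crontab` with the new entries, so the /etc block and the /usr/bin block are no longer separated, unlike the other files in this commit where the added /usr/bin block is followed by a blank `+` line. Keep the separator and add the new entries below it.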
diff --git a/policy/modules/contrib/ctdb.fc b/policy/modules/contrib/ctdb.fc
index be3db334..98484341 100644
--- a/policy/modules/contrib/ctdb.fc
+++ b/policy/modules/contrib/ctdb.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
+/usr/bin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc
index 72afd973..43c4616a 100644
--- a/policy/modules/contrib/cups.fc
+++ b/policy/modules/contrib/cups.fc
@@ -21,8 +21,17 @@
/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/bin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/bin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/bin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/bin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
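Review bot: `/usr/bin/hp-[^/]+` is a broad pattern for a shared directory: every file in /usr/bin whose name starts with `hp-` becomes hplip_exec_t. Confirm that this is intended for /usr/bin; if only specific HPLIP programs need the type, list them explicitly, as the hunk does for `hpijs` and `hpiod`. The line is also placed ahead of `cups-browsed`, out of order with the rest of the block.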
diff --git a/policy/modules/contrib/dante.fc b/policy/modules/contrib/dante.fc
index 44c83be9..3aea9187 100644
--- a/policy/modules/contrib/dante.fc
+++ b/policy/modules/contrib/dante.fc
@@ -3,6 +3,9 @@
/etc/danted\.conf -- gen_context(system_u:object_r:dante_conf_t,s0)
/etc/socks(/.*)? gen_context(system_u:object_r:dante_conf_t,s0)
+/usr/bin/danted -- gen_context(system_u:object_r:dante_exec_t,s0)
+/usr/bin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
+
/usr/sbin/danted -- gen_context(system_u:object_r:dante_exec_t,s0)
/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
diff --git a/policy/modules/contrib/dbskk.fc b/policy/modules/contrib/dbskk.fc
index 6fb8fead..a3028746 100644
--- a/policy/modules/contrib/dbskk.fc
+++ b/policy/modules/contrib/dbskk.fc
@@ -1 +1,3 @@
+/usr/bin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
+
/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
diff --git a/policy/modules/contrib/dcc.fc b/policy/modules/contrib/dcc.fc
index ccfe6037..bc9189c8 100644
--- a/policy/modules/contrib/dcc.fc
+++ b/policy/modules/contrib/dcc.fc
@@ -2,8 +2,12 @@
/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
-/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/bin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/bin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
+/usr/bin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
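Review bot: `/usr/bin/dbclean` is added after `dccproc`, out of alphabetical order with the rest of the block, and it is a generic name to claim in /usr/bin when the context lines show the tool at `/usr/libexec/dcc/dbclean`. Confirm that a distribution actually installs it in /usr/bin, and drop the entry if not. The `cdcc` line is removed and re-added with the same path and context, so that change is whitespace only.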
diff --git a/policy/modules/contrib/ddclient.fc b/policy/modules/contrib/ddclient.fc
index 81b69d02..64d55e5c 100644
--- a/policy/modules/contrib/ddclient.fc
+++ b/policy/modules/contrib/ddclient.fc
@@ -3,6 +3,9 @@
/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
+/usr/bin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/bin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+
/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
diff --git a/policy/modules/contrib/ddcprobe.fc b/policy/modules/contrib/ddcprobe.fc
index 9f2a27f5..747c416e 100644
--- a/policy/modules/contrib/ddcprobe.fc
+++ b/policy/modules/contrib/ddcprobe.fc
@@ -1 +1,3 @@
+/usr/bin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
+
/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc
index b85ea22a..c4166794 100644
--- a/policy/modules/contrib/dhcp.fc
+++ b/policy/modules/contrib/dhcp.fc
@@ -2,6 +2,8 @@
/usr/lib/systemd/system/dhcpcd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_t,s0)
+/usr/bin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
diff --git a/policy/modules/contrib/dictd.fc b/policy/modules/contrib/dictd.fc
index 5902d746..b2c773b2 100644
--- a/policy/modules/contrib/dictd.fc
+++ b/policy/modules/contrib/dictd.fc
@@ -2,6 +2,8 @@
/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0)
+/usr/bin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
+
/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
diff --git a/policy/modules/contrib/dkim.fc b/policy/modules/contrib/dkim.fc
index aa146efa..832c1585 100644
--- a/policy/modules/contrib/dkim.fc
+++ b/policy/modules/contrib/dkim.fc
@@ -2,6 +2,9 @@
/etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
+/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+
/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
diff --git a/policy/modules/contrib/dmidecode.fc b/policy/modules/contrib/dmidecode.fc
index c394e45d..0ca4c99a 100644
--- a/policy/modules/contrib/dmidecode.fc
+++ b/policy/modules/contrib/dmidecode.fc
@@ -1,3 +1,8 @@
+/usr/bin/biosdecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+
/usr/sbin/biosdecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
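Review bot: /usr/bin/ownership is a very generic name to label dmidecode_exec_t once it lives in the shared /usr/bin namespace. It mirrors the existing /usr/sbin/ownership entry, so the label is consistent, but a comment naming the package that ships it would help the next reader judge whether an unrelated /usr/bin/ownership could end up with this type.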
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
index a7169462..07ffc0d4 100644
--- a/policy/modules/contrib/dnsmasq.fc
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -3,6 +3,8 @@
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+/usr/bin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0)
diff --git a/policy/modules/contrib/dnssectrigger.fc b/policy/modules/contrib/dnssectrigger.fc
index 312949dc..e2ed6e23 100644
--- a/policy/modules/contrib/dnssectrigger.fc
+++ b/policy/modules/contrib/dnssectrigger.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_initrc_exec_t,s0)
+/usr/bin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_exec_t,s0)
+
/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_exec_t,s0)
/var/log/dnssec-trigger\.log.* -- gen_context(system_u:object_r:dnssec_trigger_log_t,s0)
diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
index c2f5734e..1ab9d643 100644
--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -8,6 +8,8 @@
/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
+/usr/bin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+
/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
diff --git a/policy/modules/contrib/dphysswapfile.fc b/policy/modules/contrib/dphysswapfile.fc
index 5c0feb83..70b0ee3a 100644
--- a/policy/modules/contrib/dphysswapfile.fc
+++ b/policy/modules/contrib/dphysswapfile.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
+/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+
/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
diff --git a/policy/modules/contrib/dpkg.fc b/policy/modules/contrib/dpkg.fc
index ad87459f..9ba6e312 100644
--- a/policy/modules/contrib/dpkg.fc
+++ b/policy/modules/contrib/dpkg.fc
@@ -2,6 +2,8 @@
/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/var/lib/debtags(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
diff --git a/policy/modules/contrib/drbd.fc b/policy/modules/contrib/drbd.fc
index d5d54f78..3b7da568 100644
--- a/policy/modules/contrib/drbd.fc
+++ b/policy/modules/contrib/drbd.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/drbd -- gen_context(system_u:object_r:drbd_initrc_exec_t,s0)
+/usr/bin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/bin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
diff --git a/policy/modules/contrib/entropyd.fc b/policy/modules/contrib/entropyd.fc
index 3a0377e9..b7342ef2 100644
--- a/policy/modules/contrib/entropyd.fc
+++ b/policy/modules/contrib/entropyd.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/((audio-entropyd)|(haveged)) -- gen_context(system_u:object_r:entropyd_initrc_exec_t,s0)
+/usr/bin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/bin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
index 842cb34a..bd1f558a 100644
--- a/policy/modules/contrib/exim.fc
+++ b/policy/modules/contrib/exim.fc
@@ -3,6 +3,9 @@
/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_pid_t,s0)
/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_pid_t,s0)
+/usr/bin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/usr/bin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
diff --git a/policy/modules/contrib/fakehwclock.fc b/policy/modules/contrib/fakehwclock.fc
index b0a55f6e..0ab3bd87 100644
--- a/policy/modules/contrib/fakehwclock.fc
+++ b/policy/modules/contrib/fakehwclock.fc
@@ -1,5 +1,7 @@
/etc/fake-hwclock\.data -- gen_context(system_u:object_r:fakehwclock_backup_t,s0)
+/usr/bin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
+
/usr/sbin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
/usr/lib/systemd/system/fake-hwclock\.service -- gen_context(system_u:object_r:fakehwclock_unit_t,s0)
diff --git a/policy/modules/contrib/fcoe.fc b/policy/modules/contrib/fcoe.fc
index 0cf8db8a..cb9552db 100644
--- a/policy/modules/contrib/fcoe.fc
+++ b/policy/modules/contrib/fcoe.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/fcoe -- gen_context(system_u:object_r:fcoemon_initrc_exec_t,s0)
+/usr/bin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
+
/usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0)
diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc
index 422a9492..ce3adb5c 100644
--- a/policy/modules/contrib/finger.fc
+++ b/policy/modules/contrib/finger.fc
@@ -2,6 +2,9 @@
/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/bin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/bin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
/usr/sbin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
diff --git a/policy/modules/contrib/firewalld.fc b/policy/modules/contrib/firewalld.fc
index 0e595c42..19fc9177 100644
--- a/policy/modules/contrib/firewalld.fc
+++ b/policy/modules/contrib/firewalld.fc
@@ -2,6 +2,8 @@
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
+/usr/bin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
/var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
diff --git a/policy/modules/contrib/firstboot.fc b/policy/modules/contrib/firstboot.fc
index 12c782c8..2aafeb25 100644
--- a/policy/modules/contrib/firstboot.fc
+++ b/policy/modules/contrib/firstboot.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
+/usr/bin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+
/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
index 03adaab6..6af8b34f 100644
--- a/policy/modules/contrib/ftp.fc
+++ b/policy/modules/contrib/ftp.fc
@@ -6,6 +6,11 @@
/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0)
+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
diff --git a/policy/modules/contrib/gatekeeper.fc b/policy/modules/contrib/gatekeeper.fc
index 5d37898e..516f65a2 100644
--- a/policy/modules/contrib/gatekeeper.fc
+++ b/policy/modules/contrib/gatekeeper.fc
@@ -2,6 +2,9 @@
/etc/rc\.d/init\.d/gnugk -- gen_context(system_u:object_r:gatekeeper_initrc_exec_t,s0)
+/usr/bin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+/usr/bin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+
/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
diff --git a/policy/modules/contrib/glusterfs.fc b/policy/modules/contrib/glusterfs.fc
index e2d1f847..be43eb4f 100644
--- a/policy/modules/contrib/glusterfs.fc
+++ b/policy/modules/contrib/glusterfs.fc
@@ -3,6 +3,9 @@
/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/usr/bin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/bin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
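Review bot: the new /usr/bin/glusterd entry carries glusterd_initrc_exec_t rather than glusterd_exec_t, copying the /usr/sbin/glusterd line below it. If that label is intentional for the management daemon, a one-line comment would stop it being read as a copy-paste slip next to glusterfsd, which gets glusterd_exec_t; if it is not intentional, both paths should be corrected together.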
diff --git a/policy/modules/contrib/gpm.fc b/policy/modules/contrib/gpm.fc
index aacc7f9f..24531dc0 100644
--- a/policy/modules/contrib/gpm.fc
+++ b/policy/modules/contrib/gpm.fc
@@ -6,6 +6,8 @@
/etc/rc\.d/init\.d/gpm -- gen_context(system_u:object_r:gpm_initrc_exec_t,s0)
+/usr/bin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
+
/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
diff --git a/policy/modules/contrib/gpsd.fc b/policy/modules/contrib/gpsd.fc
index 9909197d..4e62fd9e 100644
--- a/policy/modules/contrib/gpsd.fc
+++ b/policy/modules/contrib/gpsd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+/usr/bin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
+
/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff --git a/policy/modules/contrib/hal.fc b/policy/modules/contrib/hal.fc
index cf311f5a..5ac1f7a7 100644
--- a/policy/modules/contrib/hal.fc
+++ b/policy/modules/contrib/hal.fc
@@ -2,6 +2,8 @@
/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+/usr/bin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
+/usr/bin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0)
diff --git a/policy/modules/contrib/hddtemp.fc b/policy/modules/contrib/hddtemp.fc
index 993b14ac..f1d334eb 100644
--- a/policy/modules/contrib/hddtemp.fc
+++ b/policy/modules/contrib/hddtemp.fc
@@ -2,4 +2,6 @@
/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0)
+/usr/bin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
+
/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
diff --git a/policy/modules/contrib/hwloc.fc b/policy/modules/contrib/hwloc.fc
index ade2ac01..136bb697 100644
--- a/policy/modules/contrib/hwloc.fc
+++ b/policy/modules/contrib/hwloc.fc
@@ -1,5 +1,7 @@
-/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+/usr/bin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
+/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/policy/modules/contrib/hypervkvp.fc b/policy/modules/contrib/hypervkvp.fc
index b46130ef..d1bbb44c 100644
--- a/policy/modules/contrib/hypervkvp.fc
+++ b/policy/modules/contrib/hypervkvp.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
+/usr/bin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+
/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
diff --git a/policy/modules/contrib/i18n_input.fc b/policy/modules/contrib/i18n_input.fc
index 05aa1da3..9dcc65aa 100644
--- a/policy/modules/contrib/i18n_input.fc
+++ b/policy/modules/contrib/i18n_input.fc
@@ -2,6 +2,8 @@
/usr/bin/iiimd -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/iiimd\.bin -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/httx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/htt_xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/iiimx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
diff --git a/policy/modules/contrib/ifplugd.fc b/policy/modules/contrib/ifplugd.fc
index 8c365f5c..2a1e9290 100644
--- a/policy/modules/contrib/ifplugd.fc
+++ b/policy/modules/contrib/ifplugd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
+/usr/bin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
+
/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)
diff --git a/policy/modules/contrib/inetd.fc b/policy/modules/contrib/inetd.fc
index 7973588d..3329de47 100644
--- a/policy/modules/contrib/inetd.fc
+++ b/policy/modules/contrib/inetd.fc
@@ -2,6 +2,12 @@
/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/bin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/bin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
+/usr/bin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/bin/(x)?inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+
/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
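Review bot: /usr/bin/in\..*d matches every in.<name>d under /usr/bin, which overlaps the specific entries this same patch adds elsewhere: /usr/bin/in\.ftpd (ftp.fc), /usr/bin/in\.nnrpd (inn.fc), /usr/bin/in\.talkd and /usr/bin/in\.ntalkd (ktalk.fc) and /usr/bin/in\.(x)?fingerd (finger.fc). The /usr/sbin pattern has the same overlap, so the outcome depends on file-context specificity ordering; after building, check with matchpathcon that those paths resolve to ftpd_exec_t, innd_exec_t, ktalkd_exec_t and fingerd_exec_t rather than inetd_child_exec_t. Because .* also matches "/", writing the pattern with [^/]* would keep it to a single path component.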
diff --git a/policy/modules/contrib/inn.fc b/policy/modules/contrib/inn.fc
index 28a4f604..eb9bda28 100644
--- a/policy/modules/contrib/inn.fc
+++ b/policy/modules/contrib/inn.fc
@@ -3,10 +3,12 @@
/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
-/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0)
/usr/sbin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
/usr/sbin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0)
diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc
index 53b6a139..7ae0c069 100644
--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -2,4 +2,6 @@
/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
+/usr/bin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+
/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/policy/modules/contrib/ircd.fc b/policy/modules/contrib/ircd.fc
index 07decaa2..f1944c75 100644
--- a/policy/modules/contrib/ircd.fc
+++ b/policy/modules/contrib/ircd.fc
@@ -5,7 +5,9 @@
/etc/rc\.d/init\.d/((ircd)|(ngircd)|(dancer-ircd)) -- gen_context(system_u:object_r:ircd_initrc_exec_t,s0)
+/usr/bin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/bin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+/usr/bin/ngircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/sbin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/sbin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
diff --git a/policy/modules/contrib/irqbalance.fc b/policy/modules/contrib/irqbalance.fc
index 77530088..a9fb4296 100644
--- a/policy/modules/contrib/irqbalance.fc
+++ b/policy/modules/contrib/irqbalance.fc
@@ -4,4 +4,6 @@
/run/irqbalance\.pid -- gen_context(system_u:object_r:irqbalance_pid_t,s0)
+/usr/bin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
+
/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
diff --git a/policy/modules/contrib/iscsi.fc b/policy/modules/contrib/iscsi.fc
index 29c1e5cd..9503952e 100644
--- a/policy/modules/contrib/iscsi.fc
+++ b/policy/modules/contrib/iscsi.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
+/usr/bin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/bin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/bin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
diff --git a/policy/modules/contrib/isns.fc b/policy/modules/contrib/isns.fc
index f00d23d1..488e9a0c 100644
--- a/policy/modules/contrib/isns.fc
+++ b/policy/modules/contrib/isns.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/isnsd -- gen_context(system_u:object_r:isnsd_initrc_exec_t,s0)
+/usr/bin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
+
/usr/sbin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
/var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc
index e31f56e8..bda8b8c5 100644
--- a/policy/modules/contrib/jabber.fc
+++ b/policy/modules/contrib/jabber.fc
@@ -1,10 +1,13 @@
/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
-/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
diff --git a/policy/modules/contrib/kdump.fc b/policy/modules/contrib/kdump.fc
index 94c0daa2..4e396725 100644
--- a/policy/modules/contrib/kdump.fc
+++ b/policy/modules/contrib/kdump.fc
@@ -2,7 +2,9 @@
/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+/usr/bin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/bin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
/usr/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:kdump_unit_t,s0)
diff --git a/policy/modules/contrib/kerberos.fc b/policy/modules/contrib/kerberos.fc
index 4fe75fd6..df21fcc7 100644
--- a/policy/modules/contrib/kerberos.fc
+++ b/policy/modules/contrib/kerberos.fc
@@ -13,6 +13,9 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+
/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
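Review bot: only krb5kdc and kadmind get /usr/bin entries, while the context lines show /usr/kerberos/sbin/kadmin\.local also labelled kadmind_exec_t. If the file has a /usr/sbin/kadmin\.local line outside this hunk, add the matching /usr/bin/kadmin\.local here so the tool does not fall back to the generic /usr/bin label after the move.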
diff --git a/policy/modules/contrib/kerneloops.fc b/policy/modules/contrib/kerneloops.fc
index 5ef261a3..d0db3544 100644
--- a/policy/modules/contrib/kerneloops.fc
+++ b/policy/modules/contrib/kerneloops.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
+/usr/bin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
+
/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
diff --git a/policy/modules/contrib/ksmtuned.fc b/policy/modules/contrib/ksmtuned.fc
index 7229ce8b..68f3623b 100644
--- a/policy/modules/contrib/ksmtuned.fc
+++ b/policy/modules/contrib/ksmtuned.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+/usr/bin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/policy/modules/contrib/ktalk.fc b/policy/modules/contrib/ktalk.fc
index 38ecb07d..fae3b8c4 100644
--- a/policy/modules/contrib/ktalk.fc
+++ b/policy/modules/contrib/ktalk.fc
@@ -1,4 +1,6 @@
-/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
diff --git a/policy/modules/contrib/kudzu.fc b/policy/modules/contrib/kudzu.fc
index a0030a74..a0127d49 100644
--- a/policy/modules/contrib/kudzu.fc
+++ b/policy/modules/contrib/kudzu.fc
@@ -1,6 +1,9 @@
/etc/rc\.d/init\.d/kudzu -- gen_context(system_u:object_r:kudzu_initrc_exec_t,s0)
+/usr/bin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+/usr/bin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+
/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
-/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
/run/kudzu(/.*)? gen_context(system_u:object_r:kudzu_var_run_t,s0)
diff --git a/policy/modules/contrib/l2tp.fc b/policy/modules/contrib/l2tp.fc
index 77d5c5a6..499c7de6 100644
--- a/policy/modules/contrib/l2tp.fc
+++ b/policy/modules/contrib/l2tp.fc
@@ -4,6 +4,8 @@
/etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0)
+/usr/bin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+
/usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
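Review bot: /usr/bin/.*l2tpd starts with an unanchored .*, so it matches any regular file below /usr/bin whose path ends in l2tpd, subdirectories included. The same pattern already exists for /usr/sbin, but /usr/bin is a much larger namespace; [^/]*l2tpd, the form the systemd unit patterns in this patch use, or an explicit list of the daemons would limit l2tpd_exec_t to the intended binaries.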
diff --git a/policy/modules/contrib/ldap.fc b/policy/modules/contrib/ldap.fc
index 38b123d7..174f4d73 100644
--- a/policy/modules/contrib/ldap.fc
+++ b/policy/modules/contrib/ldap.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
/usr/lib/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
diff --git a/policy/modules/contrib/likewise.fc b/policy/modules/contrib/likewise.fc
index 0a5cc34e..c95fd7d5 100644
--- a/policy/modules/contrib/likewise.fc
+++ b/policy/modules/contrib/likewise.fc
@@ -21,6 +21,15 @@
/opt/likewise/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
/opt/likewise/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+/usr/bin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/bin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/bin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/bin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/bin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/bin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/bin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/bin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc
index d38234fd..79947d0c 100644
--- a/policy/modules/contrib/lircd.fc
+++ b/policy/modules/contrib/lircd.fc
@@ -5,6 +5,8 @@
/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+/usr/bin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*lircd.* -- gen_context(system_u:object_r:lircd_unit_t,s0)
diff --git a/policy/modules/contrib/lldpad.fc b/policy/modules/contrib/lldpad.fc
index 385eccf4..305b8de7 100644
--- a/policy/modules/contrib/lldpad.fc
+++ b/policy/modules/contrib/lldpad.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/lldpad -- gen_context(system_u:object_r:lldpad_initrc_exec_t,s0)
+/usr/bin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
+
/usr/sbin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0)
diff --git a/policy/modules/contrib/lockdev.fc b/policy/modules/contrib/lockdev.fc
index 4fd0fda9..65ed30df 100644
--- a/policy/modules/contrib/lockdev.fc
+++ b/policy/modules/contrib/lockdev.fc
@@ -1,3 +1,5 @@
+/usr/bin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
+
/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
/var/lock/lockdev(/.*)? gen_context(system_u:object_r:lockdev_lock_t,s0)
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
index ad215962..dac1af39 100644
--- a/policy/modules/contrib/logrotate.fc
+++ b/policy/modules/contrib/logrotate.fc
@@ -1,6 +1,8 @@
/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+/usr/bin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0)
diff --git a/policy/modules/contrib/logwatch.fc b/policy/modules/contrib/logwatch.fc
index 792e3cf7..7e83c901 100644
--- a/policy/modules/contrib/logwatch.fc
+++ b/policy/modules/contrib/logwatch.fc
@@ -1,3 +1,7 @@
+/usr/bin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/bin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/bin/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+
/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/sbin/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t,s0)
diff --git a/policy/modules/contrib/lpd.fc b/policy/modules/contrib/lpd.fc
index cd1aa707..8916d38e 100644
--- a/policy/modules/contrib/lpd.fc
+++ b/policy/modules/contrib/lpd.fc
@@ -3,19 +3,26 @@
/opt/gutenprint/bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0)
/opt/gutenprint/sbin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
+/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
+/usr/bin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
-/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
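Review bot: Five of the "+" lines under /usr/bin in this hunk (lp, lpoptions, lpq, lpr, lprm) are removed and re-added with the same pattern and the same lpr_exec_t context, and /usr/sbin/lpd is deleted and re-inserted two lines further down. That mixes realignment and reordering with the entries that are actually new (accept, checkpc, lpadmin, lpc, lpd, lpinfo and lpmove under /usr/bin). Splitting the whitespace and ordering cleanup into its own commit would let a reviewer confirm at a glance that /usr/bin/lpd gets lpd_exec_t and /usr/bin/checkpc gets checkpc_exec_t, the only two new labels here that differ from lpr_exec_t.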
diff --git a/policy/modules/contrib/mailscanner.fc b/policy/modules/contrib/mailscanner.fc
index 00ecd1b2..cc6a8f88 100644
--- a/policy/modules/contrib/mailscanner.fc
+++ b/policy/modules/contrib/mailscanner.fc
@@ -6,6 +6,8 @@
/etc/sysconfig/update_spamassassin -- gen_context(system_u:object_r:mscan_etc_t,s0)
+/usr/bin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
+
/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0)
diff --git a/policy/modules/contrib/mcelog.fc b/policy/modules/contrib/mcelog.fc
index 86d8bdba..a91a13f9 100644
--- a/policy/modules/contrib/mcelog.fc
+++ b/policy/modules/contrib/mcelog.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+/usr/bin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
diff --git a/policy/modules/contrib/milter.fc b/policy/modules/contrib/milter.fc
index 38a65aac..378d5e4c 100644
--- a/policy/modules/contrib/milter.fc
+++ b/policy/modules/contrib/milter.fc
@@ -1,3 +1,8 @@
+/usr/bin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/bin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/bin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/bin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
diff --git a/policy/modules/contrib/minidlna.fc b/policy/modules/contrib/minidlna.fc
index 37239ebf..79af2d74 100644
--- a/policy/modules/contrib/minidlna.fc
+++ b/policy/modules/contrib/minidlna.fc
@@ -2,6 +2,8 @@
/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_conf_t,s0)
+/usr/bin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
+
/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
diff --git a/policy/modules/contrib/minissdpd.fc b/policy/modules/contrib/minissdpd.fc
index c7a5368b..cdad38ed 100644
--- a/policy/modules/contrib/minissdpd.fc
+++ b/policy/modules/contrib/minissdpd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/minissdpd -- gen_context(system_u:object_r:minissdpd_initrc_exec_t,s0)
+/usr/bin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0)
+
/usr/sbin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0)
/run/minissdpd\.pid -- gen_context(system_u:object_r:minissdpd_var_run_t,s0)
diff --git a/policy/modules/contrib/modemmanager.fc b/policy/modules/contrib/modemmanager.fc
index c43901e6..88d8ff3f 100644
--- a/policy/modules/contrib/modemmanager.fc
+++ b/policy/modules/contrib/modemmanager.fc
@@ -1,2 +1,5 @@
+/usr/bin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+/usr/bin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+
/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc
index c92575b4..71b42ee7 100644
--- a/policy/modules/contrib/mon.fc
+++ b/policy/modules/contrib/mon.fc
@@ -1,5 +1,7 @@
/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+/usr/bin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+
/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
diff --git a/policy/modules/contrib/monop.fc b/policy/modules/contrib/monop.fc
index f25a1820..f89b50f9 100644
--- a/policy/modules/contrib/monop.fc
+++ b/policy/modules/contrib/monop.fc
@@ -2,6 +2,8 @@
/etc/monopd\.conf -- gen_context(system_u:object_r:monopd_etc_t,s0)
+/usr/bin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0)
+
/usr/sbin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0)
/usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0)
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index dd9f799a..ace4a1f1 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -14,6 +14,10 @@ HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/policy/modules/contrib/mysql.fc b/policy/modules/contrib/mysql.fc
index 6735c459..8213e53c 100644
--- a/policy/modules/contrib/mysql.fc
+++ b/policy/modules/contrib/mysql.fc
@@ -7,8 +7,11 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+/usr/bin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+/usr/bin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
diff --git a/policy/modules/contrib/nessus.fc b/policy/modules/contrib/nessus.fc
index 9640c364..2065c1b8 100644
--- a/policy/modules/contrib/nessus.fc
+++ b/policy/modules/contrib/nessus.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/nessusd -- gen_context(system_u:object_r:nessusd_initrc_exec_t,s0)
+/usr/bin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
/usr/lib/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 1e6d0f5b..16b3c06f 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -21,9 +21,12 @@
/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
-/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
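Review bot: The three new labels on NetworkManagerDispatcher, nm-system-settings and wicd are hard to pick out because NetworkManager, wpa_cli and wpa_supplicant are removed and re-added unchanged around them; please keep the realignment out of this change. Of the new entries only NetworkManagerDispatcher has its /usr/sbin counterpart in the visible context, so say in the commit message that nm-system-settings and wicd carry the same NetworkManager_exec_t under /usr/sbin. A type that differs by path would leave the same program labelled differently depending on where it is installed.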
diff --git a/policy/modules/contrib/nis.fc b/policy/modules/contrib/nis.fc
index 2b86f44d..46f101bc 100644
--- a/policy/modules/contrib/nis.fc
+++ b/policy/modules/contrib/nis.fc
@@ -5,6 +5,11 @@
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
+/usr/bin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/bin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/bin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+/usr/bin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
+
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0)
diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
index 51460f89..4857b5b7 100644
--- a/policy/modules/contrib/nscd.fc
+++ b/policy/modules/contrib/nscd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+
/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
diff --git a/policy/modules/contrib/nsd.fc b/policy/modules/contrib/nsd.fc
index 286a4ecf..d4fc584e 100644
--- a/policy/modules/contrib/nsd.fc
+++ b/policy/modules/contrib/nsd.fc
@@ -5,6 +5,11 @@
/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/usr/bin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+
/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
diff --git a/policy/modules/contrib/nslcd.fc b/policy/modules/contrib/nslcd.fc
index cdeb9350..89543b3e 100644
--- a/policy/modules/contrib/nslcd.fc
+++ b/policy/modules/contrib/nslcd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/bin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+
/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/policy/modules/contrib/ntop.fc b/policy/modules/contrib/ntop.fc
index cbbec58a..3ededdd2 100644
--- a/policy/modules/contrib/ntop.fc
+++ b/policy/modules/contrib/ntop.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0)
+/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
+
/usr/sbin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 67c2b883..903c131c 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -13,6 +13,10 @@
/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
+/usr/bin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/bin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
diff --git a/policy/modules/contrib/nut.fc b/policy/modules/contrib/nut.fc
index fdf658f1..6dbfbde1 100644
--- a/policy/modules/contrib/nut.fc
+++ b/policy/modules/contrib/nut.fc
@@ -4,6 +4,10 @@
/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
+/usr/bin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
+/usr/bin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/bin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+
/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/oav.fc b/policy/modules/contrib/oav.fc
index 2448426e..dabf41ee 100644
--- a/policy/modules/contrib/oav.fc
+++ b/policy/modules/contrib/oav.fc
@@ -1,6 +1,9 @@
/etc/oav-update(/.*)? gen_context(system_u:object_r:oav_update_etc_t,s0)
/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0)
+/usr/bin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0)
+/usr/bin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
+
/usr/sbin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0)
/usr/sbin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
diff --git a/policy/modules/contrib/oddjob.fc b/policy/modules/contrib/oddjob.fc
index d20f5ea2..f1c819ef 100644
--- a/policy/modules/contrib/oddjob.fc
+++ b/policy/modules/contrib/oddjob.fc
@@ -2,6 +2,9 @@
/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/bin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+/usr/bin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
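Review bot: The new /usr/bin/oddjobd and /usr/bin/mkhomedir_helper entries are inserted after /usr/libexec/oddjob/mkhomedir, whereas the other .fc hunks in this patch (mon.fc, nut.fc, pingd.fc, nessus.fc) put the /usr/bin block ahead of the /usr/lib entries. Moving the two lines above the /usr/libexec line keeps the file sorted by path and consistent with the rest of the patch.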
diff --git a/policy/modules/contrib/oident.fc b/policy/modules/contrib/oident.fc
index df3b9758..584d948f 100644
--- a/policy/modules/contrib/oident.fc
+++ b/policy/modules/contrib/oident.fc
@@ -5,4 +5,6 @@ HOME_DIR/\.oidentd\.conf -- gen_context(system_u:object_r:oidentd_home_t,s0)
/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t,s0)
+/usr/bin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
+
/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
diff --git a/policy/modules/contrib/openct.fc b/policy/modules/contrib/openct.fc
index b5c2b05d..4c0236d2 100644
--- a/policy/modules/contrib/openct.fc
+++ b/policy/modules/contrib/openct.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/openct -- gen_context(system_u:object_r:openct_initrc_exec_t,s0)
+/usr/bin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/bin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
+
/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
diff --git a/policy/modules/contrib/openhpi.fc b/policy/modules/contrib/openhpi.fc
index e1ee3e4a..1ce9da3d 100644
--- a/policy/modules/contrib/openhpi.fc
+++ b/policy/modules/contrib/openhpi.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
+/usr/bin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
+
/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc
index 00d176d3..7a00b7a8 100644
--- a/policy/modules/contrib/openvpn.fc
+++ b/policy/modules/contrib/openvpn.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
+/usr/bin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+
/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
/var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
diff --git a/policy/modules/contrib/pacemaker.fc b/policy/modules/contrib/pacemaker.fc
index 6de95e79..3b398450 100644
--- a/policy/modules/contrib/pacemaker.fc
+++ b/policy/modules/contrib/pacemaker.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
+/usr/bin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
+
/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
diff --git a/policy/modules/contrib/pcmcia.fc b/policy/modules/contrib/pcmcia.fc
index b508069e..f9fadf5f 100644
--- a/policy/modules/contrib/pcmcia.fc
+++ b/policy/modules/contrib/pcmcia.fc
@@ -1,5 +1,8 @@
/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+/usr/bin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
+/usr/bin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc
index 79e96b1b..4d667ea2 100644
--- a/policy/modules/contrib/pcscd.fc
+++ b/policy/modules/contrib/pcscd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pcscd -- gen_context(system_u:object_r:pcscd_initrc_exec_t,s0)
+/usr/bin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
+
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
# Systemd unit file
diff --git a/policy/modules/contrib/pegasus.fc b/policy/modules/contrib/pegasus.fc
index 4791c0e2..0f7fe617 100644
--- a/policy/modules/contrib/pegasus.fc
+++ b/policy/modules/contrib/pegasus.fc
@@ -3,6 +3,9 @@
/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/bin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/bin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
diff --git a/policy/modules/contrib/perdition.fc b/policy/modules/contrib/perdition.fc
index a7d2a8be..f9f88dfb 100644
--- a/policy/modules/contrib/perdition.fc
+++ b/policy/modules/contrib/perdition.fc
@@ -2,6 +2,8 @@
/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
+/usr/bin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
+
/usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
/run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)
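Review bot: "/usr/bin/perdition.*" carries the /usr/sbin wildcard over to /usr/bin unchanged, and the trailing ".*" labels every regular file in /usr/bin whose name starts with "perdition" as perdition_exec_t. /usr/bin is a shared namespace for user commands from many packages, so either list the intended binaries explicitly or add a comment naming the executables the wildcard is meant to cover.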
diff --git a/policy/modules/contrib/pingd.fc b/policy/modules/contrib/pingd.fc
index 494a24cc..1cbbf6d8 100644
--- a/policy/modules/contrib/pingd.fc
+++ b/policy/modules/contrib/pingd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
+/usr/bin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
+
/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0)
/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
diff --git a/policy/modules/contrib/pkcs.fc b/policy/modules/contrib/pkcs.fc
index 65a25e37..148293a9 100644
--- a/policy/modules/contrib/pkcs.fc
+++ b/policy/modules/contrib/pkcs.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_initrc_exec_t,s0)
+/usr/bin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
+
/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
index 8eab91b8..c99ccd2d 100644
--- a/policy/modules/contrib/plymouthd.fc
+++ b/policy/modules/contrib/plymouthd.fc
@@ -1,4 +1,5 @@
/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+/usr/bin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
# Systemd unit file
/usr/lib/systemd/system/[^/]*plymouth-.* -- gen_context(system_u:object_r:plymouthd_unit_t,s0)
diff --git a/policy/modules/contrib/portmap.fc b/policy/modules/contrib/portmap.fc
index d15c7072..b33b5f4e 100644
--- a/policy/modules/contrib/portmap.fc
+++ b/policy/modules/contrib/portmap.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/portmap -- gen_context(system_u:object_r:portmap_initrc_exec_t,s0)
+/usr/bin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/bin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/bin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+
/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
diff --git a/policy/modules/contrib/portreserve.fc b/policy/modules/contrib/portreserve.fc
index de7da13c..d649d58d 100644
--- a/policy/modules/contrib/portreserve.fc
+++ b/policy/modules/contrib/portreserve.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+/usr/bin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+
/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/policy/modules/contrib/portslave.fc b/policy/modules/contrib/portslave.fc
index 22ca4a50..1afb1976 100644
--- a/policy/modules/contrib/portslave.fc
+++ b/policy/modules/contrib/portslave.fc
@@ -1,5 +1,8 @@
/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0)
+/usr/bin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+/usr/bin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+
/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index 707b5be0..ecf447d6 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -4,6 +4,17 @@
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+/usr/bin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+/usr/bin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
+/usr/bin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+/usr/bin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+
# Remove catch-all so that .so files remain lib_t
#/usr/lib/postfix/(sbin/)?.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/lib/postfix/(sbin/)?cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
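Review bot: The ten added /usr/bin entries map to four different types (postfix_master_exec_t, postfix_postdrop_exec_t, postfix_map_exec_t, postfix_postqueue_exec_t), but the /usr/sbin lines they presumably mirror are not in this hunk's context, so the mapping cannot be checked here. Please confirm each one matches its /usr/sbin entry, in particular that postalias is meant to stay on postfix_master_exec_t while postmap gets postfix_map_exec_t, and add a one-line comment above the block saying these duplicate the /usr/sbin labels.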
diff --git a/policy/modules/contrib/postfixpolicyd.fc b/policy/modules/contrib/postfixpolicyd.fc
index ed79fe20..a8fb9f8c 100644
--- a/policy/modules/contrib/postfixpolicyd.fc
+++ b/policy/modules/contrib/postfixpolicyd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0)
+/usr/bin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t,s0)
+
/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t,s0)
/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t,s0)
diff --git a/policy/modules/contrib/postgrey.fc b/policy/modules/contrib/postgrey.fc
index 955207fc..076987a6 100644
--- a/policy/modules/contrib/postgrey.fc
+++ b/policy/modules/contrib/postgrey.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
+/usr/bin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
+
/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
diff --git a/policy/modules/contrib/ppp.fc b/policy/modules/contrib/ppp.fc
index d31591a5..67de5b3e 100644
--- a/policy/modules/contrib/ppp.fc
+++ b/policy/modules/contrib/ppp.fc
@@ -9,6 +9,12 @@ HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/usr/bin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+
/usr/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_t,s0)
/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
diff --git a/policy/modules/contrib/prelink.fc b/policy/modules/contrib/prelink.fc
index a90d6231..8823d27a 100644
--- a/policy/modules/contrib/prelink.fc
+++ b/policy/modules/contrib/prelink.fc
@@ -2,6 +2,8 @@
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+/usr/bin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
diff --git a/policy/modules/contrib/prelude.fc b/policy/modules/contrib/prelude.fc
index 75df3cf6..ca48c982 100644
--- a/policy/modules/contrib/prelude.fc
+++ b/policy/modules/contrib/prelude.fc
@@ -4,8 +4,9 @@
/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/usr/bin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t,s0)
-/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
diff --git a/policy/modules/contrib/privoxy.fc b/policy/modules/contrib/privoxy.fc
index cf3678a4..9feef4f7 100644
--- a/policy/modules/contrib/privoxy.fc
+++ b/policy/modules/contrib/privoxy.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
+/usr/bin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
+
/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0)
diff --git a/policy/modules/contrib/psad.fc b/policy/modules/contrib/psad.fc
index 1157cebc..d26a15b5 100644
--- a/policy/modules/contrib/psad.fc
+++ b/policy/modules/contrib/psad.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0)
+/usr/bin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
+
/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0)
diff --git a/policy/modules/contrib/pxe.fc b/policy/modules/contrib/pxe.fc
index 270f819a..56ca3ecd 100644
--- a/policy/modules/contrib/pxe.fc
+++ b/policy/modules/contrib/pxe.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pxe -- gen_context(system_u:object_r:pxe_initrc_exec_t,s0)
+/usr/bin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
+
/usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
/var/log/pxe\.log.* -- gen_context(system_u:object_r:pxe_log_t,s0)
diff --git a/policy/modules/contrib/qmail.fc b/policy/modules/contrib/qmail.fc
index e53fe5a9..54e0847f 100644
--- a/policy/modules/contrib/qmail.fc
+++ b/policy/modules/contrib/qmail.fc
@@ -1,5 +1,17 @@
/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/usr/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
diff --git a/policy/modules/contrib/qpid.fc b/policy/modules/contrib/qpid.fc
index fdcf49dc..ed8f5432 100644
--- a/policy/modules/contrib/qpid.fc
+++ b/policy/modules/contrib/qpid.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
+/usr/bin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
+
/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
diff --git a/policy/modules/contrib/quota.fc b/policy/modules/contrib/quota.fc
index c3d05ba1..28a21a8b 100644
--- a/policy/modules/contrib/quota.fc
+++ b/policy/modules/contrib/quota.fc
@@ -10,6 +10,10 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
+/usr/bin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+/usr/bin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+/usr/bin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
+
/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
diff --git a/policy/modules/contrib/radius.fc b/policy/modules/contrib/radius.fc
index 663b804a..19ff8e93 100644
--- a/policy/modules/contrib/radius.fc
+++ b/policy/modules/contrib/radius.fc
@@ -6,6 +6,9 @@
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
+/usr/bin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/bin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
diff --git a/policy/modules/contrib/radvd.fc b/policy/modules/contrib/radvd.fc
index 350bb7e8..9765e456 100644
--- a/policy/modules/contrib/radvd.fc
+++ b/policy/modules/contrib/radvd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0)
+/usr/bin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
+
/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0)
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index dc26d8d3..323a8865 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -3,6 +3,14 @@
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
+/usr/bin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
# Systemd unit files
/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
diff --git a/policy/modules/contrib/rdisc.fc b/policy/modules/contrib/rdisc.fc
index 168de323..0c4d5b55 100644
--- a/policy/modules/contrib/rdisc.fc
+++ b/policy/modules/contrib/rdisc.fc
@@ -1 +1,3 @@
+/usr/bin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
+
/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/policy/modules/contrib/readahead.fc b/policy/modules/contrib/readahead.fc
index 5932e207..823f5454 100644
--- a/policy/modules/contrib/readahead.fc
+++ b/policy/modules/contrib/readahead.fc
@@ -1,3 +1,5 @@
+/usr/bin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
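Review bot: the new `/usr/bin/readahead.*` entry at the top of this hunk copies the open-ended `.*` suffix from the `/usr/sbin` line, so every regular file in /usr/bin whose name begins with "readahead" is labelled readahead_exec_t. Listing the expected binary names explicitly, or adding a comment that says which names the wildcard is meant to cover, would make the intended scope reviewable.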
diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc
index 2ea69aa9..74443abd 100644
--- a/policy/modules/contrib/redis.fc
+++ b/policy/modules/contrib/redis.fc
@@ -2,6 +2,8 @@
/etc/redis.*\.conf -- gen_context(system_u:object_r:redis_conf_t,s0)
+/usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+
/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
diff --git a/policy/modules/contrib/resmgr.fc b/policy/modules/contrib/resmgr.fc
index 138f76e2..c5b467dc 100644
--- a/policy/modules/contrib/resmgr.fc
+++ b/policy/modules/contrib/resmgr.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/resmgr -- gen_context(system_u:object_r:resmgrd_initrc_exec_t,s0)
+/usr/bin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/policy/modules/contrib/rgmanager.fc b/policy/modules/contrib/rgmanager.fc
index fd21f975..0e064444 100644
--- a/policy/modules/contrib/rgmanager.fc
+++ b/policy/modules/contrib/rgmanager.fc
@@ -1,9 +1,12 @@
/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/bin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/bin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/bin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
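Review bot: the `-/usr/sbin/rgmanager` / `+/usr/sbin/rgmanager` pair in this hunk is a pure reorder with the same rgmanager_exec_t label, mixed in with the three functional `/usr/bin` additions. Leaving the existing line where it was, or mentioning the reorder in the commit message, would make it obvious from the diff that no /usr/sbin label changes here.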
diff --git a/policy/modules/contrib/rhcs.fc b/policy/modules/contrib/rhcs.fc
index ff20b9ce..90d0c0de 100644
--- a/policy/modules/contrib/rhcs.fc
+++ b/policy/modules/contrib/rhcs.fc
@@ -1,6 +1,15 @@
/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/bin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/bin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/bin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/bin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/bin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
diff --git a/policy/modules/contrib/ricci.fc b/policy/modules/contrib/ricci.fc
index 08d8abac..b7918a93 100644
--- a/policy/modules/contrib/ricci.fc
+++ b/policy/modules/contrib/ricci.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
+/usr/bin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
+/usr/bin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0)
+
/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --git a/policy/modules/contrib/rlogin.fc b/policy/modules/contrib/rlogin.fc
index f1118772..00e7f3a5 100644
--- a/policy/modules/contrib/rlogin.fc
+++ b/policy/modules/contrib/rlogin.fc
@@ -3,6 +3,8 @@ HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+/usr/bin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/policy/modules/contrib/rngd.fc b/policy/modules/contrib/rngd.fc
index 3bba53a8..c49ab4ac 100644
--- a/policy/modules/contrib/rngd.fc
+++ b/policy/modules/contrib/rngd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+/usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+
/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0)
diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
index 9d6d5241..6674a53e 100644
--- a/policy/modules/contrib/rpc.fc
+++ b/policy/modules/contrib/rpc.fc
@@ -4,6 +4,15 @@
/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/bin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/bin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/bin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/bin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
/usr/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_t,s0)
/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
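Review bot: `/usr/bin/rpc\.idmapd` and `/usr/bin/rpc\.rquotad` assign rpcd_exec_t, the same type the new catch-all `/usr/bin/rpc\..*` already gives them, so those two lines are redundant; drop them or add a comment that they are kept for symmetry. The gssd, mountd, nfsd and svcgssd entries rely on the more specific pattern taking precedence over the catch-all, and any other `/usr/bin/rpc.*` file falls through to rpcd_exec_t, so the resulting labels are worth confirming with matchpathcon for each listed path.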
diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc
index 35f6ae43..afba9b29 100644
--- a/policy/modules/contrib/rpcbind.fc
+++ b/policy/modules/contrib/rpcbind.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+/usr/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index 71c90c7e..9faf3c42 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -1,12 +1,22 @@
/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
+/usr/bin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
# Systemd unit file
diff --git a/policy/modules/contrib/rshd.fc b/policy/modules/contrib/rshd.fc
index 9ad0d58d..b77f12dc 100644
--- a/policy/modules/contrib/rshd.fc
+++ b/policy/modules/contrib/rshd.fc
@@ -1,4 +1,7 @@
/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/bin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/bin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+
/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
/usr/sbin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/policy/modules/contrib/rwho.fc b/policy/modules/contrib/rwho.fc
index 5a630a99..fd5fdf71 100644
--- a/policy/modules/contrib/rwho.fc
+++ b/policy/modules/contrib/rwho.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0)
+/usr/bin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
+
/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
index 753a009c..e104d2ba 100644
--- a/policy/modules/contrib/samba.fc
+++ b/policy/modules/contrib/samba.fc
@@ -9,10 +9,14 @@
/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+/usr/bin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+/usr/bin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
/usr/lib/systemd/system/smb.*\.service -- gen_context(system_u:object_r:samba_unit_t,s0)
diff --git a/policy/modules/contrib/samhain.fc b/policy/modules/contrib/samhain.fc
index 39d915d9..76b448c8 100644
--- a/policy/modules/contrib/samhain.fc
+++ b/policy/modules/contrib/samhain.fc
@@ -2,6 +2,9 @@
/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
+/usr/bin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)
+/usr/bin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0)
+
/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)
/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0)
diff --git a/policy/modules/contrib/sanlock.fc b/policy/modules/contrib/sanlock.fc
index b8a7a0a2..6c6f3dec 100644
--- a/policy/modules/contrib/sanlock.fc
+++ b/policy/modules/contrib/sanlock.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
+/usr/bin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
+
/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
diff --git a/policy/modules/contrib/sasl.fc b/policy/modules/contrib/sasl.fc
index 1ec050a2..72551273 100644
--- a/policy/modules/contrib/sasl.fc
+++ b/policy/modules/contrib/sasl.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
+/usr/bin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
+
/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/policy/modules/contrib/sblim.fc b/policy/modules/contrib/sblim.fc
index 84fa5384..c2aed416 100644
--- a/policy/modules/contrib/sblim.fc
+++ b/policy/modules/contrib/sblim.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
+/usr/bin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
+/usr/bin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+
/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
diff --git a/policy/modules/contrib/sensord.fc b/policy/modules/contrib/sensord.fc
index bcd8a2ed..1216f4bf 100644
--- a/policy/modules/contrib/sensord.fc
+++ b/policy/modules/contrib/sensord.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0)
+/usr/bin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
+
/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
diff --git a/policy/modules/contrib/setroubleshoot.fc b/policy/modules/contrib/setroubleshoot.fc
index 8c66d707..096fd47c 100644
--- a/policy/modules/contrib/setroubleshoot.fc
+++ b/policy/modules/contrib/setroubleshoot.fc
@@ -1,3 +1,5 @@
+/usr/bin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
/usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
diff --git a/policy/modules/contrib/shibboleth.fc b/policy/modules/contrib/shibboleth.fc
index 0e05da75..fc32f7c9 100644
--- a/policy/modules/contrib/shibboleth.fc
+++ b/policy/modules/contrib/shibboleth.fc
@@ -1,5 +1,7 @@
/etc/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_etc_t,s0)
+/usr/bin/shibd -- gen_context(system_u:object_r:shibboleth_exec_t,s0)
+
/usr/sbin/shibd -- gen_context(system_u:object_r:shibboleth_exec_t,s0)
/var/log/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_log_t,s0)
diff --git a/policy/modules/contrib/shorewall.fc b/policy/modules/contrib/shorewall.fc
index e92567aa..aae46ecb 100644
--- a/policy/modules/contrib/shorewall.fc
+++ b/policy/modules/contrib/shorewall.fc
@@ -3,6 +3,9 @@
/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+/usr/bin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/usr/bin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
index e6730a03..03a2230c 100644
--- a/policy/modules/contrib/shutdown.fc
+++ b/policy/modules/contrib/shutdown.fc
@@ -1,5 +1,7 @@
/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
+/usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
diff --git a/policy/modules/contrib/slpd.fc b/policy/modules/contrib/slpd.fc
index be0072b4..77ff516b 100644
--- a/policy/modules/contrib/slpd.fc
+++ b/policy/modules/contrib/slpd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/slpd -- gen_context(system_u:object_r:slpd_initrc_exec_t,s0)
+/usr/bin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0)
+
/usr/sbin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0)
/var/log/slpd\.log.* -- gen_context(system_u:object_r:slpd_log_t,s0)
diff --git a/policy/modules/contrib/smartmon.fc b/policy/modules/contrib/smartmon.fc
index 92988a26..daff956c 100644
--- a/policy/modules/contrib/smartmon.fc
+++ b/policy/modules/contrib/smartmon.fc
@@ -1,6 +1,8 @@
/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
/etc/rc\.d/init\.d/smartmontools -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+/usr/bin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+
/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
diff --git a/policy/modules/contrib/smokeping.fc b/policy/modules/contrib/smokeping.fc
index e92613ff..c75825e8 100644
--- a/policy/modules/contrib/smokeping.fc
+++ b/policy/modules/contrib/smokeping.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0)
+/usr/bin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
+
/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/smstools.fc b/policy/modules/contrib/smstools.fc
index d77f5b5f..12a58511 100644
--- a/policy/modules/contrib/smstools.fc
+++ b/policy/modules/contrib/smstools.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/(smsd|smstools) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
+/usr/bin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
+
/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/snmp.fc b/policy/modules/contrib/snmp.fc
index c3d5ed71..8974ac9d 100644
--- a/policy/modules/contrib/snmp.fc
+++ b/policy/modules/contrib/snmp.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+/usr/bin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/bin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/bin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+
/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
index 1e2faf00..97797bd6 100644
--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -2,9 +2,10 @@
/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
-/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
-/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/bin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
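Review bot: the removed and re-added `/usr/bin/snort` and `/usr/sbin/snort` lines carry the same path and the same snort_exec_t context, so the only functional change in this hunk is the new `/usr/bin/snort-plain` entry. Keeping the whitespace realignment out of this change, or calling it out in the commit message, would stop the diff from suggesting that the existing snort labels were touched.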
diff --git a/policy/modules/contrib/sosreport.fc b/policy/modules/contrib/sosreport.fc
index 704e2dab..d445530f 100644
--- a/policy/modules/contrib/sosreport.fc
+++ b/policy/modules/contrib/sosreport.fc
@@ -1,3 +1,5 @@
+/usr/bin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
+
/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
/\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
diff --git a/policy/modules/contrib/soundserver.fc b/policy/modules/contrib/soundserver.fc
index 038f0315..d1880f66 100644
--- a/policy/modules/contrib/soundserver.fc
+++ b/policy/modules/contrib/soundserver.fc
@@ -5,6 +5,7 @@
/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
+/usr/bin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
index 58dce766..bc2dbadf 100644
--- a/policy/modules/contrib/spamassassin.fc
+++ b/policy/modules/contrib/spamassassin.fc
@@ -5,16 +5,17 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
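Review bot: the two mimedefang entries are moved from below the `/usr/sbin` lines to the top of the `/usr/bin` block with an unchanged spamd_exec_t context, which leaves `/usr/bin/spampd` as the only new label in this hunk. The commit message should say that the mimedefang lines are only reordered, so a reader auditing label changes does not have to compare the `-` and `+` lines by hand.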
diff --git a/policy/modules/contrib/speedtouch.fc b/policy/modules/contrib/speedtouch.fc
index 0caf3cc0..48fe2da3 100644
--- a/policy/modules/contrib/speedtouch.fc
+++ b/policy/modules/contrib/speedtouch.fc
@@ -1,3 +1,5 @@
+/usr/bin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0)
+
/usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0)
/run/speedmgmt\.pid -- gen_context(system_u:object_r:speedmgmt_var_run_t,s0)
diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc
index 7051c3e1..4d838b27 100644
--- a/policy/modules/contrib/squid.fc
+++ b/policy/modules/contrib/squid.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/usr/bin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
+
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
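Review bot: `/usr/bin/squid.*` reaches further in /usr/bin than the same pattern does in /usr/sbin, because it also matches client-side tools such as squidclient when they are installed in /usr/bin and labels them squid_exec_t. Consider narrowing the new entry to the daemon binary name, or adding explicit, more specific entries for the non-daemon tools so they keep their intended label.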
diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc
index 6ff3e253..ef8a215b 100644
--- a/policy/modules/contrib/sssd.fc
+++ b/policy/modules/contrib/sssd.fc
@@ -2,6 +2,8 @@
/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
+/usr/bin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
diff --git a/policy/modules/contrib/sxid.fc b/policy/modules/contrib/sxid.fc
index 95299487..92d3ff1a 100644
--- a/policy/modules/contrib/sxid.fc
+++ b/policy/modules/contrib/sxid.fc
@@ -1,3 +1,4 @@
+/usr/bin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0)
/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
diff --git a/policy/modules/contrib/tboot.fc b/policy/modules/contrib/tboot.fc
index 437e1d5d..8c3e66c4 100644
--- a/policy/modules/contrib/tboot.fc
+++ b/policy/modules/contrib/tboot.fc
@@ -1 +1,3 @@
+/usr/bin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
+
/usr/sbin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
diff --git a/policy/modules/contrib/tcpd.fc b/policy/modules/contrib/tcpd.fc
index 034ec7f6..57fe2bf1 100644
--- a/policy/modules/contrib/tcpd.fc
+++ b/policy/modules/contrib/tcpd.fc
@@ -1 +1,3 @@
+/usr/bin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)
+
/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)
diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
index 0e086e71..d6980334 100644
--- a/policy/modules/contrib/tcsd.fc
+++ b/policy/modules/contrib/tcsd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+/usr/bin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*tcsd.* -- gen_context(system_u:object_r:tcsd_unit_t,s0)
diff --git a/policy/modules/contrib/telnet.fc b/policy/modules/contrib/telnet.fc
index 3d7d07aa..05d4726c 100644
--- a/policy/modules/contrib/telnet.fc
+++ b/policy/modules/contrib/telnet.fc
@@ -1,3 +1,5 @@
+/usr/bin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
+
/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
diff --git a/policy/modules/contrib/tftp.fc b/policy/modules/contrib/tftp.fc
index fb0b982d..dbd7f2a8 100644
--- a/policy/modules/contrib/tftp.fc
+++ b/policy/modules/contrib/tftp.fc
@@ -1,5 +1,7 @@
/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
+/usr/bin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+/usr/bin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/bin/tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
diff --git a/policy/modules/contrib/tgtd.fc b/policy/modules/contrib/tgtd.fc
index be16a4c0..1989d090 100644
--- a/policy/modules/contrib/tgtd.fc
+++ b/policy/modules/contrib/tgtd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+/usr/bin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+
/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tmpreaper.fc b/policy/modules/contrib/tmpreaper.fc
index d19a6cf0..f4ce55e1 100644
--- a/policy/modules/contrib/tmpreaper.fc
+++ b/policy/modules/contrib/tmpreaper.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/mountall-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/etc/rc\.d/init\.d/mountnfs-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/bin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/bin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+
/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/policy/modules/contrib/transproxy.fc b/policy/modules/contrib/transproxy.fc
index c4aa885e..ce0eb7d6 100644
--- a/policy/modules/contrib/transproxy.fc
+++ b/policy/modules/contrib/transproxy.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/transproxy -- gen_context(system_u:object_r:transproxy_initrc_exec_t,s0)
+/usr/bin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
+
/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0)
diff --git a/policy/modules/contrib/tripwire.fc b/policy/modules/contrib/tripwire.fc
index a27298be..77b259a4 100644
--- a/policy/modules/contrib/tripwire.fc
+++ b/policy/modules/contrib/tripwire.fc
@@ -1,5 +1,10 @@
/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0)
+/usr/bin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
+/usr/bin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
+/usr/bin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
+/usr/bin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0)
+
/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
diff --git a/policy/modules/contrib/tuned.fc b/policy/modules/contrib/tuned.fc
index d22fde30..21ea1295 100644
--- a/policy/modules/contrib/tuned.fc
+++ b/policy/modules/contrib/tuned.fc
@@ -3,6 +3,8 @@
/etc/tuned(/.*)? gen_context(system_u:object_r:tuned_etc_t,s0)
/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
+/usr/bin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+
/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
diff --git a/policy/modules/contrib/tzdata.fc b/policy/modules/contrib/tzdata.fc
index 04b85488..c8448c68 100644
--- a/policy/modules/contrib/tzdata.fc
+++ b/policy/modules/contrib/tzdata.fc
@@ -1 +1,3 @@
+/usr/bin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0)
+
/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0)
diff --git a/policy/modules/contrib/ulogd.fc b/policy/modules/contrib/ulogd.fc
index d5f8ac0b..ca27a1d2 100644
--- a/policy/modules/contrib/ulogd.fc
+++ b/policy/modules/contrib/ulogd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+/usr/bin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
+
/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
diff --git a/policy/modules/contrib/updfstab.fc b/policy/modules/contrib/updfstab.fc
index b62ab19e..27ac178d 100644
--- a/policy/modules/contrib/updfstab.fc
+++ b/policy/modules/contrib/updfstab.fc
@@ -1,2 +1,5 @@
+/usr/bin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+/usr/bin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+
/usr/sbin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0)
/usr/sbin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0)
diff --git a/policy/modules/contrib/uptime.fc b/policy/modules/contrib/uptime.fc
index d15608f6..535dda0b 100644
--- a/policy/modules/contrib/uptime.fc
+++ b/policy/modules/contrib/uptime.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/uptimed -- gen_context(system_u:object_r:uptimed_initrc_exec_t,s0)
+/usr/bin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
+
/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
/run/uptimed\.pid -- gen_context(system_u:object_r:uptimed_var_run_t,s0)
diff --git a/policy/modules/contrib/usbmodules.fc b/policy/modules/contrib/usbmodules.fc
index 66604b50..72188740 100644
--- a/policy/modules/contrib/usbmodules.fc
+++ b/policy/modules/contrib/usbmodules.fc
@@ -1 +1,3 @@
+/usr/bin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
+
/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/policy/modules/contrib/usbmuxd.fc b/policy/modules/contrib/usbmuxd.fc
index 413eef4b..dd949dde 100644
--- a/policy/modules/contrib/usbmuxd.fc
+++ b/policy/modules/contrib/usbmuxd.fc
@@ -1,3 +1,5 @@
+/usr/bin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff --git a/policy/modules/contrib/userhelper.fc b/policy/modules/contrib/userhelper.fc
index 9fe12582..6a2cd2f0 100644
--- a/policy/modules/contrib/userhelper.fc
+++ b/policy/modules/contrib/userhelper.fc
@@ -1,5 +1,6 @@
/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
+/usr/bin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/policy/modules/contrib/usernetctl.fc b/policy/modules/contrib/usernetctl.fc
index ddaf787d..72f38b1b 100644
--- a/policy/modules/contrib/usernetctl.fc
+++ b/policy/modules/contrib/usernetctl.fc
@@ -1 +1,3 @@
+/usr/bin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
+
/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
diff --git a/policy/modules/contrib/uucp.fc b/policy/modules/contrib/uucp.fc
index ec159fe5..21b5d723 100644
--- a/policy/modules/contrib/uucp.fc
+++ b/policy/modules/contrib/uucp.fc
@@ -1,6 +1,7 @@
/etc/rc\.d/init\.d/uucp -- gen_context(system_u:object_r:uucpd_initrc_exec_t,s0)
/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0)
+/usr/bin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
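Review bot: the new `/usr/bin/uucico` entry is placed after `/usr/bin/uux`, which breaks the alphabetical order of the /usr/bin block. Move it above the uux line so the file stays sorted and a later duplicate entry is easier to spot.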
diff --git a/policy/modules/contrib/uuidd.fc b/policy/modules/contrib/uuidd.fc
index 03f98e30..d0a8520d 100644
--- a/policy/modules/contrib/uuidd.fc
+++ b/policy/modules/contrib/uuidd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
+/usr/bin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
+
/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0)
diff --git a/policy/modules/contrib/varnishd.fc b/policy/modules/contrib/varnishd.fc
index e93b95c3..5d3f0915 100644
--- a/policy/modules/contrib/varnishd.fc
+++ b/policy/modules/contrib/varnishd.fc
@@ -4,6 +4,7 @@
/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0)
+/usr/bin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0)
/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
/usr/bin/varnishncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
diff --git a/policy/modules/contrib/vbetool.fc b/policy/modules/contrib/vbetool.fc
index d00970f1..af6c0e38 100644
--- a/policy/modules/contrib/vbetool.fc
+++ b/policy/modules/contrib/vbetool.fc
@@ -1 +1,3 @@
+/usr/bin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
+
/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
diff --git a/policy/modules/contrib/vdagent.fc b/policy/modules/contrib/vdagent.fc
index e03441a3..13aecb58 100644
--- a/policy/modules/contrib/vdagent.fc
+++ b/policy/modules/contrib/vdagent.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/spice-vdagentd -- gen_context(system_u:object_r:vdagentd_initrc_exec_t,s0)
+/usr/bin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+
/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
diff --git a/policy/modules/contrib/vhostmd.fc b/policy/modules/contrib/vhostmd.fc
index 83e6b4d4..ded76282 100644
--- a/policy/modules/contrib/vhostmd.fc
+++ b/policy/modules/contrib/vhostmd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+/usr/bin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
+
/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
/run/vhostmd.* gen_context(system_u:object_r:vhostmd_var_run_t,s0)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..b1f9b1c8 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -24,7 +24,12 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
/usr/libexec/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
-/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
+/usr/bin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
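Review bot: `/usr/bin/fence_virtd` is given `virsh_exec_t` while the other daemons added next to it (`condor_vm-gahp`, `libvirtd`) get `virtd_exec_t`, and the /usr/sbin entry it is supposed to mirror is outside this hunk's context. Please confirm the type matches the existing /usr/sbin/fence_virtd line, since the label decides which domain the binary enters. The `/usr/bin/virsh` line is also removed and re-added with the same path and context, so that part looks like a whitespace realignment that could be mentioned in the commit message.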
diff --git a/policy/modules/contrib/vlock.fc b/policy/modules/contrib/vlock.fc
index f84b61a5..f668cde9 100644
--- a/policy/modules/contrib/vlock.fc
+++ b/policy/modules/contrib/vlock.fc
@@ -1,3 +1,4 @@
-/usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
+/usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
+/usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
diff --git a/policy/modules/contrib/vmware.fc b/policy/modules/contrib/vmware.fc
index ea5a13b5..b1557721 100644
--- a/policy/modules/contrib/vmware.fc
+++ b/policy/modules/contrib/vmware.fc
@@ -9,9 +9,11 @@ HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
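Review bot: the added `/usr/bin/vmware-guest.*` entry is the only wildcard in this /usr/bin block; every neighbouring line names one binary, and `vmware-smbpasswd\.bin` even escapes its dot. Any file in /usr/bin whose name starts with "vmware-guest" will be labelled `vmware_host_exec_t` on relabel, so either enumerate the intended binaries or confirm that this mirrors an existing /usr/sbin pattern that is not visible in the hunk.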
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index 400d7f76..c3e1ad90 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -3,6 +3,7 @@
/run/vnstat.* gen_context(system_u:object_r:vnstatd_pid_t,s0)
/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
/usr/lib/systemd/system/vnstat\.service -- gen_context(system_u:object_r:vnstatd_unit_t,s0)
diff --git a/policy/modules/contrib/vpn.fc b/policy/modules/contrib/vpn.fc
index 1cd43c66..3e40c477 100644
--- a/policy/modules/contrib/vpn.fc
+++ b/policy/modules/contrib/vpn.fc
@@ -1,4 +1,5 @@
/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+/usr/bin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
diff --git a/policy/modules/contrib/watchdog.fc b/policy/modules/contrib/watchdog.fc
index 093ebc6d..1e4f1158 100644
--- a/policy/modules/contrib/watchdog.fc
+++ b/policy/modules/contrib/watchdog.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0)
+/usr/bin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
+
/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
diff --git a/policy/modules/contrib/wdmd.fc b/policy/modules/contrib/wdmd.fc
index b0fbf65a..849f93cc 100644
--- a/policy/modules/contrib/wdmd.fc
+++ b/policy/modules/contrib/wdmd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
+/usr/bin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
+
/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc
index be0374df..ac5439f9 100644
--- a/policy/modules/contrib/xen.fc
+++ b/policy/modules/contrib/xen.fc
@@ -7,6 +7,15 @@
/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/bin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/bin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
+/usr/bin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+
/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
diff --git a/policy/modules/contrib/zabbix.fc b/policy/modules/contrib/zabbix.fc
index 4c9f1409..076e8544 100644
--- a/policy/modules/contrib/zabbix.fc
+++ b/policy/modules/contrib/zabbix.fc
@@ -1,11 +1,14 @@
/etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
-/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
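Review bot: the `-`/`+` pairs for `/usr/bin/zabbix_server` and `/usr/sbin/zabbix_server` only move those lines below the matching `zabbix_agentd` entries, with no change to path or context. The functional change is the three new `/usr/bin/zabbix_server_mysql`, `_pgsql` and `_sqlite3` entries. Keeping the reordering in a separate commit, or at least naming it in the message, would make the labelling change easier to audit.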
diff --git a/policy/modules/contrib/zebra.fc b/policy/modules/contrib/zebra.fc
index 0c173382..3ded81f8 100644
--- a/policy/modules/contrib/zebra.fc
+++ b/policy/modules/contrib/zebra.fc
@@ -8,6 +8,11 @@
/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/usr/bin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
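Review bot: the copied wildcards `/usr/bin/ospf.*` and `/usr/bin/rip.*` are far broader in /usr/bin than in /usr/sbin, because /usr/bin is shared with ordinary user programs and any executable there whose name starts with "ospf" or "rip" would be labelled `zebra_exec_t` on the next relabel. A mislabelled binary becomes a valid entry point for the routing daemon's domain. Enumerate the daemon names explicitly, the way `bgpd` and `zebra` are listed in the same hunk, rather than carrying the prefix match over.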
diff --git a/policy/modules/contrib/zosremote.fc b/policy/modules/contrib/zosremote.fc
index adfd4a21..ca923534 100644
--- a/policy/modules/contrib/zosremote.fc
+++ b/policy/modules/contrib/zosremote.fc
@@ -1 +1,3 @@
+/usr/bin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
+
/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
To: gentoo-commits
commit: 7342da73bcae2a72c74f015e1cbf4e6064ff1eee
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:17:21 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7342da73
java: error messages terminal printout
Minor fixes for the java module (print error messages to the terminal).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/java.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index c4aaa66b..96494b16 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -167,10 +167,12 @@ ifdef(`distro_gentoo',`
corecmd_search_bin(java_t)
+dev_read_sysfs(java_t)
+
locallogin_use_fds(java_t)
userdom_read_user_tmp_files(java_t)
-userdom_use_user_ttys(java_t)
+userdom_use_user_terminals(java_t)
optional_policy(`
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
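Review bot: `dev_read_sysfs(java_t)` at the top of the hunk is not explained by the commit message, which only talks about printing error messages to the terminal. Please state why java_t needs to read sysfs, or move that line to its own commit. The replacement of `userdom_use_user_ttys(java_t)` with `userdom_use_user_terminals(java_t)` does match the stated purpose, but it widens access from user ttys to user ttys and ptys, which deserves a sentence in the message.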
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
To: gentoo-commits
commit: ec9d897b9e69d1ba90b25c871b12bd72ae6f3b31
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 1 22:44:21 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ec9d897b
Module version bump for minor fixes from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/loadkeys.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index c30623de..f97985e1 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.6.2)
+policy_module(evolution, 2.6.3)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 96494b16..9c5c7f2c 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.9.2)
+policy_module(java, 2.9.3)
########################################
#
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index dcde3ffe..ce63f0ee 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.11.2)
+policy_module(loadkeys, 1.11.3)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index c9c04040..6c73283c 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.4.1)
+policy_module(plymouthd, 1.4.2)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 4a2b3510..0e38114a 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.4.1)
+policy_module(shutdown, 1.4.2)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
To: gentoo-commits
commit: 90bc58d30413ce90fc5f6b86da4114f539d374f0
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:18:15 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90bc58d3
shutdown: send msg to syslog
Update the shutdown module so that it can send messages to
syslog.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/shutdown.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 6a0b126e..4a2b3510 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -42,6 +42,8 @@ domain_use_interactive_fds(shutdown_t)
files_delete_boot_flag(shutdown_t)
files_read_generic_pids(shutdown_t)
+fs_getattr_xattr_fs(shutdown_t)
+
mls_file_write_to_clearance(shutdown_t)
term_use_all_terms(shutdown_t)
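Review bot: `fs_getattr_xattr_fs(shutdown_t)` in this first hunk is unrelated to the commit subject, "send msg to syslog"; only the `logging_send_syslog_msg(shutdown_t)` line in the second hunk matches it. Document in the message why shutdown_t needs getattr on xattr filesystems (for example which denial it resolves), or split it into a separate commit so the permission can be reviewed and reverted on its own.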
@@ -55,6 +57,7 @@ init_telinit(shutdown_t)
logging_search_logs(shutdown_t)
logging_send_audit_msgs(shutdown_t)
+logging_send_syslog_msg(shutdown_t)
miscfiles_read_localization(shutdown_t)
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
To: gentoo-commits
commit: d4c00f71309403b77db1cdf60a1da0de877d7b30
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:17:53 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4c00f71
loadkeys: use init fds (system bootup)
Update the loadkeys module so that it can use init file descriptors (to
print out messages during boot).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/loadkeys.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index d99a28bf..dcde3ffe 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -23,6 +23,8 @@ allow loadkeys_t self:unix_stream_socket { connect create };
kernel_read_system_state(loadkeys_t)
+init_use_fds(loadkeys_t)
+
corecmd_exec_bin(loadkeys_t)
corecmd_exec_shell(loadkeys_t)
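Review bot: `init_use_fds(loadkeys_t)` is inserted between `kernel_read_system_state(loadkeys_t)` and the `corecmd_*` calls, which puts a system-layer interface in the middle of the kernel-layer group. Move it down to the block with the other system-layer calls so the module keeps the usual refpolicy ordering and the new permission is found where a reader expects it.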
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
To: gentoo-commits
commit: 2461473627beea7a5e372c1b3f244c5e30f3438b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:18:02 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=24614736
plymouth: pid interface usability
Improve the usability of one plymouth interface.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/plymouthd.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/plymouthd.if b/policy/modules/contrib/plymouthd.if
index 30e751f1..54cd777a 100644
--- a/policy/modules/contrib/plymouthd.if
+++ b/policy/modules/contrib/plymouthd.if
@@ -228,6 +228,7 @@ interface(`plymouthd_read_pid_files',`
')
files_search_pids($1)
+ allow $1 plymouthd_var_run_t:dir search_dir_perms;
allow $1 plymouthd_var_run_t:file read_file_perms;
')
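Review bot: the added `allow $1 plymouthd_var_run_t:dir search_dir_perms;` together with the existing `allow $1 plymouthd_var_run_t:file read_file_perms;` is exactly what the pattern macro provides, so the two rules could be replaced by `read_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)`. The commit message ("Improve the usability of one plymouth interface") should also say what failed before, namely that callers could not traverse the plymouthd run directory to reach the pid file.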
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
To: gentoo-commits
commit: b8a604ac7ca611afbf53c9e07724030c0555fd30
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu May 4 12:27:23 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 16:02:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8a604ac
Module version bump for /usr/bin fc fixes from Nicolas Iooss.
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/acpi.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 2 +-
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bcfg2.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/bird.te | 2 +-
policy/modules/contrib/bitlbee.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/brctl.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cfengine.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/clogd.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/comsat.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/corosync.te | 2 +-
policy/modules/contrib/courier.te | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/dbskk.te | 2 +-
policy/modules/contrib/dcc.te | 2 +-
policy/modules/contrib/ddclient.te | 2 +-
policy/modules/contrib/ddcprobe.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dmidecode.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dnssectrigger.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/dphysswapfile.te | 2 +-
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/drbd.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fakehwclock.te | 2 +-
policy/modules/contrib/fcoe.te | 2 +-
policy/modules/contrib/finger.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/firstboot.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gatekeeper.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/hddtemp.te | 2 +-
policy/modules/contrib/hwloc.te | 2 +-
policy/modules/contrib/hypervkvp.te | 2 +-
policy/modules/contrib/i18n_input.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/inetd.te | 2 +-
policy/modules/contrib/inn.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/ircd.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/isns.te | 2 +-
policy/modules/contrib/jabber.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kerberos.te | 2 +-
policy/modules/contrib/kerneloops.te | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
policy/modules/contrib/ktalk.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/l2tp.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/lldpad.te | 2 +-
policy/modules/contrib/lockdev.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/logwatch.te | 2 +-
policy/modules/contrib/lpd.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/milter.te | 2 +-
policy/modules/contrib/minidlna.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/modemmanager.te | 2 +-
policy/modules/contrib/mon.te | 2 +-
policy/modules/contrib/monop.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nessus.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nsd.te | 2 +-
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oav.te | 2 +-
policy/modules/contrib/oddjob.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openct.te | 2 +-
policy/modules/contrib/openhpi.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/perdition.te | 2 +-
policy/modules/contrib/pingd.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/portslave.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/postgrey.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelink.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/privoxy.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/pxe.te | 2 +-
policy/modules/contrib/qmail.te | 2 +-
policy/modules/contrib/qpid.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/rdisc.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rlogin.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rshd.te | 2 +-
policy/modules/contrib/rwho.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/sanlock.te | 2 +-
policy/modules/contrib/sasl.te | 2 +-
policy/modules/contrib/sblim.te | 2 +-
policy/modules/contrib/sensord.te | 2 +-
policy/modules/contrib/setroubleshoot.te | 2 +-
policy/modules/contrib/shibboleth.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/slpd.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/smstools.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/sosreport.te | 2 +-
policy/modules/contrib/soundserver.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/speedtouch.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/sxid.te | 2 +-
policy/modules/contrib/tboot.te | 2 +-
policy/modules/contrib/tcpd.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
policy/modules/contrib/telnet.te | 2 +-
policy/modules/contrib/tftp.te | 2 +-
policy/modules/contrib/tgtd.te | 2 +-
policy/modules/contrib/tmpreaper.te | 2 +-
policy/modules/contrib/transproxy.te | 2 +-
policy/modules/contrib/tripwire.te | 2 +-
policy/modules/contrib/tuned.te | 2 +-
policy/modules/contrib/tzdata.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/updfstab.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/usbmodules.te | 2 +-
policy/modules/contrib/usbmuxd.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/uucp.te | 2 +-
policy/modules/contrib/uuidd.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vbetool.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/vlock.te | 2 +-
policy/modules/contrib/vmware.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
policy/modules/contrib/vpn.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/xen.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
policy/modules/contrib/zosremote.te | 2 +-
223 files changed, 223 insertions(+), 223 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 8c52ac9b..9fb4f3ff 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.7.0)
+policy_module(abrt, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index fb2e1ebe..dfe0ec7c 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.7.2)
+policy_module(acct, 1.7.3)
########################################
#
diff --git a/policy/modules/contrib/acpi.te b/policy/modules/contrib/acpi.te
index 0cd3d884..083dfe92 100644
--- a/policy/modules/contrib/acpi.te
+++ b/policy/modules/contrib/acpi.te
@@ -1,4 +1,4 @@
-policy_module(acpi, 1.0.0)
+policy_module(acpi, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index b95757a5..8b7c7765 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -1,4 +1,4 @@
-policy_module(afs, 1.10.0)
+policy_module(afs, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index 6202f38c..a3ea7e6a 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -1,4 +1,4 @@
-policy_module(aiccu, 1.3.1)
+policy_module(aiccu, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index 06b61940..1e5dffe4 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -1,4 +1,4 @@
-policy_module(aisexec, 1.4.0)
+policy_module(aisexec, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 6946ef0a..7654ae0e 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.16.2)
+policy_module(alsa, 1.16.3)
########################################
#
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index ecf15211..6b058e02 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -1,4 +1,4 @@
-policy_module(amanda, 1.16.0)
+policy_module(amanda, 1.16.1)
#######################################
#
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index 44913b37..f0722742 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.17.0)
+policy_module(amavis, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index e69a6c9a..47e47b05 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.5)
+policy_module(apache, 2.12.6)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index e1586b36..fcb60aa3 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.12.1)
+policy_module(apcupsd, 1.12.2)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 8c1ded68..441c0f3c 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.14.0)
+policy_module(arpwatch, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index 9c6a947f..3291031a 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.17.0)
+policy_module(asterisk, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 09b82b0c..f99ecc18 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.18.0)
+policy_module(automount, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index b2e43eed..e38e0b09 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.18.0)
+policy_module(avahi, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index 20b92c3f..aac922f7 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.4.0)
+policy_module(bacula, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te
index 24e70b89..cc84cd9f 100644
--- a/policy/modules/contrib/bcfg2.te
+++ b/policy/modules/contrib/bcfg2.te
@@ -1,4 +1,4 @@
-policy_module(bcfg2, 1.3.0)
+policy_module(bcfg2, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 25329fdb..2351e024 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.18.1)
+policy_module(bind, 1.18.2)
########################################
#
diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te
index dcf8f0bd..27df06b2 100644
--- a/policy/modules/contrib/bird.te
+++ b/policy/modules/contrib/bird.te
@@ -1,4 +1,4 @@
-policy_module(bird, 1.3.0)
+policy_module(bird, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index 90ff0dc6..b30a5ec4 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.7.1)
+policy_module(bitlbee, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 75d739da..208a146b 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.7.0)
+policy_module(bluetooth, 3.7.1)
########################################
#
diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
index fd789b5f..4582159b 100644
--- a/policy/modules/contrib/brctl.te
+++ b/policy/modules/contrib/brctl.te
@@ -1,4 +1,4 @@
-policy_module(brctl, 1.7.1)
+policy_module(brctl, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index c92149d1..954dc2a8 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.3.1)
+policy_module(cachefilesd, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index f9443343..6bf2d777 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -1,4 +1,4 @@
-policy_module(callweaver, 1.3.0)
+policy_module(callweaver, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index ea8f64b5..9fee410c 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -1,4 +1,4 @@
-policy_module(canna, 1.14.0)
+policy_module(canna, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index bc766e74..7da9d409 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.10.1)
+policy_module(ccs, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index f6c9d20d..0770f117 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.5.0)
+policy_module(certmonger, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/cfengine.te b/policy/modules/contrib/cfengine.te
index c888ff23..d381792e 100644
--- a/policy/modules/contrib/cfengine.te
+++ b/policy/modules/contrib/cfengine.te
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.2.0)
+policy_module(cfengine, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 3599d7a2..9705e1af 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.5.1)
+policy_module(cgroup, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 618f6cf5..3e9a1c5b 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.4.0)
+policy_module(chronyd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index 729d7820..8b31ca11 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -1,4 +1,4 @@
-policy_module(cipe, 1.7.0)
+policy_module(cipe, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index 11e568a6..5706540d 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.14.1)
+policy_module(clamav, 1.14.2)
## <desc>
## <p>
diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te
index b9a57b18..6a667109 100644
--- a/policy/modules/contrib/clogd.te
+++ b/policy/modules/contrib/clogd.te
@@ -1,4 +1,4 @@
-policy_module(clogd, 1.2.0)
+policy_module(clogd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index ece1a1ce..22c88cfd 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord, 1.3.0)
+policy_module(cmirrord, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index e9e6d135..4d375ce5 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.3.0)
+policy_module(collectd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te
index 9b7b3706..9a4a146e 100644
--- a/policy/modules/contrib/comsat.te
+++ b/policy/modules/contrib/comsat.te
@@ -1,4 +1,4 @@
-policy_module(comsat, 1.8.0)
+policy_module(comsat, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index fbb70249..18012be1 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.4.0)
+policy_module(condor, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index a2a51ba8..06451dff 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.12.0)
+policy_module(consolekit, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index 771582f0..c8ecef1c 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -1,4 +1,4 @@
-policy_module(corosync, 1.3.0)
+policy_module(corosync, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 31ee1073..57ef751c 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.16.1)
+policy_module(courier, 1.16.2)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index cff0e16c..0d255fce 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.6.1)
+policy_module(cpucontrol, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 15e6bdb4..49e58a0b 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.4)
+policy_module(cron, 2.11.5)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index 4f9c3f06..e62f3912 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.4.0)
+policy_module(ctdb, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 88a73ce4..2b81255f 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.4)
+policy_module(cups, 1.21.5)
########################################
#
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index 124f2c58..bcabb498 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -1,4 +1,4 @@
-policy_module(dante, 1.11.0)
+policy_module(dante, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/dbskk.te b/policy/modules/contrib/dbskk.te
index f55c4208..6b5a7471 100644
--- a/policy/modules/contrib/dbskk.te
+++ b/policy/modules/contrib/dbskk.te
@@ -1,4 +1,4 @@
-policy_module(dbskk, 1.6.0)
+policy_module(dbskk, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
index 9b1c25e7..eb05bbda 100644
--- a/policy/modules/contrib/dcc.te
+++ b/policy/modules/contrib/dcc.te
@@ -1,4 +1,4 @@
-policy_module(dcc, 1.13.0)
+policy_module(dcc, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
index 333d3094..6e3f3bd2 100644
--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,4 +1,4 @@
-policy_module(ddclient, 1.12.0)
+policy_module(ddclient, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te
index 8d1263ae..4e67816a 100644
--- a/policy/modules/contrib/ddcprobe.te
+++ b/policy/modules/contrib/ddcprobe.te
@@ -1,4 +1,4 @@
-policy_module(ddcprobe, 1.3.0)
+policy_module(ddcprobe, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 2fbf84ed..77d18aee 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.14.0)
+policy_module(dhcp, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index c390b549..13947f21 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.10.0)
+policy_module(dictd, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 5ffc618b..2cb15e39 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.5.1)
+policy_module(dkim, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index aa8e3e6d..93000a01 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -1,4 +1,4 @@
-policy_module(dmidecode, 1.6.0)
+policy_module(dmidecode, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index ee961ce2..e7278d0a 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.14.0)
+policy_module(dnsmasq, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/dnssectrigger.te b/policy/modules/contrib/dnssectrigger.te
index e6c58402..c48910d0 100644
--- a/policy/modules/contrib/dnssectrigger.te
+++ b/policy/modules/contrib/dnssectrigger.te
@@ -1,4 +1,4 @@
-policy_module(dnssectrigger, 1.3.0)
+policy_module(dnssectrigger, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index d18f9adc..208d9957 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.19.1)
+policy_module(dovecot, 1.19.2)
########################################
#
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index 5a308095..fe11baec 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -1,4 +1,4 @@
-policy_module(dphysswapfile, 1.0.2)
+policy_module(dphysswapfile, 1.0.3)
########################################
#
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index e781815d..730e38f6 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.7)
+policy_module(dpkg, 1.11.8)
########################################
#
diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te
index 0d1e6366..e7907f2b 100644
--- a/policy/modules/contrib/drbd.te
+++ b/policy/modules/contrib/drbd.te
@@ -1,4 +1,4 @@
-policy_module(drbd, 1.2.1)
+policy_module(drbd, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index 991b6219..a788c570 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.11.0)
+policy_module(entropyd, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 66421ff3..389aa302 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.10.0)
+policy_module(exim, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/fakehwclock.te b/policy/modules/contrib/fakehwclock.te
index 5caedf9f..5a6e57ca 100644
--- a/policy/modules/contrib/fakehwclock.te
+++ b/policy/modules/contrib/fakehwclock.te
@@ -1,4 +1,4 @@
-policy_module(fakehwclock, 1.0.1)
+policy_module(fakehwclock, 1.0.2)
########################################
#
diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
index 706874f3..20714983 100644
--- a/policy/modules/contrib/fcoe.te
+++ b/policy/modules/contrib/fcoe.te
@@ -1,4 +1,4 @@
-policy_module(fcoe, 1.3.0)
+policy_module(fcoe, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index d7fdd5eb..2619a20b 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -1,4 +1,4 @@
-policy_module(finger, 1.12.0)
+policy_module(finger, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 70f5fb43..c05dff4e 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.5.1)
+policy_module(firewalld, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te
index e5c5ecdb..a1afc1b7 100644
--- a/policy/modules/contrib/firstboot.te
+++ b/policy/modules/contrib/firstboot.te
@@ -1,4 +1,4 @@
-policy_module(firstboot, 1.13.1)
+policy_module(firstboot, 1.13.2)
gen_require(`
class passwd { passwd chfn chsh rootok };
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 7e81e249..f18dc97b 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.20.0)
+policy_module(ftp, 1.20.1)
########################################
#
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
index 01dc4562..504f10e4 100644
--- a/policy/modules/contrib/gatekeeper.te
+++ b/policy/modules/contrib/gatekeeper.te
@@ -1,4 +1,4 @@
-policy_module(gatekeeper, 1.10.0)
+policy_module(gatekeeper, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 07bd10d7..c32ed752 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.4.0)
+policy_module(glusterfs, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 4e2b5f9c..4452e0e6 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.11.1)
+policy_module(gpm, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index 6f4e8b79..20c377aa 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -1,4 +1,4 @@
-policy_module(gpsd, 1.4.0)
+policy_module(gpsd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 997f3e3b..bce0de22 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.17.2)
+policy_module(hal, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te
index 90b148ec..135d8844 100644
--- a/policy/modules/contrib/hddtemp.te
+++ b/policy/modules/contrib/hddtemp.te
@@ -1,4 +1,4 @@
-policy_module(hddtemp, 1.3.0)
+policy_module(hddtemp, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/hwloc.te b/policy/modules/contrib/hwloc.te
index 716a590e..e6d6e0ae 100644
--- a/policy/modules/contrib/hwloc.te
+++ b/policy/modules/contrib/hwloc.te
@@ -1,4 +1,4 @@
-policy_module(hwloc, 1.1.0)
+policy_module(hwloc, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 5f3e48da..8af768a4 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -1,4 +1,4 @@
-policy_module(hypervkvp, 1.1.0)
+policy_module(hypervkvp, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
index d1a42660..6cb963ca 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.11.0)
+policy_module(i18n_input, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index 4f1223db..46cc865a 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.3.0)
+policy_module(ifplugd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 70ecd1e5..678cacdf 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.14.1)
+policy_module(inetd, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
index dc5c007e..fd579875 100644
--- a/policy/modules/contrib/inn.te
+++ b/policy/modules/contrib/inn.te
@@ -1,4 +1,4 @@
-policy_module(inn, 1.13.0)
+policy_module(inn, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index b316ec5b..f0896487 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.2)
+policy_module(iodine, 1.2.3)
########################################
#
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
index 94c9c233..75aaa8f9 100644
--- a/policy/modules/contrib/ircd.te
+++ b/policy/modules/contrib/ircd.te
@@ -1,4 +1,4 @@
-policy_module(ircd, 1.10.0)
+policy_module(ircd, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index b8cea5ec..0c78171b 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.9.0)
+policy_module(irqbalance, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 8061f7ea..ebd7b255 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.11.1)
+policy_module(iscsi, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/isns.te b/policy/modules/contrib/isns.te
index 83356b97..1afc0a09 100644
--- a/policy/modules/contrib/isns.te
+++ b/policy/modules/contrib/isns.te
@@ -1,4 +1,4 @@
-policy_module(isns, 1.2.0)
+policy_module(isns, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index 36f603c3..954f3613 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.12.1)
+policy_module(jabber, 1.12.2)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index fb6f1378..659b3aeb 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.5.2)
+policy_module(kdump, 1.5.3)
#######################################
#
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index d226156e..2c75d8ec 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.14.0)
+policy_module(kerberos, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index 58ee9516..f974f045 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.6.2)
+policy_module(kerneloops, 1.6.3)
########################################
#
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index f03cf59a..bbfdb4c8 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.4.0)
+policy_module(ksmtuned, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/ktalk.te b/policy/modules/contrib/ktalk.te
index 52f3be7e..bcd12a05 100644
--- a/policy/modules/contrib/ktalk.te
+++ b/policy/modules/contrib/ktalk.te
@@ -1,4 +1,4 @@
-policy_module(ktalk, 1.10.0)
+policy_module(ktalk, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index b1696618..e893b789 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.12.2)
+policy_module(kudzu, 1.12.3)
########################################
#
diff --git a/policy/modules/contrib/l2tp.te b/policy/modules/contrib/l2tp.te
index b45a216f..a0f598e1 100644
--- a/policy/modules/contrib/l2tp.te
+++ b/policy/modules/contrib/l2tp.te
@@ -1,4 +1,4 @@
-policy_module(l2tp, 1.3.0)
+policy_module(l2tp, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 023884ab..35a1ff33 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.15.0)
+policy_module(ldap, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index 21d18a3c..a0673fd5 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.5.0)
+policy_module(likewise, 1.5.1)
#################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 88078024..1be40213 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.4.0)
+policy_module(lircd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index 803bf48f..b30a33d1 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -1,4 +1,4 @@
-policy_module(lldpad, 1.3.0)
+policy_module(lldpad, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/lockdev.te b/policy/modules/contrib/lockdev.te
index 61db5a0a..f60ee157 100644
--- a/policy/modules/contrib/lockdev.te
+++ b/policy/modules/contrib/lockdev.te
@@ -1,4 +1,4 @@
-policy_module(lockdev, 1.5.0)
+policy_module(lockdev, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 1c63e097..b0176afb 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.3)
+policy_module(logrotate, 1.18.4)
########################################
#
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index d2b54207..0e115309 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.14.1)
+policy_module(logwatch, 1.14.2)
#################################
#
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 8ebe2435..64fd6e50 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -1,4 +1,4 @@
-policy_module(lpd, 1.15.2)
+policy_module(lpd, 1.15.3)
########################################
#
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index d8dcb317..2da0a226 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -1,4 +1,4 @@
-policy_module(mailscanner, 1.3.0)
+policy_module(mailscanner, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index 8e62b7a8..d5e1cba0 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.5.0)
+policy_module(mcelog, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 8295ca64..96c0c59d 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.6.1)
+policy_module(milter, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index 3ab4189d..7b8aa39d 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -1,4 +1,4 @@
-policy_module(minidlna, 1.1.0)
+policy_module(minidlna, 1.1.1)
#############################################
#
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index d16cdb1b..5145a16a 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.3.0)
+policy_module(minissdpd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index 20c99b63..b4236dd7 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.4.0)
+policy_module(modemmanager, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index 0207d0ac..b8a92025 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.0.3)
+policy_module(mon, 1.0.4)
########################################
#
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
index 091f315b..9337497d 100644
--- a/policy/modules/contrib/monop.te
+++ b/policy/modules/contrib/monop.te
@@ -1,4 +1,4 @@
-policy_module(monop, 1.10.0)
+policy_module(monop, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index caa21fb9..a330ed83 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.6)
+policy_module(mta, 2.8.7)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 6fe1ce56..04d9c9e9 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.19.1)
+policy_module(mysql, 1.19.2)
########################################
#
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
index e14a3f35..ba5114fa 100644
--- a/policy/modules/contrib/nessus.te
+++ b/policy/modules/contrib/nessus.te
@@ -1,4 +1,4 @@
-policy_module(nessus, 1.11.0)
+policy_module(nessus, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index c6d62977..1614b533 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.5)
+policy_module(networkmanager, 1.20.6)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index c49ecb0b..11a3bde2 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.15.1)
+policy_module(nis, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index dfd1adf8..93daee41 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.15.0)
+policy_module(nscd, 1.15.1)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
index 911aa8ca..8851506f 100644
--- a/policy/modules/contrib/nsd.te
+++ b/policy/modules/contrib/nsd.te
@@ -1,4 +1,4 @@
-policy_module(nsd, 1.10.0)
+policy_module(nsd, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index 30639e64..eb6ed983 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.7.0)
+policy_module(nslcd, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index 025f5d4a..1b5251a5 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -1,4 +1,4 @@
-policy_module(ntop, 1.12.0)
+policy_module(ntop, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 89b31bf3..cbd5fd18 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.4)
+policy_module(ntp, 1.16.5)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index d38ced7b..0a12ac89 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.6.1)
+policy_module(nut, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/oav.te b/policy/modules/contrib/oav.te
index b09c4c41..4a171f13 100644
--- a/policy/modules/contrib/oav.te
+++ b/policy/modules/contrib/oav.te
@@ -1,4 +1,4 @@
-policy_module(oav, 1.10.0)
+policy_module(oav, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
index 507d6d24..dd34cec0 100644
--- a/policy/modules/contrib/oddjob.te
+++ b/policy/modules/contrib/oddjob.te
@@ -1,4 +1,4 @@
-policy_module(oddjob, 1.11.1)
+policy_module(oddjob, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index c1f42dc1..6d19804e 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -1,4 +1,4 @@
-policy_module(oident, 2.4.0)
+policy_module(oident, 2.4.1)
########################################
#
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
index 5002e6ac..c4157e74 100644
--- a/policy/modules/contrib/openct.te
+++ b/policy/modules/contrib/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.9.0)
+policy_module(openct, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/openhpi.te b/policy/modules/contrib/openhpi.te
index ea840550..d33d901a 100644
--- a/policy/modules/contrib/openhpi.te
+++ b/policy/modules/contrib/openhpi.te
@@ -1,4 +1,4 @@
-policy_module(openhpi, 1.3.0)
+policy_module(openhpi, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 54170a62..49c3dc0e 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.15.1)
+policy_module(openvpn, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index 218470bb..d5509e77 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.3.0)
+policy_module(pacemaker, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index 5d8ccb2f..63a42663 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -1,4 +1,4 @@
-policy_module(pcmcia, 1.8.2)
+policy_module(pcmcia, 1.8.3)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index e33dc6b6..1b3b1302 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.12.0)
+policy_module(pcscd, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index b2138295..1648e483 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.12.0)
+policy_module(pegasus, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 2975c2cc..42df124f 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.10.1)
+policy_module(perdition, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index fbe72918..6614fd9e 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -1,4 +1,4 @@
-policy_module(pingd, 1.2.0)
+policy_module(pingd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index b10f18e7..eeb4bacd 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.3.0)
+policy_module(pkcs, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 6c73283c..71467854 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.4.2)
+policy_module(plymouthd, 1.4.3)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 2a8c850b..b894502e 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.13.1)
+policy_module(portmap, 1.13.2)
########################################
#
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index a09698ce..298d5905 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.6.1)
+policy_module(portreserve, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
index b34887c9..217bebaf 100644
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -1,4 +1,4 @@
-policy_module(portslave, 1.8.0)
+policy_module(portslave, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 1b562bab..33f2cdd1 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.17.2)
+policy_module(postfix, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index be84e714..082b2a06 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.5.1)
+policy_module(postfixpolicyd, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index 4fe73487..0628a4e5 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.11.1)
+policy_module(postgrey, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 6d34d7b7..8f05b2d6 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.17.2)
+policy_module(ppp, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te
index 784b81ae..3198c925 100644
--- a/policy/modules/contrib/prelink.te
+++ b/policy/modules/contrib/prelink.te
@@ -1,4 +1,4 @@
-policy_module(prelink, 1.11.1)
+policy_module(prelink, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index 4f14f0b6..5c8efc5d 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.7.1)
+policy_module(prelude, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
index ce344917..5205da69 100644
--- a/policy/modules/contrib/privoxy.te
+++ b/policy/modules/contrib/privoxy.te
@@ -1,4 +1,4 @@
-policy_module(privoxy, 1.14.0)
+policy_module(privoxy, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index b94e44a9..53fc70b2 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.4.0)
+policy_module(psad, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
index 8694d852..c9ef2a2c 100644
--- a/policy/modules/contrib/pxe.te
+++ b/policy/modules/contrib/pxe.te
@@ -1,4 +1,4 @@
-policy_module(pxe, 1.7.0)
+policy_module(pxe, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
index 455f2c0e..99b31343 100644
--- a/policy/modules/contrib/qmail.te
+++ b/policy/modules/contrib/qmail.te
@@ -1,4 +1,4 @@
-policy_module(qmail, 1.7.0)
+policy_module(qmail, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
index edae1871..4a7e0bf9 100644
--- a/policy/modules/contrib/qpid.te
+++ b/policy/modules/contrib/qpid.te
@@ -1,4 +1,4 @@
-policy_module(qpid, 1.3.0)
+policy_module(qpid, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 95fc0aa3..6100ff21 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.9.1)
+policy_module(quota, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index bbe4e1ce..0d3a0c57 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.15.0)
+policy_module(radius, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index 41df3b57..b9972ee5 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.16.0)
+policy_module(radvd, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index 49c7dbb4..011b2967 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.17.1)
+policy_module(raid, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/rdisc.te b/policy/modules/contrib/rdisc.te
index ea6d2d92..d4b488de 100644
--- a/policy/modules/contrib/rdisc.te
+++ b/policy/modules/contrib/rdisc.te
@@ -1,4 +1,4 @@
-policy_module(rdisc, 1.8.1)
+policy_module(rdisc, 1.8.2)
########################################
#
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index ec587591..e70c52a6 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -1,4 +1,4 @@
-policy_module(readahead, 1.15.1)
+policy_module(readahead, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index b5162055..362cc355 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.4.0)
+policy_module(redis, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index 25e40670..3fce4733 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.5.1)
+policy_module(resmgr, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index 905c3d44..e63c628f 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.6.0)
+policy_module(rgmanager, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 85a3a066..2cf91164 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.6.0)
+policy_module(rhcs, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index e576ff12..f2e9c806 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -1,4 +1,4 @@
-policy_module(ricci, 1.10.1)
+policy_module(ricci, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
index 94d41e81..fa544703 100644
--- a/policy/modules/contrib/rlogin.te
+++ b/policy/modules/contrib/rlogin.te
@@ -1,4 +1,4 @@
-policy_module(rlogin, 1.12.0)
+policy_module(rlogin, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index ee1f1349..6f41db77 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.4.0)
+policy_module(rngd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 0b9a71fc..a8a83400 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.2)
+policy_module(rpc, 1.19.3)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index abe55b18..75b5725f 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.11.2)
+policy_module(rpcbind, 1.11.3)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 2e3596b0..2dcf018c 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.19.2)
+policy_module(rpm, 1.19.3)
########################################
#
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index 78a8f3c7..4cff9508 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -1,4 +1,4 @@
-policy_module(rshd, 1.9.1)
+policy_module(rshd, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te
index 0cd90acd..9b731982 100644
--- a/policy/modules/contrib/rwho.te
+++ b/policy/modules/contrib/rwho.te
@@ -1,4 +1,4 @@
-policy_module(rwho, 1.8.0)
+policy_module(rwho, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 06323b49..2bde1870 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.20.1)
+policy_module(samba, 1.20.2)
#################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 9618e95c..20972aa3 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.4.1)
+policy_module(samhain, 1.4.2)
########################################
#
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
index fccc1c29..b818f2b6 100644
--- a/policy/modules/contrib/sanlock.te
+++ b/policy/modules/contrib/sanlock.te
@@ -1,4 +1,4 @@
-policy_module(sanlock, 1.3.0)
+policy_module(sanlock, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index 235a66d8..daf996eb 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.18.0)
+policy_module(sasl, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
index 77632c25..9a901bd5 100644
--- a/policy/modules/contrib/sblim.te
+++ b/policy/modules/contrib/sblim.te
@@ -1,4 +1,4 @@
-policy_module(sblim, 1.3.0)
+policy_module(sblim, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/sensord.te b/policy/modules/contrib/sensord.te
index f5d4288a..572bf7cf 100644
--- a/policy/modules/contrib/sensord.te
+++ b/policy/modules/contrib/sensord.te
@@ -1,4 +1,4 @@
-policy_module(sensord, 1.2.0)
+policy_module(sensord, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
index 68f546fe..2d8adf9e 100644
--- a/policy/modules/contrib/setroubleshoot.te
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.15.0)
+policy_module(setroubleshoot, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index 0d742041..7ed9e3f9 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -1,4 +1,4 @@
-policy_module(shibboleth, 1.2.0)
+policy_module(shibboleth, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index e7249426..a56cab4a 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.6.2)
+policy_module(shorewall, 1.6.3)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 0e38114a..881f6c1f 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.4.2)
+policy_module(shutdown, 1.4.3)
########################################
#
diff --git a/policy/modules/contrib/slpd.te b/policy/modules/contrib/slpd.te
index f4f1edfd..116f3e35 100644
--- a/policy/modules/contrib/slpd.te
+++ b/policy/modules/contrib/slpd.te
@@ -1,4 +1,4 @@
-policy_module(slpd, 1.3.0)
+policy_module(slpd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index 1ad706c7..74925838 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.14.1)
+policy_module(smartmon, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index cc19c38d..ed86ad9a 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -1,4 +1,4 @@
-policy_module(smokeping, 1.4.0)
+policy_module(smokeping, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/smstools.te b/policy/modules/contrib/smstools.te
index 55096f6a..e18a79b6 100644
--- a/policy/modules/contrib/smstools.te
+++ b/policy/modules/contrib/smstools.te
@@ -1,4 +1,4 @@
-policy_module(smstools, 1.2.0)
+policy_module(smstools, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index fe37b52d..134094e8 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.16.0)
+policy_module(snmp, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 536efd00..6ccb88d2 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.14.0)
+policy_module(snort, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 940f220a..0adbde7e 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -1,4 +1,4 @@
-policy_module(sosreport, 1.4.0)
+policy_module(sosreport, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
index 5b8bd927..18386afd 100644
--- a/policy/modules/contrib/soundserver.te
+++ b/policy/modules/contrib/soundserver.te
@@ -1,4 +1,4 @@
-policy_module(soundserver, 1.11.0)
+policy_module(soundserver, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 2f770d2d..74d30072 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.10.1)
+policy_module(spamassassin, 2.10.2)
########################################
#
diff --git a/policy/modules/contrib/speedtouch.te b/policy/modules/contrib/speedtouch.te
index 70dcf8d4..e91ca9e4 100644
--- a/policy/modules/contrib/speedtouch.te
+++ b/policy/modules/contrib/speedtouch.te
@@ -1,4 +1,4 @@
-policy_module(speedtouch, 1.6.0)
+policy_module(speedtouch, 1.6.1)
#######################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index f4fd15e8..626e10bc 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.15.1)
+policy_module(squid, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index e273c904..2e9b28ac 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.4.0)
+policy_module(sssd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te
index 010c40ce..3c9f9a73 100644
--- a/policy/modules/contrib/sxid.te
+++ b/policy/modules/contrib/sxid.te
@@ -1,4 +1,4 @@
-policy_module(sxid, 1.8.0)
+policy_module(sxid, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/tboot.te b/policy/modules/contrib/tboot.te
index 4961a362..02bae3b7 100644
--- a/policy/modules/contrib/tboot.te
+++ b/policy/modules/contrib/tboot.te
@@ -1,4 +1,4 @@
-policy_module(tboot, 1.0.0)
+policy_module(tboot, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/tcpd.te b/policy/modules/contrib/tcpd.te
index 2d6d2c23..32485347 100644
--- a/policy/modules/contrib/tcpd.te
+++ b/policy/modules/contrib/tcpd.te
@@ -1,4 +1,4 @@
-policy_module(tcpd, 1.5.0)
+policy_module(tcpd, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index ca98bf86..36434768 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.3.0)
+policy_module(tcsd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
index 6007d763..f0da2757 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -1,4 +1,4 @@
-policy_module(telnet, 1.12.0)
+policy_module(telnet, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te
index cfaa2a19..02dfb404 100644
--- a/policy/modules/contrib/tftp.te
+++ b/policy/modules/contrib/tftp.te
@@ -1,4 +1,4 @@
-policy_module(tftp, 1.13.0)
+policy_module(tftp, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index c3761188..d21cf4b4 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,4 +1,4 @@
-policy_module(tgtd, 1.6.0)
+policy_module(tgtd, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
index f96e6242..f6fad636 100644
--- a/policy/modules/contrib/tmpreaper.te
+++ b/policy/modules/contrib/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.8.0)
+policy_module(tmpreaper, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
index 61b6f5cb..2e7c2f7e 100644
--- a/policy/modules/contrib/transproxy.te
+++ b/policy/modules/contrib/transproxy.te
@@ -1,4 +1,4 @@
-policy_module(transproxy, 1.10.0)
+policy_module(transproxy, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te
index 47dc24b3..0a098f30 100644
--- a/policy/modules/contrib/tripwire.te
+++ b/policy/modules/contrib/tripwire.te
@@ -1,4 +1,4 @@
-policy_module(tripwire, 1.3.0)
+policy_module(tripwire, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
index ba1e1471..5aef872b 100644
--- a/policy/modules/contrib/tuned.te
+++ b/policy/modules/contrib/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.4.0)
+policy_module(tuned, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/tzdata.te b/policy/modules/contrib/tzdata.te
index 221c43b8..55656375 100644
--- a/policy/modules/contrib/tzdata.te
+++ b/policy/modules/contrib/tzdata.te
@@ -1,4 +1,4 @@
-policy_module(tzdata, 1.5.0)
+policy_module(tzdata, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index 50beee26..d2ac9c3c 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.4.0)
+policy_module(ulogd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/updfstab.te b/policy/modules/contrib/updfstab.te
index 02754be8..735a3cc2 100644
--- a/policy/modules/contrib/updfstab.te
+++ b/policy/modules/contrib/updfstab.te
@@ -1,4 +1,4 @@
-policy_module(updfstab, 1.6.1)
+policy_module(updfstab, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index 79c6c8ed..8130870c 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.8.0)
+policy_module(uptime, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/usbmodules.te b/policy/modules/contrib/usbmodules.te
index d4307b9d..84312dd4 100644
--- a/policy/modules/contrib/usbmodules.te
+++ b/policy/modules/contrib/usbmodules.te
@@ -1,4 +1,4 @@
-policy_module(usbmodules, 1.3.1)
+policy_module(usbmodules, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/usbmuxd.te b/policy/modules/contrib/usbmuxd.te
index a1d498e6..77f7a7e6 100644
--- a/policy/modules/contrib/usbmuxd.te
+++ b/policy/modules/contrib/usbmuxd.te
@@ -1,4 +1,4 @@
-policy_module(usbmuxd, 1.3.0)
+policy_module(usbmuxd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 9c7ac268..d620c666 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.10.0)
+policy_module(userhelper, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index 1c8b8dfd..3a4d5caa 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -1,4 +1,4 @@
-policy_module(usernetctl, 1.7.1)
+policy_module(usernetctl, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index d44d025f..7547ba14 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -1,4 +1,4 @@
-policy_module(uucp, 1.14.0)
+policy_module(uucp, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
index 176ae298..fc83244f 100644
--- a/policy/modules/contrib/uuidd.te
+++ b/policy/modules/contrib/uuidd.te
@@ -1,4 +1,4 @@
-policy_module(uuidd, 1.3.0)
+policy_module(uuidd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index b36f69ca..bc464524 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.5.0)
+policy_module(varnishd, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te
index 09980a08..ed76f796 100644
--- a/policy/modules/contrib/vbetool.te
+++ b/policy/modules/contrib/vbetool.te
@@ -1,4 +1,4 @@
-policy_module(vbetool, 1.7.0)
+policy_module(vbetool, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index 4ceabe08..dca28b43 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.4.0)
+policy_module(vdagent, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index f6636a99..8720c22f 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -1,4 +1,4 @@
-policy_module(vhostmd, 1.3.0)
+policy_module(vhostmd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..4fb34894 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.11.0)
+policy_module(virt, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
index 3ef60af7..4e49bd9c 100644
--- a/policy/modules/contrib/vlock.te
+++ b/policy/modules/contrib/vlock.te
@@ -1,4 +1,4 @@
-policy_module(vlock, 1.2.1)
+policy_module(vlock, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index a4346aad..2332cc12 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -1,4 +1,4 @@
-policy_module(vmware, 2.8.1)
+policy_module(vmware, 2.8.2)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index ee8ae063..1170dc37 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.3.2)
+policy_module(vnstatd, 1.3.3)
########################################
#
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
index 10fb1013..a6769a65 100644
--- a/policy/modules/contrib/vpn.te
+++ b/policy/modules/contrib/vpn.te
@@ -1,4 +1,4 @@
-policy_module(vpn, 1.17.1)
+policy_module(vpn, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index bac0a747..c58a46bc 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.12.0)
+policy_module(watchdog, 1.12.1)
#################################
#
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index 24c3802e..03351241 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -1,4 +1,4 @@
-policy_module(wdmd, 1.3.0)
+policy_module(wdmd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 0d680116..5886a0c2 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.15.1)
+policy_module(xen, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index a021b743..3f45497a 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.10.0)
+policy_module(zabbix, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index bfc2d21d..25e66cae 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.15.0)
+policy_module(zebra, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/zosremote.te b/policy/modules/contrib/zosremote.te
index 7139cde4..67ea8925 100644
--- a/policy/modules/contrib/zosremote.te
+++ b/policy/modules/contrib/zosremote.te
@@ -1,4 +1,4 @@
-policy_module(zosremote, 1.2.1)
+policy_module(zosremote, 1.2.2)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
To: gentoo-commits
commit: 83244b1264056d64fe3c979671a68ec3a80cd7dd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 03:39:18 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83244b12
chromium: allow cap_userns for the sandbox
https://patchwork.kernel.org/patch/8785151/
policy/modules/contrib/chromium.te | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index cd1e1116..a4fba97c 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -89,10 +89,12 @@ xdg_cache_home_content(chromium_xdg_cache_t)
#
# execmem for load in plugins
-allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal };
-allow chromium_t self:fifo_file rw_fifo_file_perms;;
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
+allow chromium_t self:fifo_file rw_fifo_file_perms;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
+# cap_userns sys_admin for the sandbox
+allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
allow chromium_t chromium_exec_t:file execute_no_trans;
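Review bot: the comment added above the cap_userns rule names only sys_admin, but the rule also grants sys_chroot and sys_ptrace inside user namespaces. Please extend the comment to say why each of the three is needed by the sandbox, sys_ptrace in particular. The same hunk also adds getcap to the self:process rule and drops the doubled ";" on the fifo_file line; neither is covered by the subject "allow cap_userns for the sandbox", so mention them in the commit message or split them out.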
@@ -135,6 +137,7 @@ domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
kernel_list_proc(chromium_t)
+kernel_read_net_sysctls(chromium_t)
corecmd_exec_bin(chromium_t)
# Look for /etc/gentoo-release through a shell invocation running find
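Review bot: "kernel_read_net_sysctls(chromium_t)" is not explained by the commit subject or by a comment here. The neighbouring corecmd_exec_bin() call carries a comment saying what triggers it; a one-line comment naming what chromium reads from the net sysctls would make this grant as easy to audit later.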
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 17:02 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 343c6e0f96645d89fd64ec5f6434dc792a887b02
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 15 22:27:04 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=343c6e0f
openoffice: Move ooffice_rw_tmp_files() implementation.
policy/modules/contrib/openoffice.if | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/modules/contrib/openoffice.if b/policy/modules/contrib/openoffice.if
index 5a579e08..19f62381 100644
--- a/policy/modules/contrib/openoffice.if
+++ b/policy/modules/contrib/openoffice.if
@@ -51,38 +51,38 @@ interface(`ooffice_domtrans',`
########################################
## <summary>
-## Read and write temporary
-## openoffice files.
+## Do not audit attempts to execute
+## files in temporary directories.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`ooffice_rw_tmp_files',`
+interface(`ooffice_dontaudit_exec_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
- rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+ dontaudit $1 ooffice_tmp_t:file exec_file_perms;
')
########################################
## <summary>
-## Do not audit attempts to execute
-## files in temporary directories.
+## Read and write temporary
+## openoffice files.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`ooffice_dontaudit_exec_tmp_files',`
+interface(`ooffice_rw_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
- dontaudit $1 ooffice_tmp_t:file exec_file_perms;
+ rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
')
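Review bot: the commit message does not say why ooffice_rw_tmp_files and ooffice_dontaudit_exec_tmp_files swap places. Both bodies and their summary blocks appear unchanged in the hunk, so this reads as a pure reorder; stating the ordering rule being followed (and that no access changes) in the message would let a reader skip re-verifying the 20 changed lines.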
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 17:02 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 071fdd0538b320a9a5ab69032836cf5d4702db67
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 15 22:27:27 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:02:01 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=071fdd05
Module version bump for openoffice fix from Guido Trentalancia.
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index c595af2f..24a36b4e 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.11.2)
+policy_module(mozilla, 2.11.3)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 40e3d97f..fe241429 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.1.1)
+policy_module(openoffice, 1.1.2)
##############################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2017-05-18 17:03 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2017-05-18 17:02 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:02 UTC (permalink / raw
To: gentoo-commits
commit: a02b60e38aeebbef9175e93856bf455eef0a7ebc
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat May 13 15:55:57 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:56 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a02b60e3
openoffice: open files retrieved using mozilla
Let openoffice open files retrieved from the network using mozilla.
Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
policy/modules/contrib/mozilla.if | 18 ++++++++++++++++++
policy/modules/contrib/openoffice.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/contrib/mozilla.if b/policy/modules/contrib/mozilla.if
index ffda45d3..70390632 100644
--- a/policy/modules/contrib/mozilla.if
+++ b/policy/modules/contrib/mozilla.if
@@ -309,6 +309,24 @@ interface(`mozilla_execmod_user_plugin_home_files',`
allow $1 mozilla_plugin_home_t:file execmod;
')
+#######################################
+## <summary>
+## Read temporary mozilla files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_read_tmp_files',`
+ gen_require(`
+ type mozilla_tmp_t;
+ ')
+
+ read_files_pattern($1, mozilla_tmp_t, mozilla_tmp_t)
+')
+
########################################
## <summary>
## Run mozilla in the mozilla domain.
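Review bot: the new mozilla_read_tmp_files interface only calls read_files_pattern on mozilla_tmp_t and does not give the caller search access to the parent tmp directory, so it works only for domains that already have that access from elsewhere. Either add "files_search_tmp($1)" to the body or note the precondition in the summary. The summary could also state that directories and symlinks of type mozilla_tmp_t are not covered.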
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 0be66b6f..40e3d97f 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -128,6 +128,7 @@ optional_policy(`
optional_policy(`
mozilla_domtrans(ooffice_t)
+ mozilla_read_tmp_files(ooffice_t)
')
optional_policy(`
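Review bot: "mozilla_read_tmp_files(ooffice_t)" lets ooffice_t read every file labelled mozilla_tmp_t, which is wider than the commit message's "files retrieved from the network". A short comment at this call stating the intended use case would document why the broader grant is accepted.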
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2017-05-18 17:03 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2017-05-18 17:02 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 5164572d4f1c9c12bcad411349ee23f196dcc524
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon May 8 18:24:30 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5164572d
chronyd: Allow init scripts to create /run/chrony
Remark: So far, chronyd.fc only contains /run/chronyd, but chrony's
default location is actually /run/chrony, so I've added that to the fc.
This commit also fixes a bug in the fc: It said (/.*) instead of (/.*)?
policy/modules/contrib/chronyd.fc | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index 94b601fd..ca2747e7 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -14,7 +14,7 @@
/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
-/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/run/chronyd?(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
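Review bot: the new pattern "/run/chronyd?(/.*)?" folds two changes into one regex, the optional "d" to cover /run/chrony and the trailing "?" bug fix, and the "d?" is easy to misread as part of the directory name. Two explicit entries, or a comment above the line saying both /run/chrony and /run/chronyd are intended, would be clearer. Note that the .pid and .sock entries below still match only the chronyd spelling.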
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 3e9a1c5b..62ddd0bf 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -28,7 +28,7 @@ type chronyd_var_log_t;
logging_log_file(chronyd_var_log_t)
type chronyd_var_run_t;
-files_pid_file(chronyd_var_run_t)
+init_daemon_pid_file(chronyd_var_run_t, dir, "chrony")
########################################
#
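Review bot: init_daemon_pid_file() is given only the name "chrony", while the file context change in this same commit labels both /run/chrony and /run/chronyd. If an init script can still create /run/chronyd, it gets no named transition from this line; either add a second call for "chronyd" or state in a comment that only /run/chrony is created by init scripts.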
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2017-05-18 17:03 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2017-05-18 17:02 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:02 UTC (permalink / raw
To: gentoo-commits
commit: d79fb64e176175d6ee37237aa03b3b00d9d6fb89
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon May 8 18:24:29 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d79fb64e
chronyd: Re-align fc file
policy/modules/contrib/chronyd.fc | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index 66f001b8..94b601fd 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -1,22 +1,22 @@
-/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
-/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
-/usr/bin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/bin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
# Systend unit files
/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
-/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
-/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
-/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
+/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
-/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
-/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
-/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
ifdef(`distro_gentoo',`
/etc/chrony/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
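Review bot: since this hunk is a whitespace-only cleanup of the file, the comment "# Systend unit files" left in the unchanged context could be corrected to "Systemd" in the same pass. The re-aligned "/run/chronyd(/.*)" entry also still lacks the trailing "?" that the other directory entries in the file have.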
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
2017-05-18 17:03 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2017-05-18 17:02 ` Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 39f8b214d04e1176c9511873dcbbbc1207872608
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu May 11 23:53:36 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:55 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=39f8b214
Module version bump for chronyd changes from Luis Ressel.
policy/modules/contrib/chronyd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 62ddd0bf..d1763c87 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.4.1)
+policy_module(chronyd, 1.4.2)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2018-01-18 16:15 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:15 UTC (permalink / raw
To: gentoo-commits
commit: 45bc0742f768a7c1e1b180e6580ac471bba8f12a
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 13 01:25:08 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 14:29:19 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45bc0742
rpm: Module version bump.
policy/modules/contrib/rpm.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 9b1c1048..52c78614 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.20.0)
+policy_module(rpm, 1.20.1)
########################################
#
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2018-01-18 16:15 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:15 UTC (permalink / raw
To: gentoo-commits
commit: 46ecc9be82dfb821a26ecee1787c3261d79cf04c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Dec 12 09:05:17 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 09:05:17 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=46ecc9be
chromium: map mime types
policy/modules/contrib/chromium.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 76f2583a..29e7fee7 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -132,6 +132,7 @@ manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
+allow chromium_t chromium_xdg_cache_t:file map;
manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
xdg_cache_home_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
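Review bot: the subject says "map mime types", but this line grants map on chromium_xdg_cache_t files, which is the browser's own cache rather than MIME data. Please say in the commit message or a comment what in the cache is memory-mapped. The raw allow rule also sits between the manage_files_pattern and manage_dirs_pattern calls for the same type; placing it directly after both keeps the pattern pair together.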
@@ -162,6 +163,7 @@ domain_dontaudit_search_all_domains_state(chromium_t)
files_list_home(chromium_t)
files_search_home(chromium_t)
files_read_usr_files(chromium_t)
+files_map_usr_files(chromium_t)
files_read_etc_files(chromium_t)
# During find for /etc/whatever-release we get lots of output otherwise
files_dontaudit_getattr_all_dirs(chromium_t)
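Review bot: "files_map_usr_files(chromium_t)" allows mapping any file with the generic usr type, which is wider than the MIME database the subject refers to. A comment like the one on files_dontaudit_getattr_all_dirs() below, naming the file that triggered the denial, would record why the generic grant was chosen.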
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2018-01-18 16:15 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:15 UTC (permalink / raw
To: gentoo-commits
commit: d959ec112471aa95de755bc7ec46fc0ca06031d7
Author: Chad Hanson <dahchanson <AT> gmail <DOT> com>
AuthorDate: Mon Dec 11 04:04:36 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 14:26:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d959ec11
Allow rpm to relabel files at all levels
This patch adds MLS relabel ability to rpm per the previous email request: http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html
Signed-off-by: Chad Hanson <dahchanson <AT> gmail.com>
policy/modules/contrib/rpm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 44e8c7b5..9b1c1048 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -174,6 +174,7 @@ fs_search_auto_mountpoints(rpm_t)
mls_file_read_all_levels(rpm_t)
mls_file_write_all_levels(rpm_t)
+mls_file_relabel(rpm_t)
mls_file_upgrade(rpm_t)
mls_file_downgrade(rpm_t)
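Review bot: with mls_file_relabel added next to read_all_levels, write_all_levels, upgrade and downgrade, rpm_t is exempt from most MLS file constraints, and the only rationale is a mailing list URL in the commit message. A short comment above this block summarising why rpm needs relabel in addition to upgrade and downgrade would keep the justification in the policy source, where it survives if the link goes away.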
^ permalink raw reply related [flat|nested] 132+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2018-01-18 16:15 Sven Vermeulen
0 siblings, 0 replies; 132+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:15 UTC (permalink / raw
To: gentoo-commits
commit: 5e18d3eb437717c6ad25e614c617b0cad5700879
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 13 23:55:43 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5e18d3eb
Replace deprecated mmap perm sets and pattern usage.
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/cobbler.te | 2 +-
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.if | 2 +-
policy/modules/contrib/gnome.if | 2 +-
policy/modules/contrib/pingd.te | 2 +-
policy/modules/contrib/portage.te | 2 +-
policy/modules/contrib/postfix.te | 4 ++--
policy/modules/contrib/prelink.te | 6 +++---
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
12 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index d28f4c2f..be12966a 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -415,7 +415,7 @@ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+mmap_exec_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te
index 6177ef41..a3a4453a 100644
--- a/policy/modules/contrib/cobbler.te
+++ b/policy/modules/contrib/cobbler.te
@@ -72,7 +72,7 @@ allow cobblerd_t cobbler_etc_t:dir list_dir_perms;
allow cobblerd_t cobbler_etc_t:file read_file_perms;
allow cobblerd_t cobbler_etc_t:lnk_file read_lnk_file_perms;
-allow cobblerd_t cobbler_tmp_t:file mmap_file_perms;
+allow cobblerd_t cobbler_tmp_t:file mmap_exec_file_perms;
manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
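Review bot: after the rename, the line reads as an executable mapping of cobbler_tmp_t files, and the next line gives cobblerd_t manage access to the same type, so the domain can both write and exec-map its temporary files. The rename keeps existing behaviour, but now that the permission set name makes this explicit, it is worth confirming that execute is really required here, or using a non-exec mapping set if a read-only map suffices.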
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index e165fec3..0ff59b94 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -84,7 +84,7 @@ manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
+allow dpkg_t dpkg_var_lib_t:file mmap_exec_file_perms;
manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 2c930fe5..aa1c637d 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -47,7 +47,7 @@ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
-allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
+allow firewalld_t firewalld_tmp_t:file mmap_exec_file_perms;
manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 349d1b3b..3bfe581d 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -53,7 +53,7 @@ interface(`ftp_check_exec',`
')
corecmd_search_bin($1)
- allow $1 ftpd_exec_t:file mmap_file_perms;
+ allow $1 ftpd_exec_t:file mmap_exec_file_perms;
')
########################################
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 8ed95ee2..8b27d15a 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -805,5 +805,5 @@ interface(`gnome_mmap_gstreamer_orcexec',`
type gstreamer_orcexec_t;
')
- allow $1 gstreamer_orcexec_t:file mmap_file_perms;
+ allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
')
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index 8dad7633..e20b15f8 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -30,7 +30,7 @@ allow pingd_t self:rawip_socket create_socket_perms;
allow pingd_t pingd_etc_t:file read_file_perms;
read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
-mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+mmap_exec_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
corenet_all_recvfrom_unlabeled(pingd_t)
corenet_all_recvfrom_netlabel(pingd_t)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 5905d4dc..067afc97 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -103,7 +103,7 @@ read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
-allow gcc_config_t portage_exec_t:file mmap_file_perms;
+allow gcc_config_t portage_exec_t:file mmap_exec_file_perms;
kernel_read_system_state(gcc_config_t)
kernel_read_kernel_sysctls(gcc_config_t)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 383be1fc..eba65a15 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -120,7 +120,7 @@ allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
allow postfix_domain postfix_master_t:file read_file_perms;
-allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
+allow postfix_domain postfix_exec_t:file { mmap_exec_file_perms lock };
allow postfix_domain postfix_master_t:process sigchld;
@@ -217,7 +217,7 @@ allow postfix_master_t postfix_data_t:file manage_file_perms;
allow postfix_master_t postfix_keytab_t:file read_file_perms;
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+allow postfix_master_t postfix_map_exec_t:file { mmap_exec_file_perms ioctl lock };
allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te
index db7d5974..43276472 100644
--- a/policy/modules/contrib/prelink.te
+++ b/policy/modules/contrib/prelink.te
@@ -53,10 +53,10 @@ append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
-allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
-allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod };
fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
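Review bot: the prelink_tmp_t and prelink_tmpfs_t rules carry the identical permission list "{ manage_file_perms mmap_exec_file_perms relabel_file_perms execmod }". While touching both lines, they could be merged into one rule with "{ prelink_tmp_t prelink_tmpfs_t }" as the target so the two cannot drift apart on the next rename.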
@@ -64,7 +64,7 @@ manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
-allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms };
+allow prelink_t prelink_object:file { manage_file_perms mmap_exec_file_perms relabel_file_perms };
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 78af52df..58dc60fb 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -763,7 +763,7 @@ manage_files_pattern(swat_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t)
files_var_filetrans(swat_t, samba_var_t, dir, "samba")
-allow swat_t smbd_exec_t:file mmap_file_perms ;
+allow swat_t smbd_exec_t:file mmap_exec_file_perms ;
allow swat_t { winbind_t smbd_t }:process { signal signull };
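Review bot: the replacement line keeps the stray space before the semicolon in "mmap_exec_file_perms ;". Since the line is being rewritten anyway, drop the space to match the other allow rules in the file.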
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index ef4c5fa4..18779e5d 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -35,7 +35,7 @@ allow ulogd_t self:tcp_socket create_stream_socket_perms;
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
-mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+mmap_exec_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
append_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2018-01-18 16:15 UTC
To: gentoo-commits
commit: 0cb16fbd5d7bc0dfa8c5201e6dbb3f450f6e97a1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 23 15:26:22 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Dec 23 15:26:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0cb16fbd
dropbox: mmap_file_perms is deprecated, use mmap_exec_file_perms instead
policy/modules/contrib/dropbox.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te
index f7f6125f..63f95c25 100644
--- a/policy/modules/contrib/dropbox.te
+++ b/policy/modules/contrib/dropbox.te
@@ -40,7 +40,7 @@ userdom_user_tmpfs_file(dropbox_tmpfs_t)
allow dropbox_t self:process { execmem signal_perms };
allow dropbox_t self:fifo_file rw_fifo_file_perms;
-allow dropbox_t dropbox_home_t:file mmap_file_perms;
+allow dropbox_t dropbox_home_t:file mmap_exec_file_perms;
# dropbox updates itself in /tmp then in ~/.dropbox-dist/
can_exec(dropbox_t, dropbox_exec_t)
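Review bot: The execute-map grant on dropbox_home_t has no comment of its own; the only explanation nearby, `# dropbox updates itself in /tmp then in ~/.dropbox-dist/`, sits on the can_exec line below it. Because dropbox_t also holds execmem (first context line), this rule deserves a comment stating that executing content of the home directory type is intended, and the rest of the module should be checked so that dropbox_t cannot write dropbox_home_t more broadly than the self-update needs.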
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2018-01-18 16:15 UTC
To: gentoo-commits
commit: bbccb371e1eb5326abda8f934a66471c29fe4290
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 23 15:01:03 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Dec 23 15:01:03 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bbccb371
portage: sandbox must be able to map usr_t files
policy/modules/contrib/portage.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index a81a4d0d..240838d2 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -164,6 +164,7 @@ interface(`portage_compile_domain',`
files_exec_etc_files($1)
files_exec_usr_src_files($1)
+ files_map_usr_files($1)
# Came up with bug #496328
fs_getattr_tmpfs($1)
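Review bot: files_map_usr_files($1) is added inside portage_compile_domain, so every domain passed to this interface gains map on usr_t files, while the commit subject names only the sandbox. Either add a comment saying which denial prompted it (the neighbouring fs_getattr_tmpfs line does this with `# Came up with bug #496328`), or narrow the grant to the sandbox domain if the other compile domains do not need it.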
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2018-01-18 16:15 UTC
To: gentoo-commits
commit: f884129ee59182688f70ddba6600f0b63d3afa94
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:17:20 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f884129e
gpg: Add gpg_agent_use_card boolean for OpenPGP cards
policy/modules/contrib/gpg.te | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index ca600218..6e8f80d5 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -14,6 +14,14 @@ policy_module(gpg, 2.12.3)
## </desc>
gen_tunable(gpg_agent_env_file, false)
+## <desc>
+## <p>
+## Determine whether GPG agent can use OpenPGP
+## cards or Yubikeys over USB
+## </p>
+## </desc>
+gen_tunable(gpg_agent_use_card, false)
+
attribute_role gpg_roles;
roleattribute system_r gpg_roles;
@@ -274,6 +282,11 @@ tunable_policy(`gpg_agent_env_file',`
userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
')
+tunable_policy(`gpg_agent_use_card',`
+ dev_read_sysfs(gpg_agent_t)
+ dev_rw_generic_usb_dev(gpg_agent_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gpg_agent_t)
fs_manage_nfs_files(gpg_agent_t)
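Review bot: dev_rw_generic_usb_dev(gpg_agent_t) in the new tunable_policy block gives gpg_agent_t read/write on generic USB device nodes, not only on the card or token, while the description added in the first hunk says only "can use OpenPGP cards or Yubikeys over USB". Defaulting the tunable to false is the right call; please extend the description to state that enabling gpg_agent_use_card opens all generically labelled USB devices to the agent, so an admin toggling it knows what is being traded.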
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2018-01-18 16:15 UTC
To: gentoo-commits
commit: f535dde10ac78ef53ae5dae23f848c2a2cafa55c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:17:21 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f535dde1
cachefilesd: make cachefilesd_cache_t a mountpoint
policy/modules/contrib/cachefilesd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index d225d745..d09ac561 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -13,7 +13,7 @@ type cachefilesd_initrc_exec_t;
init_script_file(cachefilesd_initrc_exec_t)
type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
+files_mountpoint(cachefilesd_cache_t)
type cachefilesd_var_run_t;
files_pid_file(cachefilesd_var_run_t)
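Review bot: files_type(cachefilesd_cache_t) is replaced rather than supplemented, and the commit carries a subject line only. A short comment above files_mountpoint(cachefilesd_cache_t) saying what gets mounted on the cache directory would justify the mountpoint role and record that the type is still expected to behave as an ordinary file type for the daemon's own cache files.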
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2018-01-18 16:15 UTC
To: gentoo-commits
commit: 2fc780e90665d3d003fa879a83d478c9f7da2196
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 23 15:41:47 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Dec 23 15:41:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2fc780e9
portage: allow compile domains to map portage_tmp_t
policy/modules/contrib/portage.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 240838d2..23c15ba7 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -117,7 +117,7 @@ interface(`portage_compile_domain',`
manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
# SELinux-enabled programs running in the sandbox
- allow $1 portage_tmp_t:file relabel_file_perms;
+ allow $1 portage_tmp_t:file { relabel_file_perms map };
allow $1 portage_tmp_t:dir relabel_dir_perms;
manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
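Review bot: map is folded into the relabel rule (`allow $1 portage_tmp_t:file { relabel_file_perms map };`), which sits under the comment `# SELinux-enabled programs running in the sandbox`. The commit subject is about compile domains mapping portage_tmp_t in general, not about relabeling, so a separate `allow $1 portage_tmp_t:file map;` next to the manage patterns would keep that comment accurate and the relabel rule readable.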
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2018-01-18 16:15 UTC
To: gentoo-commits
commit: 6f30ae2e7e7c4cc92ce84b78423ecafe721d3dea
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 23 15:23:38 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Dec 23 15:23:38 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f30ae2e
portage: allow to map font files
policy/modules/contrib/portage.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 067afc97..44bdca53 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -207,6 +207,7 @@ init_exec(portage_t)
libs_run_ldconfig(portage_t, portage_roles)
miscfiles_read_localization(portage_t)
+miscfiles_read_fonts(portage_t)
# run setfiles -r
seutil_run_setfiles(portage_t, portage_roles)
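Review bot: The commit subject says "allow to map font files", but the added line is miscfiles_read_fonts(portage_t), whose name promises read access only. If that interface is what carries the map permission, say so in a comment here; otherwise the change does not do what the subject claims. A note on why portage_t itself needs font files would also help, since nothing in the surrounding lines explains it.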
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2018-01-18 16:15 UTC
To: gentoo-commits
commit: a7744e40641af7c4564f532f5711709ae46e69ab
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:17:22 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7744e40
Set user_runtime_content_type for all remaining types in /run/user/%{UID}/
policy/modules/contrib/dbus.te | 1 +
policy/modules/contrib/dirmngr.te | 1 +
policy/modules/contrib/gnome.te | 2 ++
policy/modules/contrib/gpg.te | 2 ++
policy/modules/contrib/pulseaudio.te | 1 +
5 files changed, 7 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 1aa6dba1..142b02e6 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -49,6 +49,7 @@ init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
type session_dbusd_runtime_t;
files_pid_file(session_dbusd_runtime_t)
+userdom_user_runtime_content(session_dbusd_runtime_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 75833a42..fa5898e4 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -20,6 +20,7 @@ logging_log_file(dirmngr_log_t)
type dirmngr_tmp_t;
userdom_user_tmp_file(dirmngr_tmp_t)
+userdom_user_runtime_content(dirmngr_tmp_t)
type dirmngr_var_lib_t;
files_type(dirmngr_var_lib_t)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index b6f14dbc..2988a541 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -45,9 +45,11 @@ userdom_user_home_content(gnome_keyring_home_t)
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+userdom_user_runtime_content(gnome_keyring_tmp_t)
type gstreamer_orcexec_t;
application_executable_file(gstreamer_orcexec_t)
+userdom_user_runtime_content(gstreamer_orcexec_t)
##############################
#
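Review bot: gstreamer_orcexec_t is declared with application_executable_file() and this hunk additionally marks it userdom_user_runtime_content(), so a type meant to be executed joins the set of user runtime content that user domains can presumably manage. That pairs write and execute on one type; if the files under /run/user/%{UID}/ really require it, add a comment saying so, and otherwise keep this type out of the generic runtime-content set.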
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 6e8f80d5..f020c0a1 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -39,6 +39,7 @@ role gpg_roles types gpg_t;
type gpg_runtime_t;
files_pid_file(gpg_runtime_t)
+userdom_user_runtime_content(gpg_runtime_t)
type gpg_agent_t;
type gpg_agent_exec_t;
@@ -47,6 +48,7 @@ role gpg_agent_roles types gpg_agent_t;
type gpg_agent_tmp_t;
userdom_user_tmp_file(gpg_agent_tmp_t)
+userdom_user_runtime_content(gpg_agent_tmp_t)
type gpg_secret_t;
userdom_user_home_content(gpg_secret_t)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index cc1db3d4..aa6042d7 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -29,6 +29,7 @@ userdom_user_home_content(pulseaudio_home_t)
type pulseaudio_tmp_t;
userdom_user_tmp_file(pulseaudio_tmp_t)
+userdom_user_runtime_content(pulseaudio_tmp_t)
type pulseaudio_tmpfs_t;
userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2018-01-18 16:15 UTC
To: gentoo-commits
commit: 1979ea290f6c6e381a1c1cd9219a68227f2febb5
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 13 23:29:02 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1979ea29
cachefilesd, dbus, dirmngr, gnome, gpg, pulseaudio: Module version bump.
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dirmngr.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index d09ac561..97a70718 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.4.0)
+policy_module(cachefilesd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 142b02e6..395f0981 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.23.3)
+policy_module(dbus, 1.23.4)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index fa5898e4..064750e1 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.3.0)
+policy_module(dirmngr, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 2988a541..502e23e8 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.8.1)
+policy_module(gnome, 2.8.2)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index f020c0a1..96b9cd12 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.12.3)
+policy_module(gpg, 2.12.4)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index aa6042d7..27c7c27c 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.10.2)
+policy_module(pulseaudio, 1.10.3)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2018-01-18 16:15 UTC
To: gentoo-commits
commit: d56f72e0072b149d996caa98425c90be16aa5410
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:17:19 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d56f72e0
dirmngr: allow filetrans in gpg_runtime_t
commit 1b9cd3bd9c44732bdf756301408582bcfe9073c9
("gpg: manage user runtime socket files and directories")
changed /run/user/%{USERID}/gnupg/ to gpg_runtime_t, so the filetrans
for gpg_agent_tmp_t needs updating.
policy/modules/contrib/dirmngr.te | 3 +++
policy/modules/contrib/gpg.if | 19 +++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 8f4cb991..75833a42 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -69,6 +69,7 @@ dev_read_rand(dirmngr_t)
sysnet_dns_name_resolve(dirmngr_t)
corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
files_read_etc_files(dirmngr_t)
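Review bot: corenet_udp_bind_generic_node(dirmngr_t) is unrelated to the stated purpose; the commit message covers only the filetrans change for gpg_runtime_t. Binding UDP sockets is a new network capability for dirmngr_t, so it should either be split into its own commit or get a line in the message explaining which denial it answers.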
@@ -81,5 +82,7 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
+ gpg_stream_connect_agent(dirmngr_t)
')
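Review bot: The message says the filetrans for gpg_agent_tmp_t "needs updating", yet gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file) stays and gpg_runtime_filetrans is added beside it. If the old directory type is no longer used for /run/user/%{USERID}/gnupg/, remove the old call; if both are kept for compatibility, say so in a comment. gpg_stream_connect_agent(dirmngr_t) is likewise not mentioned in the message and should be.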
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 6266019b..359560f8 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -239,6 +239,25 @@ interface(`gpg_agent_tmp_filetrans',`
########################################
## <summary>
+## filetrans in gpg_runtime_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_runtime_filetrans',`
+ gen_require(`
+ type gpg_runtime_t;
+ ')
+
+ filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
## filetrans in gpg_secret_t dirs
## </summary>
## <param name="domain">
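Review bot: gpg_runtime_filetrans passes $2, $3 and $4 to filetrans_pattern, but its documentation block declares only <param name="domain">. Add <param> entries for the private type, the object class and the file name so callers and the generated interface documentation match the signature. The summary "filetrans in gpg_runtime_t dirs" could also mention that the interface additionally grants userdom_search_user_runtime($1).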