fedora-selinux
diff --git a/chronyd.if b/chronyd.if
@@ -236,6 +236,25 @@ interface(`chronyd_manage_pid',`
 	manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
 ')
 
+######################################
+## <summary>
+##      Create objects in /var/run
+##	with chronyd runtime private file type.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`chronyd_pid_filetrans',`
+        gen_require(`
+                type chronyd_var_run_t;
+        ')
+
+        files_pid_filetrans($1, chronyd_var_run_t, dir, "chrony-dhcp")
+')
+
 ####################################
 ## <summary>
 ##	All of the rules required to

diff --git a/chronyd.te b/chronyd.te
@@ -52,6 +52,7 @@ allow chronyd_t self:capability2 block_suspend;
 allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
 allow chronyd_t self:shm create_shm_perms;
 allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:tcp_socket { accept listen };
 allow chronyd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow chronyd_t self:fifo_file rw_fifo_file_perms;
 
@@ -111,6 +112,9 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
 
+corenet_tcp_bind_ntske_port(chronyd_t)
+corenet_tcp_connect_ntske_port(chronyd_t)
+
 domain_dontaudit_getsession_all_domains(chronyd_t)
 userdom_dontaudit_list_user_home_dirs(chronyd_t)
 

diff --git a/keepalived.te b/keepalived.te
@@ -62,6 +62,7 @@ auth_use_nsswitch(keepalived_t)
 corecmd_exec_bin(keepalived_t)
 corecmd_exec_shell(keepalived_t)
 
+corenet_raw_bind_generic_node(keepalived_t)
 corenet_tcp_connect_connlcli_port(keepalived_t)
 corenet_tcp_connect_http_port(keepalived_t)
 corenet_tcp_connect_mysqld_port(keepalived_t)

diff --git a/ldap.te b/ldap.te
@@ -57,8 +57,8 @@ allow slapd_t self:process { setsched signal } ;
 allow slapd_t self:fifo_file rw_fifo_file_perms;
 allow slapd_t self:tcp_socket { accept listen };
 
-allow slapd_t slapd_cert_t:dir list_dir_perms;
-read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+manage_dirs_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+manage_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
 read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
 
 manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)

diff --git a/openvswitch.te b/openvswitch.te
@@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t)
 # openvswitch local policy
 #
 
-allow openvswitch_t self:capability { dac_override dac_read_search net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
+allow openvswitch_t self:capability { dac_override dac_read_search fowner net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
 allow openvswitch_t self:capability2 block_suspend;
 allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
 allow openvswitch_t self:fifo_file rw_fifo_file_perms;
@@ -41,6 +41,7 @@ allow openvswitch_t self:tcp_socket create_stream_socket_perms;
 allow openvswitch_t self:netlink_socket create_socket_perms;
 allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
 allow openvswitch_t self:netlink_generic_socket create_socket_perms;
+allow openvswitch_t self:netlink_netfilter_socket create_socket_perms;
 allow openvswitch_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow openvswitch_t self:system { module_load };
 

diff --git a/pcp.fc b/pcp.fc
@@ -1,24 +1,23 @@
 /etc/rc\.d/init\.d/pmcd		--	gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/pmlogger 	--      gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/pmproxy 	--	gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/pmwebd      --       gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/pmie      --       gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/pmmgr    --      gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0)
 
 /usr/bin/pmie       --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
 /usr/bin/pmcd	    --	    gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
 /usr/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
 /usr/bin/pmproxy    --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
-/usr/bin/pmwebd	    --	    gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
-/usr/bin/pmmgr      --      gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
 
 
 /usr/libexec/pcp/bin/pmcd	--	gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
 /usr/libexec/pcp/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
 /usr/libexec/pcp/bin/pmproxy    --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
-/usr/libexec/pcp/bin/pmwebd	--	gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
 /usr/libexec/pcp/bin/pmie     --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
-/usr/libexec/pcp/bin/pmmgr  --      gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
+
+/usr/libexec/pcp/lib/pmcd	--	gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
+/usr/libexec/pcp/lib/pmlogger	--	gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
+/usr/libexec/pcp/lib/pmproxy	--	gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
+/usr/libexec/pcp/lib/pmie	--	gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
 
 /usr/share/pcp/lib/pmie     --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
 

diff --git a/pcp.if b/pcp.if
@@ -65,9 +65,7 @@ interface(`pcp_admin',`
         type pcp_pmcd_t;
         type pcp_pmlogger_t;
         type pcp_pmproxy_t;
-        type pcp_pmwebd_t;
         type pcp_pmie_t;
-        type pcp_pmmgr_t;
         type pcp_var_run_t;
     ')
 
@@ -80,22 +78,14 @@ interface(`pcp_admin',`
     allow $1 pcp_pmproxy_t:process signal_perms;
     ps_process_pattern($1, pcp_pmproxy_t)
 
-    allow $1 pcp_pmwebd_t:process signal_perms;
-    ps_process_pattern($1, pcp_pmwebd_t)
-
     allow $1 pcp_pmie_t:process signal_perms;
     ps_process_pattern($1, pcp_pmie_t)
 
-    allow $1 pcp_pmmgr_t:process signal_perms;
-    ps_process_pattern($1, pcp_pmmgr_t)
-
     tunable_policy(`deny_ptrace',`',`
         allow $1 pcp_pmcd_t:process ptrace;
         allow $1 pcp_pmlogger_t:process ptrace;
         allow $1 pcp_pmproxy_t:process ptrace;
-        allow $1 pcp_pmwebd_t:process ptrace;
         allow $1 pcp_pmie_t:process ptrace;
-        allow $1 pcp_pmmgr_t:process ptrace;
     ')
 
     files_search_pids($1)

diff --git a/pcp.te b/pcp.te
@@ -1,4 +1,4 @@
-policy_module(pcp, 1.0.0)
+policy_module(pcp, 1.1.0)
 
 ########################################
 #
@@ -25,9 +25,7 @@ attribute pcp_domain;
 pcp_domain_template(pmcd)
 pcp_domain_template(pmlogger)
 pcp_domain_template(pmproxy)
-pcp_domain_template(pmwebd)
 pcp_domain_template(pmie)
-pcp_domain_template(pmmgr)
 pcp_domain_template(plugin)
 
 type pcp_log_t;
@@ -217,50 +215,6 @@ optional_policy(`
     ')
 ')
 
-########################################
-#
-# pcp_pmwebd local  policy
-#
-
-kernel_read_system_state(pcp_pmwebd_t)
-
-corecmd_exec_shell(pcp_pmwebd_t)
-
-corenet_tcp_bind_generic_node(pcp_pmwebd_t)
-
-optional_policy(`
-    dbus_system_bus_client(pcp_pmwebd_t)
-
-    optional_policy(`
-        avahi_dbus_chat(pcp_pmwebd_t)
-    ')
-')
-
-########################################
-#
-# pcp_pmmgr local  policy
-#
-
-allow pcp_pmmgr_t self:process { setpgid };
-allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
-allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
-
-kernel_read_system_state(pcp_pmmgr_t)
-
-corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
-
-corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
-corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
-
-corecmd_exec_bin(pcp_pmmgr_t)
-
-logging_send_syslog_msg(pcp_pmmgr_t)
-
-optional_policy(`
-    pcp_pmie_exec(pcp_pmmgr_t)
-    pcp_pmlogger_exec(pcp_pmmgr_t)
-')
-
 ########################################
 #
 # pcp_pmie local  policy

diff --git a/redis.if b/redis.if
@@ -203,11 +203,11 @@ interface(`redis_read_pid_files',`
 #
 interface(`redis_stream_connect',`
 	gen_require(`
-		type redisd_t, redis_var_run_t;
+		type redis_t, redis_var_run_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, redis_var_run_t, redis_var_run_t, redisd_t)
+	stream_connect_pattern($1, redis_var_run_t, redis_var_run_t, redis_t)
 ')
 
 ########################################

diff --git a/rpc.fc b/rpc.fc
@@ -4,6 +4,7 @@
 # /etc
 #
 /etc/exports		--	gen_context(system_u:object_r:exports_t,s0)
+/etc/exports\.d(/.*)?		gen_context(system_u:object_r:exports_t,s0)
 /etc/rc\.d/init\.d/nfs	 --	gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/nfslock --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/rpcidmapd --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)

diff --git a/rpm.fc b/rpm.fc
@@ -8,6 +8,7 @@
 /usr/bin/dnf-automatic  --  gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/dnf-[0-9]+		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpmdb 			--	gen_context(system_u:object_r:rpmdb_exec_t,s0)
 /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /bin/yum-builddep		--	gen_context(system_u:object_r:rpm_exec_t,s0)

diff --git a/rpm.if b/rpm.if
@@ -113,6 +113,50 @@ interface(`rpm_exec',`
 	can_exec($1, rpm_exec_t)
 ')
 
+########################################
+## <summary>
+##	Execute rpmdb in the rpmdb domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rpmdb_domtrans_rpmdb',`
+	gen_require(`
+		type rpmdb_t, rpmdb_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rpmdb_exec_t, rpmdb_t)
+')
+
+########################################
+## <summary>
+##	Execute rpmdb in the rpmdb domain,
+##	and allow the specified role the rpmdb domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpmdb_run_rpmdb',`
+	gen_require(`
+		attribute_role rpmdb_roles;
+	')
+
+	rpmdb_domtrans_rpmdb($1)
+	roleattribute $2 rpmdb_roles;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit to execute a rpm.

diff --git a/rpm.te b/rpm.te
@@ -3,6 +3,8 @@ policy_module(rpm, 1.16.0)
 attribute rpm_transition_domain;
 attribute_role rpm_script_roles;
 roleattribute system_r rpm_script_roles;
+attribute_role rpmdb_roles;
+roleattribute system_r rpmdb_roles;
 
 ########################################
 #
@@ -17,6 +19,11 @@ domain_system_change_exemption(rpm_t)
 domain_interactive_fd(rpm_t)
 role rpm_script_roles types rpm_t;
 
+type rpmdb_t;
+type rpmdb_exec_t;
+init_system_domain(rpmdb_t, rpmdb_exec_t)
+role rpmdb_roles types rpmdb_t;
+
 type debuginfo_exec_t;
 domain_entry_file(rpm_t, debuginfo_exec_t)
 
@@ -42,6 +49,9 @@ files_type(rpm_var_cache_t)
 type rpm_var_run_t;
 files_pid_file(rpm_var_run_t)
 
+type rpmdb_tmp_t;
+files_tmp_file(rpmdb_tmp_t)
+
 type rpm_script_t;
 type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
@@ -250,6 +260,28 @@ optional_policy(`
 	unconfined_dbus_chat(rpm_script_t)
 ')
 
+########################################
+#
+# rpmdb local policy
+#
+
+allow rpmdb_t rpm_var_lib_t:file map;
+allow rpmdb_t rpmdb_tmp_t:file map;
+
+manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
+manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
+files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
+
+manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
+manage_files_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
+files_tmp_filetrans(rpmdb_t, rpmdb_tmp_t, { file dir })
+
+auth_dontaudit_read_passwd(rpmdb_t)
+
+files_rw_inherited_non_security_files(rpmdb_t)
+
+sysnet_dontaudit_read_config(rpmdb_t)
+
 ########################################
 #
 # rpm-script Local policy

diff --git a/rshd.fc b/rshd.fc
@@ -1,4 +1,3 @@
-
 /usr/kerberos/sbin/kshd	--	gen_context(system_u:object_r:rshd_exec_t,s0)
 
 /usr/sbin/in\.rexecd	--	gen_context(system_u:object_r:rshd_exec_t,s0)

diff --git a/squid.te b/squid.te
@@ -200,7 +200,7 @@ tunable_policy(`squid_connect_any',`
 ')
 
 tunable_policy(`squid_use_tproxy',`
-	allow squid_t self:capability net_admin;
+	allow squid_t self:capability { net_admin net_raw };
 	corenet_sendrecv_netport_server_packets(squid_t)
 	corenet_tcp_bind_netport_port(squid_t)
 	corenet_tcp_sendrecv_netport_port(squid_t)

diff --git a/virt.fc b/virt.fc
@@ -57,17 +57,18 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_
 /var/run/libvirt/secrets(/.*)?		gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
 /var/run/libvirt/storage(/.*)?		gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
 
-/var/run/virtlogd\.pid		--	gen_context(system_u:object_r:virtlogd_var_run_t,s0)
-/var/run/virtlxcd\.pid		--      gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
-/var/run/virtqemud\.pid		--	gen_context(system_u:object_r:virtqemud_var_run_t,s0)
-/var/run/virtvboxd\.pid		--	gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
+/var/run/virtlogd\.pid			--	gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/virtlxcd\.pid			--      gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/virtqemud\.pid			--	gen_context(system_u:object_r:virtqemud_var_run_t,s0)
+/var/run/virtvboxd\.pid			--	gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
 /var/run/virtproxyd\.pid		--	gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
-/var/run/virtinterfaced\.pid	--	gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
-/var/run/virtnetworkd\.pid	--	gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
-/var/run/virtnodedevd\.pid	--	gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
-/var/run/virtnwfilterd\.pid	--	gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
-/var/run/virtsecretd\.pid	--	gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
-/var/run/virtstoraged\.pid	--	gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
+/var/run/virtinterfaced\.pid		--	gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
+/var/run/virtnetworkd\.pid		--	gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
+/var/run/virtnodedevd\.pid		--	gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
+/var/run/virtnwfilterd\.pid		--	gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/virtnwfilterd-binding\.pid     --	gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/virtsecretd\.pid		--	gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
+/var/run/virtstoraged\.pid		--	gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
 
 /var/run/libvirt(/.*)?				gen_context(system_u:object_r:virt_var_run_t,s0)
 /var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
Original file line number	Diff line number	Diff line change
		@@ -1,4 +1,3 @@

		/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)

		/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)