Systemd fixes from Russell Coker.

author: Chris PeBenito <pebenito@ieee.org> 2017-02-23 20:03:23 -0500
committer: Jason Zaman <jason@perfinion.com> 2017-02-25 22:22:23 +0800
commit: 5b8acde37136f75ce5a52f1b6a0604d3f35dacc7 (patch)
tree: 6399183d2aea489938b6e9f3b78a5b8f116f9c35
parent: Module version bump for ntp fixes from cgzones. (diff)
download: hardened-refpolicy-5b8acde37136f75ce5a52f1b6a0604d3f35dacc7.tar.gz
hardened-refpolicy-5b8acde37136f75ce5a52f1b6a0604d3f35dacc7.tar.bz2
hardened-refpolicy-5b8acde37136f75ce5a52f1b6a0604d3f35dacc7.zip
24 files changed, 1011 insertions, 65 deletions
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 08e2e8af..b51a25ac 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',`
 
 ########################################
 ## <summary>
+##     Allow full relabeling (to and from) of all device files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_relabel_all_dev_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	relabel_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	List all of the device nodes in a device directory.
 ## </summary>
 ## <param name="domain">
@@ -4206,6 +4225,24 @@ interface(`dev_rw_sysfs',`
 
 ########################################
 ## <summary>
+##     Relabel hardware state directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_relabel_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
 ##	Relabel from/to all sysfs types.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 66bc754e..470f0f00 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.2)
+policy_module(devices, 1.20.3)
 
 ########################################
 #
@@ -22,6 +22,10 @@ files_associate_tmp(device_t)
 fs_xattr_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 
+optional_policy(`
+	systemd_tmpfilesd_managed(device_t, fifo_file)
+')
+
 #
 # Type for /dev/agpgart
 #
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 6babfb90..0d6fe3c5 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6531,6 +6531,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 ########################################
 ## <summary>
+##     manage all pidfile directories
+##     in the /var/run directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_manage_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	manage_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
 ##	Read all process ID files.
 ## </summary>
 ## <param name="domain">
@@ -6553,6 +6572,42 @@ interface(`files_read_all_pids',`
 
 ########################################
 ## <summary>
+##     Execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_exec_generic_pid_files',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+##     Relable all pid files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_files',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
 ##	Delete all process IDs.
 ## </summary>
 ## <param name="domain">
@@ -6579,6 +6634,78 @@ interface(`files_delete_all_pids',`
 
 ########################################
 ## <summary>
+##     Create all pid sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_pid_sockets',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Create all pid named pipes
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_pid_pipes',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##     Create all spool sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_spool_sockets',`
+        gen_require(`
+                attribute spoolfile;
+        ')
+
+        allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Delete all spool sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_delete_all_spool_sockets',`
+        gen_require(`
+                attribute spoolfile;
+        ')
+
+        allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
 ##	Delete all process ID directories.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 7c861cc1..63ec6591 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.4)
+policy_module(files, 1.23.5)
 
 ########################################
 #
@@ -174,6 +174,10 @@ type var_run_t;
 files_pid_file(var_run_t)
 files_mountpoint(var_run_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(var_run_t, lnk_file)
+')
+
 #
 # var_spool_t is the type of /var/spool
 #
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 55ce2bd2..5bac5fb3 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -162,9 +162,18 @@ interface(`auth_login_pgm_domain',`
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
 
+	userdom_search_user_runtime($1)
+	userdom_read_user_tmpfs_files($1)
+
 	tunable_policy(`allow_polyinstantiation',`
 		files_polyinstantiate_all($1)
 	')
+
+	optional_policy(`
+		systemd_read_logind_state($1)
+		systemd_write_inherited_logind_sessions_pipes($1)
+		systemd_use_passwd_agent_fds($1)
+	')
 ')
 
 ########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b4273689..43c83620 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.10.1)
+policy_module(authlogin, 2.10.2)
 
 ########################################
 #
@@ -85,6 +85,10 @@ files_type(var_auth_t)
 type wtmp_t;
 logging_log_file(wtmp_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(faillog_t, file)
+')	systemd_tmpfilesd_managed(var_auth_t, dir)
+
 ########################################
 #
 # Check password local policy
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index fe085d15..b08e7a2a 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -57,7 +57,9 @@ ifdef(`distro_gentoo', `
 /run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/sm-notify\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
+/run/wd_keepalive\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 
 ifdef(`distro_debian',`
 /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4a36e12a..162ce266 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -209,7 +209,7 @@ interface(`init_ranged_domain',`
 #
 interface(`init_daemon_domain',`
 	gen_require(`
-		type initrc_t;
+		type init_t, initrc_t;
 		role system_r;
 		attribute daemon;
 	')
@@ -240,6 +240,8 @@ interface(`init_daemon_domain',`
 		init_domain($1, $2)
 		# this may be because of late labelling
 		kernel_dgram_send($1)
+
+		allow $1 init_t:unix_dgram_socket sendto;
 	')
 
 	optional_policy(`
@@ -400,8 +402,10 @@ interface(`init_system_domain',`
 	gen_require(`
 		type initrc_t;
 		role system_r;
+		attribute systemprocess;
 	')
 
+	typeattribute $1 systemprocess;
 	application_domain($1, $2)
 
 	role system_r types $1;
@@ -477,6 +481,24 @@ interface(`init_ranged_system_domain',`
 	')
 ')
 
+######################################
+## <summary>
+##	Allow domain dyntransition to init_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_dyntrans',`
+	gen_require(`
+		type init_t;
+	')
+
+	dyntrans_pattern($1, init_t)
+')
+
 ########################################
 ## <summary>
 ##	Mark the file type as a daemon pid file, allowing initrc_t
@@ -708,6 +730,7 @@ interface(`init_stream_connect',`
 
 	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
 	files_search_pids($1)
+	allow $1 init_t:unix_stream_socket getattr;
 ')
 
 ########################################
@@ -1225,23 +1248,24 @@ interface(`init_write_initctl',`
 #
 interface(`init_telinit',`
 	gen_require(`
-		type initctl_t;
+		type initctl_t, init_t;
 	')
 
-	dev_list_all_dev_nodes($1)
+	ps_process_pattern($1, init_t)
+	allow $1 init_t:process signal;
+	# upstart uses a datagram socket instead of initctl pipe
+	allow $1 self:unix_dgram_socket create_socket_perms;
+	allow $1 init_t:unix_dgram_socket sendto;
+	#576913
+	allow $1 init_t:unix_stream_socket connectto;
+
 	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 
-	init_exec($1)
+	corecmd_exec_bin($1)
 
-	tunable_policy(`init_upstart',`
-		gen_require(`
-			type init_t;
-		')
+	dev_list_all_dev_nodes($1)
 
-		# upstart uses a datagram socket instead of initctl pipe
-		allow $1 self:unix_dgram_socket create_socket_perms;
-		allow $1 init_t:unix_dgram_socket sendto;
-	')
+	init_exec($1)
 ')
 
 ########################################
@@ -1370,6 +1394,37 @@ interface(`init_domtrans_script',`
 
 ########################################
 ## <summary>
+##	Execute labelled init scripts with an automatic domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_domtrans_labeled_script',`
+	gen_require(`
+		type initrc_t;
+		attribute init_script_file_type;
+		attribute initrc_transition_domain;
+	')
+
+	typeattribute $1 initrc_transition_domain;
+
+	files_list_etc($1)
+	domtrans_pattern($1, init_script_file_type, initrc_t)
+
+	ifdef(`enable_mcs',`
+		range_transition $1 init_script_file_type:process s0;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
 ##	Execute a init script in a specified domain.
 ## </summary>
 ## <desc>
@@ -1440,8 +1495,10 @@ interface(`init_manage_script_service',`
 interface(`init_labeled_script_domtrans',`
 	gen_require(`
 		type initrc_t;
+		attribute initrc_transition_domain;
 	')
 
+	typeattribute $1 initrc_transition_domain;
 	domtrans_pattern($1, $2, initrc_t)
 	files_search_etc($1)
 ')
@@ -1574,6 +1631,7 @@ interface(`init_run_daemon',`
 interface(`init_startstop_all_script_services',`
 	gen_require(`
 		attribute init_script_file_type;
+		class service { start status stop };
 	')
 
 	allow $1 init_script_file_type:service { start status stop };
@@ -1789,12 +1847,7 @@ interface(`init_read_script_state',`
 	')
 
 	kernel_search_proc($1)
-	read_files_pattern($1, initrc_t, initrc_t)
-	read_lnk_files_pattern($1, initrc_t, initrc_t)
-	list_dirs_pattern($1, initrc_t, initrc_t)
-
-	# should move this to separate interface
-	allow $1 initrc_t:process getattr;
+	ps_process_pattern($1, initrc_t)
 ')
 
 ########################################
@@ -2378,7 +2431,7 @@ interface(`init_dontaudit_rw_utmp',`
 		type initrc_var_run_t;
 	')
 
-	dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+	dontaudit $1 initrc_var_run_t:file rw_file_perms;
 ')
 
 ########################################
@@ -2419,6 +2472,98 @@ interface(`init_pid_filetrans_utmp',`
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 ')
 
+#######################################
+## <summary>
+##	Create a directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_create_pid_dirs',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:dir list_dir_perms;
+	create_dirs_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
+##      Rename init_var_run_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain
+##      </summary>
+## </param>
+#
+interface(`init_rename_pid_files',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	rename_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
+##      Rename and de init_var_run_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain
+##      </summary>
+## </param>
+#
+interface(`init_delete_pid_files',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	delete_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to write to
+##  init sock file.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_write_pid_socket',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Read init unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_pid_pipes',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a43bf19b..54ca2ceb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.5)
+policy_module(init, 2.2.6)
 
 gen_require(`
 	class passwd rootok;
@@ -16,13 +16,22 @@ gen_require(`
 ## </desc>
 gen_tunable(init_upstart, false)
 
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(init_daemons_use_tty, false)
+
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
 attribute systemdunit;
+attribute initrc_transition_domain;
 
 # Mark process types as daemons
 attribute daemon;
+attribute systemprocess;
 
 # Mark file type as a daemon pid file
 attribute daemonpidfile;
@@ -33,7 +42,7 @@ attribute daemonrundir;
 #
 # init_t is the domain of the init process.
 #
-type init_t;
+type init_t, initrc_transition_domain;
 type init_exec_t;
 domain_type(init_t)
 domain_entry_file(init_t, init_exec_t)
@@ -110,6 +119,7 @@ ifdef(`enable_mls',`
 
 # Use capabilities. old rule:
 allow init_t self:capability ~sys_module;
+allow init_t self:capability2 { wake_alarm block_suspend };
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
@@ -128,6 +138,9 @@ allow init_t initrc_t:unix_stream_socket connectto;
 allow init_t init_var_run_t:file manage_file_perms;
 files_pid_filetrans(init_t, init_var_run_t, file)
 
+# for systemd to manage service file symlinks
+allow init_t init_var_run_t:file manage_lnk_file_perms;
+
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
 
@@ -147,6 +160,7 @@ dev_rw_generic_chr_files(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
+domain_getattr_all_domains(init_t)
 domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
@@ -199,6 +213,10 @@ ifdef(`init_systemd',`
 	# handle instances where an old labeled init script is encountered.
 	typeattribute init_t init_run_all_scripts_domain;
 
+	allow init_t systemprocess:process { dyntransition siginh };
+	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+
 	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
 	allow init_t self:capability2 { audit_read block_suspend };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -206,6 +224,18 @@ ifdef(`init_systemd',`
 	allow init_t self:netlink_selinux_socket create_socket_perms;
 	allow init_t self:unix_dgram_socket lock;
 
+	allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+	allow init_t daemon:unix_dgram_socket create_socket_perms;
+	allow init_t daemon:tcp_socket create_stream_socket_perms;
+	allow init_t daemon:udp_socket create_socket_perms;
+	allow daemon init_t:unix_dgram_socket sendto;
+
+	allow init_run_all_scripts_domain systemdunit:service { status start stop };
+
+	allow systemprocess init_t:unix_dgram_socket sendto;
+	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+
+	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
 	manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
@@ -269,6 +299,9 @@ ifdef(`init_systemd',`
 	# for network namespaces
 	fs_read_nsfs_files(init_t)
 
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket(daemon)
+
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
 
@@ -355,6 +388,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	udev_read_db(init_t)
+	udev_relabelto_db(init_t)
+')
+
+optional_policy(`
 	unconfined_domain(init_t)
 ')
 
@@ -403,11 +441,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
 
+allow initrc_t daemon:process siginh;
+
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+allow initrc_t initrc_tmp_t:dir relabelfrom;
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -450,6 +491,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
+dev_dontaudit_read_kmsg(initrc_t)
 dev_write_kmsg(initrc_t)
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
@@ -460,8 +502,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
+dev_setattr_generic_dirs(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_rw_lvm_control(initrc_t)
+dev_rw_generic_chr_files(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
@@ -469,17 +513,16 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
-# Early devtmpfs
-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
 domain_signull_all_domains(initrc_t)
 domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-domain_dontaudit_ptrace_all_domains(initrc_t)
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
@@ -487,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
+domain_obj_id_change_exemption(initrc_t)
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
@@ -494,8 +538,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
+files_manage_boot_files(initrc_t)
 files_read_all_pids(initrc_t)
+files_delete_root_files(initrc_t)
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
@@ -509,8 +555,12 @@ files_manage_generic_spool(initrc_t)
 # cjp: not sure why these are here; should use mount policy
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
 
-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
@@ -520,9 +570,13 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
+mcs_file_read_all(initrc_t)
+mcs_file_write_all(initrc_t)
 mcs_killall(initrc_t)
 mcs_process_set_categories(initrc_t)
 
@@ -532,6 +586,7 @@ mls_process_read_all_levels(initrc_t)
 mls_process_write_all_levels(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
+mls_socket_write_to_clearance(initrc_t)
 
 selinux_get_enforce_mode(initrc_t)
 
@@ -550,6 +605,11 @@ auth_delete_pam_pid(initrc_t)
 auth_delete_pam_console_data(initrc_t)
 auth_use_nsswitch(initrc_t)
 
+init_get_system_status(initrc_t)
+init_stream_connect(initrc_t)
+init_start_all_units(initrc_t)
+init_stop_all_units(initrc_t)
+
 libs_rw_ld_so_cache(initrc_t)
 libs_exec_lib_files(initrc_t)
 libs_exec_ld_so(initrc_t)
@@ -563,7 +623,7 @@ logging_read_audit_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_generic_cert_files(initrc_t)
 
 seutil_read_config(initrc_t)
 
@@ -571,7 +631,7 @@ userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
-userdom_use_user_terminals(initrc_t)
+userdom_use_inherited_user_terminals(initrc_t)
 
 ifdef(`distro_debian',`
 	kernel_getattr_core_if(initrc_t)
@@ -643,6 +703,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
+		abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		alsa_read_lib(initrc_t)
 	')
 
@@ -663,7 +727,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
-	kernel_dontaudit_use_fds(initrc_t)
+	kernel_use_fds(initrc_t)
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
@@ -707,8 +771,25 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
+		bind_setattr_zone_dirs(initrc_t)
+	')
+
+	optional_policy(`
+		devicekit_append_inherited_log_files(initrc_t)
+	')
+
+	optional_policy(`
+		gnome_manage_gconf_config(initrc_t)
+	')
+
+	optional_policy(`
+		pulseaudio_stream_connect(initrc_t)
 	')
 
 	optional_policy(`
@@ -716,6 +797,9 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
+	optional_policy(`
+		rpcbind_stream_connect(initrc_t)
+	')
 
 	optional_policy(`
 		sysnet_rw_dhcp_config(initrc_t)
@@ -734,7 +818,32 @@ ifdef(`distro_suse',`
 	')
 ')
 
+ifdef(`enabled_mls',`
+	optional_policy(`
+		# allow init scripts to su
+		su_restricted_domain_template(initrc, initrc_t, system_r)
+		# Allow initrc_su_t, now defined, to transition to postgresql_t
+		postgresql_domtrans(initrc_su_t)
+		# Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
+		allow initrc_su_t initrc_devpts_t:chr_file { read write };
+	')
+')
+
 ifdef(`init_systemd',`
+	allow init_t self:system { status reboot halt reload };
+
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow init_t self:process { setsockcreate setfscreate setrlimit };
+	allow init_t self:process { getcap setcap };
+	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+	# Until systemd is fixed
+	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+	allow init_t self:udp_socket create_socket_perms;
+	allow init_t self:netlink_route_socket create_netlink_socket_perms;
+	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+	allow initrc_t init_t:system { status reboot halt reload };
+	allow init_t self:capability2 audit_read;
 	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
 	files_lock_filetrans(initrc_t, initrc_lock_t, file)
 
@@ -746,11 +855,25 @@ ifdef(`init_systemd',`
 	files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
 
 	create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
+	allow initrc_t systemd_unit_t:service reload;
 
 	manage_files_pattern(initrc_t, systemdunit, systemdunit)
 	manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
+	allow initrc_t systemdunit:service reload;
+	allow initrc_t init_script_file_type:service { stop start status reload };
 
 	kernel_dgram_send(initrc_t)
+	kernel_list_unlabeled(init_t)
+	kernel_read_network_state(init_t)
+	kernel_rw_kernel_sysctl(init_t)
+	kernel_rw_net_sysctls(init_t)
+	kernel_read_all_sysctls(init_t)
+	kernel_read_software_raid_state(init_t)
+	kernel_unmount_debugfs(init_t)
+	kernel_setsched(init_t)
+
+	auth_relabel_login_records(init_t)
+	auth_relabel_pam_console_data_dirs(init_t)
 
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
@@ -760,28 +883,83 @@ ifdef(`init_systemd',`
 	corecmd_bin_domtrans(init_t, initrc_t)
 	corecmd_shell_domtrans(init_t, initrc_t)
 
-	files_read_boot_files(initrc_t)
+	dev_write_kmsg(init_t)
+	dev_write_urand(init_t)
+	dev_rw_lvm_control(init_t)
+	dev_rw_autofs(init_t)
+	dev_manage_generic_symlinks(init_t)
+	dev_manage_generic_dirs(init_t)
+	dev_manage_generic_files(init_t)
+	dev_manage_null_service(initrc_t)
+	dev_read_generic_chr_files(init_t)
+	dev_relabel_generic_dev_dirs(init_t)
+	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_dev_files(init_t)
+	dev_manage_sysfs_dirs(init_t)
+	dev_relabel_sysfs_dirs(init_t)
+	# systemd writes to /dev/watchdog on shutdown
+	dev_write_watchdog(init_t)
+
 	# Allow initrc_t to check /etc/fstab "service." It appears that
 	# systemd is conflating files and services.
+	files_create_all_pid_pipes(init_t)
+	files_create_all_pid_sockets(init_t)
+	files_create_all_spool_sockets(init_t)
+	files_create_lock_dirs(init_t)
+	files_delete_all_pids(init_t)
+	files_delete_all_spool_sockets(init_t)
+	files_exec_generic_pid_files(init_t)
 	files_get_etc_unit_status(initrc_t)
+	files_list_locks(init_t)
+	files_list_spool(init_t)
+	files_list_var(init_t)
+	files_manage_all_pid_dirs(init_t)
+	files_manage_generic_tmp_dirs(init_t)
+	files_manage_urandom_seed(init_t)
+	files_mounton_all_mountpoints(init_t)
+	files_read_boot_files(initrc_t)
+	files_relabel_all_lock_dirs(init_t)
+	files_relabel_all_pid_dirs(init_t)
+	files_relabel_all_pid_files(init_t)
+	files_search_all(init_t)
 	files_setattr_pid_dirs(initrc_t)
+	files_unmount_all_file_type_fs(init_t)
 
-	selinux_set_enforce_mode(initrc_t)
+	fs_getattr_all_fs(init_t)
+	fs_list_auto_mountpoints(init_t)
+	fs_manage_cgroup_dirs(init_t)
+	fs_manage_cgroup_files(init_t)
+	fs_manage_hugetlbfs_dirs(init_t)
+	fs_manage_tmpfs_dirs(init_t)
+	fs_mount_all_fs(init_t)
+	fs_remount_all_fs(init_t)
+	fs_unmount_all_fs(init_t)
+	fs_search_cgroup_dirs(daemon)
 
-	init_stream_connect(initrc_t)
+	init_get_all_units_status(initrc_t)
 	init_manage_var_lib_files(initrc_t)
+	init_read_script_state(init_t)
 	init_rw_stream_sockets(initrc_t)
-	init_get_all_units_status(initrc_t)
 	init_stop_all_units(initrc_t)
+	init_stream_connect(initrc_t)
 
 	# Create /etc/audit.rules.prev after firstboot remediation
 	logging_manage_audit_config(initrc_t)
 
+	selinux_compute_create_context(init_t)
+	selinux_set_enforce_mode(initrc_t)
+	selinux_unmount_fs(init_t)
+	selinux_validate_context(init_t)
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(initrc_t)
+	seutil_read_file_contexts(init_t)
 
+	storage_getattr_removable_dev(init_t)
+	systemd_manage_all_units(init_t)
 	systemd_start_power_units(initrc_t)
 
+	term_relabel_pty_dirs(init_t)
+
 	optional_policy(`
 		# create /var/lock/lvm/
 		lvm_create_lock_dirs(initrc_t)
@@ -800,6 +978,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
+	# webmin seems to cause this.
+	apache_search_sys_content(daemon)
 ')
 
 optional_policy(`
@@ -821,6 +1001,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
+	domain_setpriority_all_domains(initrc_t)
 ')
 
 optional_policy(`
@@ -837,6 +1018,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_read_pipes(initrc_t)
+	# managing /etc/cron.d/mailman content
+	cron_manage_system_spool(initrc_t)
+')
+
+optional_policy(`
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
@@ -853,9 +1040,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
+	dbus_manage_lib_files(initrc_t)
+
+	init_dbus_chat(initrc_t)
 
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
+		consolekit_manage_log(initrc_t)
 	')
 
 	optional_policy(`
@@ -897,6 +1088,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	modutils_read_module_config(initrc_t)
+	modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
 	inn_exec_config(initrc_t)
 ')
 
@@ -937,6 +1133,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
+	lpd_manage_spool(init_t)
 ')
 
 optional_policy(`
@@ -960,6 +1157,7 @@ optional_policy(`
 
 optional_policy(`
 	mta_read_config(initrc_t)
+	mta_write_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
@@ -982,6 +1180,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	plymouthd_stream_connect(initrc_t)
+')
+
+optional_policy(`
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
@@ -1024,8 +1226,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
-	# why is this needed:
-	rpm_manage_db(initrc_t)
 ')
 
 optional_policy(`
@@ -1044,15 +1244,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# allow init scripts to su
-	su_restricted_domain_template(initrc, initrc_t, system_r)
-	# Allow initrc_su_t, now defined, to transition to postgresql_t
-	postgresql_domtrans(initrc_su_t)
-	# Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
-	allow initrc_su_t initrc_devpts_t:chr_file { read write };
-')
-
-optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
 	ssh_setattr_key_files(initrc_t)
 ')
@@ -1066,7 +1257,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	udev_rw_db(initrc_t)
 	udev_manage_pid_files(initrc_t)
 	udev_manage_pid_dirs(initrc_t)
 	udev_manage_rules_files(initrc_t)
@@ -1082,6 +1272,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	domain_role_change_exemption(initrc_t)
+
+	mcs_file_read_all(initrc_t)
+	mcs_file_write_all(initrc_t)
+	mcs_killall(initrc_t)
+
 	unconfined_domain(initrc_t)
 
 	ifdef(`distro_redhat',`
@@ -1092,6 +1288,15 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
+
+	optional_policy(`
+		rtkit_scheduled(initrc_t)
+	')
+')
+
+optional_policy(`
+	rpm_read_db(initrc_t)
+	rpm_delete_db(initrc_t)
 ')
 
 optional_policy(`
@@ -1178,3 +1383,63 @@ ifdef(`distro_gentoo',`
 		udev_pid_filetrans_rules(initrc_t, dir, "rules.d")
 	')
 ')
+
+########################################
+#
+# Rules applied to all daemons
+#
+
+domain_dontaudit_use_interactive_fds(daemon)
+
+# daemons started from init will
+# inherit fds from init for the console
+term_dontaudit_use_console(daemon)
+
+init_dontaudit_use_fds(daemon)
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(daemon)
+
+tunable_policy(`init_daemons_use_tty',`
+	term_use_unallocated_ttys(daemon)
+	term_use_generic_ptys(daemon)
+	term_use_all_ttys(daemon)
+	term_use_all_ptys(daemon)
+',`
+	term_dontaudit_use_unallocated_ttys(daemon)
+	term_dontaudit_use_generic_ptys(daemon)
+	term_dontaudit_use_all_ttys(daemon)
+	term_dontaudit_use_all_ptys(daemon)
+ ')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_dontaudit_rw_nfs_files(daemon)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_dontaudit_rw_cifs_files(daemon)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(daemon)
+	unconfined_dontaudit_rw_stream_sockets(daemon)
+')
+
+optional_policy(`
+	userdom_dontaudit_rw_all_users_stream_sockets(daemon)
+	userdom_dontaudit_read_user_tmp_files(daemon)
+	userdom_dontaudit_write_user_tmp_files(daemon)
+')
+
+########################################
+#
+# Rules applied to all system processes
+#
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
+optional_policy(`
+	userdom_dontaudit_search_user_home_dirs(systemprocess)
+	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+	userdom_dontaudit_write_user_tmp_files(systemprocess)
+')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 6258954a..b7098cd5 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -8,8 +8,9 @@
 
 /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/systemd-kmsg-syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
 /usr/sbin/audispd	--	gen_context(system_u:object_r:audisp_exec_t,s0)
 /usr/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
@@ -54,6 +55,8 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
 ')
 
+/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+
 /run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
 /run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
 /run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index ba463497..102c4319 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -841,6 +841,24 @@ interface(`logging_append_all_logs',`
 
 ########################################
 ## <summary>
+##      Append to all log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_append_all_inherited_logs',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	allow $1 logfile:file { getattr append ioctl lock };
+')
+
+########################################
+## <summary>
 ##	Read all log files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 10d2fc9f..9a6c714a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.2)
+policy_module(logging, 1.25.3)
 
 ########################################
 #
@@ -396,6 +396,7 @@ allow syslogd_t syslog_conf_t:file read_file_perms;
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
 
 # create/append log files.
 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -405,6 +406,9 @@ files_search_spool(syslogd_t)
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
 
+# for systemd but can not be conditional
+files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+
 # manage temporary files
 manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
@@ -416,6 +420,7 @@ files_search_var_lib(syslogd_t)
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
 
 kernel_read_system_state(syslogd_t)
 kernel_read_network_state(syslogd_t)
@@ -499,22 +504,41 @@ logging_send_syslog_msg(syslogd_t)
 
 miscfiles_read_localization(syslogd_t)
 
+seutil_read_config(syslogd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`init_systemd',`
-	# systemd-journald permissions
-
-	allow syslogd_t self:capability { chown setgid setuid };
+	# for systemd-journal
+	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+	allow syslogd_t self:capability2 audit_read;
+	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
+	allow syslogd_t init_var_run_t:file { read write create open };
+	allow syslogd_t var_run_t:dir create;
 
-	kernel_use_fds(syslogd_t)
 	kernel_getattr_dgram_sockets(syslogd_t)
-	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_read_ring_buffer(syslogd_t)
 	kernel_rw_stream_sockets(syslogd_t)
+	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_use_fds(syslogd_t)
+
+	dev_read_kmsg(syslogd_t)
+	dev_read_urand(syslogd_t)
+	dev_write_kmsg(syslogd_t)
 
+	domain_read_all_domains_state(syslogd_t)
+
+	init_create_pid_dirs(syslogd_t)
 	init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+	init_rename_pid_files(syslogd_t)
+	init_delete_pid_files(syslogd_t)
 	init_dgram_send(syslogd_t)
+	init_read_pid_pipes(syslogd_t)
+	init_read_state(syslogd_t)
+
+	systemd_manage_journal_files(syslogd_t)
 
 	udev_read_pid_files(syslogd_t)
 ')
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 5774034f..88fa9442 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -125,6 +125,24 @@ interface(`lvm_create_lock_dirs',`
 	files_add_entry_lock_dirs($1)
 ')
 
+########################################
+## <summary>
+##      Read and write a lvm unnamed pipe.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`lvm_rw_inherited_pid_pipes',`
+	gen_require(`
+		type lvm_var_run_t;
+	')
+
+	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 ######################################
 ## <summary>
 ##	Execute a domain transition to run clvmd.
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 58e03ff2..f8fed91d 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.2)
+policy_module(lvm, 1.19.3)
 
 ########################################
 #
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 85a29e3d..ec4d8dc0 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.0)
+policy_module(miscfiles, 1.12.1)
 
 ########################################
 #
@@ -41,6 +41,10 @@ files_type(locale_t)
 type man_t alias catman_t;
 files_type(man_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(man_t, dir)
+')
+
 type man_cache_t;
 files_type(man_cache_t)
 
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 6eb0a5a3..2264336d 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -7,6 +7,7 @@
 /usr/bin/systemd-stdio-bridge		--	gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
 /usr/bin/systemd-tmpfiles		--	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
 /usr/lib/systemd/systemd-activate	--	gen_context(system_u:object_r:systemd_activate_exec_t,s0)
 /usr/lib/systemd/systemd-backlight	--	gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
@@ -32,15 +33,21 @@
 /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
+/var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 
 /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
-/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/transient(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 /run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
+/run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /run/tmpfiles\.d/kmod.conf	gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
+
+/var/log/journal(/.*)?		gen_context(system_u:object_r:systemd_journal_t,s0)
+/var/run/log/journal(/.*)?	gen_context(system_u:object_r:systemd_journal_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b07d2c5b..69ee084f 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
 	')
 
 	files_search_pids($1)
-	read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+	allow $1 systemd_logind_var_run_t:dir list_dir_perms;
+	allow $1 systemd_logind_var_run_t:file read_file_perms;
 ')
 
 ######################################
@@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',`
 	allow $1 systemd_logind_t:fd use;
 ')
 
+######################################
+## <summary>
+##      Write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+	gen_require(`
+		type systemd_logind_t, systemd_sessions_var_run_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+	allow $1 systemd_sessions_var_run_t:fifo_file write;
+	allow systemd_logind_t $1:process signal;
+')
+
 ########################################
 ## <summary>
 ##   Send and receive messages from
@@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',`
 	write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
 ')
 
+#######################################
+## <summary>
+##  Allow systemd_tmpfiles_t to manage filesystem objects
+## </summary>
+## <param name="type">
+## <summary>
+##  type of object to manage
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+##  object class to manage
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfilesd_managed',`
+	gen_require(`
+		type systemd_tmpfiles_t;
+	')
+
+	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+')
+
 ########################################
 ## <summary>
 ##   Allow process to relabel to systemd_kmod_conf_t.
@@ -137,6 +181,82 @@ interface(`systemd_relabelto_kmod_files',`
 
 ########################################
 ## <summary>
+##      allow systemd_passwd_agent to inherit fds
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain that owns the fds
+##      </summary>
+## </param>
+#
+interface(`systemd_use_passwd_agent_fds',`
+	gen_require(`
+		type systemd_passwd_agent_t;
+	')
+
+	allow systemd_passwd_agent_t $1:fd use;
+')
+
+########################################
+## <summary>
+##      Transition to systemd_passwd_var_run_t when creating dirs
+## </summary>
+## <param name="domain">
+##      <summary>
+##	Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_filetrans_passwd_runtime_dirs',`
+	gen_require(`
+		type systemd_passwd_var_run_t;
+	')
+
+	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
+	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+')
+
+########################################
+## <summary>
+##      manage systemd unit dirs and the files in them
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_manage_all_units',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	manage_dirs_pattern($1, systemdunit, systemdunit)
+	manage_files_pattern($1, systemdunit, systemdunit)
+	manage_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
+########################################
+## <summary>
+##      Allow domain to create/manage systemd_journal_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_manage_journal_files',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
+	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+')
+
+########################################
+## <summary>
 ##     Allow systemd_logind_t to read process state for cgroup file
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 904c777a..19e6947a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.5)
+policy_module(systemd, 1.3.6)
 
 #########################################
 #
@@ -12,6 +12,14 @@ policy_module(systemd, 1.3.5)
 ## </desc>
 gen_tunable(systemd_tmpfiles_manage_all, false)
 
+## <desc>
+## <p>
+## Allow systemd-nspawn to create a labelled namespace with the same types
+## as parent environment
+## </p>
+## </desc>
+gen_tunable(systemd_nspawn_labeled_namespace, false)
+
 attribute systemd_log_parse_env_type;
 
 type systemd_activate_t;
@@ -57,6 +65,9 @@ type systemd_coredump_t;
 type systemd_coredump_exec_t;
 init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
 
+type systemd_coredump_var_lib_t;
+files_type(systemd_coredump_var_lib_t)
+
 type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
@@ -65,6 +76,10 @@ type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
 
+type systemd_journal_t;
+files_type(systemd_journal_t)
+logging_log_file(systemd_journal_t)
+
 type systemd_locale_t;
 type systemd_locale_exec_t;
 init_system_domain(systemd_locale_t, systemd_locale_exec_t)
@@ -85,10 +100,21 @@ type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
 
+type systemd_machined_var_run_t;
+files_pid_file(systemd_machined_var_run_t)
+init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
+
+type systemd_notify_t;
+type systemd_notify_exec_t;
+init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
+
 type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 
+type systemd_nspawn_var_run_t;
+files_pid_file(systemd_nspawn_var_run_t)
+
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
 init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
@@ -108,6 +134,9 @@ type systemd_passwd_agent_t;
 type systemd_passwd_agent_exec_t;
 init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 
+type systemd_passwd_var_run_t;
+files_pid_file(systemd_passwd_var_run_t)
+
 type systemd_sessions_t;
 type systemd_sessions_exec_t;
 init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
@@ -152,6 +181,8 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Backlight local policy
 #
 
+allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
+
 allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
 manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
@@ -161,8 +192,10 @@ systemd_log_parse_environment(systemd_backlight_t)
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
 dev_rw_sysfs(systemd_backlight_t)
 
+# for udev.conf
 files_read_etc_files(systemd_backlight_t)
 
+# for /run/udev/data/+backlight*
 udev_read_pid_files(systemd_backlight_t)
 
 #######################################
@@ -292,6 +325,14 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 ')
 
+########################################
+#
+# Nspawn local policy
+#
+
+init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+
+
 #########################################
 #
 # Resolved local policy
@@ -308,7 +349,6 @@ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
 
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
-kernel_read_system_state(systemd_resolved_t)
 
 corenet_tcp_bind_generic_node(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
@@ -343,6 +383,11 @@ systemd_log_parse_environment(systemd_sessions_t)
 allow systemd_tmpfiles_t self:capability  { chown dac_override fowner fsetid mknod };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 
+manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
+allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index d4c92ccb..847b65bf 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -315,6 +315,26 @@ interface(`udev_pid_filetrans_db',`
 
 ########################################
 ## <summary>
+##      Allow process to relabelto udev database
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`udev_relabelto_db',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 udev_var_run_t:file relabelto_file_perms;
+	allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
+')
+
+########################################
+## <summary>
 ## 	Search through udev pid content
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d6034f30..08057d3d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.2)
+policy_module(udev, 1.21.3)
 
 ########################################
 #
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 3bf66058..3f7f66a7 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -483,6 +483,25 @@ interface(`unconfined_stream_connect',`
 
 ########################################
 ## <summary>
+##      Do not audit attempts to read and write
+##      unconfined domain stream.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream_sockets',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read or write
 ##	unconfined domain tcp sockets.
 ## </summary>
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index dc319d53..c1d4df8e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.9.0)
+policy_module(unconfined, 3.9.1)
 
 ########################################
 #
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 45c0339f..0799c18c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1137,6 +1137,10 @@ template(`userdom_unpriv_user_template', `
 	optional_policy(`
 		setroubleshoot_stream_connect($1_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_logind($1_t)
+	')
 ')
 
 #######################################
@@ -3276,6 +3280,35 @@ interface(`userdom_use_user_ptys',`
 
 ########################################
 ## <summary>
+##     Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+##     <p>
+##     Allow the specified domain to read and write inherited user
+##     TTYs and PTYs. This will allow the domain to
+##     interact with the user via the terminal. Typically
+##     all interactive applications will require this
+##     access.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+	gen_require(`
+		type user_tty_device_t, user_devpts_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write a user TTYs and PTYs.
 ## </summary>
 ## <desc>
@@ -3718,6 +3751,25 @@ interface(`userdom_write_user_tmp_files',`
 
 ########################################
 ## <summary>
+##      Do not audit attempts to write users
+##      temporary files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to use user ttys.
 ## </summary>
 ## <param name="domain">
@@ -4085,3 +4137,22 @@ interface(`userdom_relabel_user_certs',`
 	relabel_sock_files_pattern($1, user_cert_t, user_cert_t)
 	relabel_fifo_files_pattern($1, user_cert_t, user_cert_t)
 ')
+
+########################################
+## <summary>
+##     Do not audit attempts to read and write
+##     unserdomain stream.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_all_users_stream_sockets',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index df3b9572..3d60070c 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.1)
+policy_module(userdomain, 4.13.2)
 
 ########################################
 #
author	Chris PeBenito <pebenito@ieee.org>	2017-02-23 20:03:23 -0500
committer	Jason Zaman <jason@perfinion.com>	2017-02-25 22:22:23 +0800
commit	5b8acde37136f75ce5a52f1b6a0604d3f35dacc7 (patch)
tree	6399183d2aea489938b6e9f3b78a5b8f116f9c35
parent	Module version bump for ntp fixes from cgzones. (diff)
download	hardened-refpolicy-5b8acde37136f75ce5a52f1b6a0604d3f35dacc7.tar.gz hardened-refpolicy-5b8acde37136f75ce5a52f1b6a0604d3f35dacc7.tar.bz2 hardened-refpolicy-5b8acde37136f75ce5a52f1b6a0604d3f35dacc7.zip