diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index da424a118..2d939c2fa 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
mls_file_write_all_levels(bootloader_t)
term_getattr_all_ttys(bootloader_t)
+term_getattr_generic_ptys(bootloader_t)
term_dontaudit_manage_pty_dirs(bootloader_t)
corecmd_exec_all_executables(bootloader_t)
@@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_t)
domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
+files_getattr_default_dirs(bootloader_t)
files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
@@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
+fs_list_hugetlbfs(bootloader_t)
fs_mount_fusefs(bootloader_t)
fs_mount_xattr_fs(bootloader_t)
fs_mounton_fusefs(bootloader_t)
@@ -172,7 +175,7 @@ ifdef(`distro_debian',`
# for apt-cache
apt_read_db(bootloader_t)
- apt_read_cache(bootloader_t)
+ apt_manage_cache(bootloader_t)
dpkg_read_db(bootloader_t)
dpkg_rw_pipes(bootloader_t)
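Review bot: The `# for apt-cache` comment no longer matches the rule under it: `apt_manage_cache(bootloader_t)` grants create/write/unlink on apt cache files, whereas the comment still describes the read-only need the old `apt_read_cache` served. If the motivating denial was apt-cache regenerating its binary cache from a grub hook, say so, e.g. `# for apt-cache, which may rebuild the binary package cache`; if only writes to existing files are needed, a narrower rw-style apt interface would be preferable should one exist. A bootloader domain that can delete or replace the apt cache is a wider grant than the comment suggests, so the denial that justifies it belongs in the commit message. The enclosing `ifdef(`distro_debian'` block starts before this hunk.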
@@ -203,6 +206,10 @@ optional_policy(`
fstools_exec(bootloader_t)
')
+optional_policy(`
+ gpm_getattr_gpmctl(bootloader_t)
+')
+
optional_policy(`
hal_dontaudit_append_lib_files(bootloader_t)
hal_write_log(bootloader_t)
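Review bot: The new `gpm_getattr_gpmctl(bootloader_t)` block carries no comment saying which bootloader tool stats the gpm control socket, unlike the `# for apt-cache` note earlier in this file; a one-liner naming the program that triggered the denial, in that same style, would help the next reviewer judge whether getattr is all it needs. This same change also widens `gpm_dontaudit_getattr_gpmctl` to the fifo_file class, which suggests gpmctl can appear as a fifo; if so, the allow interface used here may need the same class, which cannot be confirmed from this diff.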
@@ -229,6 +236,10 @@ optional_policy(`
nscd_use(bootloader_t)
')
+optional_policy(`
+ raid_read_mdadm_pid(bootloader_t)
+')
+
optional_policy(`
rpm_rw_pipes(bootloader_t)
')
diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
index a5e88d6f4..c7e95a2e2 100644
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
allow $1 dpkg_script_tmp_t:file map;
')
+
+########################################
+##
+## read dpkg_script_tmp_t links
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dpkg_read_script_tmp_links',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
+')
diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
index 356fb6d12..e024da28c 100644
--- a/policy/modules/services/gpm.if
+++ b/policy/modules/services/gpm.if
@@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
')
dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
')
########################################
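Review bot: Adding `fifo_file` to `gpm_dontaudit_getattr_gpmctl` implies /dev/gpmctl can be a fifo labelled gpmctl_t, but the allow counterpart `gpm_getattr_gpmctl`, which bootloader.te starts using in this same change, is not updated; if the fifo case is real the two should cover the same classes, e.g. `allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;` in the allow interface. It is also worth checking that the file context entry for gpmctl is not restricted to socket files (`-s`), since a fifo would otherwise never receive gpmctl_t and this rule would never match. A short comment naming the setup in which gpmctl is a fifo would make the rule self-explaining. The enclosing interface starts before this hunk.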
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 7f8c002e4..9b5e0fe00 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -821,6 +821,25 @@ interface(`auth_append_lastlog',`
allow $1 lastlog_t:file { append_file_perms lock };
')
+#######################################
+##
+## relabel the last logins log.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_relabel_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
#######################################
##
## Read and write to the last logins log.
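Review bot: `auth_relabel_lastlog` is placed between `auth_append_lastlog` and `auth_rw_lastlog`, while its sibling `auth_manage_lastlog` goes after `auth_rw_lastlog`; refpolicy interface files generally order read/append/rw/manage/relabel, so the relabel interface belongs after the manage one. Since the interface grants both relabelfrom and relabelto, the summary should spell out that the caller can also turn other files it may relabelfrom into lastlog_t, not just strip the lastlog label: `## Relabel the last logins log (relabelfrom and relabelto on lastlog_t).` The `#` rule above the new block is also one column shorter than the one used for the manage block.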
@@ -840,6 +859,25 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
+########################################
+##
+## Manage the last logins log.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_manage_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ allow $1 lastlog_t:file manage_file_perms;
+ logging_rw_generic_log_dirs($1)
+')
+
########################################
##
## Execute pam programs in the pam domain.
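Review bot: `auth_manage_lastlog` grants create/unlink on lastlog_t plus rw on generic log dirs but sets up no name-based file transition, so a lastlog file the caller creates will take the directory's label unless the caller relabels it afterwards or has its own filetrans; that is a valid design but the summary should say it: `## Manage the last logins log. No file transition is provided; creating lastlog needs a filetrans or a relabel.` The two new lastlog interfaces also order their statements differently (the logging call comes before the allow in the relabel interface and after it here); pick one ordering for both.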
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index eb3458aa5..6808e87a2 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -136,6 +136,7 @@ optional_policy(`
# for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)
dpkg_map_script_tmp_files(kmod_t)
+ dpkg_read_script_tmp_links(kmod_t)
')
optional_policy(`
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
index 091c805ed..063bf4813 100644
--- a/policy/modules/system/raid.if
+++ b/policy/modules/system/raid.if
@@ -46,6 +46,26 @@ interface(`raid_run_mdadm',`
roleattribute $1 mdadm_roles;
')
+########################################
+##
+## read mdadm pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`raid_read_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 mdadm_var_run_t:dir list_dir_perms;
+ allow $1 mdadm_var_run_t:file read_file_perms;
+')
+
########################################
##
## Create, read, write, and delete
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 316f43625..8dde6487f 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
optional_policy(`
nscd_use($1)
')
+ optional_policy(`
+ # for /etc/resolv.conf symlink
+ networkmanager_read_pid_files($1)
+ ')
ifdef(`init_systemd',`
optional_policy(`
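Review bot: `networkmanager_read_pid_files($1)` inside `sysnet_dns_name_resolve` hands every domain that resolves names read access to all of NetworkManager's runtime files, which is much wider than following the `/etc/resolv.conf` symlink into NetworkManager's run directory needs. If the networkmanager module offers a narrower interface for just its resolv.conf (search on the dir plus read on that one file), use it here; otherwise consider adding one rather than granting the whole pid-file type from this widely used interface. The comment should also say which setup points the symlink there, since on many systems resolv.conf is a regular file or points at systemd-resolved. The enclosing `sysnet_dns_name_resolve` interface starts before and continues after this hunk.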
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 414487137..2dc35c041 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -970,14 +970,19 @@ files_relabelto_etc_dirs(systemd_tmpfiles_t)
# for /etc/mtab
files_manage_etc_symlinks(systemd_tmpfiles_t)
+fs_getattr_tmpfs(systemd_tmpfiles_t)
+fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
fs_getattr_xattr_fs(systemd_tmpfiles_t)
selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_search_fs(systemd_tmpfiles_t)
+auth_append_lastlog(systemd_tmpfiles_t)
auth_manage_faillog(systemd_tmpfiles_t)
+auth_manage_lastlog(systemd_tmpfiles_t)
auth_manage_login_records(systemd_tmpfiles_t)
auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_lastlog(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
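Review bot: `auth_append_lastlog(systemd_tmpfiles_t)` is redundant next to `auth_manage_lastlog(systemd_tmpfiles_t)` two lines below it: refpolicy's manage_file_perms already contains append and lock, so the append interface adds no access and only makes the domain's lastlog rights harder to read. Drop the `auth_append_lastlog(systemd_tmpfiles_t)` line and keep the manage and relabel ones. The trailing context of this hunk appears to be a blank line not shown here.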