From 0c41682fc4fdc051f5ced7998b1840083077cab7 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Date: Thu, 30 Mar 2023 14:33:57 +0000
Subject: [PATCH] cloudinit: Add permissions derived from sysadm.

Allow a similar amount of admin capability to cloud-init as sysadm.  Also add
a tunable to allow non-security file management for fallback.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
---
 policy/modules/admin/cloudinit.if    |   76 ++
 policy/modules/admin/cloudinit.te    | 1028 +++++++++++++++++++++++++-
 policy/modules/admin/rpm.fc          |    2 +
 policy/modules/admin/rpm.te          |   20 +-
 policy/modules/admin/usermanage.te   |   14 +-
 policy/modules/services/ssh.if       |   25 +
 policy/modules/system/fstools.te     |    5 +
 policy/modules/system/init.if        |   20 +
 policy/modules/system/selinuxutil.te |    5 +
 policy/modules/system/systemd.if     |    2 +-
 policy/modules/system/systemd.te     |    4 +-
 policy/modules/system/udev.te        |    2 +
 policy/modules/system/unconfined.if  |   19 +
 policy/modules/system/userdomain.if  |   19 +
 policy/support/obj_perm_sets.spt     |    1 +
 15 files changed, 1216 insertions(+), 26 deletions(-)

diff --git a/policy/modules/admin/cloudinit.if b/policy/modules/admin/cloudinit.if
index 604f56dc4..1d9d54daa 100644
--- a/policy/modules/admin/cloudinit.if
+++ b/policy/modules/admin/cloudinit.if
@@ -57,6 +57,25 @@ interface(`cloudinit_write_runtime_files',`
 	write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
 ')
 
+########################################
+## <summary>
+##	Read and write cloud-init runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_rw_runtime_files',`
+	gen_require(`
+		type cloud_init_runtime_t;
+	')
+
+	files_search_runtime($1)
+	rw_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##	Create cloud-init runtime files.
@@ -125,3 +144,60 @@ interface(`cloudinit_getattr_state_files',`
 	allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
 	allow $1 cloud_init_state_t:file getattr;
 ')
+
+########################################
+## <summary>
+##	Write inherited cloud-init temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_write_inherited_tmp_files',`
+	gen_require(`
+		type cloud_init_t, cloud_init_tmp_t;
+	')
+
+	allow $1 cloud_init_t:fd use;
+	allow $1 cloud_init_tmp_t:file write_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write cloud-init temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_rw_tmp_files',`
+	gen_require(`
+		type cloud_init_tmp_t;
+	')
+
+	files_search_tmp($1)
+	rw_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
+')
+
+########################################
+## <summary>
+##	Create cloud-init temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_create_tmp_files',`
+	gen_require(`
+		type cloud_init_tmp_t;
+	')
+
+	files_search_tmp($1)
+	create_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
+')
diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
index 80c17374b..0c80a32ad 100644
--- a/policy/modules/admin/cloudinit.te
+++ b/policy/modules/admin/cloudinit.te
@@ -9,6 +9,13 @@ gen_require(`
 # Declarations
 #
 
+## <desc>
+## <p>
+## Enable support for cloud-init to manage all non-security files.
+## </p>
+## </desc>
+gen_tunable(cloudinit_manage_non_security, false)
+
 type cloud_init_t;
 type cloud_init_exec_t;
 init_system_domain(cloud_init_t, cloud_init_exec_t)
@@ -23,18 +30,21 @@ files_mountpoint(cloud_init_runtime_t)
 type cloud_init_state_t;
 files_type(cloud_init_state_t)
 
+type cloud_init_tmp_t;
+files_tmp_file(cloud_init_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
 allow cloud_init_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
-dontaudit cloud_init_t self:capability { net_admin sys_tty_config };
+dontaudit cloud_init_t self:capability { net_admin sys_admin sys_tty_config };
 allow cloud_init_t self:fifo_file rw_fifo_file_perms;
 allow cloud_init_t self:unix_dgram_socket create_socket_perms;
 allow cloud_init_t self:passwd passwd;
 
-allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms setattr };
+allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms read setattr };
 logging_log_filetrans(cloud_init_t, cloud_init_log_t, file)
 
 manage_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
@@ -48,12 +58,23 @@ manage_lnk_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
 manage_dirs_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
 files_var_lib_filetrans(cloud_init_t, cloud_init_state_t, { dir file lnk_file })
 
-auth_domtrans_chk_passwd(cloud_init_t)
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { dir file lnk_file })
 
-corecmd_exec_bin(cloud_init_t)
-corecmd_exec_shell(cloud_init_t)
+auth_run_chk_passwd(cloud_init_t, system_r)
 
-corenet_dontaudit_tcp_bind_generic_node(cloud_init_t)
+corecmd_exec_all_executables(cloud_init_t)
+
+corenet_all_recvfrom_netlabel(cloud_init_t)
+corenet_tcp_sendrecv_generic_if(cloud_init_t)
+corenet_tcp_sendrecv_generic_node(cloud_init_t)
+corenet_tcp_connect_all_ports(cloud_init_t)
+corenet_tcp_bind_generic_node(cloud_init_t)
+corenet_tcp_bind_all_unreserved_ports(cloud_init_t)
+corenet_udp_bind_generic_node(cloud_init_t)
+corenet_udp_bind_all_unreserved_ports(cloud_init_t)
 
 dbus_system_bus_client(cloud_init_t)
 
@@ -61,19 +82,23 @@ dev_getattr_all_blk_files(cloud_init_t)
 # /sys/devices/pci0000:00/0000:00:03.0/net/eth0/address
 dev_read_sysfs(cloud_init_t)
 
+domain_read_all_domains_state(cloud_init_t)
+domain_obj_id_change_exemption(cloud_init_t)
+
 files_manage_config_dirs(cloud_init_t)
 files_relabel_config_dirs(cloud_init_t)
 files_manage_config_files(cloud_init_t)
 files_relabel_config_files(cloud_init_t)
+files_manage_mnt_dirs(cloud_init_t)
 
 fs_getattr_all_fs(cloud_init_t)
 fs_search_tmpfs(cloud_init_t)
 fs_search_cgroup_dirs(cloud_init_t)
 fs_read_iso9660_files(cloud_init_t)
 
-fstools_domtrans(cloud_init_t)
+fstools_run(cloud_init_t, system_r)
 
-hostname_domtrans(cloud_init_t)
+hostname_run(cloud_init_t, system_r)
 
 kernel_read_system_state(cloud_init_t)
 kernel_read_kernel_sysctls(cloud_init_t)
@@ -85,30 +110,854 @@ logging_send_syslog_msg(cloud_init_t)
 
 miscfiles_read_localization(cloud_init_t)
 
-mount_domtrans(cloud_init_t)
+mount_run(cloud_init_t, system_r)
+
+selinux_set_enforce_mode(cloud_init_t)
+selinux_set_all_booleans(cloud_init_t)
+selinux_set_parameters(cloud_init_t)
+selinux_read_policy(cloud_init_t)
 
 seutil_read_default_contexts(cloud_init_t)
+seutil_run_semanage(cloud_init_t, system_r)
+seutil_run_setfiles(cloud_init_t, system_r)
 
-ssh_domtrans_keygen(cloud_init_t)
+ssh_run_keygen(cloud_init_t, system_r)
 ssh_manage_home_files(cloud_init_t)
 ssh_create_home_dirs(cloud_init_t)
 ssh_setattr_home_dirs(cloud_init_t)
 # Read public keys
 ssh_read_server_keys(cloud_init_t)
 
-sysnet_domtrans_ifconfig(cloud_init_t)
+sysnet_run_ifconfig(cloud_init_t, system_r)
 
 term_write_console(cloud_init_t)
 
 udev_manage_rules_files(cloud_init_t)
 udev_read_runtime_files(cloud_init_t)
 
-usermanage_domtrans_useradd(cloud_init_t)
-usermanage_domtrans_groupadd(cloud_init_t)
-usermanage_domtrans_passwd(cloud_init_t)
+usermanage_run_useradd(cloud_init_t, system_r)
+usermanage_run_groupadd(cloud_init_t, system_r)
+usermanage_run_passwd(cloud_init_t, system_r)
+
+tunable_policy(`cloudinit_manage_non_security',`
+	files_manage_non_security_dirs(cloud_init_t)
+	files_manage_non_security_files(cloud_init_t)
+	files_relabel_non_security_dirs(cloud_init_t)
+	files_relabel_non_security_files(cloud_init_t)
+')
 
 optional_policy(`
-	rpm_domtrans(cloud_init_t)
+	abrt_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	accountsd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	acct_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	afs_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	aide_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	aisexecd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	amanda_run_recover(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	amavis_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	amtu_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	apt_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	aptcacher_run_acngtool(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	arpwatch_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	automount_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	avahi_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	backup_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	bacula_run_admin(cloud_init_t, system_r)
+	bacula_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	bind_admin(cloud_init_t, system_r)
+	bind_run_ndc(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	bird_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	bitlbee_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	boinc_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	bootloader_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	bugzilla_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	cachefilesd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	calamaris_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	canna_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	certbot_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	certmaster_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	certmonger_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	certwatch_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	cfengine_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	cgroup_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	chkrootkit_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	chronyd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	clamav_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	clock_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	cobbler_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	collectd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	condor_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	consoletype_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	container_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	corosync_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	couchdb_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	cron_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	ctdb_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	cups_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	cvs_admin(cloud_init_t, system_r)
+	cvs_exec(cloud_init_t)
+')
+
+optional_policy(`
+	cyphesis_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	cyrus_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	dante_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	ddclient_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	devicekit_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	dev_rw_xen(cloud_init_t)
+')
+
+optional_policy(`
+	dhcpd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	dictd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	dirmngr_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	distcc_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	dkim_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	dmidecode_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	dnsmasq_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	dovecot_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	dphysswapfile_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	dpkg_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	drbd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	entropyd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	exim_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	fail2ban_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	fapolicyd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	fcoe_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	fetchmail_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	firewalld_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	firstboot_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	ftp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	gatekeeper_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	gdomap_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	glance_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	glusterfs_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	gssproxy_admin(cloud_init_t)
+')
+
+optional_policy(`
+	hostname_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	hwloc_admin(cloud_init_t)
+	hwloc_run_dhwd(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	hypervkvp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	i18n_input_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	icecast_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	ifplugd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	inn_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	iodine_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	ipsec_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	iptables_admin(cloud_init_t, system_r)
+	iptables_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	irqbalance_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	iscsi_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	isnsd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	jabber_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	kdump_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	kerberos_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	kerneloops_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	keystone_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	knot_admin(cloud_init_t, system_r)
+	knot_run_client(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	kismet_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	ksmtuned_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	l2tp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	ldap_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	libs_run_ldconfig(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	lightsquid_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	likewise_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	lircd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	lldpad_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	logrotate_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	lsmd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	lvm_admin(cloud_init_t, system_r)
+	lvm_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	mandb_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	mcelog_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	memcached_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	minidlna_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	minissdpd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	modutils_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	mongodb_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	monit_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	monop_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	mpd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	mrtg_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	munin_stream_connect(cloud_init_t)
+')
+
+optional_policy(`
+	mysql_admin(cloud_init_t, system_r)
+	mysql_stream_connect(cloud_init_t)
+')
+
+optional_policy(`
+	nagios_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	nessus_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	netlabel_run_mgmt(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	netutils_run(cloud_init_t, system_r)
+	netutils_run_ping(cloud_init_t, system_r)
+	netutils_run_traceroute(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	networkmanager_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	nis_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	nscd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+        nsd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	nslcd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	ntop_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	ntp_admin(cloud_init_t, system_r)
+	corenet_udp_bind_ntp_port(cloud_init_t)
+')
+
+optional_policy(`
+	numad_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	nut_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	oident_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	openct_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	openhpi_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	opensm_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	openvpn_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	openvswitch_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	pacemaker_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	pads_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	pcscd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	pegasus_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	perdition_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	pingd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	pkcs_admin_slotd(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	plymouthd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	portage_run(cloud_init_t, system_r)
+	portage_run_fetch(cloud_init_t, system_r)
+	portage_run_gcc_config(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	portmap_run_helper(cloud_init_t, system_r)
+	portmap_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	portreserve_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	postfix_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	postfixpolicyd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	postgrey_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	ppp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	prelude_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	privoxy_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	psad_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	puppet_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	pxe_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	pyzor_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	qpidd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	quantum_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	quota_run(cloud_init_t, system_r)
+	quota_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	rabbitmq_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	radius_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	radvd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	raid_run_mdadm(system_r, cloud_init_t)
+	raid_admin_mdadm(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	redis_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	resmgr_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	rhsmcertd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	rkhunter_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	rngd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	rpc_admin(cloud_init_t, system_r)
+	rpc_domtrans_nfsd(cloud_init_t)
+')
+
+optional_policy(`
+	rpcbind_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	rpm_run(cloud_init_t, system_r)
+	rpm_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	rsync_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	rtkit_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	rwho_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	samba_admin(cloud_init_t, system_r, system_r)
+	samba_run_smbcontrol(cloud_init_t, system_r)
+	samba_run_smbmount(cloud_init_t, system_r)
+	samba_run_net(cloud_init_t, system_r)
+	samba_run_winbind_helper(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	samhain_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	sanlock_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	sasl_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	sblim_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	sensord_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	setrans_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	setroubleshoot_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	shorewall_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	slpd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	smartmon_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	smokeping_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	smstools_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	snmp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	snort_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	soundserver_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	spamassassin_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	sssd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	stapserver_admin(cloud_init_t, system_r)
 ')
 
 optional_policy(`
@@ -126,13 +975,156 @@ optional_policy(`
 ')
 
 optional_policy(`
+	svnserve_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	sysnet_run_ifconfig(cloud_init_t, system_r)
+	sysnet_run_dhcpc(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	sysstat_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	init_start_system(cloud_init_t)
+	init_stop_system(cloud_init_t)
+	init_reload(cloud_init_t)
 	init_get_system_status(cloud_init_t)
-	init_start_all_units(cloud_init_t)
-	init_stop_all_units(cloud_init_t)
-	init_get_all_units_status(cloud_init_t)
+	init_manage_all_units(cloud_init_t)
+	init_manage_all_unit_files(cloud_init_t)
+	init_relabel_all_unit_files(cloud_init_t)
 	init_list_all_units(cloud_init_t)
 
 	systemd_exec_systemctl(cloud_init_t)
 	systemd_dbus_chat_hostnamed(cloud_init_t)
 	systemd_dbus_chat_logind(cloud_init_t)
+	systemd_list_journal_dirs(cloud_init_t)
+	systemd_read_journal_files(cloud_init_t)
+')
+
+optional_policy(`
+	tboot_run_txtstat(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	tcsd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	tftp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	tgtd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	tor_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	transproxy_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	tripwire_run_siggen(cloud_init_t, system_r)
+	tripwire_run_tripwire(cloud_init_t, system_r)
+	tripwire_run_twadmin(cloud_init_t, system_r)
+	tripwire_run_twprint(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	tzdata_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	udev_run_udevadm(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	ulogd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	unconfined_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	uptime_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	uucp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	uuidd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	varnishd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	varnishd_admin_varnishlog(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	vdagent_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	vhostmd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	virt_admin(cloud_init_t, system_r)
+	virt_stream_connect(cloud_init_t)
+')
+
+optional_policy(`
+	vnstatd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	vpn_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	watchdog_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	wdmd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	webalizer_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	wireguard_admin(cloud_init_t, system_r)
+	wireguard_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	vlock_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	zabbix_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	zarafa_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	zebra_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+	zfs_admin(cloud_init_t, system_r)
 ')
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
index 7dd671cb4..7efcf71de 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -52,11 +52,13 @@ ifdef(`distro_redhat',`
 /usr/share/yumex/yum_childtask\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /var/cache/bcfg2(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/cache/t?dnf(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
 /var/cache/yum(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
 
 /var/lib/alternatives(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/dnf(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/rpm(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/t?dnf(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/YaST2(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/yum(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 6879580d5..1a2210bc8 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -46,9 +46,19 @@ init_unit_file(rpm_unit_t)
 type rpm_var_lib_t;
 files_type(rpm_var_lib_t)
 
+optional_policy(`
+	# delete locks
+	systemd_tmpfilesd_managed(rpm_var_lib_t)
+')
+
 type rpm_var_cache_t;
 files_type(rpm_var_cache_t)
 
+optional_policy(`
+	# delete locks
+	systemd_tmpfilesd_managed(rpm_var_cache_t)
+')
+
 type rpm_script_t;
 type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
@@ -90,6 +100,7 @@ allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(rpm_t, rpm_log_t, file)
 
+allow rpm_t rpm_tmp_t:dir watch;
 manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
@@ -101,6 +112,7 @@ manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+allow rpm_t rpm_var_cache_t:dir watch;
 manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
 manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
 files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
@@ -211,6 +223,8 @@ seutil_read_file_contexts(rpm_t)
 
 userdom_use_user_terminals(rpm_t)
 userdom_use_unpriv_users_fds(rpm_t)
+userdom_watch_user_runtime_dirs(rpm_t)
+userdom_user_runtime_root_filetrans_user_runtime(rpm_t, dir)
 
 ifdef(`init_systemd', `
 	systemd_use_logind_fds(rpm_t)
@@ -335,7 +349,7 @@ term_getattr_unallocated_ttys(rpm_script_t)
 term_list_ptys(rpm_script_t)
 term_use_all_terms(rpm_script_t)
 
-auth_dontaudit_getattr_shadow(rpm_script_t)
+auth_dontaudit_read_shadow(rpm_script_t)
 auth_use_nsswitch(rpm_script_t)
 
 init_domtrans_script(rpm_script_t)
@@ -358,6 +372,7 @@ seutil_run_setfiles(rpm_script_t, rpm_roles)
 seutil_run_semanage(rpm_script_t, rpm_roles)
 
 userdom_use_all_users_fds(rpm_script_t)
+userdom_user_runtime_root_filetrans_user_runtime(rpm_script_t, dir)
 
 ifdef(`distro_redhat',`
 	optional_policy(`
@@ -400,11 +415,12 @@ optional_policy(`
 ')
 
 optional_policy(`
-	udev_domtrans(rpm_script_t)
+	udev_run_udevadm(rpm_script_t, rpm_roles)
 ')
 
 optional_policy(`
 	unconfined_domtrans(rpm_script_t)
+	unconfined_write_inherited_pipes(rpm_script_t)
 
 	optional_policy(`
 		java_domtrans_unconfined(rpm_script_t)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index c78e3c02e..daeaa090e 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -262,6 +262,10 @@ optional_policy(`
 	apt_use_fds(groupadd_t)
 ')
 
+optional_policy(`
+	cloudinit_write_inherited_tmp_files(groupadd_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(groupadd_t)
 ')
@@ -291,7 +295,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_use_fds(groupadd_t)
+	unconfined_write_inherited_pipes(groupadd_t)
 ')
 
 ########################################
@@ -475,7 +479,7 @@ optional_policy(`
 #
 
 allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability { net_admin sys_tty_config };
+dontaudit useradd_t self:capability { net_admin sys_ptrace sys_tty_config };
 dontaudit useradd_t self:cap_userns sys_ptrace;
 allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow useradd_t self:fd use;
@@ -571,6 +575,10 @@ optional_policy(`
 	apt_use_fds(useradd_t)
 ')
 
+optional_policy(`
+	cloudinit_write_inherited_tmp_files(useradd_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(useradd_t)
 ')
@@ -602,5 +610,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_use_fds(useradd_t)
+	unconfined_write_inherited_pipes(useradd_t)
 ')
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index f5477977e..dcbabf6b0 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -813,6 +813,31 @@ interface(`ssh_domtrans_keygen',`
 	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
 ')
 
+######################################
+## <summary>
+##	Execute the ssh key generator in the ssh keygen domain,
+##	and allow the specified	role the ssh keygen domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_run_keygen',`
+	gen_require(`
+		type ssh_keygen_t;
+	')
+
+	ssh_domtrans_keygen($1)
+	role $2 types ssh_keygen_t;
+')
+
 ########################################
 ## <summary>
 ##	Read ssh server keys
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index d72272953..d5e090c28 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -200,6 +200,11 @@ optional_policy(`
 	amanda_append_log_files(fsadm_t)
 ')
 
+optional_policy(`
+	cloudinit_rw_tmp_files(fsadm_t)
+	cloudinit_create_tmp_files(fsadm_t)
+')
+
 optional_policy(`
 	container_read_device_blk_files(fsadm_t)
 ')
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f92766c60..d0ab6357f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3793,6 +3793,26 @@ interface(`init_manage_all_unit_files',`
 	manage_lnk_files_pattern($1, systemdunit, systemdunit)
 ')
 
+########################################
+## <summary>
+##	Relabel from and to systemd unit types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_relabel_all_unit_files',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	list_dirs_pattern($1, systemdunit, systemdunit)
+	read_lnk_files_pattern($1, systemdunit, systemdunit)
+	relabel_files_pattern($1, systemdunit, systemdunit)
+')
+
 #########################################
 ## <summary>
 ##	Associate the specified domain to be a domain whose
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 37fc446b4..a120183c7 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -220,6 +220,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_write_inherited_pipes(load_policy_t)
         # leaked file descriptors
         unconfined_dontaudit_read_pipes(load_policy_t)
 ')
@@ -533,6 +534,10 @@ term_use_all_terms(semanage_t)
 # Running genhomedircon requires this for finding all users
 auth_use_nsswitch(semanage_t)
 
+# Python module compilations
+libs_dontaudit_manage_lib_dirs(semanage_t)
+libs_dontaudit_manage_lib_files(semanage_t)
+
 logging_send_syslog_msg(semanage_t)
 
 miscfiles_read_localization(semanage_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index c54600c4f..28f0ad089 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1338,7 +1338,7 @@ interface(`systemd_write_logind_runtime_pipes',`
 
 	init_search_run($1)
 	files_search_runtime($1)
-	allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
+	allow $1 systemd_logind_runtime_t:fifo_file write_fifo_file_perms;
 ')
 
 ######################################
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 3db8b530b..c6adedcc5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -526,7 +526,7 @@ init_rename_runtime_files(systemd_generator_t)
 init_search_runtime(systemd_generator_t)
 init_setattr_runtime_files(systemd_generator_t)
 init_write_runtime_files(systemd_generator_t)
-init_list_unit_dirs(systemd_generator_t)
+init_list_all_units(systemd_generator_t)
 init_read_generic_units_files(systemd_generator_t)
 init_read_generic_units_symlinks(systemd_generator_t)
 init_read_script_files(systemd_generator_t)
@@ -559,7 +559,7 @@ ifdef(`distro_gentoo',`
 
 optional_policy(`
 	cloudinit_create_runtime_dirs(systemd_generator_t)
-	cloudinit_write_runtime_files(systemd_generator_t)
+	cloudinit_rw_runtime_files(systemd_generator_t)
 	cloudinit_create_runtime_files(systemd_generator_t)
 	cloudinit_filetrans_runtime(systemd_generator_t, dir, "cloud-init")
 
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 5e5832c53..7001efda9 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -425,6 +425,8 @@ kernel_dontaudit_getattr_proc(udevadm_t)
 kernel_read_kernel_sysctls(udevadm_t)
 kernel_read_system_state(udevadm_t)
 
+selinux_use_status_page(udevadm_t)
+
 seutil_read_file_contexts(udevadm_t)
 
 storage_getattr_fixed_disk_dev(udevadm_t)
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 2c01ef07d..658fc2218 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -386,6 +386,25 @@ interface(`unconfined_read_pipes',`
 	allow $1 unconfined_t:fifo_file read_fifo_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_write_inherited_pipes',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:fd use;
+	allow $1 unconfined_t:fifo_file write_inherited_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read unconfined domain unnamed pipes.
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 48850cfb5..6823a8f97 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3641,6 +3641,25 @@ interface(`userdom_manage_user_runtime_dirs',`
 	userdom_search_user_runtime_root($1)
 ')
 
+########################################
+## <summary>
+##	Watch user runtime dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_watch_user_runtime_dirs',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir watch;
+	userdom_search_user_runtime_root($1)
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on user runtime dir
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 7faae0680..6e959d057 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -198,6 +198,7 @@ define(`getattr_fifo_file_perms',`{ getattr }')
 define(`setattr_fifo_file_perms',`{ setattr }')
 define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
 define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+define(`write_inherited_fifo_file_perms',`{ getattr write append lock ioctl }')
 define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
 define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
 define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')