Description: Make strict configuration work
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-09-13

Index: refpolicy/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy.orig/policy/modules/roles/sysadm.te
+++ refpolicy/policy/modules/roles/sysadm.te
@@ -43,6 +43,8 @@ init_shutdown_system(sysadm_t)
 init_manage_all_units(sysadm_t)
 initrc_manage_service(sysadm_t)
 
+selinux_read_policy(sysadm_t)
+
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
@@ -102,6 +104,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	system_mail_role(sysadm_r)
+')
+
+optional_policy(`
 	amanda_run_recover(sysadm_t, sysadm_r)
 ')
 
Index: refpolicy/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy.orig/policy/modules/kernel/kernel.te
+++ refpolicy/policy/modules/kernel/kernel.te
@@ -270,6 +270,15 @@ dev_delete_generic_chr_files(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 
+ifdef(`distro_debian',`
+	# for systemd access to /run before transition
+	fs_search_tmpfs(kernel_t)
+	# also for systemd before transition
+	selinux_compute_create_context(kernel_t)
+	kernel_read_unlabeled_state(kernel_t)
+')
+
+
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
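Review bot: The new `ifdef(`distro_debian',…)` block is followed by two consecutive blank lines where the rest of this file separates groups with one. Inside the block the fs_ call comes before the selinux_ and kernel_ calls, whereas the surrounding file orders calls by layer with kernel_ first; listing `kernel_read_unlabeled_state(kernel_t)`, `selinux_compute_create_context(kernel_t)`, `fs_search_tmpfs(kernel_t)` (with the comments moved alongside) would match that convention. The kernel_t policy continues outside the hunk.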
Index: refpolicy/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/filesystem.if
+++ refpolicy/policy/modules/kernel/filesystem.if
@@ -788,6 +788,42 @@ interface(`fs_manage_cgroup_dirs',`
 
 ########################################
 ## <summary>
+##     Relabel pstore directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_relabel_pstore_dirs',`
+	gen_require(`
+		type pstore_t;
+	')
+
+	relabel_dirs_pattern($1, pstore_t, pstore_t)
+')
+
+########################################
+## <summary>
+##      Get the attributes of a pstore filesystem.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`getattr_pstorefs',`
+	gen_require(`
+		type pstore_t;
+	')
+
+allow $1 pstore_t:filesystem getattr;
+')
+
+########################################
+## <summary>
 ##	Relabel cgroup directories.
 ## </summary>
 ## <param name="domain">
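Review bot: `getattr_pstorefs` breaks the naming convention of filesystem.if, where every interface carries the `fs_` prefix, and its rule is written at column 0 while the file indents interface bodies with a tab. Renaming it to `fs_getattr_pstorefs` and writing the rule as `	allow $1 pstore_t:filesystem getattr;` keeps it consistent; the two callers in the selinuxutil.te hunks (restorecond_t and setfiles_t) need the same rename. The XML doc comments of both new interfaces are also indented with spaces where the neighbouring `fs_relabel_cgroup_dirs` doc uses tabs.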
@@ -838,7 +874,6 @@ interface(`fs_read_cgroup_files',`
 interface(`fs_read_cgroup_links',`
 	gen_require(`
 		type cgroup_t;
-
 	')
 
 	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
@@ -847,6 +882,26 @@ interface(`fs_read_cgroup_links',`
 
 ########################################
 ## <summary>
+##	Create cgroup lnk_files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_create_cgroup_links',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	create_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Write cgroup files.
 ## </summary>
 ## <param name="domain">
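Review bot: The summary of `fs_create_cgroup_links` says only "Create cgroup lnk_files", but the body also grants `rw_lnk_files_pattern` and `dev_search_sysfs`, so a caller reading the doc would not expect read/write on the links or sysfs search. A symlink has no writable content, so the rw pattern is presumably there for getattr/read; if so `read_lnk_files_pattern($1, cgroup_t, cgroup_t)` states the intent more precisely and the summary should read "Create and read cgroup symbolic links." Either way the summary should list everything the interface grants.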
@@ -4410,6 +4465,24 @@ interface(`fs_read_tmpfs_symlinks',`
 ')
 
 ########################################
+## <summary>
+##	Relabelfrom tmpfs link files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
+')
+
+########################################
 ## <summary>
 ##	Read and write character nodes on tmpfs filesystems.
 ## </summary>
Index: refpolicy/policy/modules/system/init.te
===================================================================
--- refpolicy.orig/policy/modules/system/init.te
+++ refpolicy/policy/modules/system/init.te
@@ -145,9 +145,15 @@ can_exec(init_t, init_exec_t)
 allow init_t initrc_t:unix_stream_socket connectto;
 
 # For /var/run/shutdown.pid.
+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
 allow init_t init_var_run_t:file manage_file_perms;
 files_pid_filetrans(init_t, init_var_run_t, file)
 
+# for /run/initctl
+allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
+
+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
+
 # for systemd to manage service file symlinks
 allow init_t init_var_run_t:file manage_lnk_file_perms;
 
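Review bot: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` is added twice in this hunk, once above the existing `:file manage_file_perms` rule and again after the `/run/initctl` block, so one copy should be removed. The pre-existing line below, `allow init_t init_var_run_t:file manage_lnk_file_perms;`, applies lnk_file permissions to the file class and is presumably what the new lnk_file rule was meant to be, so it can go as well rather than leaving three overlapping rules. The `# For /var/run/shutdown.pid.` comment no longer describes the lnk_file rule now sitting directly under it.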
@@ -161,13 +167,18 @@ kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
 
+domain_read_all_domains_state(init_t)
+
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
 dev_read_sysfs(init_t)
+fs_relabel_pstore_dirs(init_t)
+dev_read_urand(init_t)
 logging_create_devlog_dev(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
+dev_relabel_generic_symlinks(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
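Review bot: `fs_relabel_pstore_dirs(init_t)` is inserted between two dev_ calls, while this file groups calls by module prefix; moving it next to the other fs_ rules keeps the grouping. `domain_read_all_domains_state(init_t)` is a broad grant (reading the process state of every domain) added unconditionally and without a comment; if it is only needed for systemd it belongs in the `ifdef(`init_systemd',` block with a one-line reason stating what reads that state. The init_t policy continues outside the hunk.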
@@ -181,6 +192,9 @@ files_read_etc_files(init_t)
 files_rw_generic_pids(init_t)
 files_manage_etc_runtime_files(init_t)
 files_etc_filetrans_etc_runtime(init_t, file)
+files_relabelto_etc_runtime(init_t)
+files_list_usr(init_t)
+
 # Run /etc/X11/prefdm:
 files_exec_etc_files(init_t)
 # file descriptors inherited from the rootfs:
@@ -329,11 +343,21 @@ ifdef(`init_systemd',`
 	')
 ')
 
+fs_relabelfrom_tmpfs_symlinks(init_t)
+
 ifdef(`distro_debian',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
 
 	allow init_t initrc_var_run_t:file manage_file_perms;
 	fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
+	fs_manage_tmpfs_files(initrc_t)
+	sysnet_write_config(initrc_t)
+	sysnet_create_config(initrc_t)
+	sysnet_manage_config(initrc_t)
+
+	optional_policy(`
+		postfix_read_config(initrc_t)
+	')
 ')
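Review bot: Inside the `distro_debian` block, `sysnet_manage_config(initrc_t)` presumably subsumes `sysnet_write_config(initrc_t)` and `sysnet_create_config(initrc_t)` (manage permission sets normally include write and create), so the two narrower calls are redundant. The new initrc_t rules are also appended to a block whose existing lines all concern init_t; a blank line and a short comment saying why initrc_t needs tmpfs and network-config management on Debian would make the mixed scope readable. `fs_relabelfrom_tmpfs_symlinks(init_t)` above the block carries no comment naming which symlink is relabelled.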
 
 ifdef(`distro_gentoo',`
@@ -349,6 +373,12 @@ ifdef(`distro_redhat',`
 ')
 
 optional_policy(`
+	modutils_read_module_config(init_t)
+	modutils_read_module_deps(init_t)
+	modutils_read_module_objects(init_t)
+')
+
+optional_policy(`
 	auth_rw_login_records(init_t)
 ')
 
@@ -372,6 +402,8 @@ optional_policy(`
 	udev_read_db(init_t)
 	udev_relabelto_db(init_t)
 	udev_create_kobject_uevent_socket(init_t)
+	# for systemd to read udev status
+	udev_read_pid_files(init_t)
 ')
 
 #optional_policy(`
@@ -408,6 +440,9 @@ term_create_pty(initrc_t, initrc_devpts_
 # Going to single user mode
 init_telinit(initrc_t)
 
+# for logsave in strict configuration
+fstools_write_log(initrc_t)
+
 can_exec(initrc_t, init_script_file_type)
 
 create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
@@ -427,6 +462,8 @@ manage_fifo_files_pattern(initrc_t, init
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
+files_create_pid_dir(initrc_t)
+files_setattr_pid_dirs(initrc_t)
 
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
@@ -474,6 +511,7 @@ corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
 corenet_sendrecv_all_client_packets(initrc_t)
 
+dev_create_subdir(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
 dev_dontaudit_read_kmsg(initrc_t)
@@ -1324,15 +1362,19 @@ optional_policy(`
 	mta_read_aliases(init_t)
 ')
 
+# for systemd
+kernel_load_module(init_t)
+
 ifdef(`init_systemd',`
 	allow init_t self:system { status reboot halt reload };
 
 	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow init_t self:process { setsockcreate setfscreate setrlimit };
-	allow init_t self:process { getcap setcap };
+	allow init_t self:process { getcap setcap getsched setsched };
 	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+	allow init_t self:netlink_selinux_socket create_socket_perms;
 	# Until systemd is fixed
 	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
 	allow init_t self:udp_socket create_socket_perms;
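Review bot: `kernel_load_module(init_t)` is annotated `# for systemd` yet sits outside the `ifdef(`init_systemd',` block that starts on the next line, so sysvinit builds also grant init_t module loading. Moving the two lines inside the block, next to the other kernel_ calls such as `kernel_setsched(init_t)`, limits the grant to the configuration that needs it. The added `getsched setsched` and `netlink_selinux_socket` rules are fine as written.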
@@ -1348,6 +1390,7 @@ ifdef(`init_systemd',`
 	kernel_read_software_raid_state(init_t)
 	kernel_unmount_debugfs(init_t)
 	kernel_setsched(init_t)
+	kernel_rw_unix_sysctls(init_t)
 
 	dev_write_kmsg(init_t)
 	dev_write_urand(init_t)
@@ -1365,6 +1408,7 @@ ifdef(`init_systemd',`
 	# systemd writes to /dev/watchdog on shutdown
 	dev_write_watchdog(init_t)
 
+	files_read_all_pids(init_t)
 	files_search_all(init_t)
 	files_mounton_all_mountpoints(init_t)
 	files_unmount_all_file_type_fs(init_t)
@@ -1388,6 +1432,7 @@ ifdef(`init_systemd',`
 	fs_getattr_all_fs(init_t)
 	fs_manage_cgroup_dirs(init_t)
 	fs_manage_cgroup_files(init_t)
+	fs_create_cgroup_links(init_t)
 	fs_manage_hugetlbfs_dirs(init_t)
 	fs_manage_tmpfs_dirs(init_t)
 	fs_mount_all_fs(init_t)
@@ -1414,13 +1459,16 @@ ifdef(`init_systemd',`
 	systemd_manage_unit_dirs(init_t)
 	systemd_manage_all_unit_files(init_t)
 	systemd_manage_lnk_file_passwd_run(init_t)
+	systemd_manage_passwd_run(init_t)
 
 	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
-
+	allow init_t init_var_run_t:sock_file manage_sock_file_perms;
+	selinux_compute_access_vector(init_t)
 	allow initrc_t init_script_file_type:service { stop start status reload };
-
-
+	auth_manage_var_auth(init_t)
+	init_rw_stream_sockets(initrc_t)
 ')
+
 auth_use_nsswitch(init_t)
 auth_rw_login_records(init_t)
 
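Review bot: The tail of the `init_systemd` block now interleaves init_t and initrc_t rules with no separation: `allow init_t init_var_run_t:sock_file …`, `selinux_compute_access_vector(init_t)`, the initrc_t service rule, then `auth_manage_var_auth(init_t)` and `init_rw_stream_sockets(initrc_t)`. The earlier part of the block groups init_t calls by prefix, so the new init_t lines should join their prefix groups and the two initrc_t rules be kept together behind a blank line. `auth_manage_var_auth(init_t)` is a broad grant that deserves a one-line comment naming what it is for.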
Index: refpolicy/policy/modules/contrib/mta.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/mta.if
+++ refpolicy/policy/modules/contrib/mta.if
@@ -121,6 +121,23 @@ interface(`mta_role',`
 
 ########################################
 ## <summary>
+##	Enable system_mail_t to run in the specified role
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`system_mail_role',`
+	gen_require(`
+		type system_mail_t;
+	')
+	role $1 types system_mail_t;
+')
+
+########################################
+## <summary>
 ##	Make the specified domain usable for a mail server.
 ## </summary>
 ## <param name="type">
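Review bot: `system_mail_role` lacks the module prefix; interfaces in mta.if are named `mta_*` (see `mta_role` just above), so `mta_system_mail_role` would match, with the call in sysadm.te renamed accordingly. A blank line between the `gen_require` block and `role $1 types system_mail_t;` follows the file's layout. Since `mta_role` already exists as the role interface for this module, it is worth checking whether it already covers system_mail_t before adding a second role interface.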
Index: refpolicy/policy/modules/system/modutils.if
===================================================================
--- refpolicy.orig/policy/modules/system/modutils.if
+++ refpolicy/policy/modules/system/modutils.if
@@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`
 
 ########################################
 ## <summary>
+##	Read the kernel modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_read_module_objects',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	files_list_kernel_modules($1)
+	allow $1 modules_object_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read the configuration options used when
 ##	loading modules.
 ## </summary>
Index: refpolicy/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dpkg.te
+++ refpolicy/policy/modules/contrib/dpkg.te
@@ -72,6 +72,7 @@ allow dpkg_t dpkg_lock_t:file manage_fil
 manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
 manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
 files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
+can_exec(dpkg_t, dpkg_tmp_t)
 
 manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
 manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
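Review bot: `can_exec(dpkg_t, dpkg_tmp_t)` lets the package manager execute files it created under /tmp, a grant that deserves a one-line comment saying which temporary content dpkg runs; the other unusual grant in this file is commented (`# for dpkg-preconfigure`). Without it a later reviewer cannot tell whether the rule is required or a leftover from chasing denials.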
@@ -87,6 +88,9 @@ files_var_lib_filetrans(dpkg_t, dpkg_var
 kernel_read_system_state(dpkg_t)
 kernel_read_kernel_sysctls(dpkg_t)
 
+# for dpkg-preconfigure
+kernel_request_load_module(dpkg_t)
+
 corecmd_exec_all_executables(dpkg_t)
 
 corenet_all_recvfrom_unlabeled(dpkg_t)
@@ -208,8 +212,10 @@ optional_policy(`
 # Script Local policy
 #
 
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid ipc_lock sys_chroot sys_nice mknod setfcap };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid net_admin ipc_lock sys_ptrace sys_chroot sys_nice mknod audit_write setfcap };
+
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+
 allow dpkg_script_t self:fd use;
 allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
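Review bot: The rewritten `~{ … }` process rule silently drops `setfscreate` from the excluded set, which newly grants dpkg_script_t setfscreate, and the capability line adds `net_admin`, `sys_ptrace` and `audit_write`; none of these carries a comment. Maintainer scripts run arbitrary package code, so each added capability should be justified in a comment, and `sys_ptrace` in particular is worth a second look — if it was added for a denial from reading other processes' state, a narrower domain_ read interface or a dontaudit may be the better fix. The blank lines inserted around the two rules also break the contiguous `self:` rule group used elsewhere in this section.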
@@ -220,6 +226,8 @@ allow dpkg_script_t self:shm create_shm_
 allow dpkg_script_t self:sem create_sem_perms;
 allow dpkg_script_t self:msgq create_msgq_perms;
 allow dpkg_script_t self:msg { send receive };
+allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow dpkg_script_t self:udp_socket create_socket_perms;
 
 allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
 
@@ -233,9 +241,11 @@ allow dpkg_script_t dpkg_script_tmpfs_t:
 allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
 allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
 fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+usermanage_domtrans_passwd(dpkg_script_t)
 
 kernel_read_kernel_sysctls(dpkg_script_t)
 kernel_read_system_state(dpkg_script_t)
+auth_manage_shadow(dpkg_script_t)
 
 corecmd_exec_all_executables(dpkg_script_t)
 
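Review bot: `usermanage_domtrans_passwd(dpkg_script_t)` is called unconditionally and glued to the `fs_tmpfs_filetrans` line; if usermanage is built as a loadable module here, the call needs an `optional_policy(`…')` wrapper like the other cross-module calls in this patch, plus a blank line before it. `auth_manage_shadow(dpkg_script_t)` gives maintainer scripts full write access to /etc/shadow; it is consistent with dropping `auth_dontaudit_getattr_shadow` later in this file, but it is a large grant for a domain running arbitrary package code and deserves a comment naming the scripts that need it — or a domain transition into the passwd/useradd domains instead. The kernel_ group continues outside the hunk.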
@@ -274,13 +284,13 @@ selinux_compute_access_vector(dpkg_scrip
 selinux_compute_create_context(dpkg_script_t)
 selinux_compute_relabel_context(dpkg_script_t)
 selinux_compute_user_contexts(dpkg_script_t)
+selinux_read_policy(dpkg_script_t)
 
 storage_raw_read_fixed_disk(dpkg_script_t)
 storage_raw_write_fixed_disk(dpkg_script_t)
 
 term_use_all_terms(dpkg_script_t)
 
-auth_dontaudit_getattr_shadow(dpkg_script_t)
 files_manage_non_auth_files(dpkg_script_t)
 
 init_all_labeled_script_domtrans(dpkg_script_t)
Index: refpolicy/policy/modules/system/userdomain.te
===================================================================
--- refpolicy.orig/policy/modules/system/userdomain.te
+++ refpolicy/policy/modules/system/userdomain.te
@@ -70,6 +70,10 @@ attribute admindomain;
 # all user domains
 attribute userdomain;
 
+ifdef(`distro_debian', `
+        dpkg_read_db(userdomain)
+')
+
 # unprivileged user domains
 attribute unpriv_userdomain;
 
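Review bot: The new `dpkg_read_db(userdomain)` line is indented with eight spaces while userdomain.te uses a tab, and it calls into the contrib dpkg module without an `optional_policy(`…')` wrapper, which will fail to build when dpkg is not compiled in. Wrapping the call in `optional_policy(` inside the `ifdef` and indenting with tabs keeps the Debian-only grant optional.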
Index: refpolicy/policy/modules/services/ssh.if
===================================================================
--- refpolicy.orig/policy/modules/services/ssh.if
+++ refpolicy/policy/modules/services/ssh.if
@@ -349,6 +349,8 @@ template(`ssh_role_template',`
 	allow $1_ssh_agent_t self:process { setrlimit signal };
 	allow $1_ssh_agent_t self:capability setgid;
 
+	allow $1_ssh_agent_t self:fifo_file rw_file_perms;
+
 	allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
 
 	allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
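Review bot: `allow $1_ssh_agent_t self:fifo_file rw_file_perms;` applies the generic file permission set to the fifo_file class; the set used for that class elsewhere in this patch is `rw_fifo_file_perms` (dpkg.te: `allow dpkg_script_t self:fifo_file rw_fifo_file_perms;`). Changing the line to `allow $1_ssh_agent_t self:fifo_file rw_fifo_file_perms;` matches the rest of the tree. The template body continues outside the hunk.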
@@ -432,6 +434,7 @@ template(`ssh_role_template',`
 	optional_policy(`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
+		xdm_sigchld($1_ssh_agent_t)
 	')
 ')
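Review bot: `xdm_sigchld($1_ssh_agent_t)` lacks the module prefix; the two neighbouring calls in the same `optional_policy` block are `xserver_use_xdm_fds` and `xserver_rw_xdm_pipes`, so the interface is presumably meant to be `xserver_xdm_sigchld`. If no such interface exists in xserver.if yet, it needs adding there, since the call as written will not expand at build time.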
 
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy.orig/policy/modules/system/userdomain.if
+++ refpolicy/policy/modules/system/userdomain.if
@@ -67,6 +67,7 @@ template(`userdom_base_user_template',`
 	dontaudit $1_t user_tty_device_t:chr_file ioctl;
 
 	kernel_read_kernel_sysctls($1_t)
+	kernel_read_vm_sysctls($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -78,6 +79,12 @@ template(`userdom_base_user_template',`
 	dev_dontaudit_getattr_all_blk_files($1_t)
 	dev_dontaudit_getattr_all_chr_files($1_t)
 
+	# for X session unlock
+	allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+
+	# for KDE
+	allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
+
 	# When the user domain runs ps, there will be a number of access
 	# denials when ps tries to search /proc. Do not audit these denials.
 	domain_dontaudit_read_all_domains_state($1_t)
@@ -108,6 +115,14 @@ template(`userdom_base_user_template',`
 
 	sysnet_read_config($1_t)
 
+	# kdeinit wants systemd status
+	init_status($1_t)
+
+	optional_policy(`
+		apt_read_cache($1_t)
+		apt_read_db($1_t)
+	')
+
 	tunable_policy(`allow_execmem',`
 		# Allow loading DSOs that require executable stack.
 		allow $1_t self:process execmem;
Index: refpolicy/policy/modules/contrib/gnome.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/gnome.if
+++ refpolicy/policy/modules/contrib/gnome.if
@@ -76,6 +76,8 @@ template(`gnome_role_template',`
 
 	allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 	allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
+	allow $3 gconfd_t:dbus send_msg;
+	allow gconfd_t $3:dbus send_msg;
 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
 
Index: refpolicy/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.te
+++ refpolicy/policy/modules/system/selinuxutil.te
@@ -195,6 +195,7 @@ seutil_libselinux_linked(load_policy_t)
 
 userdom_use_user_terminals(load_policy_t)
 userdom_use_all_users_fds(load_policy_t)
+dev_read_urand(load_policy_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -327,6 +328,8 @@ files_pid_filetrans(restorecond_t, resto
 kernel_use_fds(restorecond_t)
 kernel_rw_pipes(restorecond_t)
 kernel_read_system_state(restorecond_t)
+kernel_getattr_debugfs(restorecond_t)
+getattr_pstorefs(restorecond_t)
 
 fs_relabelfrom_noxattr_fs(restorecond_t)
 fs_dontaudit_list_nfs(restorecond_t)
@@ -462,6 +465,7 @@ kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
 
 corecmd_exec_bin(semanage_t)
+corecmd_exec_shell(semanage_t)
 
 dev_read_urand(semanage_t)
 
@@ -546,6 +550,8 @@ kernel_rw_pipes(setfiles_t)
 kernel_rw_unix_dgram_sockets(setfiles_t)
 kernel_dontaudit_list_all_proc(setfiles_t)
 kernel_dontaudit_list_all_sysctls(setfiles_t)
+kernel_getattr_debugfs(setfiles_t)
+getattr_pstorefs(setfiles_t)
 
 dev_read_urand(setfiles_t)
 dev_relabel_all_dev_nodes(setfiles_t)
@@ -563,6 +569,8 @@ files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
 
 fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_nfs(setfiles_t)
+
 fs_list_all(setfiles_t)
 fs_search_auto_mountpoints(setfiles_t)
 fs_relabelfrom_noxattr_fs(setfiles_t)
@@ -609,6 +617,12 @@ ifdef(`distro_debian',`
 	fs_rw_tmpfs_chr_files(setfiles_t)
 ')
 
+# for dpkg-statoverride running as setfiles_t
+optional_policy(`
+	dpkg_read_db(setfiles_t)
+	apt_use_fds(setfiles_t)
+')
+
 ifdef(`distro_redhat', `
 	fs_rw_tmpfs_chr_files(setfiles_t)
 	fs_rw_tmpfs_blk_files(setfiles_t)
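Review bot: The new `optional_policy` block bundles calls into two different modules, `dpkg_read_db` and `apt_use_fds`; the convention followed by the blocks above in this file is one module per `optional_policy(`…')` so each stays independently optional. Splitting it into two blocks, each keeping the `# for dpkg-statoverride running as setfiles_t` comment, avoids losing the dpkg access when apt is absent.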
Index: refpolicy/policy/modules/services/xserver.te
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.te
+++ refpolicy/policy/modules/services/xserver.te
@@ -259,7 +259,8 @@ manage_files_pattern(xauth_t, xauth_tmp_
 files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
 
 allow xdm_t xauth_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority")
+userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")
 allow xauth_t xdm_t:process sigchld;
 
 kernel_request_load_module(xauth_t)
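Review bot: `userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")` names `user_home_t`, a type owned by the userdomain module, directly from xserver.te; unless that type is already required in this module the build fails on an undeclared type, and the usual fix is a userdom_ interface that names the type internally. The sibling call now carries the ".Xauthority" filename, which narrows the xauth_home_t transition to that one name — worth a comment noting that other files xdm creates in the home directory no longer receive xauth_home_t.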
Index: refpolicy/policy/modules/contrib/apt.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/apt.te
+++ refpolicy/policy/modules/contrib/apt.te
@@ -69,6 +69,7 @@ manage_sock_files_pattern(apt_t, apt_tmp
 fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
 manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
 files_var_filetrans(apt_t, apt_var_cache_t, dir)
 
 manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
@@ -76,6 +77,7 @@ files_var_lib_filetrans(apt_t, apt_var_l
 
 allow apt_t apt_var_log_t:file manage_file_perms;
 logging_log_filetrans(apt_t, apt_var_log_t, file)
+allow apt_t apt_var_log_t:dir list_dir_perms;
 
 can_exec(apt_t, apt_exec_t)
 
Index: refpolicy/policy/modules/kernel/files.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/files.if
+++ refpolicy/policy/modules/kernel/files.if
@@ -3248,6 +3248,26 @@ interface(`files_manage_etc_runtime_file
 
 ########################################
 ## <summary>
+##	Relabel files and dirs to etc_runtime_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabelto_etc_runtime',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	allow $1 etc_runtime_t:file relabelto;
+	allow $1 etc_runtime_t:dir relabelto;
+')
+
+########################################
+## <summary>
 ##	Create, etc runtime objects with an automatic
 ##	type transition.
 ## </summary>
@@ -6246,6 +6266,24 @@ interface(`files_setattr_pid_dirs',`
 ')
 
 ########################################
+## <summary>
+##	Create a /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_pid_dir',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	allow $1 var_run_t:dir create_dir_perms;
+')
+
+########################################
 ## <summary>
 ##	Search the contents of runtime process
 ##	ID directories (/var/run).
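Review bot: `files_create_pid_dir` grants `create_dir_perms` on `var_run_t` itself, so directories the caller creates under /var/run keep the generic var_run_t label unless a separate filetrans rule applies; the summary "Create a /var/run directory." should say so, e.g. "Create directories under /var/run labelled var_run_t; pair with a files_pid_filetrans rule when a private type is wanted." Its caller in init.te only has `files_pid_filetrans(initrc_t, initrc_var_run_t, file)`, which covers files, not directories.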
Index: refpolicy/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy/policy/modules/kernel/corecommands.fc
@@ -339,6 +339,7 @@ ifdef(`distro_debian',`
 /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gdm3/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udisks/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/bug/.*		--	gen_context(system_u:object_r:bin_t,s0)
 ')
 
 ifdef(`distro_gentoo', `
Index: refpolicy/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy.orig/policy/modules/admin/usermanage.te
+++ refpolicy/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
 # Groupadd local policy
 #
 
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
+allow groupadd_t self:capability { dac_override fsetid chown kill setuid sys_resource audit_write };
 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
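Review bot: The modified capability rule now allows `fsetid` for groupadd_t, but the unchanged line directly below, `dontaudit groupadd_t self:capability { fsetid sys_tty_config };`, still dontaudits it; an allow and a dontaudit on the same permission are contradictory and the dontaudit entry is dead. Trim that line to `dontaudit groupadd_t self:capability sys_tty_config;`.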
Index: refpolicy/policy/modules/system/fstools.if
===================================================================
--- refpolicy.orig/policy/modules/system/fstools.if
+++ refpolicy/policy/modules/system/fstools.if
@@ -172,3 +172,21 @@ interface(`fstools_getattr_swap_files',`
 
 	allow $1 swapfile_t:file getattr;
 ')
+
+########################################
+## <summary>
+##	Write to fsadm_log_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fstools_write_log',`
+	gen_require(`
+		type fsadm_log_t;
+	')
+
+	allow $1 fsadm_log_t:file write_file_perms;
+')
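Review bot: The summary of `fstools_write_log` reads "Write to fsadm_log_t", a type name rather than a description; the surrounding interfaces describe the object, so "Write fsadm log files." matches. The body grants `write_file_perms` on the file only; callers reaching the log through /var/log typically also need `logging_search_logs($1)` inside the interface — worth confirming against the initrc_t caller's denials. This is the new end of the file.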
Index: refpolicy/policy/support/file_patterns.spt
===================================================================
--- refpolicy.orig/policy/support/file_patterns.spt
+++ refpolicy/policy/support/file_patterns.spt
@@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',`
 define(`create_chr_files_pattern',`
 	allow $1 self:capability mknod;
 	allow $1 $2:dir add_entry_dir_perms;
-	allow $1 $3:chr_file create_chr_file_perms;
+	allow $1 $3:chr_file { create_chr_file_perms setattr };
 ')
 
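Review bot: Adding `setattr` to `create_chr_files_pattern` changes a support macro used by every module that creates character devices, so all existing callers silently gain setattr on their device types. If only one domain needs it, an explicit `allow <domain> <type>:chr_file setattr;` next to that caller keeps the broadening local; the sibling patterns visible here (`rw_chr_files_pattern`, `delete_chr_files_pattern`) do not bundle extra permissions either.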
 define(`delete_chr_files_pattern',`
Index: refpolicy/policy/modules/kernel/devices.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/devices.if
+++ refpolicy/policy/modules/kernel/devices.if
@@ -5280,3 +5280,21 @@ interface(`create_devices_for_systemd_tm
 	allow $1 vhost_device_t:chr_file { getattr setattr relabelfrom relabelto create };
 	allow $1 sound_device_t:chr_file { getattr setattr relabelfrom relabelto create };
 ')
+
+########################################
+## <summary>
+##      Create subdir of /dev
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_create_subdir',`
+        gen_require(`
+                type device_t;
+        ')
+       allow $1 device_t:dir { add_entry_dir_perms create };
+       allow $1 device_t:dir search_dir_perms;
+')
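Review bot: `dev_create_subdir` is indented with spaces (eight in the `gen_require`, seven on the two allow lines) while devices.if uses tabs throughout, and the two `allow` rules on the same subject, object and class can be one rule, `	allow $1 device_t:dir { add_entry_dir_perms search_dir_perms create };`. The XML doc lines also use spaces after `##` where the neighbouring interfaces use a tab, and a blank line is conventional between the `gen_require` block and the rules.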
Index: refpolicy/policy/modules/contrib/mta.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/mta.te
+++ refpolicy/policy/modules/contrib/mta.te
@@ -210,6 +210,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	apt_use_fds(system_mail_t)
+	apt_use_ptys(system_mail_t)
+')
+
+optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
 	apache_append_squirrelmail_data(system_mail_t)
 	apache_dontaudit_append_log(system_mail_t)
