- Allow du running in logwatch_t read hwdata.

- Allow sys_admin capability for antivirus domians.
- Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc.
- Add support for pnp4nagios.
- Add missing labeling for /var/lib/cockpit.
- Label resolv.conf as docker_share_t under docker so we can read within a container
- Remove labeling for rabbitmqctl
- setfscreate in pki.te is not capability class.
- Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd.
- Allow wine domains to create cache dirs.
- Allow newaliases to systemd inhibit pipes.
- Add fixes for pki-tomcat scriptlet handling.
- Allow user domains to manage all gnome home content
- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
- Allow usbmuxd chown capabilities
- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
Miroslav Grepl 2014-09-18 10:08:27 +02:00
parent 6021c02dec
commit 0399c8ba54
3 changed files with 2013 additions and 3940 deletions



@ -2998,7 +2998,7 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
index 0000000..83590aa
index 0000000..8cc6120
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,273 @@
@ -3068,7 +3068,7 @@ index 0000000..83590aa
+# antivirus domain local policy
+#
+
+allow antivirus_domain self:capability { dac_override chown kill setgid setuid };
+allow antivirus_domain self:capability { dac_override chown kill setgid setuid sys_admin };
+dontaudit antivirus_domain self:capability sys_tty_config;
+allow antivirus_domain self:process signal_perms;
+
@ -13677,10 +13677,10 @@ index 5f306dd..e01156f 100644
')
diff --git a/cockpit.fc b/cockpit.fc
new file mode 100644
index 0000000..b71de28
index 0000000..bb87537
--- /dev/null
+++ b/cockpit.fc
@@ -0,0 +1,8 @@
@@ -0,0 +1,10 @@
+# cockpit stuff
+
+/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
@ -13689,6 +13689,8 @@ index 0000000..b71de28
+/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+
+/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
diff --git a/cockpit.if b/cockpit.if
new file mode 100644
index 0000000..573dcae
@ -24321,10 +24323,10 @@ index 0000000..fd679a1
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
index 0000000..76eb32e
index 0000000..2a614ed
--- /dev/null
+++ b/docker.if
@@ -0,0 +1,364 @@
@@ -0,0 +1,365 @@
+
+## <summary>The open-source application container engine.</summary>
+
@ -24622,6 +24624,7 @@ index 0000000..76eb32e
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
+')
+
@ -30749,10 +30752,10 @@ index e39de43..5edcb83 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
index ab09d61..c416ef4 100644
index ab09d61..0734f6b 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,78 @@
@@ -1,52 +1,76 @@
-## <summary>GNU network object model environment.</summary>
+## <summary>GNU network object model environment (GNOME)</summary>
@ -30843,42 +30846,44 @@ index ab09d61..c416ef4 100644
#
template(`gnome_role_template',`
- gen_require(`
- attribute gnomedomain, gkeyringd_domain;
+ gen_require(`
attribute gnomedomain, gkeyringd_domain;
+ attribute gnomedomain, gkeyringd_domain, gnome_home_type;
attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ type gnome_home_t;
+ type gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t;
+ type gkeyringd_exec_t, gkeyringd_tmp_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
type gconf_home_t;
+ class dbus send_msg;
- type gconf_home_t;
+ class dbus send_msg;
')
########################################
@@ -76,12 +102,12 @@ template(`gnome_role_template',`
@@ -74,14 +98,11 @@ template(`gnome_role_template',`
allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
domtrans_pattern($3, gconfd_exec_t, gconfd_t)
- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
-
- allow $3 gconfd_t:process { ptrace signal_perms };
+ allow $3 gconfd_t:process { signal_perms };
+ allow $3 gconfd_t:unix_stream_socket connectto;
+ allow $3 gconfd_t:unix_stream_socket connectto;
ps_process_pattern($3, gconfd_t)
+
########################################
#
# Gkeyringd policy
@@ -89,37 +115,85 @@ template(`gnome_role_template',`
@@ -89,37 +110,85 @@ template(`gnome_role_template',`
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
+ allow $3 { gnome_home_t gkeyringd_gnome_home_t gkeyringd_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 { gnome_home_t gkeyringd_gnome_home_t }:file { relabel_file_perms manage_file_perms };
+ allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:file { relabel_file_perms manage_file_perms };
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
@ -30970,7 +30975,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -127,18 +201,18 @@ template(`gnome_role_template',`
@@ -127,18 +196,18 @@ template(`gnome_role_template',`
## </summary>
## </param>
#
@ -30994,7 +30999,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -146,119 +220,114 @@ interface(`gnome_exec_gconf',`
@@ -146,119 +215,114 @@ interface(`gnome_exec_gconf',`
## </summary>
## </param>
#
@ -31151,7 +31156,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -266,15 +335,21 @@ interface(`gnome_create_generic_home_dirs',`
@@ -266,15 +330,21 @@ interface(`gnome_create_generic_home_dirs',`
## </summary>
## </param>
#
@ -31178,7 +31183,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -282,57 +357,89 @@ interface(`gnome_setattr_config_dirs',`
@@ -282,57 +352,89 @@ interface(`gnome_setattr_config_dirs',`
## </summary>
## </param>
#
@ -31286,7 +31291,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -340,15 +447,18 @@ interface(`gnome_read_generic_home_content',`
@@ -340,15 +442,18 @@ interface(`gnome_read_generic_home_content',`
## </summary>
## </param>
#
@ -31310,7 +31315,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -356,22 +466,18 @@ interface(`gnome_manage_config',`
@@ -356,22 +461,18 @@ interface(`gnome_manage_config',`
## </summary>
## </param>
#
@ -31338,7 +31343,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -379,53 +485,37 @@ interface(`gnome_manage_generic_home_content',`
@@ -379,53 +480,37 @@ interface(`gnome_manage_generic_home_content',`
## </summary>
## </param>
#
@ -31400,7 +31405,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -433,17 +523,18 @@ interface(`gnome_home_filetrans',`
@@ -433,17 +518,18 @@ interface(`gnome_home_filetrans',`
## </summary>
## </param>
#
@ -31423,7 +31428,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -451,23 +542,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
@@ -451,23 +537,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
## </summary>
## </param>
#
@ -31451,7 +31456,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -475,22 +561,18 @@ interface(`gnome_read_generic_gconf_home_content',`
@@ -475,22 +556,18 @@ interface(`gnome_read_generic_gconf_home_content',`
## </summary>
## </param>
#
@ -31478,7 +31483,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -498,79 +580,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
@@ -498,79 +575,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
## </summary>
## </param>
#
@ -31576,7 +31581,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -579,12 +641,12 @@ interface(`gnome_home_filetrans_gnome_home',`
@@ -579,12 +636,12 @@ interface(`gnome_home_filetrans_gnome_home',`
## </param>
## <param name="private_type">
## <summary>
@ -31591,7 +31596,7 @@ index ab09d61..c416ef4 100644
## </summary>
## </param>
## <param name="name" optional="true">
@@ -593,18 +655,18 @@ interface(`gnome_home_filetrans_gnome_home',`
@@ -593,18 +650,18 @@ interface(`gnome_home_filetrans_gnome_home',`
## </summary>
## </param>
#
@ -31616,7 +31621,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -612,46 +674,80 @@ interface(`gnome_gconf_home_filetrans',`
@@ -612,46 +669,80 @@ interface(`gnome_gconf_home_filetrans',`
## </summary>
## </param>
#
@ -31714,7 +31719,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -659,46 +755,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
@@ -659,46 +750,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
## </summary>
## </param>
#
@ -31739,22 +31744,22 @@ index ab09d61..c416ef4 100644
## </summary>
-## <param name="role_prefix">
+## <param name="domain">
## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The class of the object to be created.
+## </summary>
+## </param>
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
## </summary>
## </param>
+## </summary>
+## </param>
+#
+interface(`gnome_admin_home_gconf_filetrans',`
+ gen_require(`
@ -31796,7 +31801,7 @@ index ab09d61..c416ef4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -706,12 +820,985 @@ interface(`gnome_stream_connect_gkeyringd',`
@@ -706,12 +815,985 @@ interface(`gnome_stream_connect_gkeyringd',`
## </summary>
## </param>
#
@ -31806,10 +31811,8 @@ index ab09d61..c416ef4 100644
- attribute gkeyringd_domain;
- type gnome_keyring_tmp_t;
+ type gconf_etc_t;
')
- files_search_tmp($1)
- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
@ -31950,9 +31953,10 @@ index ab09d61..c416ef4 100644
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
')
files_search_tmp($1)
- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
@ -41933,7 +41937,7 @@ index be0ab84..3ebbcc0 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
index ab65034..28f63b5 100644
index ab65034..dd17cb0 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
@ -41981,12 +41985,13 @@ index ab65034..28f63b5 100644
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
@@ -100,23 +108,14 @@ libs_read_lib_files(logwatch_t)
@@ -100,23 +108,16 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
-miscfiles_read_localization(logwatch_t)
-
+miscfiles_read_hwdata(logwatch_t)
selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
@ -42005,7 +42010,7 @@ index ab65034..28f63b5 100644
corenet_sendrecv_smtp_client_packets(logwatch_t)
corenet_tcp_connect_smtp_port(logwatch_t)
corenet_tcp_sendrecv_smtp_port(logwatch_t)
@@ -160,6 +159,12 @@ optional_policy(`
@@ -160,6 +161,12 @@ optional_policy(`
')
optional_policy(`
@ -42018,7 +42023,7 @@ index ab65034..28f63b5 100644
rpc_search_nfs_state_data(logwatch_t)
')
@@ -187,6 +192,19 @@ dev_read_sysfs(logwatch_mail_t)
@@ -187,6 +194,19 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@ -49813,7 +49818,7 @@ index ed81cac..837a43a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
index ff1d68c..58ba0ce 100644
index ff1d68c..c8070da 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
@ -49954,7 +49959,8 @@ index ff1d68c..58ba0ce 100644
init_use_script_ptys(system_mail_t)
+init_dontaudit_rw_stream_socket(system_mail_t)
+
-userdom_use_user_terminals(system_mail_t)
+userdom_use_inherited_user_terminals(system_mail_t)
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
@ -49964,8 +49970,7 @@ index ff1d68c..58ba0ce 100644
+
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
-userdom_use_user_terminals(system_mail_t)
+
+logging_append_all_logs(system_mail_t)
+
+logging_send_syslog_msg(system_mail_t)
@ -50078,7 +50083,18 @@ index ff1d68c..58ba0ce 100644
')
optional_policy(`
@@ -287,42 +331,36 @@ optional_policy(`
@@ -279,6 +323,10 @@ optional_policy(`
')
optional_policy(`
+ systemd_write_inhibit_pipes(system_mail_t)
+')
+
+optional_policy(`
userdom_dontaudit_use_user_ptys(system_mail_t)
optional_policy(`
@@ -287,42 +335,36 @@ optional_policy(`
')
optional_policy(`
@ -50131,7 +50147,7 @@ index ff1d68c..58ba0ce 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -331,44 +369,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -331,44 +373,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@ -50201,7 +50217,7 @@ index ff1d68c..58ba0ce 100644
')
optional_policy(`
@@ -381,24 +423,49 @@ optional_policy(`
@@ -381,24 +427,49 @@ optional_policy(`
########################################
#
@ -52385,15 +52401,16 @@ index 0000000..79f1250
+
+fs_getattr_xattr_fs(naemon_t)
diff --git a/nagios.fc b/nagios.fc
index d78dfc3..02f18ac 100644
index d78dfc3..40e1c77 100644
--- a/nagios.fc
+++ b/nagios.fc
@@ -1,88 +1,109 @@
@@ -1,88 +1,113 @@
-/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/icinga(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
@ -52423,8 +52440,11 @@ index d78dfc3..02f18ac 100644
+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/icinga(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+/var/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
+
+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
@ -52806,7 +52826,7 @@ index 0641e97..cad402c 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
index 7b3e682..6d966d5 100644
index 7b3e682..a22a321 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@ -52884,17 +52904,18 @@ index 7b3e682..6d966d5 100644
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
@@ -110,7 +118,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
@@ -110,7 +118,9 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file})
+manage_sock_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file })
manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
@@ -123,7 +132,6 @@ kernel_read_software_raid_state(nagios_t)
@@ -123,7 +133,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
@ -52902,7 +52923,7 @@ index 7b3e682..6d966d5 100644
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
@@ -143,7 +151,6 @@ domain_read_all_domains_state(nagios_t)
@@ -143,7 +152,6 @@ domain_read_all_domains_state(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
@ -52910,7 +52931,7 @@ index 7b3e682..6d966d5 100644
files_search_spool(nagios_t)
fs_getattr_all_fs(nagios_t)
@@ -153,8 +160,6 @@ auth_use_nsswitch(nagios_t)
@@ -153,8 +161,6 @@ auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
@ -52919,7 +52940,7 @@ index 7b3e682..6d966d5 100644
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
@@ -178,35 +183,37 @@ optional_policy(`
@@ -178,35 +184,37 @@ optional_policy(`
#
# CGI local policy
#
@ -52975,7 +52996,7 @@ index 7b3e682..6d966d5 100644
')
########################################
@@ -229,9 +236,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
@@ -229,9 +237,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
@ -52986,7 +53007,7 @@ index 7b3e682..6d966d5 100644
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
@@ -252,8 +259,8 @@ dev_read_urand(nrpe_t)
@@ -252,8 +260,8 @@ dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
@ -52996,7 +53017,7 @@ index 7b3e682..6d966d5 100644
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
@@ -262,8 +269,6 @@ auth_use_nsswitch(nrpe_t)
@@ -262,8 +270,6 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
@ -53005,7 +53026,7 @@ index 7b3e682..6d966d5 100644
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
@@ -310,15 +315,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
@@ -310,15 +316,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@ -53024,7 +53045,7 @@ index 7b3e682..6d966d5 100644
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
@@ -345,6 +350,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
@@ -345,6 +351,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
@ -53034,7 +53055,7 @@ index 7b3e682..6d966d5 100644
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
@@ -357,9 +365,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
@@ -357,9 +366,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
@ -53048,7 +53069,7 @@ index 7b3e682..6d966d5 100644
corecmd_exec_bin(nagios_services_plugin_t)
@@ -391,6 +401,11 @@ optional_policy(`
@@ -391,6 +402,11 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
@ -53060,7 +53081,7 @@ index 7b3e682..6d966d5 100644
')
optional_policy(`
@@ -411,6 +426,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
@@ -411,6 +427,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@ -53068,7 +53089,7 @@ index 7b3e682..6d966d5 100644
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
@@ -420,14 +436,18 @@ dev_read_sysfs(nagios_system_plugin_t)
@@ -420,14 +437,18 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
@ -53089,7 +53110,7 @@ index 7b3e682..6d966d5 100644
#######################################
#
# Event local policy
@@ -442,11 +462,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
@@ -442,11 +463,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@ -65000,10 +65021,10 @@ index 0000000..798efb6
+')
diff --git a/pki.te b/pki.te
new file mode 100644
index 0000000..d9513e4
index 0000000..0cb8f0a
--- /dev/null
+++ b/pki.te
@@ -0,0 +1,279 @@
@@ -0,0 +1,280 @@
+policy_module(pki,10.0.11)
+
+########################################
@ -65077,9 +65098,9 @@ index 0000000..d9513e4
+# pki-tomcat local policy
+#
+
+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid };
+dontaudit pki_tomcat_t self:capability net_admin;
+allow pki_tomcat_t self:process { signal setsched signull execmem };
+allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };
+
+allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
+allow pki_tomcat_t self:tcp_socket { accept listen };
@ -65090,6 +65111,7 @@ index 0000000..d9513e4
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabelfrom_file_perms;
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
@ -76487,10 +76509,10 @@ index f47c8e8..3710974 100644
+ dbus_connect_system_bus(quota_nld_t)
')
diff --git a/rabbitmq.fc b/rabbitmq.fc
index c5ad6de..2bf7656 100644
index c5ad6de..af2d46f 100644
--- a/rabbitmq.fc
+++ b/rabbitmq.fc
@@ -1,10 +1,19 @@
@@ -1,10 +1,18 @@
/etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0)
-/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
@ -76499,7 +76521,6 @@ index c5ad6de..2bf7656 100644
+/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
+
+/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
+/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmqctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
+
+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
@ -92206,18 +92227,23 @@ index e2544e1..d3fbd78 100644
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/slocate.te b/slocate.te
index 7292dc0..103278d 100644
index 7292dc0..26fc8f4 100644
--- a/slocate.te
+++ b/slocate.te
@@ -44,6 +44,7 @@ dev_getattr_all_blk_files(locate_t)
@@ -44,8 +44,12 @@ dev_getattr_all_blk_files(locate_t)
dev_getattr_all_chr_files(locate_t)
files_list_all(locate_t)
+files_list_isid_type_dirs(locate_t)
+files_getattr_isid_type(locate_t)
files_dontaudit_read_all_symlinks(locate_t)
files_getattr_all_files(locate_t)
+files_getattr_all_chr_files(locate_t)
+files_getattr_all_blk_files(locate_t)
files_getattr_all_pipes(locate_t)
@@ -62,7 +63,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
files_getattr_all_sockets(locate_t)
files_read_etc_runtime_files(locate_t)
@@ -62,7 +66,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
auth_use_nsswitch(locate_t)
@ -92225,7 +92251,7 @@ index 7292dc0..103278d 100644
ifdef(`enable_mls',`
files_dontaudit_getattr_all_dirs(locate_t)
@@ -71,3 +71,8 @@ ifdef(`enable_mls',`
@@ -71,3 +74,8 @@ ifdef(`enable_mls',`
optional_policy(`
cron_system_entry(locate_t, locate_exec_t)
')
@ -100952,7 +100978,7 @@ index 1ec5e99..88e287d 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
index 34a8917..85774c6 100644
index 34a8917..21add3e 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles;
@ -100977,7 +101003,8 @@ index 34a8917..85774c6 100644
# Local policy
#
allow usbmuxd_t self:capability { kill setgid setuid };
-allow usbmuxd_t self:capability { kill setgid setuid };
+allow usbmuxd_t self:capability { chown kill setgid setuid };
+dontaudit usbmuxd_t self:capability sys_resource;
allow usbmuxd_t self:process { signal signull };
allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
@ -104077,7 +104104,7 @@ index facdee8..c43ef2e 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
index f03dcf5..b1e7d75 100644
index f03dcf5..fe1bceb 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,227 @@
@ -104378,7 +104405,7 @@ index f03dcf5..b1e7d75 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
@@ -153,299 +230,134 @@ ifdef(`enable_mls',`
@@ -153,299 +230,135 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@ -104742,6 +104769,7 @@ index f03dcf5..b1e7d75 100644
+allow virt_domain virtd_t:fd use;
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain virtd_t:tun_socket attach_queue;
+
+can_exec(virtd_t, qemu_exec_t)
+can_exec(virt_domain, qemu_exec_t)
@ -104755,7 +104783,7 @@ index f03dcf5..b1e7d75 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -455,42 +367,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
@@ -455,42 +368,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -104802,7 +104830,7 @@ index f03dcf5..b1e7d75 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
@@ -503,23 +402,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
@@ -503,23 +403,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@ -104833,7 +104861,7 @@ index f03dcf5..b1e7d75 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
@@ -527,24 +423,16 @@ corecmd_exec_shell(virtd_t)
@@ -527,24 +424,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@ -104861,7 +104889,7 @@ index f03dcf5..b1e7d75 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
@@ -555,22 +443,27 @@ dev_rw_vhost(virtd_t)
@@ -555,22 +444,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@ -104894,7 +104922,7 @@ index f03dcf5..b1e7d75 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
@@ -601,15 +494,18 @@ term_use_ptmx(virtd_t)
@@ -601,15 +495,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@ -104914,7 +104942,7 @@ index f03dcf5..b1e7d75 100644
selinux_validate_context(virtd_t)
@@ -620,18 +516,26 @@ seutil_read_file_contexts(virtd_t)
@@ -620,18 +517,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@ -104951,7 +104979,7 @@ index f03dcf5..b1e7d75 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
@@ -640,7 +544,7 @@ tunable_policy(`virt_use_nfs',`
@@ -640,7 +545,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@ -104960,7 +104988,7 @@ index f03dcf5..b1e7d75 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
@@ -665,20 +569,12 @@ optional_policy(`
@@ -665,20 +570,12 @@ optional_policy(`
')
optional_policy(`
@ -104981,7 +105009,7 @@ index f03dcf5..b1e7d75 100644
')
optional_policy(`
@@ -691,20 +587,26 @@ optional_policy(`
@@ -691,20 +588,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@ -105012,7 +105040,7 @@ index f03dcf5..b1e7d75 100644
')
optional_policy(`
@@ -712,11 +614,18 @@ optional_policy(`
@@ -712,11 +615,18 @@ optional_policy(`
')
optional_policy(`
@ -105031,7 +105059,7 @@ index f03dcf5..b1e7d75 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
@@ -727,11 +636,19 @@ optional_policy(`
@@ -727,11 +637,19 @@ optional_policy(`
')
optional_policy(`
@ -105053,7 +105081,7 @@ index f03dcf5..b1e7d75 100644
kernel_write_xen_state(virtd_t)
xen_exec(virtd_t)
@@ -746,44 +663,277 @@ optional_policy(`
@@ -746,44 +664,277 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@ -105353,7 +105381,7 @@ index f03dcf5..b1e7d75 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
@@ -794,25 +944,18 @@ kernel_write_xen_state(virsh_t)
@@ -794,25 +945,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@ -105380,7 +105408,7 @@ index f03dcf5..b1e7d75 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
@@ -821,23 +964,25 @@ fs_search_auto_mountpoints(virsh_t)
@@ -821,23 +965,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@ -105414,7 +105442,7 @@ index f03dcf5..b1e7d75 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
@@ -856,14 +1001,20 @@ optional_policy(`
@@ -856,14 +1002,20 @@ optional_policy(`
')
optional_policy(`
@ -105436,7 +105464,7 @@ index f03dcf5..b1e7d75 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
@@ -888,49 +1039,65 @@ optional_policy(`
@@ -888,49 +1040,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@ -105520,7 +105548,7 @@ index f03dcf5..b1e7d75 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
@@ -942,17 +1109,16 @@ dev_read_urand(virtd_lxc_t)
@@ -942,17 +1110,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@ -105540,7 +105568,7 @@ index f03dcf5..b1e7d75 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -964,8 +1130,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
@@ -964,8 +1131,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -105564,7 +105592,7 @@ index f03dcf5..b1e7d75 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1155,317 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -974,194 +1156,317 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -106020,7 +106048,7 @@ index f03dcf5..b1e7d75 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1478,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1479,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -106035,7 +106063,7 @@ index f03dcf5..b1e7d75 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,9 +1496,8 @@ optional_policy(`
@@ -1192,9 +1497,8 @@ optional_policy(`
########################################
#
@ -106046,7 +106074,7 @@ index f03dcf5..b1e7d75 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1207,5 +1510,219 @@ kernel_read_network_state(virt_bridgehelper_t)
@@ -1207,5 +1511,219 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@ -107573,7 +107601,7 @@ index fd2b6cc..938c4a7 100644
+')
+
diff --git a/wine.te b/wine.te
index 491b87b..72ce165 100644
index 491b87b..2a79df4 100644
--- a/wine.te
+++ b/wine.te
@@ -14,10 +14,11 @@ policy_module(wine, 1.11.0)
@ -107589,7 +107617,7 @@ index 491b87b..72ce165 100644
type wine_exec_t;
userdom_user_application_domain(wine_t, wine_exec_t)
role wine_roles types wine_t;
@@ -25,56 +26,59 @@ role wine_roles types wine_t;
@@ -25,56 +26,63 @@ role wine_roles types wine_t;
type wine_home_t;
userdom_user_home_content(wine_home_t)
@ -107601,30 +107629,30 @@ index 491b87b..72ce165 100644
# Local policy
#
+domain_mmap_low(wine_t)
-allow wine_t self:process { execstack execmem execheap };
-allow wine_t self:fifo_file manage_fifo_file_perms;
+
+optional_policy(`
+ unconfined_domain(wine_t)
+')
-can_exec(wine_t, wine_exec_t)
-allow wine_t self:process { execstack execmem execheap };
-allow wine_t self:fifo_file manage_fifo_file_perms;
-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
-can_exec(wine_t, wine_exec_t)
+########################################
+#
+# Common wine domain policy
+#
-manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
+allow wine_domain self:process { execstack execmem execheap };
+allow wine_domain self:fifo_file manage_fifo_file_perms;
-domain_mmap_low(wine_t)
-manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+can_exec(wine_domain, wine_exec_t)
+
-domain_mmap_low(wine_t)
+manage_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_lnk_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t)
@ -107659,19 +107687,21 @@ index 491b87b..72ce165 100644
optional_policy(`
- rtkit_scheduled(wine_t)
+ rtkit_scheduled(wine_domain)
+ gnome_create_generic_cache_dir(wine_domain)
')
optional_policy(`
- unconfined_domain(wine_t)
+ rtkit_scheduled(wine_domain)
')
optional_policy(`
- xserver_read_xdm_pid(wine_t)
- xserver_rw_shm(wine_t)
+ xserver_read_xdm_pid(wine_domain)
+ xserver_rw_shm(wine_domain)
')
-optional_policy(`
- xserver_read_xdm_pid(wine_t)
- xserver_rw_shm(wine_t)
-')
+
diff --git a/wireshark.te b/wireshark.te
index ff6ef38..436d3bf 100644
--- a/wireshark.te


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 81%{?dist}
Release: 82%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -602,6 +602,23 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Thu Sep 18 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-82
- Allow du running in logwatch_t read hwdata.
- Allow sys_admin capability for antivirus domians.
- Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc.
- Add support for pnp4nagios.
- Add missing labeling for /var/lib/cockpit.
- Label resolv.conf as docker_share_t under docker so we can read within a container
- Remove labeling for rabbitmqctl
- setfscreate in pki.te is not capability class.
- Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd.
- Allow wine domains to create cache dirs.
- Allow newaliases to systemd inhibit pipes.
- Add fixes for pki-tomcat scriptlet handling.
- Allow user domains to manage all gnome home content
- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
- Allow usbmuxd chown capabilitiesllow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
* Thu Sep 11 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-81
- Label /usr/lib/erlang/erts.*/bin files as bin_t
- Added changes related to rabbitmq daemon.