* Fri Nov 07 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-91

- Added interface userdom_dontaudit_manage_user_home_dirs - Fix unconfined_server_dbus_chat() interface. - Add unconfined_server_dbus_chat() inteface. - Allow login domains to create kernel keyring with different level. - Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256) - Make tuned as unconfined domain. - Added support for linuxptp policy. BZ(1149693) - make zoneminder as dbus client by default. - Allow bluetooth read/write uhid devices. BZ (1161169) - Add fixes for hypervkvp daemon - Allow guest to connect to libvirt using unix_stream_socket. - Allow all bus client domains to dbus chat with unconfined_service_t. - Allow inetd service without own policy to run in inetd_child_t which is unconfined domain. - Make opensm as nsswitch domain to make it working with sssd. - Allow brctl to read meminfo. - Allow winbind-helper to execute ntlm_auth in the caller domain. - Make plymouthd as nsswitch domain to make it working with sssd. - Make drbd as nsswitch domain to make it working with sssd. - Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working. - Add support for /var/lib/sntp directory.
2014-11-07 22:58:35 +01:00 · 2014-11-07 22:58:35 +01:00 · 062b36f481
commit 062b36f481
parent bfb6adef8b
3 changed files with 676 additions and 352 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -9707,7 +9707,7 @@ index c723a0a..3e8a553 100644
 +	allow $1 bluetooth_unit_file_t:service all_service_perms;
 ')
 diff --git a/bluetooth.te b/bluetooth.te
-index 851769e..055c97c 100644
+index 851769e..a069dc3 100644
 --- a/bluetooth.te
 +++ b/bluetooth.te
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
@ -9757,7 +9757,13 @@ index 851769e..055c97c 100644
 dev_read_sysfs(bluetooth_t)
 dev_rw_usbfs(bluetooth_t)
-@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t)
+@@ -105,12 +119,12 @@ dev_rw_generic_usb_dev(bluetooth_t)
 dev_read_urand(bluetooth_t)
 dev_rw_input_dev(bluetooth_t)
 dev_rw_wireless(bluetooth_t)
 +dev_rw_uhid_dev(bluetooth_t)
 domain_use_interactive_fds(bluetooth_t)
 domain_dontaudit_search_all_domains_state(bluetooth_t)
 files_read_etc_runtime_files(bluetooth_t)
@ -9765,7 +9771,7 @@ index 851769e..055c97c 100644
 fs_getattr_all_fs(bluetooth_t)
 fs_search_auto_mountpoints(bluetooth_t)
-@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t)
+@@ -122,7 +136,6 @@ auth_use_nsswitch(bluetooth_t)
 logging_send_syslog_msg(bluetooth_t)
@ -9773,7 +9779,7 @@ index 851769e..055c97c 100644
 miscfiles_read_fonts(bluetooth_t)
 miscfiles_read_hwdata(bluetooth_t)
-@@ -130,6 +142,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
@ -9784,7 +9790,7 @@ index 851769e..055c97c 100644
 optional_policy(`
 	dbus_system_bus_client(bluetooth_t)
 	dbus_connect_system_bus(bluetooth_t)
-@@ -200,7 +216,6 @@ dev_read_urand(bluetooth_helper_t)
+@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t)
 domain_read_all_domains_state(bluetooth_helper_t)
 files_read_etc_runtime_files(bluetooth_helper_t)
@ -10317,15 +10323,23 @@ index 687d4c4..3c5a83a 100644
 +	unconfined_domain(boinc_project_t)
 +')
 diff --git a/brctl.te b/brctl.te
-index c5a9113..6ad8ccb 100644
+index c5a9113..1919abd 100644
 --- a/brctl.te
 +++ b/brctl.te
-@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t)
+@@ -24,6 +24,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms;
 allow brctl_t self:tcp_socket create_socket_perms;
 kernel_request_load_module(brctl_t)
 +kernel_read_system_state(brctl_t)
 kernel_read_network_state(brctl_t)
 kernel_read_sysctl(brctl_t)
@@ -34,12 +35,8 @@ dev_write_sysfs_dirs(brctl_t)
 domain_use_interactive_fds(brctl_t)
 -files_read_etc_files(brctl_t)
- 
+-
 term_dontaudit_use_console(brctl_t)
 -miscfiles_read_localization(brctl_t)
@ -12488,7 +12502,7 @@ index 32e8265..0de4af3 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
 ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c..e7c249d 100644
+index e5b621c..f975594 100644
 --- a/chronyd.te
 +++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@ -12519,7 +12533,7 @@ index e5b621c..e7c249d 100644
 allow chronyd_t chronyd_keys_t:file read_file_perms;
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,20 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,24 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
@ -12541,10 +12555,11 @@ index e5b621c..e7c249d 100644
 optional_policy(`
 	gpsd_rw_shm(chronyd_t)
 ')
-
+ 
-optional_policy(`
+ optional_policy(`
 -	mta_send_mail(chronyd_t)
-')
+    timemaster_stream_connect(chronyd_t)
 ')
 diff --git a/cinder.fc b/cinder.fc
 new file mode 100644
 index 0000000..4b318b7
@ -15514,7 +15529,7 @@ index 0000000..54b4b04
 +')
 diff --git a/conman.te b/conman.te
 new file mode 100644
-index 0000000..ccff09f
+index 0000000..4772f64
 --- /dev/null
 +++ b/conman.te
@@ -0,0 +1,55 @@
@ -15557,7 +15572,7 @@ index 0000000..ccff09f
 +manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
 +files_pid_filetrans(conman_t, conman_var_run_t, file)
 +
-+auth_read_passwd(conman_t)
+auth_use_nsswitch(conman_t)
 +
 +corenet_tcp_bind_generic_node(conman_t)
 +corenet_tcp_bind_conman_port(conman_t)
@ -20732,7 +20747,7 @@ index dda905b..ccd0ba9 100644
 /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index 62d22cb..e1b35aa 100644
+index 62d22cb..f8ab4af 100644
 --- a/dbus.if
 +++ b/dbus.if
@@ -1,4 +1,4 @@
@ -20858,7 +20873,7 @@ index 62d22cb..e1b35aa 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -103,91 +129,84 @@ template(`dbus_role_template',`
+@@ -103,91 +129,88 @@ template(`dbus_role_template',`
 #
 interface(`dbus_system_bus_client',`
 	gen_require(`
@ -20888,6 +20903,10 @@ index 62d22cb..e1b35aa 100644
 	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
 -
 	dbus_read_config($1)
 +
 +    optional_policy(`
 +        unconfined_server_dbus_chat($1)
 +    ')
 ')
 #######################################
@ -20984,7 +21003,7 @@ index 62d22cb..e1b35aa 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -195,15 +214,18 @@ interface(`dbus_connect_spec_session_bus',`
+@@ -195,15 +218,18 @@ interface(`dbus_connect_spec_session_bus',`
 ##	</summary>
 ## </param>
 #
@ -21009,7 +21028,7 @@ index 62d22cb..e1b35aa 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -211,57 +233,39 @@ interface(`dbus_session_bus_client',`
+@@ -211,57 +237,39 @@ interface(`dbus_session_bus_client',`
 ##	</summary>
 ## </param>
 #
@ -21081,7 +21100,7 @@ index 62d22cb..e1b35aa 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -269,15 +273,19 @@ interface(`dbus_spec_session_bus_client',`
+@@ -269,15 +277,19 @@ interface(`dbus_spec_session_bus_client',`
 ##	</summary>
 ## </param>
 #
@ -21107,7 +21126,7 @@ index 62d22cb..e1b35aa 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -285,44 +293,52 @@ interface(`dbus_send_session_bus',`
+@@ -285,44 +297,52 @@ interface(`dbus_send_session_bus',`
 ##	</summary>
 ## </param>
 #
@ -21174,7 +21193,7 @@ index 62d22cb..e1b35aa 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -330,18 +346,18 @@ interface(`dbus_send_spec_session_bus',`
+@@ -330,18 +350,18 @@ interface(`dbus_send_spec_session_bus',`
 ##	</summary>
 ## </param>
 #
@ -21198,7 +21217,7 @@ index 62d22cb..e1b35aa 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -349,20 +365,18 @@ interface(`dbus_read_config',`
+@@ -349,20 +369,18 @@ interface(`dbus_read_config',`
 ##	</summary>
 ## </param>
 #
@ -21224,7 +21243,7 @@ index 62d22cb..e1b35aa 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -370,26 +384,20 @@ interface(`dbus_read_lib_files',`
+@@ -370,26 +388,20 @@ interface(`dbus_read_lib_files',`
 ##	</summary>
 ## </param>
 #
@ -21257,7 +21276,7 @@ index 62d22cb..e1b35aa 100644
 ## <param name="domain">
 ##	<summary>
 ##	Type to be used as a domain.
-@@ -397,81 +405,67 @@ interface(`dbus_manage_lib_files',`
+@@ -397,81 +409,67 @@ interface(`dbus_manage_lib_files',`
 ## </param>
 ## <param name="entry_point">
 ##	<summary>
@ -21367,7 +21386,7 @@ index 62d22cb..e1b35aa 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -479,18 +473,18 @@ interface(`dbus_spec_session_domain',`
+@@ -479,18 +477,18 @@ interface(`dbus_spec_session_domain',`
 ##	</summary>
 ## </param>
 #
@ -21391,7 +21410,7 @@ index 62d22cb..e1b35aa 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -498,98 +492,100 @@ interface(`dbus_connect_system_bus',`
+@@ -498,98 +496,100 @@ interface(`dbus_connect_system_bus',`
 ##	</summary>
 ## </param>
 #
@ -21535,7 +21554,7 @@ index 62d22cb..e1b35aa 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -597,28 +593,50 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +597,50 @@ interface(`dbus_use_system_bus_fds',`
 ##	</summary>
 ## </param>
 #
@ -26210,7 +26229,7 @@ index 9a21639..26c5986 100644
 ')
 +
 diff --git a/drbd.te b/drbd.te
-index f2516cc..6f78534 100644
+index f2516cc..70ddc24 100644
 --- a/drbd.te
 +++ b/drbd.te
@@ -18,17 +18,20 @@ files_type(drbd_var_lib_t)
@ -26247,7 +26266,7 @@ index f2516cc..6f78534 100644
 kernel_read_system_state(drbd_t)
-+auth_read_passwd(drbd_t)
+auth_use_nsswitch(drbd_t)
 +
 +can_exec(drbd_t, drbd_exec_t)
 +
@ -35169,10 +35188,10 @@ index 6517fad..b7ca833 100644
 +	allow $1 hypervkvp_unit_file_t:service all_service_perms;
 ')
 diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..6f859e1 100644
+index 4eb7041..ccb563e 100644
 --- a/hypervkvp.te
 +++ b/hypervkvp.te
-@@ -5,24 +5,72 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,81 @@ policy_module(hypervkvp, 1.0.0)
 # Declarations
 #
@ -35207,7 +35226,7 @@ index 4eb7041..6f859e1 100644
 #
 -# Local policy
 +# hyperv domain local policy
- #
+#
 +
 +allow hyperv_domain self:capability net_admin;
 +allow hyperv_domain self:netlink_socket create_socket_perms;
@ -35223,23 +35242,32 @@ index 4eb7041..6f859e1 100644
 +########################################
 #
 +# hypervkvp local policy
-+#
+ #
-+
+ 
 -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
 -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
 +manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
 +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
 +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
 +
 +domain_read_all_domains_state(hypervkvp_t)
 +
 +files_dontaudit_search_home(hypervkvp_t)
 +
 +logging_send_syslog_msg(hypervkvp_t)
 +
 +sysnet_dns_name_resolve(hypervkvp_t)
- 
+sysnet_domtrans_dhcpc(hypervkvp_t)
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+systemd_exec_systemctl(hypervkvp_t)
 +
 +userdom_dontaudit_search_admin_dir(hypervkvp_t)
 +
 +optional_policy(`
 +    netutils_domtrans_ping(hypervkvp_t)
 +')
 +
 +optional_policy(`
 +    sysnet_exec_ifconfig(hypervkvp_t)
 +')
 +
@ -35414,7 +35442,7 @@ index fbb54e7..05c3777 100644
 ########################################
 diff --git a/inetd.te b/inetd.te
-index c6450df..93445b7 100644
+index c6450df..a28aa13 100644
 --- a/inetd.te
 +++ b/inetd.te
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
@ -35487,7 +35515,7 @@ index c6450df..93445b7 100644
 ########################################
 #
 # Child local policy
-@@ -220,6 +223,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
+@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t)
 kernel_read_network_state(inetd_child_t)
 kernel_read_system_state(inetd_child_t)
@ -35498,11 +35526,13 @@ index c6450df..93445b7 100644
 +corenet_udp_sendrecv_generic_node(inetd_child_t)
 +corenet_tcp_sendrecv_all_ports(inetd_child_t)
 +corenet_udp_sendrecv_all_ports(inetd_child_t)
 +
 +corecmd_bin_entry_type(inetd_child_t)
 +
 dev_read_urand(inetd_child_t)
 fs_getattr_xattr_fs(inetd_child_t)
-@@ -230,7 +241,11 @@ auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +243,11 @@ auth_use_nsswitch(inetd_child_t)
 logging_send_syslog_msg(inetd_child_t)
@ -41863,6 +41893,238 @@ index d8c2442..ef30d42 100644
 corenet_sendrecv_generic_server_packets(srvsvcd_t)
 corenet_tcp_sendrecv_generic_if(srvsvcd_t)
 corenet_tcp_sendrecv_generic_node(srvsvcd_t)
 diff --git a/linuxptp.fc b/linuxptp.fc
 new file mode 100644
 index 0000000..d2061a9
 --- /dev/null
 +++ b/linuxptp.fc
@@ -0,0 +1,11 @@
 +/usr/lib/systemd/system/phc2sys.*		--	gen_context(system_u:object_r:phc2sys_unit_file_t,s0)
 +
 +/usr/lib/systemd/system/ptp4l.*			--	gen_context(system_u:object_r:ptp4l_unit_file_t,s0)
 +
 +/usr/lib/systemd/system/timemaster.*		--	gen_context(system_u:object_r:timemaster_unit_file_t,s0)
 +
 +/usr/sbin/ptp4l					--	gen_context(system_u:object_r:ptp4l_exec_t,s0)
 +/usr/sbin/phc2sys				--	gen_context(system_u:object_r:phc2sys_exec_t,s0)
 +/usr/sbin/timemaster				--	gen_context(system_u:object_r:timemaster_exec_t,s0)
 +
 +/var/run/timemaster(/.*)?				gen_context(system_u:object_r:timemaster_var_run_t,s0)
 diff --git a/linuxptp.if b/linuxptp.if
 new file mode 100644
 index 0000000..8d6873f
 --- /dev/null
 +++ b/linuxptp.if
@@ -0,0 +1,59 @@
 +## <summary>implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.</summary>
 +
 +########################################
 +## <summary>
 +##	Execute domain in the phc2sys domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`linuxptp_domtrans_phc2sys',`
 +	gen_require(`
 +		type phc2sys_t, phc2sys_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, phc2sys_exec_t, phc2sys_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Execute domain in the phc2sys domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`linuxptp_domtrans_ptp4l',`
 +	gen_require(`
 +		type ptp4l_t, ptp4l_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, ptp4l_exec_t, ptp4l_t)
 +')
 +######################################
 +## <summary>
 +##  Connect to timemaster using a unix
 +##  domain stream socket.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`timemaster_stream_connect',`
 +	gen_require(`
 +        	type timemaster_t, timemaster_var_run_t;
 +        ')
 +
 +        files_search_pids($1)
 +        stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
 +')
 +
 diff --git a/linuxptp.te b/linuxptp.te
 new file mode 100644
 index 0000000..5a1445c
 --- /dev/null
 +++ b/linuxptp.te
@@ -0,0 +1,144 @@
 +policy_module(linuxptp, 1.0.0)
 +
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +type timemaster_t;
 +type timemaster_exec_t;
 +init_daemon_domain(timemaster_t, timemaster_exec_t)
 +
 +type timemaster_var_run_t;
 +files_pid_file(timemaster_var_run_t)
 +
 +type timemaster_unit_file_t;
 +systemd_unit_file(timemaster_unit_file_t)
 +
 +type phc2sys_t;
 +type phc2sys_exec_t;
 +init_daemon_domain(phc2sys_t, phc2sys_exec_t)
 +
 +type phc2sys_unit_file_t;
 +systemd_unit_file(phc2sys_unit_file_t)
 +
 +type ptp4l_t;
 +type ptp4l_exec_t;
 +init_daemon_domain(ptp4l_t, ptp4l_exec_t)
 +
 +type ptp4l_unit_file_t;
 +systemd_unit_file(ptp4l_unit_file_t)
 +
 +########################################
 +#
 +# timemaster local policy
 +#
 +
 +allow timemaster_t self:process { signal_perms setcap};
 +allow timemaster_t self:fifo_file rw_fifo_file_perms;
 +allow timemaster_t self:capability { setuid sys_time kill setgid };
 +allow timemaster_t self:unix_stream_socket create_stream_socket_perms;
 +allow timemaster_t self:shm create_shm_perms;
 +allow timemaster_t self:udp_socket create_socket_perms;
 +
 +allow timemaster_t ptp4l_t:process signal;
 +allow timemaster_t phc2sys_t:process signal;
 +
 +manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
 +manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
 +manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
 +files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })
 +
 +kernel_read_network_state(timemaster_t)
 +
 +auth_use_nsswitch(timemaster_t)
 +
 +corenet_udp_bind_generic_node(timemaster_t)
 +corenet_udp_bind_ntp_port(timemaster_t)
 +
 +logging_send_syslog_msg(timemaster_t)
 +
 +sysnet_read_config(timemaster_t)
 +
 +optional_policy(`
 +	chronyd_domtrans(timemaster_t)
 +	chronyd_rw_shm(timemaster_t)
 +')
 +
 +optional_policy(`
 +	gpsd_rw_shm(timemaster_t)
 +')
 +
 +optional_policy(`
 +	linuxptp_domtrans_ptp4l(timemaster_t)
 +')
 +
 +optional_policy(`
 +	linuxptp_domtrans_phc2sys(timemaster_t)
 +')
 +
 +########################################
 +#
 +# phc2sys local policy
 +#
 +
 +allow phc2sys_t self:capability sys_time;
 +allow phc2sys_t self:fifo_file rw_fifo_file_perms;
 +allow phc2sys_t self:unix_stream_socket create_stream_socket_perms;
 +allow phc2sys_t self:shm create_shm_perms;
 +allow phc2sys_t self:udp_socket create_socket_perms;
 +
 +allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;
 +
 +manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
 +manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
 +manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
 +files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })
 +
 +logging_send_syslog_msg(phc2sys_t)
 +
 +optional_policy(`
 +	chronyd_rw_shm(phc2sys_t)
 +')
 +
 +optional_policy(`
 +	gpsd_rw_shm(phc2sys_t)
 +')
 +
 +optional_policy(`
 +	ntp_rw_shm(phc2sys_t)
 +')
 +
 +########################################
 +#
 +# ptp4l local policy
 +#
 +
 +allow ptp4l_t self:fifo_file rw_fifo_file_perms;
 +allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
 +allow ptp4l_t self:shm create_shm_perms;
 +allow ptp4l_t self:udp_socket create_socket_perms;
 +allow ptp4l_t self:capability { net_admin net_raw sys_time };
 +allow ptp4l_t self:netlink_route_socket { bind create getattr nlmsg_read };
 +
 +allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;
 +
 +manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
 +manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
 +manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
 +files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })
 +
 +corenet_udp_bind_generic_node(ptp4l_t)
 +corenet_udp_bind_reserved_port(ptp4l_t)
 +
 +logging_send_syslog_msg(ptp4l_t)
 +
 +optional_policy(`
 +	chronyd_rw_shm(ptp4l_t)
 +')
 +
 +optional_policy(`
 +	gpsd_rw_shm(ptp4l_t)
 +')
 +
 diff --git a/lircd.if b/lircd.if
 index dff21a7..b6981c8 100644
 --- a/lircd.if
@ -58029,18 +58291,20 @@ index 8ec7859..719cffd 100644
 fs_getattr_all_fs(ntop_t)
 fs_search_auto_mountpoints(ntop_t)
 diff --git a/ntp.fc b/ntp.fc
-index af3c91e..6882a3f 100644
+index af3c91e..2d41c4c 100644
 --- a/ntp.fc
 +++ b/ntp.fc
-@@ -13,6 +13,8 @@
+@@ -13,7 +13,10 @@
 /usr/sbin/ntpdate	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 /usr/sbin/sntp	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 +/usr/lib/systemd/system/ntpd.*               --      gen_context(system_u:object_r:ntpd_unit_file_t,s0)
 +
 /var/lib/ntp(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
 +/var/lib/sntp(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/log/ntp.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
 diff --git a/ntp.if b/ntp.if
 index e96a309..2bacc3f 100644
 --- a/ntp.if
@ -58242,7 +58506,7 @@ index e96a309..2bacc3f 100644
 +    files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
 ')
 diff --git a/ntp.te b/ntp.te
-index f81b113..5c71385 100644
+index f81b113..6f94328 100644
 --- a/ntp.te
 +++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
@ -58255,15 +58519,16 @@ index f81b113..5c71385 100644
 type ntp_conf_t;
 files_config_file(ntp_conf_t)
-@@ -53,6 +56,7 @@ allow ntpd_t self:tcp_socket { accept listen };
+@@ -53,6 +56,8 @@ allow ntpd_t self:tcp_socket { accept listen };
 manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 +files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp")
 +files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod")
 allow ntpd_t ntp_conf_t:file read_file_perms;
-@@ -60,9 +64,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+@@ -60,9 +65,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
@ -58274,7 +58539,7 @@ index f81b113..5c71385 100644
 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
 manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
-@@ -83,21 +85,16 @@ kernel_read_system_state(ntpd_t)
+@@ -83,21 +86,16 @@ kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
 kernel_request_load_module(ntpd_t)
@ -58298,7 +58563,7 @@ index f81b113..5c71385 100644
 corecmd_exec_bin(ntpd_t)
 corecmd_exec_shell(ntpd_t)
-@@ -110,13 +107,15 @@ domain_use_interactive_fds(ntpd_t)
+@@ -110,13 +108,15 @@ domain_use_interactive_fds(ntpd_t)
 domain_dontaudit_list_all_domains_state(ntpd_t)
 files_read_etc_runtime_files(ntpd_t)
@ -58315,7 +58580,7 @@ index f81b113..5c71385 100644
 auth_use_nsswitch(ntpd_t)
-@@ -124,8 +123,6 @@ init_exec_script_files(ntpd_t)
+@@ -124,8 +124,6 @@ init_exec_script_files(ntpd_t)
 logging_send_syslog_msg(ntpd_t)
@ -61437,7 +61702,7 @@ index 0000000..776fda7
 +')
 diff --git a/opensm.te b/opensm.te
 new file mode 100644
-index 0000000..32d1db4
+index 0000000..de03e94
 --- /dev/null
 +++ b/opensm.te
@@ -0,0 +1,45 @@
@ -61478,7 +61743,7 @@ index 0000000..32d1db4
 +
 +kernel_read_system_state(opensm_t)
 +
-+auth_read_passwd(opensm_t)
+auth_use_nsswitch(opensm_t)
 +
 +corecmd_exec_bin(opensm_t)
 +
@ -66394,7 +66659,7 @@ index 30e751f..61feb3a 100644
 	admin_pattern($1, plymouthd_var_run_t)
 ')
 diff --git a/plymouthd.te b/plymouthd.te
-index 3078ce9..d2f68fa 100644
+index 3078ce9..18872dc 100644
 --- a/plymouthd.te
 +++ b/plymouthd.te
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
@ -66451,7 +66716,7 @@ index 3078ce9..d2f68fa 100644
 +logging_link_generic_logs(plymouthd_t)
 +logging_delete_generic_logs(plymouthd_t)
 +
-+auth_read_passwd(plymouthd_t)
+auth_use_nsswitch(plymouthd_t)
 +
 miscfiles_read_fonts(plymouthd_t)
 miscfiles_manage_fonts_cache(plymouthd_t)
@ -66836,7 +67101,7 @@ index 032a84d..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
 ')
 diff --git a/policykit.te b/policykit.te
-index ee91778..6df7cf0 100644
+index ee91778..b00a474 100644
 --- a/policykit.te
 +++ b/policykit.te
@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
@ -67002,7 +67267,7 @@ index ee91778..6df7cf0 100644
 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -145,65 +159,79 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,65 +159,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@ -67032,6 +67297,7 @@ index ee91778..6df7cf0 100644
 userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
 +userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
 +userdom_dontaudit_manage_user_home_dirs(policykit_auth_t)
 +userdom_read_admin_home_files(policykit_auth_t)
 optional_policy(`
@ -67094,7 +67360,7 @@ index ee91778..6df7cf0 100644
 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
-@@ -211,23 +239,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +240,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
 manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
@ -67121,7 +67387,7 @@ index ee91778..6df7cf0 100644
 	optional_policy(`
 		consolekit_dbus_chat(policykit_grant_t)
 	')
-@@ -235,26 +260,28 @@ optional_policy(`
+@@ -235,26 +261,28 @@ optional_policy(`
 ########################################
 #
@ -67156,7 +67422,7 @@ index ee91778..6df7cf0 100644
 userdom_read_all_users_state(policykit_resolve_t)
 optional_policy(`
-@@ -266,6 +293,6 @@ optional_policy(`
+@@ -266,6 +294,6 @@ optional_policy(`
 ')
 optional_policy(`
@ -87926,7 +88192,7 @@ index 50d07fb..bada62f 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..9c52c41 100644
+index 2b7c441..fdfd40f 100644
 --- a/samba.te
 +++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@ -88840,13 +89106,13 @@ index 2b7c441..9c52c41 100644
 -allow swat_t { nmbd_t smbd_t }:process { signal signull };
 +samba_domtrans_smbd(swat_t)
 +allow swat_t smbd_t:process { signal signull };
- 
+
 -allow swat_t smbd_var_run_t:file read_file_perms;
 -allow swat_t smbd_var_run_t:file { lock delete_file_perms };
 +samba_domtrans_nmbd(swat_t)
 +allow swat_t nmbd_t:process { signal signull };
 +allow nmbd_t swat_t:process signal;
-+
+ 
 -allow swat_t smbd_var_run_t:file read_file_perms;
 -allow swat_t smbd_var_run_t:file { lock delete_file_perms };
 +read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
 +stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
 +
@ -89110,7 +89376,7 @@ index 2b7c441..9c52c41 100644
 ')
 optional_policy(`
-@@ -959,31 +1017,29 @@ optional_policy(`
+@@ -959,31 +1017,35 @@ optional_policy(`
 # Winbind helper local policy
 #
@ -89132,10 +89398,15 @@ index 2b7c441..9c52c41 100644
 -domain_use_interactive_fds(winbind_helper_t)
 -
 -files_list_var_lib(winbind_helper_t)
-
+dev_read_urand(winbind_t)
 term_list_ptys(winbind_helper_t)
 +corecmd_exec_bin(winbind_helper_t)
 +
 +domain_use_interactive_fds(winbind_helper_t)
 +
 +files_list_tmp(winbind_helper_t)
 +
 auth_use_nsswitch(winbind_helper_t)
@ -89148,7 +89419,7 @@ index 2b7c441..9c52c41 100644
 optional_policy(`
 	apache_append_log(winbind_helper_t)
-@@ -997,25 +1053,38 @@ optional_policy(`
+@@ -997,25 +1059,38 @@ optional_policy(`
 ########################################
 #
@ -101545,7 +101816,7 @@ index e29db63..061fb98 100644
 	domain_system_change_exemption($1)
 	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 393a330..b500795 100644
+index 393a330..6893547 100644
 --- a/tuned.te
 +++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@ -101623,22 +101894,22 @@ index 393a330..b500795 100644
 files_dontaudit_search_home(tuned_t)
 -files_dontaudit_list_tmp(tuned_t)
 +files_list_tmp(tuned_t)
- 
+
 -fs_getattr_xattr_fs(tuned_t)
 +fs_getattr_all_fs(tuned_t)
 +fs_search_all(tuned_t)
 +fs_rw_hugetlbfs_files(tuned_t)
-+
+ 
 -fs_getattr_xattr_fs(tuned_t)
 +auth_use_nsswitch(tuned_t)
 logging_send_syslog_msg(tuned_t)
 +#bug in tuned
 +logging_manage_syslog_config(tuned_t)
 +logging_filetrans_named_conf(tuned_t)
 +
 +mount_read_pid_files(tuned_t)
 -miscfiles_read_localization(tuned_t)
 +mount_read_pid_files(tuned_t)
 +
 +modutils_domtrans_insmod(tuned_t)
 udev_read_pid_files(tuned_t)
@ -101675,6 +101946,14 @@ index 393a330..b500795 100644
 optional_policy(`
 	sysnet_domtrans_ifconfig(tuned_t)
 ')
@@ -96,3 +139,7 @@ optional_policy(`
 optional_policy(`
 	unconfined_dbus_send(tuned_t)
 ')
 +
 +optional_policy(`
 +    unconfined_domain(tuned_t)
 +')
 diff --git a/tvtime.if b/tvtime.if
 index 1bb0f7c..372be2f 100644
 --- a/tvtime.if
@ -105209,7 +105488,7 @@ index facdee8..c7a2d97 100644
 +	typeattribute $1 sandbox_caps_domain;
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..f960625 100644
+index f03dcf5..f3d6203 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,241 @@
@ -106214,7 +106493,7 @@ index f03dcf5..f960625 100644
 +allow virt_domain self:process { setrlimit signal_perms getsched setsched };
 +allow virt_domain self:fifo_file rw_fifo_file_perms;
 +allow virt_domain self:shm create_shm_perms;
-+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms };
 +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
 +allow virt_domain self:tcp_socket create_stream_socket_perms;
 +allow virt_domain self:udp_socket create_socket_perms;
@ -112178,7 +112457,7 @@ index 0000000..fb0519e
 +
 diff --git a/zoneminder.te b/zoneminder.te
 new file mode 100644
-index 0000000..b66e76d
+index 0000000..184e3d5
 --- /dev/null
 +++ b/zoneminder.te
@@ -0,0 +1,187 @@
@ -112319,16 +112598,16 @@ index 0000000..b66e76d
 +
 +optional_policy(`
 +    tunable_policy(`zoneminder_run_sudo',`
 +        dbus_system_bus_client(zoneminder_t)
 +    ')
 +')
 +
 +optional_policy(`
 +    tunable_policy(`zoneminder_run_sudo',`
 +        sudo_exec(zoneminder_t)
 +        su_exec(zoneminder_t)
 +    ')
 +')
 +
 +optional_policy(`
 +    dbus_system_bus_client(zoneminder_t)
 +')
 +
 +
 +optional_policy(`
 +	mysql_stream_connect(zoneminder_t)
 +')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 90%{?dist}
+Release: 91%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -604,6 +604,28 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Nov 07 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-91
 - Added interface userdom_dontaudit_manage_user_home_dirs
 - Fix unconfined_server_dbus_chat() interface.
 - Add unconfined_server_dbus_chat() inteface.
 - Allow login domains to create kernel keyring with different level.
 - Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256)
 - Make tuned as unconfined domain.
 - Added support for linuxptp policy. BZ(1149693)
 - make zoneminder as dbus client by default.
 - Allow bluetooth read/write uhid devices. BZ (1161169)
 - Add fixes for hypervkvp daemon
 - Allow guest to connect to libvirt using unix_stream_socket.
 - Allow all bus client domains to dbus chat with unconfined_service_t.
 - Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.
 - Make opensm as nsswitch domain to make it working with sssd.
 - Allow brctl to read meminfo.
 - Allow winbind-helper to execute ntlm_auth in the caller domain.
 - Make plymouthd as nsswitch domain to make it working with sssd.
 - Make drbd as nsswitch domain to make it working with sssd.
 - Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working.
 - Add support for /var/lib/sntp directory.
 * Mon Nov 03 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-90
 - Add support for /dev/nvme controllerdevice nodes created by nvme driver.
 - Add 15672 as amqp_port_t