* Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125

- Define ipa_var_run_t type - Allow certmonger to manage renewal.lock. BZ(1213256) - Add ipa_manage_pid_files interface. - Add rules for netlink_socket in iotop. - Allow iotop netlink socket. - cloudinit and rhsmcertd need to communicate with dbus - Allow apcupsd to use USBttys. BZ(1210960) - Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574) - Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user. - Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
2015-04-20 14:45:47 +02:00 · 2015-04-20 14:45:47 +02:00 · 0bfe8f4452
parent 28cc160db1
commit 0bfe8f4452
3 changed files with 151 additions and 83 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -35422,7 +35422,7 @@ index 4e94884..7ab6191 100644
 +	filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..9d8e11d 100644
+index 59b04c1..aaf4124 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -35646,7 +35646,7 @@ index 59b04c1..9d8e11d 100644
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,8 +412,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,11 +412,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
@ -35658,7 +35658,12 @@ index 59b04c1..9d8e11d 100644
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -389,30 +434,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+# now is /dev/log lnk_file
 +allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
 # create/append log files.
@@ -389,30 +436,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -35709,7 +35714,7 @@ index 59b04c1..9d8e11d 100644
 # syslog-ng can listen and connect on tcp port 514 (rsh)
 corenet_tcp_sendrecv_generic_if(syslogd_t)
 corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +484,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +486,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
 corenet_tcp_connect_rsh_port(syslogd_t)
 # Allow users to define additional syslog ports to connect to
 corenet_tcp_bind_syslogd_port(syslogd_t)
@ -35718,7 +35723,7 @@ index 59b04c1..9d8e11d 100644
 corenet_tcp_connect_syslogd_port(syslogd_t)
 corenet_tcp_connect_postgresql_port(syslogd_t)
 corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +496,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +498,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
 corenet_sendrecv_postgresql_client_packets(syslogd_t)
 corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -35746,7 +35751,7 @@ index 59b04c1..9d8e11d 100644
 domain_use_interactive_fds(syslogd_t)
 files_read_etc_files(syslogd_t)
-@@ -448,13 +529,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +531,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
@ -35764,7 +35769,7 @@ index 59b04c1..9d8e11d 100644
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +551,12 @@ init_use_fds(syslogd_t)
+@@ -466,11 +553,12 @@ init_use_fds(syslogd_t)
 # cjp: this doesnt make sense
 logging_send_syslog_msg(syslogd_t)
@ -35780,7 +35785,7 @@ index 59b04c1..9d8e11d 100644
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
-@@ -497,6 +583,7 @@ optional_policy(`
+@@ -497,6 +585,7 @@ optional_policy(`
 optional_policy(`
 	cron_manage_log_files(syslogd_t)
 	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@ -35788,7 +35793,7 @@ index 59b04c1..9d8e11d 100644
 ')
 optional_policy(`
-@@ -507,15 +594,40 @@ optional_policy(`
+@@ -507,15 +596,40 @@ optional_policy(`
 ')
 optional_policy(`
@ -35829,7 +35834,7 @@ index 59b04c1..9d8e11d 100644
 ')
 optional_policy(`
-@@ -526,3 +638,26 @@ optional_policy(`
+@@ -526,3 +640,26 @@ optional_policy(`
 	# log to the xconsole
 	xserver_rw_console(syslogd_t)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -7617,7 +7617,7 @@ index f3c0aba..f6e25ed 100644
 +	files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
 ')
 diff --git a/apcupsd.te b/apcupsd.te
-index 080bc4d..de60b99 100644
+index 080bc4d..12d701e 100644
 --- a/apcupsd.te
 +++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
@ -7655,7 +7655,7 @@ index 080bc4d..de60b99 100644
 corenet_all_recvfrom_netlabel(apcupsd_t)
 corenet_tcp_sendrecv_generic_if(apcupsd_t)
 corenet_tcp_sendrecv_generic_node(apcupsd_t)
-@@ -67,26 +73,35 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
+@@ -67,26 +73,36 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
 corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
 corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
 corenet_tcp_connect_apcupsd_port(apcupsd_t)
@ -7678,6 +7678,7 @@ index 080bc4d..de60b99 100644
 -term_use_unallocated_ttys(apcupsd_t)
 +term_use_all_terms(apcupsd_t)
 +term_use_usb_ttys(apcupsd_t)
 -logging_send_syslog_msg(apcupsd_t)
 +#apcupsd runs shutdown, probably need a shutdown domain
@ -7696,7 +7697,7 @@ index 080bc4d..de60b99 100644
 optional_policy(`
 	hostname_exec(apcupsd_t)
-@@ -101,6 +116,11 @@ optional_policy(`
+@@ -101,6 +117,11 @@ optional_policy(`
 	shutdown_domtrans(apcupsd_t)
 ')
@ -7708,7 +7709,7 @@ index 080bc4d..de60b99 100644
 ########################################
 #
 # CGI local policy
-@@ -108,20 +128,20 @@ optional_policy(`
+@@ -108,20 +129,20 @@ optional_policy(`
 optional_policy(`
 	apache_content_template(apcupsd_cgi)
@ -11578,7 +11579,7 @@ index 008f8ef..144c074 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..7f683e5 100644
+index 550b287..fc5b086 100644
 --- a/certmonger.te
 +++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@ -11667,7 +11668,7 @@ index 550b287..7f683e5 100644
 ')
 optional_policy(`
-@@ -92,11 +109,56 @@ optional_policy(`
+@@ -92,11 +109,57 @@ optional_policy(`
 ')
 optional_policy(`
@ -11680,6 +11681,7 @@ index 550b287..7f683e5 100644
 +
 +optional_policy(`
 +    ipa_manage_lib(certmonger_t)
 +    ipa_manage_pid_files(certmonger_t)
 +')
 +
 +optional_policy(`
@ -13531,10 +13533,10 @@ index 0000000..a06f04b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..8c06c5d
+index 0000000..ec3a39a
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,240 @@
+@@ -0,0 +1,244 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@ -13654,6 +13656,10 @@ index 0000000..8c06c5d
 +')
 +
 +optional_policy(`
 +	rhsmcertd_dbus_chat(cloud_init_t)
 +')
 +
 +optional_policy(`
 +    networkmanager_dbus_chat(cloud_init_t)
 +')
 +
@ -35693,16 +35699,17 @@ index 0000000..7fc3464
 +')
 diff --git a/iotop.te b/iotop.te
 new file mode 100644
-index 0000000..51d7e34
+index 0000000..61f2003
 --- /dev/null
 +++ b/iotop.te
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,39 @@
 +policy_module(iotop, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +attribute_role iotop_roles;
 +roleattribute system_r iotop_roles;
 +
@ -35719,6 +35726,7 @@ index 0000000..51d7e34
 +
 +allow iotop_t self:capability net_admin;
 +allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
 +allow iotop_t self:netlink_socket create_socket_perms;
 +
 +kernel_read_system_state(iotop_t)
 +
@ -35736,22 +35744,24 @@ index 0000000..51d7e34
 +userdom_use_user_terminals(iotop_t)
 diff --git a/ipa.fc b/ipa.fc
 new file mode 100644
-index 0000000..48d7322
+index 0000000..877a747
 --- /dev/null
 +++ b/ipa.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,8 @@
 +/usr/lib/systemd/system/ipa-otpd.*		--	gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
 +
 +/usr/libexec/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
 +
 +/var/lib/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_lib_t,s0)
 +
 +/var/run/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_run_t,s0)
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..123e906
+index 0000000..789b3e8
 --- /dev/null
 +++ b/ipa.if
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,112 @@
 +## <summary>Policy for IPA services.</summary>
 +
 +########################################
@ -35846,12 +35856,30 @@ index 0000000..123e906
 +    list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Allow domain to manage ipa run files/dirs.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`ipa_manage_pid_files',`
 +	gen_require(`
 +		type ipa_var_run_t;
 +	')
 +    manage_files_pattern($1, ipa_var_run_t, ipa_var_run_t)
 +    manage_dirs_pattern($1, ipa_var_run_t, ipa_var_run_t)
 +')
 +
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
-index 0000000..b60bc5f
+index 0000000..a7f09d25
 --- /dev/null
 +++ b/ipa.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,50 @@
 +policy_module(ipa, 1.0.0)
 +
 +########################################
@ -35871,6 +35899,9 @@ index 0000000..b60bc5f
 +type ipa_var_lib_t;
 +files_type(ipa_var_lib_t)
 +
 +type ipa_var_run_t;
 +files_pid_file(ipa_var_run_t)
 +
 +########################################
 +#
 +# ipa_otpd local policy
@ -35881,6 +35912,10 @@ index 0000000..b60bc5f
 +allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
 +allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
 +manage_files_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
 +files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file)
 +
 +corenet_tcp_connect_radius_port(ipa_otpd_t)
 +
 +dev_read_urand(ipa_otpd_t)
@ -63782,7 +63817,7 @@ index bf59ef7..0e33327 100644
 +')
 +
 diff --git a/passenger.te b/passenger.te
-index 08ec33b..231f2e2 100644
+index 08ec33b..56fba2e 100644
 --- a/passenger.te
 +++ b/passenger.te
@@ -14,6 +14,9 @@ role system_r types passenger_t;
@ -63809,7 +63844,7 @@ index 08ec33b..231f2e2 100644
 +allow passenger_t self:process { setpgid setsched getsession signal_perms };
 allow passenger_t self:fifo_file rw_fifo_file_perms;
 -allow passenger_t self:unix_stream_socket { accept connectto listen };
-+allow passenger_t self:tcp_socket listen;
+allow passenger_t self:tcp_socket { accept listen };
 +allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +can_exec(passenger_t, passenger_exec_t)
@ -80283,7 +80318,7 @@ index 16c8ecb..4e021ec 100644
 +	')
 ')
 diff --git a/redis.te b/redis.te
-index 25cd417..178198b 100644
+index 25cd417..e331b5d 100644
 --- a/redis.te
 +++ b/redis.te
@@ -21,6 +21,9 @@ files_type(redis_var_lib_t)
@ -80296,7 +80331,15 @@ index 25cd417..178198b 100644
 ########################################
 #
 # Local policy
-@@ -60,6 +63,4 @@ dev_read_urand(redis_t)
+@@ -42,6 +45,7 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
 manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 +manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 kernel_read_system_state(redis_t)
@@ -60,6 +64,4 @@ dev_read_urand(redis_t)
 logging_send_syslog_msg(redis_t)
@ -81906,7 +81949,7 @@ index c8bdea2..bf60580 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..bfaf5c6 100644
+index 6cf79c4..a70327a 100644
 --- a/rhcs.te
 +++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@ -82270,7 +82313,7 @@ index 6cf79c4..bfaf5c6 100644
 -allow fenced_t self:capability { sys_rawio sys_resource };
 -allow fenced_t self:process { getsched signal_perms };
 -allow fenced_t self:tcp_socket { accept listen };
-+allow fenced_t self:capability { net_admin sys_rawio sys_resource };
+allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin };
 +allow fenced_t self:process { getsched setpgid signal_perms };
 +
 +allow fenced_t self:tcp_socket create_stream_socket_perms;
@ -93053,7 +93096,7 @@ index 3a9a70b..903109c 100644
 	logging_list_logs($1)
 	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index ce67935..88fea69 100644
+index ce67935..130eca9 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1)
@ -93086,8 +93129,9 @@ index ce67935..88fea69 100644
 +# setroubleshootd local policy
 #
- allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
+-allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
 -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack };
 +allow setroubleshootd_t self:capability { sys_nice sys_ptrace sys_tty_config };
 +dontaudit setroubleshootd_t self:capability net_admin;
 +
 +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
@ -93326,10 +93370,10 @@ index 0000000..c9d2d9c
 +
 diff --git a/sge.te b/sge.te
 new file mode 100644
-index 0000000..af30acf
+index 0000000..b2096dd
 --- /dev/null
 +++ b/sge.te
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,196 @@
 +policy_module(sge, 1.0.0)
 +
 +########################################
@ -93489,6 +93533,7 @@ index 0000000..af30acf
 +manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
 +
 +manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
 +manage_lnk_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
 +manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
 +files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })
 +
@ -99729,7 +99774,7 @@ index 42946bc..9f70e4c 100644
 +	can_exec($1, telepathy_executable)
 ')
 diff --git a/telepathy.te b/telepathy.te
-index 9afcbc9..b19622d 100644
+index 9afcbc9..7b8ddb4 100644
 --- a/telepathy.te
 +++ b/telepathy.te
@@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2)
@ -99841,14 +99886,14 @@ index 9afcbc9..b19622d 100644
 -	corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
 	corenet_tcp_connect_generic_port(telepathy_gabble_t)
 -	corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
 -')
 -
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(telepathy_gabble_t)
 -	fs_manage_nfs_files(telepathy_gabble_t)
 +	corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
 ')
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(telepathy_gabble_t)
 -	fs_manage_nfs_files(telepathy_gabble_t)
 -')
 -
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(telepathy_gabble_t)
 -	fs_manage_cifs_files(telepathy_gabble_t)
@ -99961,11 +100006,11 @@ index 9afcbc9..b19622d 100644
 manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
 -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
 +userdom_search_user_home_dirs(telepathy_mission_control_t)
 +
 +manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
 +manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
 -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
 +manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
 +manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
 +
 +manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
 manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
 -filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
@ -100008,7 +100053,7 @@ index 9afcbc9..b19622d 100644
 optional_policy(`
 	dbus_system_bus_client(telepathy_mission_control_t)
-@@ -248,59 +225,47 @@ optional_policy(`
+@@ -248,59 +225,48 @@ optional_policy(`
 		devicekit_dbus_chat_power(telepathy_mission_control_t)
 	')
 	optional_policy(`
@ -100046,8 +100091,8 @@ index 9afcbc9..b19622d 100644
 files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
 -
 userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
 -
 +userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
 can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
 corenet_all_recvfrom_netlabel(telepathy_msn_t)
@ -100082,7 +100127,7 @@ index 9afcbc9..b19622d 100644
 init_read_state(telepathy_msn_t)
-@@ -310,18 +275,19 @@ logging_send_syslog_msg(telepathy_msn_t)
+@@ -310,18 +276,19 @@ logging_send_syslog_msg(telepathy_msn_t)
 miscfiles_read_all_certs(telepathy_msn_t)
@ -100107,7 +100152,7 @@ index 9afcbc9..b19622d 100644
 ')
 optional_policy(`
-@@ -332,43 +298,33 @@ optional_policy(`
+@@ -332,43 +299,33 @@ optional_policy(`
 	')
 ')
@ -100156,7 +100201,7 @@ index 9afcbc9..b19622d 100644
 ')
 optional_policy(`
-@@ -381,73 +337,51 @@ optional_policy(`
+@@ -381,73 +338,51 @@ optional_policy(`
 #######################################
 #
@ -100240,7 +100285,7 @@ index 9afcbc9..b19622d 100644
 optional_policy(`
 	xserver_read_xdm_pid(telepathy_sunshine_t)
 	xserver_stream_connect(telepathy_sunshine_t)
-@@ -455,31 +389,51 @@ optional_policy(`
+@@ -455,31 +390,51 @@ optional_policy(`
 #######################################
 #
@ -100275,6 +100320,7 @@ index 9afcbc9..b19622d 100644
 -miscfiles_read_localization(telepathy_domain)
 +userdom_search_user_tmp_dirs(telepathy_domain)
 +userdom_search_user_home_dirs(telepathy_domain)
 +userdom_use_inherited_user_ttys(telepathy_domain)
 optional_policy(`
 	automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
@ -100298,7 +100344,6 @@ index 9afcbc9..b19622d 100644
 +optional_policy(`
 	xserver_rw_xdm_pipes(telepathy_domain)
 ')
 +
 diff --git a/telnet.te b/telnet.te
 index d7c8633..a91c027 100644
 --- a/telnet.te
@ -106115,7 +106160,7 @@ index facdee8..c930866 100644
 +	typeattribute $1 sandbox_caps_domain;
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..e8341d7 100644
+index f03dcf5..6fb7d3f 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,241 @@
@ -107205,7 +107250,7 @@ index f03dcf5..e8341d7 100644
 -can_exec(virsh_t, virsh_exec_t)
 +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-+
+ 
 +corecmd_exec_bin(virt_domain)
 +corecmd_exec_shell(virt_domain)
 +
@ -107279,7 +107324,7 @@ index f03dcf5..e8341d7 100644
 +optional_policy(`
 +	pulseaudio_dontaudit_exec(virt_domain)
 +')
- 
+
 +optional_policy(`
 +	sssd_dontaudit_stream_connect(virt_domain)
 +	sssd_dontaudit_read_lib(virt_domain)
@ -107615,7 +107660,7 @@ index f03dcf5..e8341d7 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1171,310 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1171,314 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -107631,21 +107676,21 @@ index f03dcf5..e8341d7 100644
 +optional_policy(`
 +	dbus_system_bus_client(virtd_lxc_t)
 +	init_dbus_chat(virtd_lxc_t)
-+
+ 
 -miscfiles_read_localization(virtd_lxc_t)
 +	optional_policy(`
 +		hal_dbus_chat(virtd_lxc_t)
 +	')
 +')
 -miscfiles_read_localization(virtd_lxc_t)
 +optional_policy(`
 +	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
 -seutil_domtrans_setfiles(virtd_lxc_t)
 -seutil_read_config(virtd_lxc_t)
 -seutil_read_default_contexts(virtd_lxc_t)
 +optional_policy(`
 +	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
 +
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_lxc_t)
 +')
@ -107671,10 +107716,6 @@ index f03dcf5..e8341d7 100644
 +allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
 +allow svirt_sandbox_domain self:passwd rootok;
 +allow svirt_sandbox_domain self:filesystem associate;
 +
 +tunable_policy(`deny_ptrace',`',`
 +	allow svirt_sandbox_domain self:process ptrace;
 +')
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@ -107758,6 +107799,14 @@ index f03dcf5..e8341d7 100644
 -miscfiles_read_fonts(svirt_lxc_domain)
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
 +
 +fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
 +
 +tunable_policy(`deny_ptrace',`',`
 +	allow svirt_sandbox_domain self:process ptrace;
 +')
 +
 +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
 +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
@ -107836,28 +107885,28 @@ index f03dcf5..e8341d7 100644
 +userdom_use_inherited_user_terminals(svirt_sandbox_domain)
 +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
 +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
- 
+
- optional_policy(`
+optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
 +	apache_exec_modules(svirt_sandbox_domain)
 +	apache_read_sys_content(svirt_sandbox_domain)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
 +	gear_read_pid_files(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
 +	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 +')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
 +	ssh_use_ptys(svirt_sandbox_domain)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
 +	udev_read_pid_files(svirt_sandbox_domain)
 +')
 +
@ -108067,7 +108116,7 @@ index f03dcf5..e8341d7 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1487,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1491,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -108082,7 +108131,7 @@ index f03dcf5..e8341d7 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,9 +1505,8 @@ optional_policy(`
+@@ -1192,9 +1509,8 @@ optional_policy(`
 ########################################
 #
@ -108093,7 +108142,7 @@ index f03dcf5..e8341d7 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1519,238 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1523,240 @@ kernel_read_network_state(virt_bridgehelper_t)
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@ -108315,6 +108364,7 @@ index f03dcf5..e8341d7 100644
 +allow sandbox_net_domain self:packet_socket create_socket_perms;
 +allow sandbox_net_domain self:socket create_socket_perms;
 +allow sandbox_net_domain self:rawip_socket create_socket_perms;
 +allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 +
 +corenet_tcp_bind_generic_node(sandbox_net_domain)
 +corenet_udp_bind_generic_node(sandbox_net_domain)
@ -108334,6 +108384,7 @@ index f03dcf5..e8341d7 100644
 +')
 +
 +allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
 +
 diff --git a/vlock.te b/vlock.te
 index 6b72968..de409cc 100644
 --- a/vlock.te
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 124%{?dist}
+Release: 125%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -602,6 +602,18 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125
 - Define ipa_var_run_t type
 - Allow certmonger to manage renewal.lock. BZ(1213256)
 - Add ipa_manage_pid_files interface.
 - Add rules for netlink_socket in iotop.
 - Allow iotop netlink socket.
 - cloudinit and rhsmcertd need to communicate with dbus
 - Allow apcupsd to use USBttys. BZ(1210960)
 - Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
 - Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
 - Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
 * Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124
 - Add more restriction on entrypoint for unconfined domains.