* Thu Aug 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-211

- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow systemd-machined to communicate to lxc container using dbus
- Dontaudit accountsd domain creating dirs in /root
- Add new policy for Disk Manager called udisks2
- Dontaudit firewalld wants write to /root
- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t
- Allow certmonger to manage all systemd unit files
- Allow ipa_helper_t stream connect to dirsrv_t domain
- Update oracleasm SELinux module
- label /var/lib/kubelet as svirt_sandbox_file_t
- Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280)
- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness
- Add new userdom_dontaudit_manage_admin_dir() interface
- Label /dev/oracleasm as oracleasmfs_t. Add a few interfaces related to the oracleasmfs_t type
Lukas Vrabec 2016-08-25 14:28:42 +02:00
parent 0c6f87bc1e
commit 0c7ae4b314
4 changed files with 673 additions and 147 deletions



@ -17860,10 +17860,10 @@ index 1a03abd..3221f80 100644
allow files_unconfined_type file_type:file execmod;
')
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index d7c11a0..6b3331d 100644
index d7c11a0..efcd377 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -1,23 +1,26 @@
@@ -1,23 +1,29 @@
-/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
-/cgroup/.* <<none>>
+# ecryptfs does not support xattr
@ -17882,6 +17882,9 @@ index d7c11a0..6b3331d 100644
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)
+/dev/shm/.* <<none>>
+/dev/oracleasm -d gen_context(system_u:object_r:oracleasmfs_t,s0)
+/dev/oracleasm/.* <<none>>
+
+/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/usr/lib/udev/devices/hugepages/.* <<none>>
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
@ -17901,7 +17904,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <<none>>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..20099cd 100644
index 8416beb..f7a29fe 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -18997,7 +19000,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2253,38 +2606,611 @@ interface(`fs_remount_iso9660_fs',`
@@ -2253,38 +2606,686 @@ interface(`fs_remount_iso9660_fs',`
## </summary>
## </param>
#
@ -19123,6 +19126,81 @@ index 8416beb..20099cd 100644
+
+########################################
+## <summary>
+## List oracleasmfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_oracleasmfs',`
+ gen_require(`
+ type oracleasmfs_t;
+ ')
+
+ allow $1 oracleasmfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of an oracleasmfs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_oracleasmfs',`
+ gen_require(`
+ type oracleasmfs_t;
+ ')
+
+ allow $1 oracleasmfs_t:file getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of an oracleasmfs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_setattr_oracleasmfs',`
+ gen_require(`
+ type oracleasmfs_t;
+ ')
+
+ allow $1 oracleasmfs_t:file setattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of an oracleasmfs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_setattr_oracleasmfs_dirs',`
+ gen_require(`
+ type oracleasmfs_t;
+ ')
+
+ allow $1 oracleasmfs_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Search inotifyfs filesystem.
+## </summary>
+## <param name="domain">
@ -19621,7 +19699,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2292,19 +3218,21 @@ interface(`fs_getattr_iso9660_fs',`
@@ -2292,19 +3293,21 @@ interface(`fs_getattr_iso9660_fs',`
## </summary>
## </param>
#
@ -19649,7 +19727,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2312,16 +3240,15 @@ interface(`fs_getattr_iso9660_files',`
@@ -2312,16 +3315,15 @@ interface(`fs_getattr_iso9660_files',`
## </summary>
## </param>
#
@ -19670,7 +19748,7 @@ index 8416beb..20099cd 100644
########################################
## <summary>
## Mount a NFS filesystem.
@@ -2398,6 +3325,24 @@ interface(`fs_getattr_nfs',`
@@ -2398,6 +3400,24 @@ interface(`fs_getattr_nfs',`
########################################
## <summary>
@ -19695,7 +19773,7 @@ index 8416beb..20099cd 100644
## Search directories on a NFS filesystem.
## </summary>
## <param name="domain">
@@ -2485,6 +3430,7 @@ interface(`fs_read_nfs_files',`
@@ -2485,6 +3505,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@ -19703,7 +19781,7 @@ index 8416beb..20099cd 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
@@ -2523,6 +3469,7 @@ interface(`fs_write_nfs_files',`
@@ -2523,6 +3544,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@ -19711,7 +19789,7 @@ index 8416beb..20099cd 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
@@ -2549,6 +3496,44 @@ interface(`fs_exec_nfs_files',`
@@ -2549,6 +3571,44 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@ -19756,7 +19834,7 @@ index 8416beb..20099cd 100644
## Append files
## on a NFS filesystem.
## </summary>
@@ -2569,7 +3554,7 @@ interface(`fs_append_nfs_files',`
@@ -2569,7 +3629,7 @@ interface(`fs_append_nfs_files',`
########################################
## <summary>
@ -19765,7 +19843,7 @@ index 8416beb..20099cd 100644
## on a NFS filesystem.
## </summary>
## <param name="domain">
@@ -2589,6 +3574,42 @@ interface(`fs_dontaudit_append_nfs_files',`
@@ -2589,6 +3649,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@ -19808,7 +19886,7 @@ index 8416beb..20099cd 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
@@ -2603,7 +3624,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
@@ -2603,7 +3699,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@ -19817,7 +19895,7 @@ index 8416beb..20099cd 100644
')
########################################
@@ -2627,7 +3648,7 @@ interface(`fs_read_nfs_symlinks',`
@@ -2627,7 +3723,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
@ -19826,7 +19904,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2719,6 +3740,65 @@ interface(`fs_search_rpc',`
@@ -2719,6 +3815,65 @@ interface(`fs_search_rpc',`
########################################
## <summary>
@ -19892,7 +19970,7 @@ index 8416beb..20099cd 100644
## Search removable storage directories.
## </summary>
## <param name="domain">
@@ -2741,7 +3821,7 @@ interface(`fs_search_removable',`
@@ -2741,7 +3896,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@ -19901,7 +19979,7 @@ index 8416beb..20099cd 100644
## </summary>
## </param>
#
@@ -2777,7 +3857,7 @@ interface(`fs_read_removable_files',`
@@ -2777,7 +3932,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@ -19910,7 +19988,7 @@ index 8416beb..20099cd 100644
## </summary>
## </param>
#
@@ -2970,6 +4050,7 @@ interface(`fs_manage_nfs_dirs',`
@@ -2970,6 +4125,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@ -19918,7 +19996,7 @@ index 8416beb..20099cd 100644
allow $1 nfs_t:dir manage_dir_perms;
')
@@ -3010,6 +4091,7 @@ interface(`fs_manage_nfs_files',`
@@ -3010,6 +4166,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@ -19926,7 +20004,7 @@ index 8416beb..20099cd 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
@@ -3050,6 +4132,7 @@ interface(`fs_manage_nfs_symlinks',`
@@ -3050,6 +4207,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@ -19934,7 +20012,7 @@ index 8416beb..20099cd 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -3137,6 +4220,24 @@ interface(`fs_nfs_domtrans',`
@@ -3137,6 +4295,24 @@ interface(`fs_nfs_domtrans',`
########################################
## <summary>
@ -19959,7 +20037,7 @@ index 8416beb..20099cd 100644
## Mount a NFS server pseudo filesystem.
## </summary>
## <param name="domain">
@@ -3182,18 +4283,108 @@ interface(`fs_remount_nfsd_fs',`
@@ -3182,18 +4358,108 @@ interface(`fs_remount_nfsd_fs',`
## </summary>
## </param>
#
@ -20076,7 +20154,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3201,17 +4392,17 @@ interface(`fs_unmount_nfsd_fs',`
@@ -3201,17 +4467,17 @@ interface(`fs_unmount_nfsd_fs',`
## </summary>
## </param>
#
@ -20097,7 +20175,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3219,35 +4410,35 @@ interface(`fs_getattr_nfsd_fs',`
@@ -3219,35 +4485,35 @@ interface(`fs_getattr_nfsd_fs',`
## </summary>
## </param>
#
@ -20147,7 +20225,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3255,17 +4446,17 @@ interface(`fs_list_nfsd_fs',`
@@ -3255,17 +4521,17 @@ interface(`fs_list_nfsd_fs',`
## </summary>
## </param>
#
@ -20169,7 +20247,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3273,12 +4464,12 @@ interface(`fs_getattr_nfsd_files',`
@@ -3273,12 +4539,12 @@ interface(`fs_getattr_nfsd_files',`
## </summary>
## </param>
#
@ -20184,7 +20262,7 @@ index 8416beb..20099cd 100644
')
########################################
@@ -3392,7 +4583,7 @@ interface(`fs_search_ramfs',`
@@ -3392,7 +4658,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@ -20193,7 +20271,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3429,7 +4620,7 @@ interface(`fs_manage_ramfs_dirs',`
@@ -3429,7 +4695,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@ -20202,7 +20280,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3447,7 +4638,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
@@ -3447,7 +4713,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@ -20211,7 +20289,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3779,6 +4970,24 @@ interface(`fs_mount_tmpfs',`
@@ -3779,6 +5045,24 @@ interface(`fs_mount_tmpfs',`
########################################
## <summary>
@ -20236,7 +20314,7 @@ index 8416beb..20099cd 100644
## Remount a tmpfs filesystem.
## </summary>
## <param name="domain">
@@ -3815,6 +5024,24 @@ interface(`fs_unmount_tmpfs',`
@@ -3815,6 +5099,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
@ -20261,7 +20339,7 @@ index 8416beb..20099cd 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
@@ -3908,7 +5135,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
@@ -3908,7 +5210,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
## <summary>
@ -20270,7 +20348,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3916,17 +5143,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
@@ -3916,17 +5218,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
## </summary>
## </param>
#
@ -20291,7 +20369,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3934,17 +5161,17 @@ interface(`fs_mounton_tmpfs',`
@@ -3934,17 +5236,17 @@ interface(`fs_mounton_tmpfs',`
## </summary>
## </param>
#
@ -20312,7 +20390,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3952,17 +5179,36 @@ interface(`fs_setattr_tmpfs_dirs',`
@@ -3952,17 +5254,36 @@ interface(`fs_setattr_tmpfs_dirs',`
## </summary>
## </param>
#
@ -20352,7 +20430,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3970,31 +5216,48 @@ interface(`fs_search_tmpfs',`
@@ -3970,31 +5291,48 @@ interface(`fs_search_tmpfs',`
## </summary>
## </param>
#
@ -20408,7 +20486,7 @@ index 8416beb..20099cd 100644
')
########################################
@@ -4066,33 +5329,161 @@ interface(`fs_tmpfs_filetrans',`
@@ -4066,33 +5404,161 @@ interface(`fs_tmpfs_filetrans',`
type tmpfs_t;
')
@ -20579,7 +20657,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4100,72 +5491,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
@@ -4100,72 +5566,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
## </summary>
## </param>
#
@ -20669,7 +20747,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4173,17 +5564,18 @@ interface(`fs_rw_tmpfs_files',`
@@ -4173,17 +5639,18 @@ interface(`fs_rw_tmpfs_files',`
## </summary>
## </param>
#
@ -20691,7 +20769,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4191,37 +5583,37 @@ interface(`fs_read_tmpfs_symlinks',`
@@ -4191,37 +5658,37 @@ interface(`fs_read_tmpfs_symlinks',`
## </summary>
## </param>
#
@ -20737,7 +20815,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4229,18 +5621,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
@@ -4229,18 +5696,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
## </summary>
## </param>
#
@ -20759,7 +20837,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4248,18 +5640,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
@@ -4248,18 +5715,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
## </summary>
## </param>
#
@ -20783,7 +20861,7 @@ index 8416beb..20099cd 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4267,32 +5660,31 @@ interface(`fs_rw_tmpfs_blk_files',`
@@ -4267,32 +5735,31 @@ interface(`fs_rw_tmpfs_blk_files',`
## </summary>
## </param>
#
@ -20822,7 +20900,7 @@ index 8416beb..20099cd 100644
')
########################################
@@ -4407,6 +5799,25 @@ interface(`fs_search_xenfs',`
@@ -4407,6 +5874,25 @@ interface(`fs_search_xenfs',`
allow $1 xenfs_t:dir search_dir_perms;
')
@ -20848,7 +20926,7 @@ index 8416beb..20099cd 100644
########################################
## <summary>
## Create, read, write, and delete directories
@@ -4503,6 +5914,8 @@ interface(`fs_mount_all_fs',`
@@ -4503,6 +5989,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@ -20857,7 +20935,7 @@ index 8416beb..20099cd 100644
')
########################################
@@ -4549,7 +5962,7 @@ interface(`fs_unmount_all_fs',`
@@ -4549,7 +6037,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@ -20866,7 +20944,7 @@ index 8416beb..20099cd 100644
## Example attributes:
## </p>
## <ul>
@@ -4596,6 +6009,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
@@ -4596,6 +6084,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
## <summary>
@ -20893,7 +20971,7 @@ index 8416beb..20099cd 100644
## Get the quotas of all filesystems.
## </summary>
## <param name="domain">
@@ -4671,6 +6104,25 @@ interface(`fs_getattr_all_dirs',`
@@ -4671,6 +6179,25 @@ interface(`fs_getattr_all_dirs',`
########################################
## <summary>
@ -20919,7 +20997,7 @@ index 8416beb..20099cd 100644
## Search all directories with a filesystem type.
## </summary>
## <param name="domain">
@@ -4912,3 +6364,173 @@ interface(`fs_unconfined',`
@@ -4912,3 +6439,173 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@ -29732,7 +29810,7 @@ index cc877c7..b8e6e98 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 8274418..5f31270 100644
index 8274418..a47fd0b4 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,39 @@
@ -29798,7 +29876,7 @@ index 8274418..5f31270 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
@@ -46,26 +80,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
@@ -46,26 +80,37 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@ -29837,10 +29915,12 @@ index 8274418..5f31270 100644
+
+/usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
+/usr/libexec/gsd-backlight-helper -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -91,19 +134,34 @@ ifndef(`distro_debian',`
@@ -91,19 +136,34 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@ -29879,7 +29959,7 @@ index 8274418..5f31270 100644
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -111,7 +169,18 @@ ifndef(`distro_debian',`
@@ -111,7 +171,18 @@ ifndef(`distro_debian',`
/var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@ -37342,7 +37422,7 @@ index 79a45f6..d092e6e 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..01ef803 100644
index 17eda24..97e35aa 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -37467,7 +37547,7 @@ index 17eda24..01ef803 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
@@ -108,14 +161,45 @@ allow init_t self:capability ~sys_module;
@@ -108,14 +161,47 @@ allow init_t self:capability ~sys_module;
allow init_t self:fifo_file rw_fifo_file_perms;
@ -37506,7 +37586,9 @@ index 17eda24..01ef803 100644
+manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
+manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
+manage_fifo_files_pattern(init_t, init_var_run_t, init_var_run_t)
+files_pid_filetrans(init_t, init_var_run_t, { dir file })
+manage_blk_files_pattern(init_t, init_var_run_t, init_var_run_t)
+manage_chr_files_pattern(init_t, init_var_run_t, init_var_run_t)
+files_pid_filetrans(init_t, init_var_run_t, { dir file blk_file chr_file fifo_file})
+allow init_t init_var_run_t:dir mounton;
+allow init_t init_var_run_t:sock_file relabelto;
+allow init_t init_var_run_t:blk_file getattr;
@ -37519,7 +37601,7 @@ index 17eda24..01ef803 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
@@ -125,13 +209,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
@@ -125,13 +211,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@ -37544,7 +37626,7 @@ index 17eda24..01ef803 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
@@ -139,14 +233,24 @@ domain_signal_all_domains(init_t)
@@ -139,14 +235,24 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@ -37570,7 +37652,7 @@ index 17eda24..01ef803 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
@@ -155,29 +259,70 @@ fs_list_inotifyfs(init_t)
@@ -155,29 +261,70 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@ -37646,7 +37728,7 @@ index 17eda24..01ef803 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
@@ -186,29 +331,264 @@ ifdef(`distro_gentoo',`
@@ -186,29 +333,264 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@ -37920,7 +38002,7 @@ index 17eda24..01ef803 100644
')
optional_policy(`
@@ -216,7 +596,30 @@ optional_policy(`
@@ -216,7 +598,30 @@ optional_policy(`
')
optional_policy(`
@ -37952,7 +38034,7 @@ index 17eda24..01ef803 100644
')
########################################
@@ -225,9 +628,9 @@ optional_policy(`
@@ -225,9 +630,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -37964,7 +38046,7 @@ index 17eda24..01ef803 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -258,12 +661,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
@@ -258,12 +663,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -37981,7 +38063,7 @@ index 17eda24..01ef803 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -279,23 +686,36 @@ kernel_change_ring_buffer_level(initrc_t)
@@ -279,23 +688,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@ -38024,7 +38106,7 @@ index 17eda24..01ef803 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
@@ -303,9 +723,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
@@ -303,9 +725,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@ -38036,7 +38118,7 @@ index 17eda24..01ef803 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -313,8 +735,10 @@ dev_write_framebuffer(initrc_t)
@@ -313,8 +737,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@ -38047,7 +38129,7 @@ index 17eda24..01ef803 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -322,8 +746,7 @@ dev_manage_generic_files(initrc_t)
@@ -322,8 +748,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@ -38057,7 +38139,7 @@ index 17eda24..01ef803 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
@@ -332,7 +755,6 @@ domain_sigstop_all_domains(initrc_t)
@@ -332,7 +757,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@ -38065,7 +38147,7 @@ index 17eda24..01ef803 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
@@ -340,6 +762,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
@@ -340,6 +764,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38073,7 +38155,7 @@ index 17eda24..01ef803 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
@@ -347,14 +770,15 @@ files_getattr_all_symlinks(initrc_t)
@@ -347,14 +772,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@ -38091,7 +38173,7 @@ index 17eda24..01ef803 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
@@ -364,8 +788,12 @@ files_list_isid_type_dirs(initrc_t)
@@ -364,8 +790,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@ -38105,7 +38187,7 @@ index 17eda24..01ef803 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -375,10 +803,11 @@ fs_mount_all_fs(initrc_t)
@@ -375,10 +805,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@ -38119,7 +38201,7 @@ index 17eda24..01ef803 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
@@ -387,8 +816,10 @@ mls_process_read_up(initrc_t)
@@ -387,8 +818,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@ -38130,7 +38212,7 @@ index 17eda24..01ef803 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
@@ -398,6 +829,7 @@ term_use_all_terms(initrc_t)
@@ -398,6 +831,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@ -38138,7 +38220,7 @@ index 17eda24..01ef803 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
@@ -416,20 +848,18 @@ logging_read_all_logs(initrc_t)
@@ -416,20 +850,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@ -38162,7 +38244,7 @@ index 17eda24..01ef803 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
@@ -451,7 +881,6 @@ ifdef(`distro_gentoo',`
@@ -451,7 +883,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@ -38170,7 +38252,7 @@ index 17eda24..01ef803 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
@@ -486,6 +915,10 @@ ifdef(`distro_gentoo',`
@@ -486,6 +917,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@ -38181,7 +38263,7 @@ index 17eda24..01ef803 100644
alsa_read_lib(initrc_t)
')
@@ -506,7 +939,7 @@ ifdef(`distro_redhat',`
@@ -506,7 +941,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -38190,7 +38272,7 @@ index 17eda24..01ef803 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -521,6 +954,7 @@ ifdef(`distro_redhat',`
@@ -521,6 +956,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@ -38198,7 +38280,7 @@ index 17eda24..01ef803 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
@@ -541,6 +975,7 @@ ifdef(`distro_redhat',`
@@ -541,6 +977,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@ -38206,7 +38288,7 @@ index 17eda24..01ef803 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
@@ -550,8 +985,44 @@ ifdef(`distro_redhat',`
@@ -550,8 +987,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@ -38251,7 +38333,7 @@ index 17eda24..01ef803 100644
')
optional_policy(`
@@ -559,14 +1030,31 @@ ifdef(`distro_redhat',`
@@ -559,14 +1032,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -38283,7 +38365,7 @@ index 17eda24..01ef803 100644
')
')
@@ -577,6 +1065,39 @@ ifdef(`distro_suse',`
@@ -577,6 +1067,39 @@ ifdef(`distro_suse',`
')
')
@ -38323,7 +38405,7 @@ index 17eda24..01ef803 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -589,6 +1110,8 @@ optional_policy(`
@@ -589,6 +1112,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -38332,7 +38414,7 @@ index 17eda24..01ef803 100644
')
optional_policy(`
@@ -610,6 +1133,7 @@ optional_policy(`
@@ -610,6 +1135,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@ -38340,7 +38422,7 @@ index 17eda24..01ef803 100644
')
optional_policy(`
@@ -626,6 +1150,17 @@ optional_policy(`
@@ -626,6 +1152,17 @@ optional_policy(`
')
optional_policy(`
@ -38358,7 +38440,7 @@ index 17eda24..01ef803 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -642,9 +1177,13 @@ optional_policy(`
@@ -642,9 +1179,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@ -38372,7 +38454,7 @@ index 17eda24..01ef803 100644
')
optional_policy(`
@@ -657,15 +1196,11 @@ optional_policy(`
@@ -657,15 +1198,11 @@ optional_policy(`
')
optional_policy(`
@ -38390,7 +38472,7 @@ index 17eda24..01ef803 100644
')
optional_policy(`
@@ -686,6 +1221,15 @@ optional_policy(`
@@ -686,6 +1223,15 @@ optional_policy(`
')
optional_policy(`
@ -38406,7 +38488,7 @@ index 17eda24..01ef803 100644
inn_exec_config(initrc_t)
')
@@ -726,6 +1270,7 @@ optional_policy(`
@@ -726,6 +1272,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@ -38414,7 +38496,7 @@ index 17eda24..01ef803 100644
')
optional_policy(`
@@ -743,7 +1288,13 @@ optional_policy(`
@@ -743,7 +1290,13 @@ optional_policy(`
')
optional_policy(`
@ -38429,7 +38511,7 @@ index 17eda24..01ef803 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -766,6 +1317,10 @@ optional_policy(`
@@ -766,6 +1319,10 @@ optional_policy(`
')
optional_policy(`
@ -38440,7 +38522,7 @@ index 17eda24..01ef803 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -775,10 +1330,20 @@ optional_policy(`
@@ -775,10 +1332,20 @@ optional_policy(`
')
optional_policy(`
@ -38461,7 +38543,7 @@ index 17eda24..01ef803 100644
quota_manage_flags(initrc_t)
')
@@ -787,6 +1352,10 @@ optional_policy(`
@@ -787,6 +1354,10 @@ optional_policy(`
')
optional_policy(`
@ -38472,7 +38554,7 @@ index 17eda24..01ef803 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -808,8 +1377,6 @@ optional_policy(`
@@ -808,8 +1379,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -38481,7 +38563,7 @@ index 17eda24..01ef803 100644
')
optional_policy(`
@@ -818,6 +1385,10 @@ optional_policy(`
@@ -818,6 +1387,10 @@ optional_policy(`
')
optional_policy(`
@ -38492,7 +38574,7 @@ index 17eda24..01ef803 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
@@ -827,10 +1398,12 @@ optional_policy(`
@@ -827,10 +1400,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@ -38505,7 +38587,7 @@ index 17eda24..01ef803 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1430,62 @@ optional_policy(`
@@ -857,21 +1432,62 @@ optional_policy(`
')
optional_policy(`
@ -38569,7 +38651,7 @@ index 17eda24..01ef803 100644
')
optional_policy(`
@@ -887,6 +1501,10 @@ optional_policy(`
@@ -887,6 +1503,10 @@ optional_policy(`
')
optional_policy(`
@ -38580,7 +38662,7 @@ index 17eda24..01ef803 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1515,218 @@ optional_policy(`
@@ -897,3 +1517,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@ -51334,7 +51416,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..beadc1e 100644
index 9dc60c6..af8711d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -54636,7 +54718,7 @@ index 9dc60c6..beadc1e 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3435,4 +4628,1799 @@ interface(`userdom_dbus_send_all_users',`
@@ -3435,4 +4628,1817 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@ -54846,6 +54928,24 @@ index 9dc60c6..beadc1e 100644
+
+########################################
+## <summary>
+## dontaudit manage dirs /root
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_manage_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## RW unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">


@ -1275,7 +1275,7 @@ index bd5ec9a..554177c 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
index 3593510..b6a0f70 100644
index 3593510..9617b13 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
@ -1314,7 +1314,7 @@ index 3593510..b6a0f70 100644
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t)
@@ -48,12 +55,15 @@ auth_use_nsswitch(accountsd_t)
auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
@ -1323,7 +1323,15 @@ index 3593510..b6a0f70 100644
logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
@@ -66,9 +73,16 @@ optional_policy(`
logging_set_loginuid(accountsd_t)
+userdom_dontaudit_create_admin_dir(accountsd_t)
+userdom_dontaudit_manage_admin_dir(accountsd_t)
+
userdom_read_user_tmp_files(accountsd_t)
userdom_read_user_home_content_files(accountsd_t)
@@ -66,9 +76,16 @@ optional_policy(`
')
optional_policy(`
@ -12278,7 +12286,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
index 550b287..b824421 100644
index 550b287..1401e7b 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t)
@ -12345,7 +12353,7 @@ index 550b287..b824421 100644
fs_search_cgroup_dirs(certmonger_t)
@@ -68,18 +83,21 @@ auth_rw_cache(certmonger_t)
@@ -68,18 +83,22 @@ auth_rw_cache(certmonger_t)
init_getattr_all_script_files(certmonger_t)
@ -12358,6 +12366,7 @@ index 550b287..b824421 100644
+miscfiles_manage_all_certs(certmonger_t)
+
+systemd_exec_systemctl(certmonger_t)
+systemd_manage_all_unit_files(certmonger_t)
userdom_search_user_home_content(certmonger_t)
@ -12370,7 +12379,7 @@ index 550b287..b824421 100644
')
optional_policy(`
@@ -92,11 +110,60 @@ optional_policy(`
@@ -92,11 +111,60 @@ optional_policy(`
')
optional_policy(`
@ -28930,7 +28939,7 @@ index c62c567..a74f123 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
index 98072a3..e42654a 100644
index 98072a3..a30b953 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@ -28974,7 +28983,7 @@ index 98072a3..e42654a 100644
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
@@ -63,20 +77,25 @@ dev_search_sysfs(firewalld_t)
@@ -63,20 +77,26 @@ dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@ -29004,10 +29013,11 @@ index 98072a3..e42654a 100644
+sysnet_relabelto_net_conf(firewalld_t)
+
+userdom_dontaudit_create_admin_dir(firewalld_t)
+userdom_dontaudit_manage_admin_dir(firewalld_t)
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -95,6 +114,10 @@ optional_policy(`
@@ -95,6 +115,10 @@ optional_policy(`
')
optional_policy(`
@ -38438,16 +38448,20 @@ index 0000000..61f2003
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 0000000..1131ca0
index 0000000..419d280
--- /dev/null
+++ b/ipa.fc
@@ -0,0 +1,21 @@
@@ -0,0 +1,25 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0)
+
+/usr/lib/systemd/system/ipa-ods-exporter.* -- gen_context(system_u:object_r:ipa_ods_exporter_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
+/usr/libexec/ipa/ipa-ods-exporter -- gen_context(system_u:object_r:ipa_ods_exporter_exec_t,s0)
+
+/usr/libexec/ipa/ipa-dnskeysyncd -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
+/usr/libexec/ipa/ipa-dnskeysync-replica -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
+
@ -38706,10 +38720,10 @@ index 0000000..1a30961
+')
diff --git a/ipa.te b/ipa.te
new file mode 100644
index 0000000..81f38fe
index 0000000..e4c5d89
--- /dev/null
+++ b/ipa.te
@@ -0,0 +1,202 @@
@@ -0,0 +1,260 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@ -38730,12 +38744,19 @@ index 0000000..81f38fe
+type ipa_dnskey_exec_t;
+init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t)
+
+type ipa_ods_exporter_t, ipa_domain;
+type ipa_ods_exporter_exec_t;
+init_daemon_domain(ipa_ods_exporter_t, ipa_ods_exporter_exec_t)
+
+type ipa_otpd_unit_file_t;
+systemd_unit_file(ipa_otpd_unit_file_t)
+
+type ipa_dnskey_unit_file_t;
+systemd_unit_file(ipa_dnskey_unit_file_t)
+
+type ipa_ods_exporter_unit_file_t;
+systemd_unit_file(ipa_ods_exporter_unit_file_t)
+
+type ipa_log_t;
+logging_log_file(ipa_log_t)
+
@ -38825,6 +38846,10 @@ index 0000000..81f38fe
+logging_send_syslog_msg(ipa_helper_t)
+
+optional_policy(`
+ dirsrv_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(ipa_helper_t)
+')
+
@ -38912,6 +38937,53 @@ index 0000000..81f38fe
+ opendnssec_manage_var_files(ipa_dnskey_t)
+ opendnssec_filetrans_etc_content(ipa_dnskey_t)
+')
+
+########################################
+#
+# ipa-ods-exporter local policy
+#
+allow ipa_ods_exporter_t self:netlink_route_socket { bind create getattr nlmsg_read };
+allow ipa_ods_exporter_t self:udp_socket { connect create getattr };
+allow ipa_ods_exporter_t self:unix_dgram_socket { create getopt setopt };
+
+manage_files_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t)
+list_dirs_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t)
+
+manage_files_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t)
+manage_dirs_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t)
+files_tmp_filetrans(ipa_ods_exporter_t, ipa_tmp_t, { dir file })
+
+kernel_dgram_send(ipa_ods_exporter_t)
+
+auth_use_nsswitch(ipa_ods_exporter_t)
+
+corecmd_exec_bin(ipa_ods_exporter_t)
+corecmd_exec_shell(ipa_ods_exporter_t)
+
+libs_exec_ldconfig(ipa_ods_exporter_t)
+
+logging_send_syslog_msg(ipa_ods_exporter_t)
+
+miscfiles_read_certs(ipa_ods_exporter_t)
+
+sysnet_read_config(ipa_ods_exporter_t)
+
+optional_policy(`
+ bind_search_cache(ipa_ods_exporter_t)
+')
+
+optional_policy(`
+ dirsrv_stream_connect(ipa_ods_exporter_t)
+')
+
+optional_policy(`
+ opendnssec_manage_var_files(ipa_ods_exporter_t)
+ opendnssec_stream_connect(ipa_ods_exporter_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(ipa_ods_exporter_t)
+')
diff --git a/ipmievd.fc b/ipmievd.fc
new file mode 100644
index 0000000..0f598ca
@ -64126,10 +64198,10 @@ index 0000000..08d0e79
+/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0)
diff --git a/opendnssec.if b/opendnssec.if
new file mode 100644
index 0000000..eac3932
index 0000000..7c08157
--- /dev/null
+++ b/opendnssec.if
@@ -0,0 +1,208 @@
@@ -0,0 +1,228 @@
+
+## <summary>policy for opendnssec</summary>
+
@ -64338,6 +64410,26 @@ index 0000000..eac3932
+
+ files_etc_filetrans($1, opendnssec_conf_t, file)
+')
+
+########################################
+## <summary>
+## Connect to opendnssec over an unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`opendnssec_stream_connect',`
+ gen_require(`
+ type opendnssec_t, opendnssec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t, opendnssec_t)
+')
diff --git a/opendnssec.te b/opendnssec.te
new file mode 100644
index 0000000..e246d45
@ -67604,10 +67696,10 @@ index 0000000..6ae382c
+
diff --git a/oracleasm.te b/oracleasm.te
new file mode 100644
index 0000000..0493b99
index 0000000..14d642b
--- /dev/null
+++ b/oracleasm.te
@@ -0,0 +1,34 @@
@@ -0,0 +1,57 @@
+policy_module(oracleasm, 1.0.0)
+
+########################################
@ -67622,19 +67714,42 @@ index 0000000..0493b99
+type oracleasm_initrc_exec_t;
+init_script_file(oracleasm_initrc_exec_t)
+
+type oracleasm_tmp_t;
+files_tmp_file(oracleasm_tmp_t)
+
+########################################
+#
+# oracleasm local policy
+#
+
+allow oracleasm_t self:capability { fsetid fowner chown };
+allow oracleasm_t self:fifo_file rw_fifo_file_perms;
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+files_tmp_filetrans(oracleasm_t, oracleasm_tmp_t, { file dir })
+
+kernel_read_system_state(oracleasm_t)
+
+auth_read_passwd(oracleasm_t)
+
+dev_rw_sysfs(oracleasm_t)
+
+domain_use_interactive_fds(oracleasm_t)
+
+corecmd_exec_shell(oracleasm_t)
+corecmd_exec_bin(oracleasm_t)
+
+fs_getattr_xattr_fs(oracleasm_t)
+fs_list_oracleasmfs(oracleasm_t)
+fs_getattr_oracleasmfs(oracleasm_t)
+fs_setattr_oracleasmfs(oracleasm_t)
+fs_setattr_oracleasmfs_dirs(oracleasm_t)
+
+storage_raw_read_fixed_disk(oracleasm_t)
+storage_raw_read_removable_device(oracleasm_t)
+
+optional_policy(`
+ mount_domtrans(oracleasm_t)
+')
@ -71162,11 +71277,12 @@ index 0000000..a2cb118
+
diff --git a/pki.fc b/pki.fc
new file mode 100644
index 0000000..e6592ea
index 0000000..b2b20f0
--- /dev/null
+++ b/pki.fc
@@ -0,0 +1,56 @@
@@ -0,0 +1,57 @@
+/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/etc/pki/pki-tomcat/ca/(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
@ -109710,6 +109826,295 @@ index 7745b72..329c3d8 100644
files_search_var(ucspitcp_t)
sysnet_read_config(ucspitcp_t)
diff --git a/udisks2.fc b/udisks2.fc
new file mode 100644
index 0000000..c8aa54d
--- /dev/null
+++ b/udisks2.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/udisks2.* -- gen_context(system_u:object_r:udisks2_unit_file_t,s0)
+
+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:udisks2_exec_t,s0)
+/usr/bin/udisksctl -- gen_context(system_u:object_r:udisks2_exec_t,s0)
+
+/var/lib/udisks2(/.*)? gen_context(system_u:object_r:udisks2_var_lib_t,s0)
+
+/var/run/udisks2(/.*)? gen_context(system_u:object_r:udisks2_var_run_t,s0)
diff --git a/udisks2.if b/udisks2.if
new file mode 100644
index 0000000..45304ea
--- /dev/null
+++ b/udisks2.if
@@ -0,0 +1,206 @@
+## <summary>udisks - Disk Manager</summary>
+
+########################################
+## <summary>
+## Execute udisks2_exec_t in the udisks2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`udisks2_domtrans',`
+ gen_require(`
+ type udisks2_t, udisks2_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, udisks2_exec_t, udisks2_t)
+')
+
+######################################
+## <summary>
+## Execute udisks2 in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_exec',`
+ gen_require(`
+ type udisks2_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, udisks2_exec_t)
+')
+
+########################################
+## <summary>
+## Search udisks2 lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_search_lib',`
+ gen_require(`
+ type udisks2_var_lib_t;
+ ')
+
+ allow $1 udisks2_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read udisks2 lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_read_lib_files',`
+ gen_require(`
+ type udisks2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, udisks2_var_lib_t, udisks2_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage udisks2 lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_manage_lib_files',`
+ gen_require(`
+ type udisks2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, udisks2_var_lib_t, udisks2_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage udisks2 lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_manage_lib_dirs',`
+ gen_require(`
+ type udisks2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, udisks2_var_lib_t, udisks2_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read udisks2 PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udisks2_read_pid_files',`
+ gen_require(`
+ type udisks2_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, udisks2_var_run_t, udisks2_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute udisks2 server in the udisks2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`udisks2_systemctl',`
+ gen_require(`
+ type udisks2_t;
+ type udisks2_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 udisks2_unit_file_t:file read_file_perms;
+ allow $1 udisks2_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, udisks2_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an udisks2 environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udisks2_admin',`
+ gen_require(`
+ type udisks2_t;
+ type udisks2_var_lib_t;
+ type udisks2_var_run_t;
+ type udisks2_unit_file_t;
+ ')
+
+ allow $1 udisks2_t:process { signal_perms };
+ ps_process_pattern($1, udisks2_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 udisks2_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, udisks2_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, udisks2_var_run_t)
+
+ udisks2_systemctl($1)
+ admin_pattern($1, udisks2_unit_file_t)
+ allow $1 udisks2_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/udisks2.te b/udisks2.te
new file mode 100644
index 0000000..5312470
--- /dev/null
+++ b/udisks2.te
@@ -0,0 +1,57 @@
+policy_module(udisks2, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type udisks2_t;
+type udisks2_exec_t;
+init_daemon_domain(udisks2_t, udisks2_exec_t)
+
+type udisks2_var_lib_t;
+files_type(udisks2_var_lib_t)
+
+type udisks2_var_run_t;
+files_pid_file(udisks2_var_run_t)
+
+type udisks2_unit_file_t;
+systemd_unit_file(udisks2_unit_file_t)
+
+########################################
+#
+# udisks2 local policy
+#
+allow udisks2_t self:capability { sys_rawio };
+allow udisks2_t self:unix_stream_socket create_stream_socket_perms;
+allow udisks2_t self:netlink_kobject_uevent_socket { bind create getattr setopt };
+
+manage_dirs_pattern(udisks2_t, udisks2_var_lib_t, udisks2_var_lib_t)
+manage_files_pattern(udisks2_t, udisks2_var_lib_t, udisks2_var_lib_t)
+manage_lnk_files_pattern(udisks2_t, udisks2_var_lib_t, udisks2_var_lib_t)
+files_var_lib_filetrans(udisks2_t, udisks2_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(udisks2_t, udisks2_var_run_t, udisks2_var_run_t)
+manage_files_pattern(udisks2_t, udisks2_var_run_t, udisks2_var_run_t)
+manage_lnk_files_pattern(udisks2_t, udisks2_var_run_t, udisks2_var_run_t)
+files_pid_filetrans(udisks2_t, udisks2_var_run_t, { dir file lnk_file })
+
+kernel_read_system_state(udisks2_t)
+
+auth_use_nsswitch(udisks2_t)
+
+dev_read_sysfs(udisks2_t)
+
+logging_send_syslog_msg(udisks2_t)
+
+storage_raw_read_fixed_disk(udisks2_t)
+
+udev_read_db(udisks2_t)
+
+optional_policy(`
+ dbus_system_bus_client(udisks2_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(udisks2_t)
+')
diff --git a/ulogd.if b/ulogd.if
index 9b95c3e..a892845 100644
--- a/ulogd.if
@ -111153,10 +111558,10 @@ index 3d11c6a..b19a117 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
index a4f20bc..d8b1fd1 100644
index a4f20bc..f3d5b04 100644
--- a/virt.fc
+++ b/virt.fc
@@ -1,51 +1,109 @@
@@ -1,51 +1,111 @@
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@ -111299,6 +111704,8 @@ index a4f20bc..d8b1fd1 100644
+
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
+
+/var/lib/kubelet(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
+
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+
@ -113392,7 +113799,7 @@ index facdee8..816d860 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
index f03dcf5..25d26d4 100644
index f03dcf5..a4e5bf6 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,402 @@
@ -114974,7 +115381,7 @@ index f03dcf5..25d26d4 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1258,355 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -974,194 +1258,357 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -114984,22 +115391,24 @@ index f03dcf5..25d26d4 100644
+sysnet_exec_ifconfig(virtd_lxc_t)
-auth_use_nsswitch(virtd_lxc_t)
+userdom_read_admin_home_files(virtd_lxc_t)
+systemd_dbus_chat_machined(virtd_lxc_t)
-logging_send_syslog_msg(virtd_lxc_t)
+userdom_read_admin_home_files(virtd_lxc_t)
-miscfiles_read_localization(virtd_lxc_t)
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
-miscfiles_read_localization(virtd_lxc_t)
-seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
+ optional_policy(`
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
-seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
+
+optional_policy(`
+ docker_exec_lib(virtd_lxc_t)
+')
@ -115223,20 +115632,18 @@ index f03dcf5..25d26d4 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+
+optional_policy(`
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
+ gear_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ gear_read_pid_files(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
+
@ -115270,9 +115677,11 @@ index f03dcf5..25d26d4 100644
+ fs_manage_fusefs_dirs(svirt_sandbox_domain)
+ fs_manage_fusefs_files(svirt_sandbox_domain)
+ fs_manage_fusefs_symlinks(svirt_sandbox_domain)
+')
+
+optional_policy(`
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
+ docker_read_share_files(svirt_sandbox_domain)
+ docker_exec_share_files(svirt_sandbox_domain)
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
@ -115471,7 +115880,7 @@ index f03dcf5..25d26d4 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1619,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1621,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -115486,7 +115895,7 @@ index f03dcf5..25d26d4 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,7 +1637,7 @@ optional_policy(`
@@ -1192,7 +1639,7 @@ optional_policy(`
########################################
#
@ -115495,7 +115904,7 @@ index f03dcf5..25d26d4 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
@@ -1201,11 +1646,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1201,11 +1648,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
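Review bot: The new pki.fc entry `/etc/pki/pki-tomcat/ca/(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)` has a stray `/` before the `(/.*)?` group, so the regex only matches the literal string `/etc/pki/pki-tomcat/ca/` or paths with a doubled slash (`ca//foo`); the directory `/etc/pki/pki-tomcat/ca` and everything below it keep falling through to the preceding `/etc/pki/pki-tomcat(/.*)?` rule and stay pki_tomcat_etc_rw_t, so the CA-material separation the changelog advertises is never applied. The line should read `/etc/pki/pki-tomcat/ca(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)`, which can be confirmed with `matchpathcon /etc/pki/pki-tomcat/ca/foo` after the module is reloaded. As a secondary least-privilege note, `systemd_manage_all_unit_files(certmonger_t)` in the certmonger.te hunk lets a daemon that parses network-supplied CA responses rewrite every unit file on the system; if certmonger only needs to restart a fixed set of services after renewal, the narrower per-service `*_systemctl()` interfaces would be the safer grant.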


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 210%{?dist}
Release: 211%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -648,6 +648,23 @@ exit 0
%endif
%changelog
* Thu Aug 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-211
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow systemd-machined to communicate to lxc container using dbus
- Dontaudit accountsd domain creating dirs in /root
- Add new policy for Disk Manager called udisks2
- Dontaudit firewalld wants write to /root
- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t
- Allow certmonger to manage all systemd unit files
- Allow ipa_helper_t stream connect to dirsrv_t domain
- Update oracleasm SELinux module
- label /var/lib/kubelet as svirt_sandbox_file_t
- Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280)
- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness
- Add new userdom_dontaudit_manage_admin_dir() interface
- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type
* Tue Aug 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-210
- Add few interfaces to cloudform.if file
- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module