Fix docker policy

2013-12-16 12:25:11 +01:00 · 2013-12-16 12:25:11 +01:00 · 1fe4113ea7
commit 1fe4113ea7
parent c9394c3ea7
1 changed files with 169 additions and 110 deletions
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -2011,7 +2011,7 @@ index 7f4dfbc..e5c9f45 100644
 /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
 diff --git a/amanda.te b/amanda.te
-index 519051c..52f2c41 100644
+index 519051c..f5784a5 100644
 --- a/amanda.te
 +++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@ -2049,7 +2049,7 @@ index 519051c..52f2c41 100644
 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
 corecmd_exec_shell(amanda_t)
 corecmd_exec_bin(amanda_t)
@ -2061,11 +2061,12 @@ index 519051c..52f2c41 100644
 corenet_tcp_bind_generic_node(amanda_t)
 +corenet_tcp_bind_amanda_port(amanda_t)
 +corenet_udp_bind_amanda_port(amanda_t)
 +
 corenet_sendrecv_all_server_packets(amanda_t)
 corenet_tcp_bind_all_rpc_ports(amanda_t)
 corenet_tcp_bind_generic_port(amanda_t)
-@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
 dev_getattr_all_blk_files(amanda_t)
 dev_getattr_all_chr_files(amanda_t)
@ -2073,7 +2074,7 @@ index 519051c..52f2c41 100644
 files_read_etc_runtime_files(amanda_t)
 files_list_all(amanda_t)
-@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t)
 corecmd_exec_shell(amanda_recover_t)
 corecmd_exec_bin(amanda_recover_t)
@ -2081,7 +2082,7 @@ index 519051c..52f2c41 100644
 corenet_all_recvfrom_netlabel(amanda_recover_t)
 corenet_tcp_sendrecv_generic_if(amanda_recover_t)
 corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +200,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t)
 auth_use_nsswitch(amanda_recover_t)
@ -9709,10 +9710,10 @@ index 0000000..23a4f86
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..8d91220
+index 0000000..8c82398
 --- /dev/null
 +++ b/bumblebee.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,44 @@
 +policy_module(bumblebee, 1.0.0)
 +
 +########################################
@ -9751,15 +9752,12 @@ index 0000000..8d91220
 +
 +dev_read_sysfs(bumblebee_t)
 +
-+domain_use_interactive_fds(bumblebee_t)
+auth_read_passwd(bumblebee_t)
 +
 +files_read_etc_files(bumblebee_t)
 +
 +logging_send_syslog_msg(bumblebee_t)
 +
 +modutils_domtrans_insmod(bumblebee_t)
 +
 +miscfiles_read_localization(bumblebee_t)
 diff --git a/cachefilesd.fc b/cachefilesd.fc
 index 648c790..aa03fc8 100644
 --- a/cachefilesd.fc
@ -22511,7 +22509,7 @@ index 0000000..d856375
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..85e2ddb
+index 0000000..c5b0dcd
 --- /dev/null
 +++ b/docker.te
@@ -0,0 +1,145 @@
@ -22615,7 +22613,7 @@ index 0000000..85e2ddb
 +allow docker_t self:netlink_route_socket nlmsg_write;
 +allow docker_t self:netlink_audit_socket create_netlink_perms;
 +allow docker_t self:unix_dgram_socket create_socket_perms;
-+allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }
+allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +allow docker_t docker_var_lib_t:dir mounton;
 +allow docker_t docker_var_lib_t:chr_file mounton;
@ -89790,7 +89788,7 @@ index 3dd87da..0d13384 100644
 -/var/lib/tftpboot(/.*)?	gen_context(system_u:object_r:tftpdir_rw_t,s0)
 +/var/lib/tftpboot(/.*)?		gen_context(system_u:object_r:tftpdir_rw_t,s0)
 diff --git a/tftp.if b/tftp.if
-index 9957e30..cf0b925 100644
+index 9957e30..cd21321 100644
 --- a/tftp.if
 +++ b/tftp.if
@@ -1,8 +1,8 @@
@ -89852,16 +89850,16 @@ index 9957e30..cf0b925 100644
 ########################################
 ## <summary>
 -##	Read tftpd configuration files.
-+##	Manage tftp /var/lib files.
+##	Allow read tftp /var/lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -53,19 +54,19 @@ interface(`tftp_manage_rw_content',`
+@@ -53,19 +54,18 @@ interface(`tftp_manage_rw_content',`
 ##	</summary>
 ## </param>
 #
 -interface(`tftp_read_config_files',`
-+interface(`tftp_manage_rw_content',`
+interface(`tftp_read_rw_content',`
 	gen_require(`
 -		type tftpd_conf_t;
 +		type tftpdir_rw_t;
@ -89870,52 +89868,84 @@ index 9957e30..cf0b925 100644
 -	files_search_etc($1)
 -	allow $1 tftpd_conf_t:file read_file_perms;
 +	files_search_var_lib($1)
-+	manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+	read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 +	manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 ')
 ########################################
 ## <summary>
 -##	Create, read, write, and delete
 -##	tftpd configuration files.
-+##	Read tftp config files.
+##	Allow write tftp /var/lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -73,55 +74,44 @@ interface(`tftp_read_config_files',`
+@@ -73,55 +73,83 @@ interface(`tftp_read_config_files',`
 ##	</summary>
 ## </param>
 #
 -interface(`tftp_manage_config_files',`
-+interface(`tftp_read_config',`
+interface(`tftp_write_rw_content',`
 	gen_require(`
 -		type tftpd_conf_t;
-+		type tftpd_etc_t;
+		type tftpdir_rw_t;
 	')
 -	files_search_etc($1)
 -	allow $1 tftpd_conf_t:file manage_file_perms;
-+	read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
+	files_search_var_lib($1)
 +	write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 ')
 ########################################
 ## <summary>
 -##	Create objects in etc directories
 -##	with tftp conf type.
-+##	Manage tftp config files.
+##	Manage tftp /var/lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 -##	Domain allowed to transition.
-##	</summary>
+##	Domain allowed access.
-## </param>
+ ##	</summary>
 ## </param>
 -## <param name="object_class">
-##	<summary>
+#
 +interface(`tftp_manage_rw_content',`
 +	gen_require(`
 +		type tftpdir_rw_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 +	manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read tftp config files.
 +## </summary>
 +## <param name="domain">
 ##	<summary>
 -##	Class of the object being created.
-##	</summary>
+##	Domain allowed access.
-## </param>
+ ##	</summary>
 ## </param>
 -## <param name="name" optional="true">
-##	<summary>
+#
 +interface(`tftp_read_config',`
 +	gen_require(`
 +		type tftpd_etc_t;
 +	')
 +
 +	read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage tftp config files.
 +## </summary>
 +## <param name="domain">
 ##	<summary>
 -##	The name of the object being created.
 +##	Domain allowed access.
 ##	</summary>
@ -89949,7 +89979,7 @@ index 9957e30..cf0b925 100644
 ##	<summary>
 ##	Private file type.
 ##	</summary>
-@@ -131,25 +121,38 @@ interface(`tftp_etc_filetrans_config',`
+@@ -131,25 +159,38 @@ interface(`tftp_etc_filetrans_config',`
 ##	Class of the object being created.
 ##	</summary>
 ## </param>
@ -89996,7 +90026,7 @@ index 9957e30..cf0b925 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -161,18 +164,22 @@ interface(`tftp_filetrans_tftpdir',`
+@@ -161,18 +202,22 @@ interface(`tftp_filetrans_tftpdir',`
 interface(`tftp_admin',`
 	gen_require(`
 		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
@ -95177,10 +95207,10 @@ index facdee8..43128c6 100644
 +	virt_stream_connect($1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..d58e3de 100644
+index f03dcf5..6771aec 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -1,150 +1,176 @@
+@@ -1,150 +1,190 @@
 -policy_module(virt, 1.7.4)
 +policy_module(virt, 1.5.0)
@ -95318,11 +95348,6 @@ index f03dcf5..d58e3de 100644
 -attribute virt_image_type;
 -attribute virt_tmp_type;
 -attribute virt_tmpfs_type;
 -
 -attribute svirt_lxc_domain;
 -
 -attribute_role virt_domain_roles;
 -roleattribute system_r virt_domain_roles;
 +## <desc>
 +## <p>
 +## Allow confined virtual guests to use usb devices
@ -95330,6 +95355,23 @@ index f03dcf5..d58e3de 100644
 +## </desc>
 +gen_tunable(virt_use_usb, true)
 -attribute svirt_lxc_domain;
 +## <desc>
 +## <p>
 +## Allow sandbox containers to use netlink system calls
 +## </p>
 +## </desc>
 +gen_tunable(virt_sandbox_use_netlink, false)
 -attribute_role virt_domain_roles;
 -roleattribute system_r virt_domain_roles;
 +## <desc>
 +## <p>
 +## Allow sandbox containers to send audit messages
 +## </p>
 +## </desc>
 +gen_tunable(virt_sandbox_use_audit, false)
 -attribute_role virt_bridgehelper_roles;
 -roleattribute system_r virt_bridgehelper_roles;
 +virt_domain_template(svirt)
@ -95430,7 +95472,7 @@ index f03dcf5..d58e3de 100644
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
 ')
-@@ -153,299 +179,144 @@ ifdef(`enable_mls',`
+@@ -153,299 +193,144 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
 ')
@ -95731,13 +95773,13 @@ index f03dcf5..d58e3de 100644
 -corenet_udp_sendrecv_all_ports(svirt_t)
 -corenet_tcp_bind_generic_node(svirt_t)
 -corenet_udp_bind_generic_node(svirt_t)
-+allow svirt_tcg_t self:process { execmem execstack };
+-
 +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
 -corenet_sendrecv_all_server_packets(svirt_t)
 -corenet_udp_bind_all_ports(svirt_t)
 -corenet_tcp_bind_all_ports(svirt_t)
-
+allow svirt_tcg_t self:process { execmem execstack };
 +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
 -corenet_sendrecv_all_client_packets(svirt_t)
 -corenet_tcp_connect_all_ports(svirt_t)
 +corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@ -95816,7 +95858,7 @@ index f03dcf5..d58e3de 100644
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +326,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +340,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -95863,29 +95905,29 @@ index f03dcf5..d58e3de 100644
 logging_log_filetrans(virtd_t, virt_log_t, { file dir })
 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,16 +361,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,16 +375,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 -
 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 -
 -can_exec(virtd_t, virt_tmp_t)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 -
 -can_exec(virtd_t, virt_tmp_t)
 -
 -kernel_read_crypto_sysctls(virtd_t)
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
-@@ -520,6 +374,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -520,6 +388,7 @@ kernel_read_kernel_sysctls(virtd_t)
 kernel_request_load_module(virtd_t)
 kernel_search_debugfs(virtd_t)
 kernel_setsched(virtd_t)
@ -95893,7 +95935,7 @@ index f03dcf5..d58e3de 100644
 corecmd_exec_bin(virtd_t)
 corecmd_exec_shell(virtd_t)
-@@ -527,24 +382,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +396,16 @@ corecmd_exec_shell(virtd_t)
 corenet_all_recvfrom_netlabel(virtd_t)
 corenet_tcp_sendrecv_generic_if(virtd_t)
 corenet_tcp_sendrecv_generic_node(virtd_t)
@ -95921,7 +95963,7 @@ index f03dcf5..d58e3de 100644
 dev_rw_sysfs(virtd_t)
 dev_read_urand(virtd_t)
 dev_read_rand(virtd_t)
-@@ -555,22 +402,27 @@ dev_rw_vhost(virtd_t)
+@@ -555,22 +416,27 @@ dev_rw_vhost(virtd_t)
 dev_setattr_generic_usb_dev(virtd_t)
 dev_relabel_generic_usb_dev(virtd_t)
@ -95954,7 +95996,7 @@ index f03dcf5..d58e3de 100644
 fs_rw_anon_inodefs_files(virtd_t)
 fs_list_inotifyfs(virtd_t)
 fs_manage_cgroup_dirs(virtd_t)
-@@ -601,15 +453,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +467,18 @@ term_use_ptmx(virtd_t)
 auth_use_nsswitch(virtd_t)
@ -95974,7 +96016,7 @@ index f03dcf5..d58e3de 100644
 selinux_validate_context(virtd_t)
-@@ -620,18 +475,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +489,26 @@ seutil_read_file_contexts(virtd_t)
 sysnet_signull_ifconfig(virtd_t)
 sysnet_signal_ifconfig(virtd_t)
 sysnet_domtrans_ifconfig(virtd_t)
@ -96011,7 +96053,7 @@ index f03dcf5..d58e3de 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +503,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +517,7 @@ tunable_policy(`virt_use_nfs',`
 ')
 tunable_policy(`virt_use_samba',`
@ -96020,7 +96062,7 @@ index f03dcf5..d58e3de 100644
 	fs_manage_cifs_files(virtd_t)
 	fs_read_cifs_symlinks(virtd_t)
 ')
-@@ -665,20 +528,12 @@ optional_policy(`
+@@ -665,20 +542,12 @@ optional_policy(`
 	')
 	optional_policy(`
@ -96041,7 +96083,7 @@ index f03dcf5..d58e3de 100644
 ')
 optional_policy(`
-@@ -691,20 +546,26 @@ optional_policy(`
+@@ -691,20 +560,26 @@ optional_policy(`
 	dnsmasq_kill(virtd_t)
 	dnsmasq_signull(virtd_t)
 	dnsmasq_create_pid_dirs(virtd_t)
@ -96072,7 +96114,7 @@ index f03dcf5..d58e3de 100644
 ')
 optional_policy(`
-@@ -712,11 +573,13 @@ optional_policy(`
+@@ -712,11 +587,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -96086,7 +96128,7 @@ index f03dcf5..d58e3de 100644
 	policykit_domtrans_auth(virtd_t)
 	policykit_domtrans_resolve(virtd_t)
 	policykit_read_lib(virtd_t)
-@@ -727,10 +590,18 @@ optional_policy(`
+@@ -727,10 +604,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -96105,7 +96147,7 @@ index f03dcf5..d58e3de 100644
 	kernel_read_xen_state(virtd_t)
 	kernel_write_xen_state(virtd_t)
-@@ -746,44 +617,264 @@ optional_policy(`
+@@ -746,44 +631,264 @@ optional_policy(`
 	udev_read_pid_files(virtd_t)
 ')
@ -96205,7 +96247,7 @@ index f03dcf5..d58e3de 100644
 -can_exec(virsh_t, virsh_exec_t)
 +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-+
+ 
 +corecmd_exec_bin(virt_domain)
 +corecmd_exec_shell(virt_domain)
 +
@ -96217,7 +96259,7 @@ index f03dcf5..d58e3de 100644
 +corenet_tcp_bind_virt_migration_port(virt_domain)
 +corenet_tcp_connect_virt_migration_port(virt_domain)
 +corenet_rw_inherited_tun_tap_dev(virt_domain)
- 
+
 +dev_list_sysfs(virt_domain)
 +dev_getattr_fs(virt_domain)
 +dev_dontaudit_getattr_all(virt_domain)
@ -96392,7 +96434,7 @@ index f03dcf5..d58e3de 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +885,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +899,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -96419,7 +96461,7 @@ index f03dcf5..d58e3de 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +905,23 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +919,23 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -96452,7 +96494,7 @@ index f03dcf5..d58e3de 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +940,20 @@ optional_policy(`
+@@ -856,14 +954,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -96474,7 +96516,7 @@ index f03dcf5..d58e3de 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -888,49 +978,65 @@ optional_policy(`
+@@ -888,49 +992,65 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -96558,7 +96600,7 @@ index f03dcf5..d58e3de 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1048,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1062,16 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -96578,7 +96620,7 @@ index f03dcf5..d58e3de 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1069,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1083,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -96602,7 +96644,7 @@ index f03dcf5..d58e3de 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1094,246 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1108,256 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -96729,11 +96771,6 @@ index f03dcf5..d58e3de 100644
 +userdom_use_inherited_user_terminals(svirt_sandbox_domain)
 +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
 +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
 +
 +optional_policy(`
 +	apache_exec_modules(svirt_sandbox_domain)
 +	apache_read_sys_content(svirt_sandbox_domain)
 +')
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@ -96818,17 +96855,22 @@ index f03dcf5..d58e3de 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+	apache_exec_modules(svirt_sandbox_domain)
 +	apache_read_sys_content(svirt_sandbox_domain)
 +')
 optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
-+	ssh_use_ptys(svirt_sandbox_domain)
+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 ')
 optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
 +	ssh_use_ptys(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
 +	udev_read_pid_files(svirt_sandbox_domain)
 +')
 +
@ -96853,15 +96895,14 @@ index f03dcf5..d58e3de 100644
 -allow svirt_lxc_net_t self:packet_socket create_socket_perms;
 -allow svirt_lxc_net_t self:socket create_socket_perms;
 -allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
-+allow svirt_lxc_net_t self:process { execstack execmem };
+-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+-
 -kernel_read_network_state(svirt_lxc_net_t)
 -kernel_read_irq_sysctls(svirt_lxc_net_t)
-
+allow svirt_lxc_net_t self:process { execstack execmem };
 -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
 -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
 -corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
@ -96872,13 +96913,18 @@ index f03dcf5..d58e3de 100644
 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 -corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
+tunable_policy(`virt_sandbox_use_netlink',`
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+	allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 +	allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +	allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +')
 -corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
 -corenet_udp_bind_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
 +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
 -corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
 -corenet_tcp_connect_all_ports(svirt_lxc_net_t)
 +kernel_read_irq_sysctls(svirt_lxc_net_t)
@ -96896,22 +96942,25 @@ index f03dcf5..d58e3de 100644
 fs_manage_cgroup_dirs(svirt_lxc_net_t)
 -fs_rw_cgroup_files(svirt_lxc_net_t)
 +fs_manage_cgroup_files(svirt_lxc_net_t)
-+
+ 
 -auth_use_nsswitch(svirt_lxc_net_t)
 +term_pty(svirt_sandbox_file_t)
- auth_use_nsswitch(svirt_lxc_net_t)
+-logging_send_audit_msgs(svirt_lxc_net_t)
 +auth_use_nsswitch(svirt_lxc_net_t)
 -userdom_use_user_ptys(svirt_lxc_net_t)
 +rpm_read_db(svirt_lxc_net_t)
 +
 logging_send_audit_msgs(svirt_lxc_net_t)
 userdom_use_user_ptys(svirt_lxc_net_t)
 -optional_policy(`
 -	rpm_read_db(svirt_lxc_net_t)
-')
+tunable_policy(`virt_sandbox_use_audit',`
-
+	logging_send_audit_msgs(svirt_lxc_net_t)
 ')
 -#######################################
 +userdom_use_user_ptys(svirt_lxc_net_t)
 +
 +########################################
 #
 -# Prot exec local policy
@ -96923,9 +96972,12 @@ index f03dcf5..d58e3de 100644
 +allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
 +dontaudit svirt_qemu_net_t self:capability2 block_suspend;
 +allow svirt_qemu_net_t self:process { execstack execmem };
 +
 +tunable_policy(`virt_sandbox_use_netlink',`
 +	allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
 +	allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +	allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +')
 +
 +manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
 +manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
@ -96947,13 +96999,13 @@ index f03dcf5..d58e3de 100644
 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
 +
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
- 
+
 -allow svirt_prot_exec_t self:process { execmem execstack };
 +dev_read_sysfs(svirt_qemu_net_t)
 +dev_getattr_mtrr_dev(svirt_qemu_net_t)
 +dev_read_rand(svirt_qemu_net_t)
 +dev_read_urand(svirt_qemu_net_t)
-+
+ 
 -allow svirt_prot_exec_t self:process { execmem execstack };
 +files_read_kernel_modules(svirt_qemu_net_t)
 +
 +fs_noxattr_type(svirt_sandbox_file_t)
@ -96967,7 +97019,9 @@ index f03dcf5..d58e3de 100644
 +
 +rpm_read_db(svirt_qemu_net_t)
 +
 +tunable_policy(`virt_sandbox_use_audit',`
 +	logging_send_audit_msgs(svirt_qemu_net_t)
 +')
 +
 +userdom_use_user_ptys(svirt_qemu_net_t)
@ -96985,7 +97039,7 @@ index f03dcf5..d58e3de 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1346,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1370,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -97000,7 +97054,7 @@ index f03dcf5..d58e3de 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,9 +1364,8 @@ optional_policy(`
+@@ -1192,9 +1388,8 @@ optional_policy(`
 ########################################
 #
@ -97011,7 +97065,7 @@ index f03dcf5..d58e3de 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1378,193 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1402,198 @@ kernel_read_network_state(virt_bridgehelper_t)
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@ -97148,9 +97202,12 @@ index f03dcf5..d58e3de 100644
 +
 +allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
 +dontaudit svirt_kvm_net_t self:capability2 block_suspend;
 +
 +tunable_policy(`virt_sandbox_use_netlink',`
 +	allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
 +	allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +	allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +')
 +
 +term_use_generic_ptys(svirt_kvm_net_t)
 +term_use_ptmx(svirt_kvm_net_t)
@ -97185,7 +97242,9 @@ index f03dcf5..d58e3de 100644
 +
 +rpm_read_db(svirt_kvm_net_t)
 +
 +tunable_policy(`virt_sandbox_use_audit',`
 +	logging_send_audit_msgs(svirt_kvm_net_t)
 +')
 +
 +userdom_use_user_ptys(svirt_kvm_net_t)
 +