* Fri Nov 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-301

- Merge pull request #37 from milosmalik/rawhide - Allow mozilla_plugin_t domain to dbus chat with devicekit - Dontaudit leaked logwatch pipes - Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon. - Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546) - Allow chronyd daemon to execute chronyc. BZ(1507478) - Allow pdns to read network system state BZ(1507244) - Allow gssproxy to read network system state Resolves: rhbz#1507191 - Allow nfsd_t domain to read configfs_t files/dirs - Allow tgtd_t domain to read generic certs - Allow ptp4l to send msgs via dgram socket to unprivileged user domains - Allow dirsrv_snmp_t to use inherited user ptys and read system state - Allow glusterd_t domain to create own tmpfs dirs/files - Allow keepalived stream connect to snmp
2017-11-03 13:17:33 +01:00 · 2017-11-03 13:17:33 +01:00 · 4c1c744cdd
parent ba9b7318d9
commit 4c1c744cdd
4 changed files with 184 additions and 102 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -50199,10 +50199,10 @@ index 000000000..5871e072d
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 000000000..5033e0eb6
+index 000000000..bb880db4a
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1039 @@
+@@ -0,0 +1,1040 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -50272,6 +50272,7 @@ index 000000000..5033e0eb6
 +
 +type systemd_resolved_var_run_t;
 +files_pid_file(systemd_resolved_var_run_t)
+files_mountpoint(systemd_resolved_var_run_t)
 +
 +type systemd_resolved_unit_file_t;
 +systemd_unit_file(systemd_resolved_unit_file_t)
@ -58380,7 +58381,7 @@ index e79d54501..101086d66 100644
 ')
 
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e9131723..dc1c884fe 100644
+index 6e9131723..528c5d2d1 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@ -58389,7 +58390,7 @@ index 6e9131723..dc1c884fe 100644
 #
 -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
 -
-+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket dccp_socket }')
 
 #
 # Datagram socket classes.
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -5626,7 +5626,7 @@ index f6eb4851f..3628a384f 100644
 +    allow $1 httpd_t:process { noatsecure };
 ')
 diff --git a/apache.te b/apache.te
-index 6649962b6..cb95398ea 100644
+index 6649962b6..3db9df9f9 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -6345,7 +6345,7 @@ index 6649962b6..cb95398ea 100644
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -450,140 +571,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +571,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 
@ -6412,6 +6412,7 @@ index 6649962b6..cb95398ea 100644
 -fs_search_auto_mountpoints(httpd_t)
 +fs_rw_anon_inodefs_files(httpd_t)
 +fs_rw_hugetlbfs_files(httpd_t)
+fs_exec_hugetlbfs_files(httpd_t)
 +fs_list_inotifyfs(httpd_t)
 +
 +auth_use_nsswitch(httpd_t)
@ -6588,7 +6589,7 @@ index 6649962b6..cb95398ea 100644
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +754,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
 ')
 
@ -6648,7 +6649,7 @@ index 6649962b6..cb95398ea 100644
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +806,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
@ -6751,7 +6752,7 @@ index 6649962b6..cb95398ea 100644
 ')
 
 tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +865,48 @@ tunable_policy(`httpd_setrlimit',`
 
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6832,7 +6833,7 @@ index 6649962b6..cb95398ea 100644
 ')
 
 optional_policy(`
-@@ -749,24 +917,32 @@ optional_policy(`
+@@ -749,24 +918,32 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6871,7 +6872,7 @@ index 6649962b6..cb95398ea 100644
 ')
 
 optional_policy(`
-@@ -775,6 +951,10 @@ optional_policy(`
+@@ -775,6 +952,10 @@ optional_policy(`
 	tunable_policy(`httpd_dbus_avahi',`
 		avahi_dbus_chat(httpd_t)
 	')
@ -6882,7 +6883,7 @@ index 6649962b6..cb95398ea 100644
 ')
 
 optional_policy(`
-@@ -786,35 +966,62 @@ optional_policy(`
+@@ -786,35 +967,62 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6958,7 +6959,7 @@ index 6649962b6..cb95398ea 100644
 
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1029,31 @@ optional_policy(`
+@@ -822,8 +1030,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6990,7 +6991,7 @@ index 6649962b6..cb95398ea 100644
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1062,8 @@ optional_policy(`
+@@ -832,6 +1063,8 @@ optional_policy(`
 
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -6999,7 +7000,7 @@ index 6649962b6..cb95398ea 100644
 ')
 
 optional_policy(`
-@@ -842,20 +1074,48 @@ optional_policy(`
+@@ -842,20 +1075,48 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -7054,7 +7055,7 @@ index 6649962b6..cb95398ea 100644
 ')
 
 optional_policy(`
-@@ -863,16 +1123,31 @@ optional_policy(`
+@@ -863,16 +1124,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -7088,7 +7089,7 @@ index 6649962b6..cb95398ea 100644
 ')
 
 optional_policy(`
-@@ -883,65 +1158,189 @@ optional_policy(`
+@@ -883,65 +1159,189 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
 
@ -7300,7 +7301,7 @@ index 6649962b6..cb95398ea 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
 
-@@ -950,123 +1349,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1350,75 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
 
@ -7454,7 +7455,7 @@ index 6649962b6..cb95398ea 100644
 	mysql_read_config(httpd_suexec_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1434,107 @@ optional_policy(`
+@@ -1083,172 +1435,107 @@ optional_policy(`
 	')
 ')
 
@ -7692,7 +7693,7 @@ index 6649962b6..cb95398ea 100644
 ')
 
 tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1542,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1543,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 
 tunable_policy(`httpd_use_cifs',`
@ -7790,7 +7791,7 @@ index 6649962b6..cb95398ea 100644
 
 ########################################
 #
-@@ -1321,8 +1617,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1618,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 
 optional_policy(`
@ -7807,7 +7808,7 @@ index 6649962b6..cb95398ea 100644
 ')
 
 ########################################
-@@ -1330,49 +1633,43 @@ optional_policy(`
+@@ -1330,49 +1634,43 @@ optional_policy(`
 # User content local policy
 #
 
@ -7876,7 +7877,7 @@ index 6649962b6..cb95398ea 100644
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1679,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1680,109 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)
 
@ -13908,7 +13909,7 @@ index 32e8265c2..508f3b84f 100644
 +    roleattribute $2 chronyc_roles;
 ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c29..89ecee1f7 100644
+index e5b621c29..47b5fe7e4 100644
 --- a/chronyd.te
 +++ b/chronyd.te
@@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0)
@ -13967,17 +13968,19 @@ index e5b621c29..89ecee1f7 100644
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
 manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
 fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
-@@ -61,6 +82,9 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
+@@ -61,6 +82,11 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(chronyd_t)
 kernel_read_network_state(chronyd_t)
 +kernel_request_load_module(chronyd_t)
 +
+can_exec(chronyd_t,chronyc_exec_t)
+
 +clock_read_adjtime(chronyd_t)
 
 corenet_all_recvfrom_unlabeled(chronyd_t)
 corenet_all_recvfrom_netlabel(chronyd_t)
-@@ -76,18 +100,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +102,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
 
@ -22724,7 +22727,7 @@ index 83bfda6ed..92d9fb2e7 100644
 	domain_system_change_exemption($1)
 	role_transition $2 cyrus_initrc_exec_t system_r;
 diff --git a/cyrus.te b/cyrus.te
-index 4283f2de2..fe348758e 100644
+index 4283f2de2..c29c47501 100644
 --- a/cyrus.te
 +++ b/cyrus.te
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
@ -22736,9 +22739,11 @@ index 4283f2de2..fe348758e 100644
 dontaudit cyrus_t self:capability sys_tty_config;
 allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow cyrus_t self:process setrlimit;
-@@ -63,12 +63,12 @@ kernel_read_kernel_sysctls(cyrus_t)
+@@ -62,13 +62,14 @@ files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file })
+ kernel_read_kernel_sysctls(cyrus_t)
 kernel_read_system_state(cyrus_t)
 kernel_read_all_sysctls(cyrus_t)
+kernel_read_network_state(cyrus_t)
 
 -corenet_all_recvfrom_unlabeled(cyrus_t)
 corenet_all_recvfrom_netlabel(cyrus_t)
@ -22750,7 +22755,7 @@ index 4283f2de2..fe348758e 100644
 
 corenet_sendrecv_mail_server_packets(cyrus_t)
 corenet_tcp_bind_mail_port(cyrus_t)
-@@ -76,6 +76,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
+@@ -76,6 +77,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
 corenet_sendrecv_lmtp_server_packets(cyrus_t)
 corenet_tcp_bind_lmtp_port(cyrus_t)
 
@ -22760,7 +22765,7 @@ index 4283f2de2..fe348758e 100644
 corenet_sendrecv_pop_server_packets(cyrus_t)
 corenet_tcp_bind_pop_port(cyrus_t)
 
-@@ -95,8 +98,6 @@ domain_use_interactive_fds(cyrus_t)
+@@ -95,8 +99,6 @@ domain_use_interactive_fds(cyrus_t)
 
 files_list_var_lib(cyrus_t)
 files_read_etc_runtime_files(cyrus_t)
@ -22769,7 +22774,7 @@ index 4283f2de2..fe348758e 100644
 
 fs_getattr_all_fs(cyrus_t)
 fs_search_auto_mountpoints(cyrus_t)
-@@ -107,7 +108,6 @@ libs_exec_lib_files(cyrus_t)
+@@ -107,7 +109,6 @@ libs_exec_lib_files(cyrus_t)
 
 logging_send_syslog_msg(cyrus_t)
 
@ -22777,7 +22782,7 @@ index 4283f2de2..fe348758e 100644
 miscfiles_read_generic_certs(cyrus_t)
 
 userdom_use_unpriv_users_fds(cyrus_t)
-@@ -121,6 +121,14 @@ optional_policy(`
+@@ -121,6 +122,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -22792,7 +22797,7 @@ index 4283f2de2..fe348758e 100644
 	kerberos_read_keytab(cyrus_t)
 	kerberos_use(cyrus_t)
 ')
-@@ -134,8 +142,8 @@ optional_policy(`
+@@ -134,8 +143,8 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -26230,10 +26235,10 @@ index 000000000..b3784d85d
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 000000000..f068532e7
+index 000000000..58a8bf4fd
 --- /dev/null
 +++ b/dirsrv.te
-@@ -0,0 +1,207 @@
+@@ -0,0 +1,210 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@ -26418,6 +26423,8 @@ index 000000000..f068532e7
 +manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
 +filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
 +
+kernel_read_system_state(dirsrv_snmp_t)
+
 +corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
 +
 +dev_read_rand(dirsrv_snmp_t)
@ -26430,10 +26437,11 @@ index 000000000..f068532e7
 +fs_getattr_tmpfs(dirsrv_snmp_t)
 +fs_search_tmpfs(dirsrv_snmp_t)
 +
-+
 +sysnet_read_config(dirsrv_snmp_t)
 +sysnet_dns_name_resolve(dirsrv_snmp_t)
 +
+userdom_use_inherited_user_ptys(dirsrv_snmp_t)
+
 +optional_policy(`
 +	snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
 +	snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
@ -32102,10 +32110,10 @@ index 000000000..d9ba5fa27
 +')
 diff --git a/ganesha.te b/ganesha.te
 new file mode 100644
-index 000000000..3cf186efc
+index 000000000..0fdeecfd6
 --- /dev/null
 +++ b/ganesha.te
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,110 @@
 +policy_module(ganesha, 1.0.0)
 +
 +########################################
@ -32182,6 +32190,7 @@ index 000000000..3cf186efc
 +
 +dev_rw_infiniband_dev(ganesha_t)
 +dev_read_gpfs(ganesha_t)
+dev_read_rand(ganesha_t)
 +
 +logging_send_syslog_msg(ganesha_t)
 +
@ -33861,10 +33870,10 @@ index 000000000..450146018
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 000000000..5d279ca35
+index 000000000..7eeb7b0c0
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,331 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@ -33916,6 +33925,9 @@ index 000000000..5d279ca35
 +type glusterd_tmp_t;
 +files_tmp_file(glusterd_tmp_t)
 +
+type glusterd_tmpfs_t;
+files_tmpfs_file(glusterd_tmpfs_t)
+
 +type glusterd_log_t;
 +logging_log_file(glusterd_log_t)
 +
@ -33954,6 +33966,10 @@ index 000000000..5d279ca35
 +files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
 +allow glusterd_t glusterd_tmp_t:dir mounton;
 +
+manage_dirs_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
+manage_files_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
+fs_tmpfs_filetrans(glusterd_t, glusterd_tmpfs_t, { dir file })
+
 +manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
 +manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
 +logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })
@ -38150,10 +38166,10 @@ index 000000000..8a2013af9
 +')
 diff --git a/gssproxy.te b/gssproxy.te
 new file mode 100644
-index 000000000..86a4d31a1
+index 000000000..800eb43a1
 --- /dev/null
 +++ b/gssproxy.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,75 @@
 +policy_module(gssproxy, 1.0.0)
 +
 +########################################
@ -38196,6 +38212,7 @@ index 000000000..86a4d31a1
 +files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file })
 +
 +kernel_rw_rpc_sysctls(gssproxy_t)
+kernel_read_network_state(gssproxy_t)
 +
 +domain_use_interactive_fds(gssproxy_t)
 +
@ -43845,10 +43862,10 @@ index 000000000..bd7e7fa17
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 000000000..f84877209
+index 000000000..d7cf7c7c3
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,102 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@ -43926,6 +43943,7 @@ index 000000000..f84877209
 +    snmp_manage_var_lib_files(keepalived_t)
 +    snmp_manage_var_lib_sock_files(keepalived_t)
 +    snmp_manage_var_lib_dirs(keepalived_t)
+    snmp_stream_connect(keepalived_t)
 +')
 +
 +########################################
@ -47497,10 +47515,10 @@ index 000000000..7ba50607c
 +
 diff --git a/linuxptp.te b/linuxptp.te
 new file mode 100644
-index 000000000..7acdb2d40
+index 000000000..37414ae0d
 --- /dev/null
 +++ b/linuxptp.te
-@@ -0,0 +1,180 @@
+@@ -0,0 +1,184 @@
 +policy_module(linuxptp, 1.0.0)
 +
 +
@ -47670,10 +47688,14 @@ index 000000000..7acdb2d40
 +corenet_udp_bind_generic_node(ptp4l_t)
 +corenet_udp_bind_reserved_port(ptp4l_t)
 +
+kernel_read_network_state(ptp4l_t)
+
 +dev_rw_realtime_clock(ptp4l_t)
 +
 +logging_send_syslog_msg(ptp4l_t)
 +
+userdom_dgram_send(ptp4l_t)
+
 +optional_policy(`
 +	chronyd_rw_shm(ptp4l_t)
 +')
@ -48443,6 +48465,32 @@ index be0ab84b3..af94fb163 100644
 +role system_r types logrotate_mail_t;
 logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+diff --git a/logwatch.if b/logwatch.if
+index 06c3d36ca..2bb771f02 100644
+--- a/logwatch.if
+++ b/logwatch.if
+@@ -37,3 +37,21 @@ interface(`logwatch_search_cache_dir',`
+ 	files_search_var($1)
+ 	allow $1 logwatch_cache_t:dir search_dir_perms;
+ ')
+
+#######################################
+## <summary>
+##  Dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`logwatch_dontaudit_leaks',`
+    gen_require(`
+        type logwatch_t;
+    ')
+
+	dontaudit $1 logwatch_t:fifo_file { read write };
+')
 diff --git a/logwatch.te b/logwatch.te
 index ab650340c..433d37810 100644
 --- a/logwatch.te
@ -54207,7 +54255,7 @@ index 6194b806b..e27c53d6e 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4fc..28c1c5f16 100644
+index 11ac8e4fc..bb6533dae 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@ -54488,11 +54536,11 @@ index 11ac8e4fc..28c1c5f16 100644
 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
 
 -userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
- 
+-
 -userdom_manage_user_tmp_dirs(mozilla_t)
 -userdom_manage_user_tmp_files(mozilla_t)
-
+userdom_use_inherited_user_ptys(mozilla_t)
+ 
 -userdom_manage_user_home_content_dirs(mozilla_t)
 -userdom_manage_user_home_content_files(mozilla_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
@ -54626,34 +54674,34 @@ index 11ac8e4fc..28c1c5f16 100644
 -	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 +	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
+')
+
+optional_policy(`
+	java_domtrans(mozilla_t)
 ')
 
 optional_policy(`
 -	java_exec(mozilla_t)
 -	java_manage_generic_home_content(mozilla_t)
 -	java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+	java_domtrans(mozilla_t)
+	lpd_domtrans_lpr(mozilla_t)
 ')
 
 optional_policy(`
 -	lpd_run_lpr(mozilla_t, mozilla_roles)
-+	lpd_domtrans_lpr(mozilla_t)
+	mplayer_domtrans(mozilla_t)
+	mplayer_read_user_home_files(mozilla_t)
 ')
 
 optional_policy(`
 -	mplayer_exec(mozilla_t)
 -	mplayer_manage_generic_home_content(mozilla_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+	mplayer_domtrans(mozilla_t)
-+	mplayer_read_user_home_files(mozilla_t)
+	nscd_socket_use(mozilla_t)
 ')
 
 optional_policy(`
 -	pulseaudio_run(mozilla_t, mozilla_roles)
-+	nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
 +	#pulseaudio_role(mozilla_roles, mozilla_t)
 +	pulseaudio_exec(mozilla_t)
 +	pulseaudio_stream_connect(mozilla_t)
@ -54661,7 +54709,7 @@ index 11ac8e4fc..28c1c5f16 100644
 ')
 
 optional_policy(`
-@@ -300,259 +340,261 @@ optional_policy(`
+@@ -300,259 +340,265 @@ optional_policy(`
 
 ########################################
 #
@ -55026,13 +55074,6 @@ index 11ac8e4fc..28c1c5f16 100644
 +	dbus_session_bus_client(mozilla_plugin_t)
 +	dbus_connect_session_bus(mozilla_plugin_t)
 +	dbus_read_lib_files(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+	gnome_manage_config(mozilla_plugin_t)
-+	gnome_read_usr_config(mozilla_plugin_t)
-+	gnome_filetrans_home_content(mozilla_plugin_t)
-+	gnome_exec_gstreamer_home_files(mozilla_plugin_t)
 ')
 
 optional_policy(`
@ -55040,6 +55081,17 @@ index 11ac8e4fc..28c1c5f16 100644
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
+    devicekit_dbus_chat_disk(mozilla_plugin_t)
+')
+
+optional_policy(`
+	gnome_manage_config(mozilla_plugin_t)
+	gnome_read_usr_config(mozilla_plugin_t)
+	gnome_filetrans_home_content(mozilla_plugin_t)
+	gnome_exec_gstreamer_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
 +	gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
 ')
 
@ -55069,7 +55121,7 @@ index 11ac8e4fc..28c1c5f16 100644
 ')
 
 optional_policy(`
-@@ -560,7 +602,11 @@ optional_policy(`
+@@ -560,7 +606,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -55082,7 +55134,7 @@ index 11ac8e4fc..28c1c5f16 100644
 ')
 
 optional_policy(`
-@@ -568,108 +614,144 @@ optional_policy(`
+@@ -568,108 +618,144 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -71802,10 +71854,10 @@ index 000000000..02df03ad6
 +')
 diff --git a/pdns.te b/pdns.te
 new file mode 100644
-index 000000000..63ddc577c
+index 000000000..4df7ada2a
 --- /dev/null
 +++ b/pdns.te
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,85 @@
 +policy_module(pdns, 1.0.2)
 +
 +########################################
@ -71849,6 +71901,8 @@ index 000000000..63ddc577c
 +allow pdns_t self:unix_dgram_socket create_socket_perms;
 +pdns_read_config(pdns_t)
 +
+kernel_read_network_state(pdns_t)
+
 +corenet_tcp_bind_dns_port(pdns_t)
 +corenet_udp_bind_dns_port(pdns_t)
 +
@ -72037,7 +72091,7 @@ index d2fc677c1..86dce34a2 100644
 ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454d8..8f0f5fd9c 100644
+index 608f454d8..64782ff03 100644
 --- a/pegasus.te
 +++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -72056,7 +72110,7 @@ index 608f454d8..8f0f5fd9c 100644
 type pegasus_cache_t;
 files_type(pegasus_cache_t)
 
-@@ -30,20 +29,335 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,337 @@ files_type(pegasus_mof_t)
 type pegasus_var_run_t;
 files_pid_file(pegasus_var_run_t)
 
@ -72189,6 +72243,8 @@ index 608f454d8..8f0f5fd9c 100644
 +
 +kernel_read_network_state(pegasus_openlmi_services_t)
 +
+miscfiles_read_certs(pegasus_openlmi_services_t)
+
 +optional_policy(`
 +    dbus_system_bus_client(pegasus_openlmi_services_t)
 +')
@ -72398,7 +72454,7 @@ index 608f454d8..8f0f5fd9c 100644
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,25 +368,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,25 +370,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
 manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -72433,7 +72489,7 @@ index 608f454d8..8f0f5fd9c 100644
 kernel_read_fs_sysctls(pegasus_t)
 kernel_read_system_state(pegasus_t)
 kernel_search_vm_sysctl(pegasus_t)
-@@ -80,27 +395,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +397,21 @@ kernel_read_net_sysctls(pegasus_t)
 kernel_read_xen_state(pegasus_t)
 kernel_write_xen_state(pegasus_t)
 
@ -72466,7 +72522,7 @@ index 608f454d8..8f0f5fd9c 100644
 
 corecmd_exec_bin(pegasus_t)
 corecmd_exec_shell(pegasus_t)
-@@ -114,9 +423,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +425,11 @@ files_getattr_all_dirs(pegasus_t)
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
@ -72478,7 +72534,7 @@ index 608f454d8..8f0f5fd9c 100644
 
 files_list_var_lib(pegasus_t)
 files_read_var_lib_files(pegasus_t)
-@@ -128,18 +439,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +441,29 @@ init_stream_connect_script(pegasus_t)
 logging_send_audit_msgs(pegasus_t)
 logging_send_syslog_msg(pegasus_t)
 
@ -72500,21 +72556,21 @@ index 608f454d8..8f0f5fd9c 100644
 +optional_policy(`
 +    dbus_system_bus_client(pegasus_t)
 +    dbus_connect_system_bus(pegasus_t)
- 
-	optional_policy(`
-		networkmanager_dbus_chat(pegasus_t)
-	')
+
 +    optional_policy(`
 +	networkmanager_dbus_chat(pegasus_t)
 +    ')
 +')
-+
+ 
+-	optional_policy(`
+-		networkmanager_dbus_chat(pegasus_t)
+-	')
 +optional_policy(`
 +	rhcs_stream_connect_cluster(pegasus_t)
 ')
 
 optional_policy(`
-@@ -151,16 +473,24 @@ optional_policy(`
+@@ -151,16 +475,24 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -72543,7 +72599,7 @@ index 608f454d8..8f0f5fd9c 100644
 ')
 
 optional_policy(`
-@@ -168,7 +498,7 @@ optional_policy(`
+@@ -168,7 +500,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -72552,7 +72608,7 @@ index 608f454d8..8f0f5fd9c 100644
 ')
 
 optional_policy(`
-@@ -180,12 +510,17 @@ optional_policy(`
+@@ -180,12 +512,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -77332,7 +77388,7 @@ index ded95ec3a..210018ce4 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83eca..67f813d34 100644
+index 5cfb83eca..5de033f81 100644
 --- a/postfix.te
 +++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@ -78040,7 +78096,7 @@ index 5cfb83eca..67f813d34 100644
 
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
-@@ -655,69 +595,80 @@ optional_policy(`
+@@ -655,69 +595,84 @@ optional_policy(`
 
 ########################################
 #
@ -78104,6 +78160,10 @@ index 5cfb83eca..67f813d34 100644
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)
 
+optional_policy(`
+    logwatch_dontaudit_leaks(postfix_showq_t)
+')
+
 ########################################
 #
 -# Smtp delivery local policy
@ -78138,7 +78198,7 @@ index 5cfb83eca..67f813d34 100644
 ')
 
 optional_policy(`
-@@ -730,28 +681,32 @@ optional_policy(`
+@@ -730,28 +685,32 @@ optional_policy(`
 
 ########################################
 #
@ -78179,7 +78239,7 @@ index 5cfb83eca..67f813d34 100644
 
 optional_policy(`
 	dovecot_stream_connect_auth(postfix_smtpd_t)
-@@ -764,6 +719,7 @@ optional_policy(`
+@@ -764,6 +723,7 @@ optional_policy(`
 
 optional_policy(`
 	milter_stream_connect_all(postfix_smtpd_t)
@ -78187,7 +78247,7 @@ index 5cfb83eca..67f813d34 100644
 ')
 
 optional_policy(`
-@@ -774,31 +730,102 @@ optional_policy(`
+@@ -774,31 +734,102 @@ optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
 
@ -93683,7 +93743,7 @@ index 0bf13c220..79a2a9c48 100644
 +    allow $1 gssd_t:process { noatsecure rlimitinh };
 +')
 diff --git a/rpc.te b/rpc.te
-index 2da9fca2f..9099c9800 100644
+index 2da9fca2f..c8afd1e50 100644
 --- a/rpc.te
 +++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@ -93888,7 +93948,7 @@ index 2da9fca2f..9099c9800 100644
 ')
 
 ########################################
-@@ -201,42 +231,64 @@ optional_policy(`
+@@ -201,42 +231,66 @@ optional_policy(`
 # NFSD local policy
 #
 
@ -93935,6 +93995,8 @@ index 2da9fca2f..9099c9800 100644
 files_manage_mounttab(nfsd_t)
 +files_read_etc_runtime_files(nfsd_t)
 
+fs_read_configfs_files(nfsd_t)
+fs_read_configfs_dirs(nfsd_t)
 +fs_mounton_nfsd_fs(nfsd_t)
 fs_mount_nfsd_fs(nfsd_t)
 fs_getattr_all_fs(nfsd_t)
@ -93964,7 +94026,7 @@ index 2da9fca2f..9099c9800 100644
 	miscfiles_manage_public_files(nfsd_t)
 ')
 
-@@ -245,7 +297,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +299,6 @@ tunable_policy(`nfs_export_all_rw',`
 	dev_getattr_all_chr_files(nfsd_t)
 
 	fs_read_noxattr_fs_files(nfsd_t)
@ -93972,7 +94034,7 @@ index 2da9fca2f..9099c9800 100644
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +308,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +310,12 @@ tunable_policy(`nfs_export_all_ro',`
 
 	fs_read_noxattr_fs_files(nfsd_t)
 
@ -93987,7 +94049,7 @@ index 2da9fca2f..9099c9800 100644
 ')
 
 ########################################
-@@ -270,7 +321,7 @@ optional_policy(`
+@@ -270,7 +323,7 @@ optional_policy(`
 # GSSD local policy
 #
 
@ -93996,7 +94058,7 @@ index 2da9fca2f..9099c9800 100644
 allow gssd_t self:process { getsched setsched };
 allow gssd_t self:fifo_file rw_fifo_file_perms;
 
-@@ -280,6 +331,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +333,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
@ -94004,7 +94066,7 @@ index 2da9fca2f..9099c9800 100644
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
 kernel_request_load_module(gssd_t)
-@@ -288,25 +340,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +342,31 @@ kernel_signal(gssd_t)
 
 corecmd_exec_bin(gssd_t)
 
@ -94039,7 +94101,7 @@ index 2da9fca2f..9099c9800 100644
 ')
 
 optional_policy(`
-@@ -314,9 +372,12 @@ optional_policy(`
+@@ -314,9 +374,12 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -111403,7 +111465,7 @@ index 5406b6ee8..dc5b46e28 100644
 	admin_pattern($1, tgtd_tmpfs_t)
 ')
 diff --git a/tgtd.te b/tgtd.te
-index d01096386..ae473b2b2 100644
+index d01096386..c491b2f9c 100644
 --- a/tgtd.te
 +++ b/tgtd.te
@@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t)
@ -111435,7 +111497,7 @@ index d01096386..ae473b2b2 100644
 corenet_tcp_sendrecv_iscsi_port(tgtd_t)
 
 corenet_sendrecv_iscsi_client_packets(tgtd_t)
-@@ -72,16 +73,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
+@@ -72,16 +73,18 @@ corenet_tcp_connect_isns_port(tgtd_t)
 
 dev_read_sysfs(tgtd_t)
 
@ -111444,6 +111506,8 @@ index d01096386..ae473b2b2 100644
 
 fs_read_anon_inodefs_files(tgtd_t)
 
+miscfiles_read_generic_certs(tgtd_t)
+
 storage_manage_fixed_disk(tgtd_t)
 +storage_read_scsi_generic(tgtd_t)
 +storage_write_scsi_generic(tgtd_t)
@ -120205,11 +120269,12 @@ index 6b72968ea..de409cc61 100644
 +userdom_use_inherited_user_terminals(vlock_t)
 diff --git a/vmtools.fc b/vmtools.fc
 new file mode 100644
-index 000000000..c5deffb77
+index 000000000..13ee573e4
 --- /dev/null
 +++ b/vmtools.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,6 @@
 +/usr/bin/vmtoolsd		--	gen_context(system_u:object_r:vmtools_exec_t,s0)
+/usr/bin/VGAuthService		--	gen_context(system_u:object_r:vmtools_exec_t,s0)
 +
 +/usr/bin/vmware-user-suid-wrapper		--	gen_context(system_u:object_r:vmtools_helper_exec_t,s0)
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 300%{?dist}
+Release: 301%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -717,6 +717,22 @@ exit 0
 %endif

 %changelog
+* Fri Nov 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-301
+- Merge pull request #37 from milosmalik/rawhide
+- Allow mozilla_plugin_t domain to dbus chat with devicekit
+- Dontaudit leaked logwatch pipes
+- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.
+- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)
+- Allow chronyd daemon to execute chronyc. BZ(1507478)
+- Allow pdns to read network system state BZ(1507244)
+- Allow gssproxy to read network system state Resolves: rhbz#1507191
+- Allow nfsd_t domain to read configfs_t files/dirs
+- Allow tgtd_t domain to read generic certs
+- Allow ptp4l to send msgs via dgram socket to unprivileged user domains
+- Allow dirsrv_snmp_t to use inherited user ptys and read system state
+- Allow glusterd_t domain to create own tmpfs dirs/files
+- Allow keepalived stream connect to snmp
+
 * Thu Oct 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-300
 - Allow zabbix_t domain to change its resource limits
 - Add new boolean nagios_use_nfs