From 4c1c744cdd0fcf0d21082e470a30399259375f62 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Fri, 3 Nov 2017 13:17:33 +0100 Subject: [PATCH] * Fri Nov 03 2017 Lukas Vrabec - 3.13.1-301 - Merge pull request #37 from milosmalik/rawhide - Allow mozilla_plugin_t domain to dbus chat with devicekit - Dontaudit leaked logwatch pipes - Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon. - Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546) - Allow chronyd daemon to execute chronyc. BZ(1507478) - Allow pdns to read network system state BZ(1507244) - Allow gssproxy to read network system state Resolves: rhbz#1507191 - Allow nfsd_t domain to read configfs_t files/dirs - Allow tgtd_t domain to read generic certs - Allow ptp4l to send msgs via dgram socket to unprivileged user domains - Allow dirsrv_snmp_t to use inherited user ptys and read system state - Allow glusterd_t domain to create own tmpfs dirs/files - Allow keepalived stream connect to snmp --- container-selinux.tgz | Bin 7160 -> 7160 bytes policy-rawhide-base.patch | 9 +- policy-rawhide-contrib.patch | 259 ++++++++++++++++++++++------------- selinux-policy.spec | 18 ++- 4 files changed, 184 insertions(+), 102 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 2eaaf4405a9552a67a03bbb31fe5f6ac587246a3..8b0d16775766da6a4cbeb7eb107b1ee1450e3a2c 100644 GIT binary patch delta 7141 zcmb8x1v}jj!vJ6t$261Ern|eld*e2J5b$30TD2wrrx)@OA|a5-n>1jF#26qp|&gsoU< z9dY_vp3DVlw09yCu(xwv9lxLX3Q<~i_7v49H0KHB0W{GyW_94Gk$jBVFJBQ}Cj?4ka&H zCSPU97WAwdlV8!Ih{X3D;Hk654;VDp^Pvw8uRYw#U)Z!mb1k6@v%lz zej=k)h$8!E{N_%(^bKw&&8MxG!W!^b$d`sP9NFSD`rb(z9>C(2&APO_LVlOmV&3Ee zA8+>5CyC}8#Ial-!;BG4Q&S!kNgFMv7EGrL!Hl>^_<4Ojy0+7FcYHC4H=CBW3wL=o zvm$!Z0iicL`x*985qY0l*&~SWL;wil6)_hI{j=} z%WN6%PRGRBxcgI8{Vd?+z|4aVwXquLBN&NQKVQz+Xe4AF``%l;_n%VIMI(RZ{6FZu zz1D2ba^|WI`q6O3KtmP{s?`<5EYIowjNeCGF|@+&3q<|<5T zh89a1ujYuuhv%U>0G+R3PHzH}$y?Q!%RYPlkdqD2Yez9-u$oKt$mGElx}5!(_`uDO z8c%uIN319;srA;|;-tcJnV0inC<3UiD4ZbqzE-R^^D{<}*W)@&H>5^&jz>Ma{wpRJy#{5~fyP2b^6AKxG`h)3BlIF@J-dwHs$h9VC ziU+zKaD|Y$M6PY?T`nqHvtze5w?Yoy&|-ZI6QN9zGY+U2e~CZMr&w_8YvypCV*dve zcHf5HY`KsPa5ao$w@DtolM`&KnJ9F}ai(fd=h!>$!iL5i;mz&;h#Uhff;PQ1<#(M1 zal`7(Q2A45%zoIBv%q$3XSv?*ICG3hI>1F$}tk57613% zkXxzoW_n*@?ciUlgQM7F&#$O|)>+Ssg;ST~OX3xa@Yga{2h`iL2-`Gxyj-vMO)z;s zPph%Wrj6}V+O-wZ@@HVd#gyR1fHbXdzE-q=$s|1@v$S^Y>9L8>(3alU6Fz@yZ@i4w!P2AQ_6#BEAqUf0D~Ru6Stm?CoCAt-Sy5u=}>z&mkXY04S> zC_s2Bt&C(vqcj>d^o;7nlD)mB;-lem6P_vEgamdH4*Iwt?ye4K)~Mi~Mg4X2d*g-A zJKwqy-2kwjSo%_L3oZI!+tW;GmCa)b@r?WgMoew`iV*du*iRv~Osrp~2qM|~=^jh( zu~lT}F8G(J!9iI%f`m(%>AZ1-OAdiOYoE0GD$F!GMWQ{K9qwFVR$ULTubV0bv(gV6 zlzSwOsEWpezEi?tS$VHQ!W)~wYa6rl4evuY)AdD=LbT84e~&AcOXe%CRe6<#xwV=6D+D=z zHVZ;!yorqdM9-(nH)EbDhkDeCNtD4Gi*prBWu-_B)pq8J(X;-#z?G+)OrgvW!V-ZQ)ognL2d|ykB_~K~uXUq14%k8r;b}CH1^$zfq z&GG={EjTM6jV@mOpsx%zy|M{Bv;!p}m1foE&d2MZ%v)yuSYh#Hx7w~?HgY*Mu5d03 zh>0WH@er(A(1;p{arCFSz*G@Qbv%<+EAXwj6XC(QEO2B9ZG(BLca=#GY$Prp<{-Eb8r`D@95SntR^WNe1u zx#+U+_spSkeY8>Yu=f6T9Pke7kH0iF!P*h;^!1N=hY5aaXso*73J*Isybn+7z1v^q zPpe`7wj$HN=9l5YS~^QtiEQ*qeKjp0Edt4L=!Au3oXIr>$^_t>y~T*-)2hc^5)md-Ln`!wH5F1`Eba)V?= zsoXAAmu`o^cs-#~7aoGnrutFm17vAv&qc21XB3pAhdE@2>vu4b(cH6hpM$CZ_OEsY ztOTt4w?m;9$%t^&2@K7C(ixGmKQ|_H=Gzc{Bifa z5ykp;3+Ns 
z#;@4yPZ6fms@Txzk1ht9?(Sp-hIa#{bOIW6%iLI))S43b>}Ri%+zZ);Tb|9c_4 z&Bc@~QCwk_*a>ctI}}EJzdN?7#LFG{7!e!4whw(DS3fzWL8uZ$c(ox_SyFpL35&$! zbuWWtmDK!<({M6(*CnCvH{yzo`-C5+`NPs&bV<#Zn|U!()ceLte&`4WoDK)2G0QM} z5V8!W-;>R5q@j%5N;+@%h%T$dNr>3p<; zJJe`mvT@0mJe!YS-oyLD!B~KYddZnz>MB3?`0-nM)C}zkdT|pAtK%XJP0Gf_2x`Lc z0W#{;OP(lvE2#&EqtB}b^k;);HztDJQTO(owa$x)v7qqH*sBuUn zpqunqffL=!NPFi-!l}-w>e!aNSyi0$C3EOH>tSOFNrGh1^AURqrbb8Bt-Wzd#^*nK zS%M|)5T0@DZ5`d9dz@1xUCCheYpKP~kqdOJgKzVZyxum;u(5~re}C|Lhe?or|FaU3 z@?sC?Kr8xiO5m6UjNxw5H>+RzYR2Ks9_@~gR&SR1-N|bcq`|H;D&Q$%A-#Ed+p|-a zhu*L>0jszQZ!hR==g7UHJIPww-8t>AS35o0Rq0gGd>sm!Uum8e*X+SBG)oblUUVIb z8gP=@R>(ZK2#bI-{9dH85dCH<7|UiYZ7lYrTf~BMlJp&zF!cs`pzx)kzzO*OX^l;N zh1-s$m$v?jW0k5#Q;14b#g>U0B$iD~g2omhhYls@G=IFe4_+X=3BQp!JB}Lqi%vI5 z(f#NjU9o7NFKJ+vLT%u_$2C7)brKE4Y`vcT8D~(>i2RuiOZHY-I4arOZcwpRDa>F# zosE5Am`DL$zKIH?3#owDzjj#~dszI7p6KK^Pj2gro;YVAPfrq#Kt7o9N|NtDn=J_w zypkCoX(1fVXDNuvV2>9^fp{kUW8AJu8{(H0_sV2R{trn#?E{DeEP83vp5=pMovM8@ z2+uO{`7tLwiC$EFZ5a1A{e^qcEUwozi$M4(H|{+EKc&8AnYokmNa!tz1Yt4TT-!Je z6V!>kMa)?o7YVfX;3jn36z=OFaaPdg|K(AFxjh>jQ8&`q?aO}nIp9C^R}#^#+o9jB zlZfJI#~o@!r!!C5*wh;+y@8;haa<%4p`)L3CH%BJQ5mh-eI&QFEjC~ zb5^N9{>L3(nfotDb-dGJk*{1svrlzd@@Q=*)u77ZNzs^Sw1e2-+03vsbBZFQP zmZ`_x+^gyP)7n^E3p?fbmkaNLeb16pt73TOp8SRk4_I$ez304t3q^JaR`UyQy^akV z7Gzv$>xi2L6p1#*nithafSgPZj-s{@hWnsiI+q&1hUFUaRx{D6R8^k$)GjNjODyPs z{DeN=j|Imqq11~n9(uJl|B3J=wy~)iER>$-i6g0QVjVT5^R*E8xKjU-t+dH}X^g$M z5+cWvxfH97h#mDs zywf%cWoY1bx=`cHrzFDtH!;lBDb6?rRl<-7rtX&BmWOHVw#w>%7d8x7TIn0zK^OWCqF|w)Gln% z7|{f{i2qQ@x@X7+)DCSqH7V}`5@*uLoEv`roSqu(AZW(?~Yn6VqgD4m(3 z=3fdv>v`w=M}$;ZDeN;saNgAWFEez|LE;y?VnI#iL0vIr5sqP$6wn8hO8I?)n3{>g|~ zd=@Tz+s9+@a^dGN!rZ8TM5Bg3jY@N&er?4IW)n*TkzUFanTQr|cSj=^{&U#e$NL7s zxj)}aHXQKs&WXKjHmhd`9IV>%F{v-@R#iTbDX&-Wo9wJwspWXNNt{#5c(|mk5U6_V z_FLC5+3Ib=Iv1&0fkLYYtgHwy8M0j~8+Alwj7py!gel&?T{~ZqK{|y~iz8#ohi_QA zUctQA2sKs-GRNA%yP;YH`>P3xozj$yP4q?-tm-9>@XZlOQU;rnfUQU14`}l7{VIjB zxzsJ)O0U@s;hp;YaDRM>*K*SQRHl1_z0XsIJKDOWXlQN;G@}MZ5PdPV-v$hxj9RNH 
z&)N!dm$WOT*ZU*t@1a`=ZZ9vl>n^t~uUgy98dClbmkcTJQ-)E4UC6 zTxhb@$ja0!rLnM)azdF>nmjnn0*_h#;&Q0PyZC8E3EE{SoFk)z!&jIF`N-E>i|$;6 z7jyt7WPEluDQ?!Bzj)-hZWas0X86P8<9Sq`!D$9_VUc(%OEF$pOa`01jP4A%K33h; znn}BwrXtSfG)x3|Pd`upR0l?d)C>^Gk5ZC+-t%SZ+3A?TAr;N)qxX!+SlCsPCUw2Z zeHcx6&<;Tpzx_5(MeJK$EC^$XsfNE#$#MghQxIqi+g0bOuGKaZ(nplBvDKnS3^sY) zjFJmQA*E-WFLK~X=tAt;ILqr(^nvOs9vdOtm8^)v2>+N}e%3S1F|6{k4*eU>d*xkh zFrh8s>m&|+&i6U&tCb-%ymyW;cZI?JjEBer$JNvC1SsF`CWmVmNtb&AcIQpzn3Q*`;}|J4?BzNJ>-iChcyy>x zF15qFhfTJGTHDb@6*p^h0Bw1($$$qWTtMT|)~EDkphr^%lPmb?$xG?l7CH$)PBNW*~L3=8<8qKMd#qn^Q zQF6NNVA6-vyU)Oc=Ly}vScluSi(Yi76C^Y=d?_CYlrxXTWTvWKPA5RmN$LJxD^YX6 zJ2>V_cDt(q;(w(|S)f3dR;rxrLLdjz}sk$KvOcOKQJCVYfj<$aE!@>DW14+AvY_uX5Dx^>~mAdYY1|MCbw6(kA z;TCGX(mZI_k`6%Zez?(pH!!FIWTqifG}DkiBW`V5`J*h|C;fMYyy65=ZjLJ#&4dV? zo)U{6?(;c&=%V5xS24AJhr+3i*<4{-6UY6_YN4^Z)}lCKIa0$RRzUCi4c1wS)TO`g zM{kkutL8Kia)@!pR|`LH+L#Jvu!2)RC8kgWbF#b_wt8V+t2?pB>%adDrx5~fKf}x& zP>Z*tTrF8t#7k42AnLfQ4sa0Wv>~eB11NdaM^Bh1Y@g*erN@o>+QA}0Hz75%{fO2P zn)Jw6hamA1kVyjU3b>eQ^9v4&zfy}-6$|Gzee=EI`g5aKeP6M0(<}__cBQsTTzM4L za8d!+nd;k#;BWQnRJ!CO*nKDWxlLAiWef0*3}1j#Z^N$AwG`NoHnl)sDIM+zvacvE zJ$O||^K^gT?13=Ky0`h)JCU^aygwd1uRl0}HUU33|L3<|;7~!gwASbqGTeP6QzEuR zn;4M_^f~)`OmeOh5 zH=y&B){<>#1uje9qHd@5M-vW46R@tiem7V$<9TskWea9_#+ZBfk#}%TxjR5P?WNv? 
z9A(3)$yHkfOwr5(Zx8c;|ImbEDj84%o6FNH-p2p>hE!K%8hu?ohUtC%qn#mn(j78| zfzqZnS~MtlsuSHWrpoy{KiM*QPiL&vY{-<}2Lubh`IYGJ@Q>Ai&>igS3mSx{z4%<>5B#{(7ag}zsaUeOgzmm4Ccx&T~_ z9_SLkN2=B0|N7?8xA(>cyZL$mhWmy$i=xwj>tCROv@+g*Jn0(xX;S`aCVWL(sObNX Qmi3igS;*!q91ITbfAW_G^#A|> delta 7141 zcmb7|g;Ep@qd-BV>!VvbMY_8?1(xncc427{SVBTcX(X2JW|8jhSV~g5Swgz*{|a~J zyuz6|bMA%jg(0*t7)Vf-D`O;-GxL*#HKC;GrK4`SIut*aI!6gxw|9OGUyYcs*Mdao zmd*c4nVpNdsIFJjbTX75fFtkRx+}Kji4{MmnAkqKYtlI<=-)6J2a?1Le%2=iW{|1| zWrDi>Oa770-EDRcZ=TS;UI1Pq{+&lP3nRK)gMDB6pCEU_2++pM#pLRVukaG08*@X- zFm&F_X{8P?%&p-`Y>nw>D(Lj(Z59^rz;|CSy6bNw{c?nOVq&W-@`I;DiK&IvRWt}- zt-?6NRJ>B?*nKX(KJ27gnIcD99`B(+vS0RizvBT5@=6tF&KJbT~_+suL2`mjsXPUi~&+i;F&a8(QcaGI0dR{do^aHxB*u@LZSajc zz_r^-qpIdthc70d!rLYYQJyWg>fhrRvN`|a)mQk@ckBXt>OmCc!kfDMm{+ozq#SV0 zEJ~?d!`$2^$T2RdZArfUTfoylz0gzmG+gKjQ?!;%nbP&y4SD=RIK;GB!Bu~aTK75h z9x{IB9{oumOhT+xaam_xki-p8TVu6o<4v8}8BcPwSw=zfV1L9Cou8p=y68Noao91< zsIoDgXCxKYf&Yc+?7iv(`ldyela!1kN<99XnW1Wqa8HY7V-W#`r_1p!b}gD^R+)2b zu$HXpKF(C5jI8`-ks+&fJaLn=~C=fpB}bacO~sOdG>beynZXALEhbW-g%srva` zraWJ~afda?Jw*MXwS?XD0u-4R8rGSd>#xTaB@_k%&Vhdg@%~E}1W>%++~|QI{&wGu zpDPAGG()?Sywe13IpRu>RBrO?G(?aVG?t$U5-+#5S>jpB5oDr$Mk7-|NIkElATUW8 zD6{}5?G`6?R^LWY{;(bn)T8IKsZM3^&#_|$X~=$N|Hm3YbitJ2-w0Aiv*;bT`p;IC zJihm~AY~Wj^?ie*%E>qe8MjUk8P99!-`7|cHOe7t0(5+DmlchDRlJW&>9q6sbcKOw zO-nO`NoXtd_~gG6U*0<(L;7&uY5sb#Hg3|^OTUomZ~nob;b#VR%4=-W7LeRFI>a`J z{ZA7H_ONU!y4zMKCVr*d{fHs0@U`TyAU2eM1mtMRCRXj7U*Y z1udN9fsIe|8IX?s;sL;g8=Cz?vyRGF%q}>(3gDc&YRtqbe>vU10CI=i#df7=NKI^# zro`k=(~*ea3PlVKx@Nb;p6`bX^mKkm!GKQ5q8L~X`V-l+3m^iS0L`dseCk3tg|Yjp zfRD2Mym?P&GL|JEC;5CXj{h2l%hEd!UuziL?Uz1(%M?M8)llLQIM9d{rqJ+>TWOTI zfrQVtoxH4i`DPN|LDUP*$4h`|Xhkn8VHw_YDSuv=)vO4N7C+;%z011dH7tZ}b z>WkG~$&!Z@ypaohDq|9@=2m?gym16j&I{MgH+GK1QklgZKr-x!*11Qk;$Zf)yXe)a zKF1%gBXxG3>8eg;5%=zqwq$^4} z!>=SJ755|-Attth9WkWdS-z3&q%-hIZl9q8jhssX6pZxdggVt)SxVXD^B+96C_?vM z;*)eJnX|`sEX1guP}i3KQg*OUGRSuhNLAx#i%*ezC{bD?gt#AkElxWg(HOTxn&-5K zsy+LrBH?{KBP=+tClwQOhu;HQc(6P^T46BekxZeHLB^g43b!hY<2p|+X3kp+4|=xM 
zxx4wIj5rX)&E7VLlcZ{?30}&EiD(H4*R#CB^Yt}j(*m{F?0&+-x*MZdef0-bX!cp7 z4<`%$Ww-E!^DVZr1{96@jj_aZ!YbRxt}H1loa%B~{hy&=y$?TH@{z+!%f~0|Pi2hy zXtx$OAtc~Mif<)6R^D+8VFH zoUhe=#gDvVKG92i119q9r2K6+K`r7umqu;%_@Z&=^=e?)5*}0GTM>X%nyFCSI;yBU zO$Eeuv}dc(*BsA)YfevG4Yp!l2%_M$K|H;KILW1R(-a>=tyWV2{IvlyC3QcBYs{j) zL`~-I$nm;$nt#3CakE{nC6opI7~NK{oi*}>wky~Pk+(`J2*lhc3&Ly!z2YZgF;)pv zvo)8CbRozjS2w0ym12KN643l#<+$0XT$}JFxwH@ONpfY&w(SDHT#m6#pD*T3mDZ#} zc#Q8z@KqVEkP1AR+7c6H_+sIfTJ3G#REzCJBm(}6Rn{BJU|ZNNpGzI0&>D>|X3*BG zpe1>vZ66p`8*f%ANE@1XL#<He>j)Qna)_mQ$nPJN^y&S_ z)m2_~)5G+xcWMwZV$*DFe(l zHd%03RM5K4v`u=@&wM`*k(isvp|5I5Z#OAAYzOE*gMPC#~CW z#gaWS^&zxhbk+(bxsKKg+`^JITC%@-sD!7L``ym9dS#`y*;J_EEKzBWp_MKwPR8;C z5i~l619antgwdVYU;+|h;b23wL3=4w-nO!vt#7Np z-0A4Ne|}(~J$;$>exM20m00QQ%LYFHiiGDd>m#JOgb{4Cc2YJIB`4Cl72X zD?rp|;rN}?hP>Za;p*_YSzu;6=*dgUjv@@4kRz4$ z4gak0Ga71%Gq}#K!t|!ZouIWQw31<_Ap@vxaZ|p;uP5*`BX*e>0z4|()^XvtEa?1_Dw>HW+T*N9MqSP` z5f%}R%i-rU5p7EXn*5ES!x|y2$aXtQ8fFfx!uheGfV!Mp2S5$c*Q@=>`1si^$Wk&2 zw_!Bkn9C@Z_e{K`lba~z$hSA*?beQ8^xb9ELR793Q2$eiM>IN{-g0|r0FkSTvJ;+W zDsg>`9#npzB5&|JTD_sPL$V%He^KmbwvOTGf-xH19Y!N-4z+YA{*1*2Sc_>tH%9)T zH!wK={W48A>Q|NXS#*131*ZiO2(B+>ik~?4oB>CxmaSWXJ(5p>YL3zuBj(t)wFtXj zU7nw)l%5>e-k#)C-h}J?)3R&h3F)qQ_#~6b7Fe$DI$<0w#()(mE%8U*>x)5~13w&5SGsERY`@1u3AR9v60Ji^-gM%*FT{ zI5;3Bd+ui+ugnU_e={^kT~V(3XpV|0HHvM1&C$*;kzs1Uy11Kf-_O74dyS&^p4E*w z@G9#FV=J7zk23|W%CrRx;nNO;E=zSH6h%L46eb9Bw+EMAO-lc2X!(}TZANnM1jEL| z#f3(4iF1cb5A%AOP4>4J9T@!9E@=OoU-iFgIJF$-`17IR6tnt~F0`YAH5o!6!PG0& zG0gu*GwdD4FFx_SO!Ai3a3VTwvpLa+-va?MJ6#SSef&N882|lyh%eqaf0=q+s|Hff z5y}t{c8ZSSCP^Vy_=Bg>i-F#t$H{wEALHNA{IZd|sDRD#zi5j7W=A4eSB7vltBtmy z1d9WY|Lesd!qlwOfe3enuaf#t0b_c3JjlTE+4eoc5*?)EKc%5?`t4xCwn0gn86Rq| zX3H>XW()6ZPZLQpU32^DhoZOyd$6j7DXl5OREF^fF3r>7D&^?09QD;l= zw0~>CJyEV!#Cp*I+DDeC%xZOi+923i50U@X7Fs3ljR6Ho#2S>`tfPxgU&uQgZXO;L zOTP{TvD_Q0YhHIzr|F`(Qwe(#CL;#Ef>xTr=hpKjcRc@Wuu)1AF4yTx z?tgYjoNDeQLEW`9d}pOjz@kT`q#&iAJ{`mHq^iE%XA+bVv^yUU>TL8IgNWaY-(?-f z>N%aRWUSkBJ?c+Njq>4(Ni!}Hux4~ND)y#<9C;v<6YAIT4Rw=}4r|T8z03%!?_(0R 
z4ZC2?Adl>3-?`(DvW&@_{@15^>lDK)wxuvv`=b1*1Mz)6w|v8q!l|cu)wM}*=O1K* zqt-sL8{Sw4{ZW2&TpA2z?T;d@#Y(v5-2fT%DHpkkB07n{8 zW_}1k9Px%cxn?&rb*og>c$lL6e*Mo0Z|9W;B_RF_yVGN^LhT@|wQ(ky3Yp7B5iU^# zgbBkh{pbSjLM2_zq>S?XF&x3Na1BL;`&X-S0#>$p5z2st z!J%Gc?WU=$oQO7M95vkB0^}wjG*{>+9|UJ4o&N+LgFD z3d5<{ohdP!j7tXkjhHwj`NO^|>{+c(qrJ@kB_#6HoBoB`1jC`!(x}jB^WLT`fG`P8 zcD46{b_47ksw&r9&^xVaGo6I+u*5@{mp9W=60wU;&ed>{eCZ6TW-`2o8{)}qhBda1 zTZa2bPY8|`kp95qAzTs-QfW>JLARk5i@w}HxyH~7`R9$ZjOKSJb95&A&{FMvuu~|( z_wYVQf=*OySF3R>EZC2Yrcy(A_o+mJLXi z&^_iBLQ@YiV|8W5+6vLDS0amIvBOC(0~&5qs%KsB1wYw=k2pa}?Jfd;ZLRgea*)}S6x>y7lc+-182d=y#hp53tJ`<+V-f))oQo-hGb>-O$Dmo($ zRz*NsDp`tUnvsYOyGtnqQ)Yw{IF}*Ouhe`PSn2V;{}3;zXR8sNmS=RQUDfQ$9W=4g z<2S_r*OTn?(+tT4?Zdxf2b6BiW=l)cub#Q}K^-oc?!Y@Dd_GG|ffsk=8m{8x_zXF# zF;Gi#d?lAhVNVB{Dc&fdqex)rrrN|&lT1@5JF7hacKLfE(h^`zj7al4{qOMAum2{Ro zE{@Ofx)Q-kO=#5ZnV9*SL)ynV*%uQXv0br+xe9{=bCa9!jHpU2492vdhc>D6+nIPeEJlOsL7bsj>!^C zF#@D(r88xA%IgiLJL~#b+SK+l7&IjFY?;c5aLOuh%fWa4)^8-gL%mBlt+W_SdWS3E z?AQ82Q5SJSa1_S{Rhsyu_qUi~TNMD;%HzQ84 z`f|mOotb=7hExzWpRFe_IX?TcQ?kL67F zm<90nrfeYOYQl_^2xK&Si6)qM{U1OF3qgG+<}?a4^sc~pUUjjmtAq1RONKiQmg3JC zkBx6jVGi~v4hY1bFJlXmj5q8*SA;=HZ3?DkVb0e4(E9&UO0sQddi(b8W?f8>e>>+$ z^d!av(Q#IX-G&$sqoX^s)#XGllgD68dtphmH7P-UwHkHmW41pzBsUb)3j|0Ej!-*F zyQ&0~<*=ynrVU@E*={s75H(#C|0^aFvrPyMsE;^dj#&Ml{dhA$uD0u0xf4o`1nlR1 zeUf8)P0=cVqolzIMhCs(hTnKfI6OHKe(#2kc;mIzcpX0xmA}yS>R1VK>L65ZtCZK) z-Mt`pmHiI5)gI@ZXh}mV4zIuFl^;tk4u3|f(w=z4wDJ6uqsk&c$l9NXi$vg|>Q7HB z3A%VlaKxg6Vig9%7-+#X%OpDBizf0NCki{p@IdW7!@wocu)-+4``vRMcz~I6v^?m; zzhKd;U>EnTsErCS1>5Nb0rcF6S%aRgBu@xeyGPzP{pNBpg^eR|LOp-XcYV&f{wM7Y zH8DxBVZ2mHhfRzVe|X!^_RL~w$ZUsmR^Q$`x~}L_&4);T%@jQ-6HV@oWLhuBHngcr z_k!W9;7xRUfGC!d!Q#m;bepy$5pUE_87biONuE*npI_M`Md+&j)OYK#-5SX7 zyVCoZ5uKoB7c06-QWmKRYxtq zYN^#uoM0O;eiLZ-o`mH9MZ#u zj-d==P*^ba*x%pMMRSk7{fUGpo`{f$cmr6noT^BH?M?2i%%npkYJ888^Mh zDB|(MT)$IZWZ9e?VIeD#)8{iO&8h=weGt=2b&Sbsfcx?yzDa zIT;%d3`}XQnNOq*MZ9z@zAXYyXmw#Z|Ea=q+?OWwR|v!o47wJjKbJY%P2*?;n(6Oa z4Io`>u8PfDcv3`q&UdKf`{rCCr$v>Xn 
zKi2c3z5T7d)8)N}Oo5P&b}ufd)nD5VJ)7hNYt4)|i%z_Yz_iMjio1@psgl~Y=*%La zVElP1B7kegBBeH}pF7EyY{y;7jHnNi%zE81mKFv1f<1a%3MU2>S`RMd6yZWHS0K98 z3ib;BH+Ub-`rBQtxf+2v2zs^}d5(~_*z9=gzxn%=;I^65^#-{Yog?9JHSD%%;1-)L z$M^ZZTfYb8F{72b_|yJ66UX|&yvrXOsk)_ z3e1!jP83`Y*QjP%*ZU}3v%T5sZj&7Pw8^0QwYR?7tEoaF>5LR$@QJZ>59R~GR-qJu>L z0n4F#jZ#FTNtvOxCJEq#f4~E@d>+pf1~7GD%PXF`-$T5-C8%$o3UvU6cl1QmZOVL1 zmU&ai@ndl0!EvM;yDkh;8T0z%w;!_kow5;?d6=I+3q}V&tk>R)62C24(E=#YNx>yA zKVPsl=}Xd)m1z6QY33q^<-cj4zW)#{tSsY`kwcw+RHD}Y?SKDNFRG}18;cDerMbxH z>~J{Rs1LH!*Ba|eaP-48J*oW69`su1;CY}i$P2aZBOKZHKRI+B$LT&iwV$@hRMq&) zEs>77JXk7#dw-va3v1q*5GuFikCHS7yvxq7Fv{C!xBcyb872ykZF29n060siBB(?A ziST;9r1gI7ul @@ -33916,6 +33925,9 @@ index 000000000..5d279ca35 +type glusterd_tmp_t; +files_tmp_file(glusterd_tmp_t) + ++type glusterd_tmpfs_t; ++files_tmpfs_file(glusterd_tmpfs_t) ++ +type glusterd_log_t; +logging_log_file(glusterd_log_t) + @@ -33954,6 +33966,10 @@ index 000000000..5d279ca35 +files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) +allow glusterd_t glusterd_tmp_t:dir mounton; + ++manage_dirs_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t) ++manage_files_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t) ++fs_tmpfs_filetrans(glusterd_t, glusterd_tmpfs_t, { dir file }) ++ +manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir }) @@ -38150,10 +38166,10 @@ index 000000000..8a2013af9 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 000000000..86a4d31a1 +index 000000000..800eb43a1 --- /dev/null +++ b/gssproxy.te -@@ -0,0 +1,74 @@ +@@ -0,0 +1,75 @@ +policy_module(gssproxy, 1.0.0) + +######################################## 
@@ -38196,6 +38212,7 @@ index 000000000..86a4d31a1
 +files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file })
 +
 +kernel_rw_rpc_sysctls(gssproxy_t)
++kernel_read_network_state(gssproxy_t)
 +
 +domain_use_interactive_fds(gssproxy_t)
 +
@@ -43845,10 +43862,10 @@ index 000000000..bd7e7fa17
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 000000000..f84877209
+index 000000000..d7cf7c7c3
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,102 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@@ -43926,6 +43943,7 @@ index 000000000..f84877209
 + snmp_manage_var_lib_files(keepalived_t)
 + snmp_manage_var_lib_sock_files(keepalived_t)
 + snmp_manage_var_lib_dirs(keepalived_t)
++ snmp_stream_connect(keepalived_t)
 +')
 +
 +########################################
@@ -47497,10 +47515,10 @@ index 000000000..7ba50607c
 +
 diff --git a/linuxptp.te b/linuxptp.te
 new file mode 100644
-index 000000000..7acdb2d40
+index 000000000..37414ae0d
 --- /dev/null
 +++ b/linuxptp.te
-@@ -0,0 +1,180 @@
+@@ -0,0 +1,184 @@
 +policy_module(linuxptp, 1.0.0)
 +
 +
@@ -47670,10 +47688,14 @@ index 000000000..7acdb2d40
 +corenet_udp_bind_generic_node(ptp4l_t)
 +corenet_udp_bind_reserved_port(ptp4l_t)
 +
++kernel_read_network_state(ptp4l_t)
++
 +dev_rw_realtime_clock(ptp4l_t)
 +
 +logging_send_syslog_msg(ptp4l_t)
 +
++userdom_dgram_send(ptp4l_t)
++
 +optional_policy(`
 + chronyd_rw_shm(ptp4l_t)
 +')
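Review bot: The `kernel_read_network_state(ptp4l_t)` line in the @@ -47670 hunk is not covered by the commit message or the spec changelog, which list only the dgram send for ptp4l; the changelog line could read `- Allow ptp4l to read network state and send dgram msgs to user domains`. `userdom_dgram_send(ptp4l_t)` in the same hunk, if as I recall it is keyed on the userdomain attribute, grants sendto towards every user domain rather than only the unprivileged ones the message names; if the narrower scope is intended, either a more specific interface or a comment above the call recording that the broad grant is deliberate would keep rule and description aligned. The ptp4l_t rule block continues outside the hunk.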
@@ -48443,6 +48465,32 @@ index be0ab84b3..af94fb163 100644 +role system_r types logrotate_mail_t; logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) +diff --git a/logwatch.if b/logwatch.if +index 06c3d36ca..2bb771f02 100644 +--- a/logwatch.if ++++ b/logwatch.if +@@ -37,3 +37,21 @@ interface(`logwatch_search_cache_dir',` + files_search_var($1) + allow $1 logwatch_cache_t:dir search_dir_perms; + ') ++ ++####################################### ++## ++## Dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`logwatch_dontaudit_leaks',` ++ gen_require(` ++ type logwatch_t; ++ ') ++ ++ dontaudit $1 logwatch_t:fifo_file { read write }; ++') diff --git a/logwatch.te b/logwatch.te index ab650340c..433d37810 100644 --- a/logwatch.te @@ -54207,7 +54255,7 @@ index 6194b806b..e27c53d6e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4fc..28c1c5f16 100644 +index 11ac8e4fc..bb6533dae 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -54488,11 +54536,11 @@ index 11ac8e4fc..28c1c5f16 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -userdom_use_user_ptys(mozilla_t) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) 
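Review bot: The header comment of the new `logwatch_dontaudit_leaks` interface reads `Dontaudit read and write an leaked file descriptors`; the conventional wording is `Do not audit attempts to read and write leaked logwatch file descriptors`. In this rendering the surrounding `##` lines are bare, which suggests the `<summary>` and `<param name="domain">` tags were stripped by the viewer — worth confirming the committed logwatch.if still carries them so the interface appears in the generated interface documentation. The rule itself covers only `logwatch_t:fifo_file { read write }`; if the denials behind the change also show `fd use`, that class would need a second dontaudit line.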
@@ -54626,34 +54674,34 @@ index 11ac8e4fc..28c1c5f16 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) ++') ++ ++optional_policy(` ++ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ java_domtrans(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ lpd_domtrans_lpr(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ nscd_socket_use(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) -+ nscd_socket_use(mozilla_t) -+') -+ -+optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -54661,7 +54709,7 @@ index 11ac8e4fc..28c1c5f16 100644 ') optional_policy(` -@@ -300,259 +340,261 @@ optional_policy(` +@@ -300,259 +340,265 @@ optional_policy(` ######################################## # @@ -55026,13 +55074,6 @@ index 11ac8e4fc..28c1c5f16 100644 + dbus_session_bus_client(mozilla_plugin_t) + dbus_connect_session_bus(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ gnome_manage_config(mozilla_plugin_t) -+ gnome_read_usr_config(mozilla_plugin_t) -+ gnome_filetrans_home_content(mozilla_plugin_t) -+ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ') optional_policy(` 
@@ -55040,6 +55081,17 @@ index 11ac8e4fc..28c1c5f16 100644 - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") ++ devicekit_dbus_chat_disk(mozilla_plugin_t) ++') ++ ++optional_policy(` ++ gnome_manage_config(mozilla_plugin_t) ++ gnome_read_usr_config(mozilla_plugin_t) ++ gnome_filetrans_home_content(mozilla_plugin_t) ++ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ++') ++ ++optional_policy(` + gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) ') @@ -55069,7 +55121,7 @@ index 11ac8e4fc..28c1c5f16 100644 ') optional_policy(` -@@ -560,7 +602,11 @@ optional_policy(` +@@ -560,7 +606,11 @@ optional_policy(` ') optional_policy(` @@ -55082,7 +55134,7 @@ index 11ac8e4fc..28c1c5f16 100644 ') optional_policy(` -@@ -568,108 +614,144 @@ optional_policy(` +@@ -568,108 +618,144 @@ optional_policy(` ') optional_policy(` @@ -71802,10 +71854,10 @@ index 000000000..02df03ad6 +') diff --git a/pdns.te b/pdns.te new file mode 100644 -index 000000000..63ddc577c +index 000000000..4df7ada2a --- /dev/null +++ b/pdns.te -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +policy_module(pdns, 1.0.2) + +######################################## @@ -71849,6 +71901,8 @@ index 000000000..63ddc577c +allow pdns_t self:unix_dgram_socket create_socket_perms; +pdns_read_config(pdns_t) + ++kernel_read_network_state(pdns_t) ++ +corenet_tcp_bind_dns_port(pdns_t) +corenet_udp_bind_dns_port(pdns_t) + @@ -72037,7 +72091,7 @@ index d2fc677c1..86dce34a2 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454d8..8f0f5fd9c 100644 +index 608f454d8..64782ff03 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) 
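Review bot: `devicekit_dbus_chat_disk(mozilla_plugin_t)` in the @@ -55040 hunk grants D-Bus messaging with the devicekit disk daemon, and dbus_chat interfaces are two-way (send_msg in both directions); unlike most entries in this commit it carries no bug reference saying which plugin operation needs it. A comment above the call naming the motivating denial, e.g. `# needed for <plugin operation> against the disk daemon, see rhbz#<id>`, would make the grant reviewable later. The new optional_policy block is balanced within the hunk; the surrounding mozilla_plugin_t section continues outside it.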
@@ -72056,7 +72110,7 @@ index 608f454d8..8f0f5fd9c 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,335 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,337 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -72189,6 +72243,8 @@ index 608f454d8..8f0f5fd9c 100644 + +kernel_read_network_state(pegasus_openlmi_services_t) + ++miscfiles_read_certs(pegasus_openlmi_services_t) ++ +optional_policy(` + dbus_system_bus_client(pegasus_openlmi_services_t) +') @@ -72398,7 +72454,7 @@ index 608f454d8..8f0f5fd9c 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,25 +368,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,25 +370,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -72433,7 +72489,7 @@ index 608f454d8..8f0f5fd9c 100644 kernel_read_fs_sysctls(pegasus_t) kernel_read_system_state(pegasus_t) kernel_search_vm_sysctl(pegasus_t) -@@ -80,27 +395,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +397,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -72466,7 +72522,7 @@ index 608f454d8..8f0f5fd9c 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +423,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +425,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
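Review bot: `miscfiles_read_certs(pegasus_openlmi_services_t)` in the @@ -72189 hunk is mentioned neither in the commit message nor in the spec changelog, which otherwise list every new grant; a line such as `- Allow pegasus_openlmi_services_t to read certs` would keep the changelog complete. The pegasus_openlmi_services_t rule block starts and ends outside the hunk.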
@@ -72478,7 +72534,7 @@ index 608f454d8..8f0f5fd9c 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +439,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +441,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -72500,21 +72556,21 @@ index 608f454d8..8f0f5fd9c 100644 +optional_policy(` + dbus_system_bus_client(pegasus_t) + dbus_connect_system_bus(pegasus_t) - -- optional_policy(` -- networkmanager_dbus_chat(pegasus_t) -- ') ++ + optional_policy(` + networkmanager_dbus_chat(pegasus_t) + ') +') -+ + +- optional_policy(` +- networkmanager_dbus_chat(pegasus_t) +- ') +optional_policy(` + rhcs_stream_connect_cluster(pegasus_t) ') optional_policy(` -@@ -151,16 +473,24 @@ optional_policy(` +@@ -151,16 +475,24 @@ optional_policy(` ') optional_policy(` @@ -72543,7 +72599,7 @@ index 608f454d8..8f0f5fd9c 100644 ') optional_policy(` -@@ -168,7 +498,7 @@ optional_policy(` +@@ -168,7 +500,7 @@ optional_policy(` ') optional_policy(` @@ -72552,7 +72608,7 @@ index 608f454d8..8f0f5fd9c 100644 ') optional_policy(` -@@ -180,12 +510,17 @@ optional_policy(` +@@ -180,12 +512,17 @@ optional_policy(` ') optional_policy(` @@ -77332,7 +77388,7 @@ index ded95ec3a..210018ce4 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83eca..67f813d34 100644 +index 5cfb83eca..5de033f81 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -78040,7 +78096,7 @@ index 5cfb83eca..67f813d34 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -655,69 +595,80 @@ optional_policy(` +@@ -655,69 +595,84 @@ optional_policy(` ######################################## # 
@@ -78104,6 +78160,10 @@ index 5cfb83eca..67f813d34 100644 term_use_all_ptys(postfix_showq_t) term_use_all_ttys(postfix_showq_t) ++optional_policy(` ++ logwatch_dontaudit_leaks(postfix_showq_t) ++') ++ ######################################## # -# Smtp delivery local policy @@ -78138,7 +78198,7 @@ index 5cfb83eca..67f813d34 100644 ') optional_policy(` -@@ -730,28 +681,32 @@ optional_policy(` +@@ -730,28 +685,32 @@ optional_policy(` ######################################## # @@ -78179,7 +78239,7 @@ index 5cfb83eca..67f813d34 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) -@@ -764,6 +719,7 @@ optional_policy(` +@@ -764,6 +723,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -78187,7 +78247,7 @@ index 5cfb83eca..67f813d34 100644 ') optional_policy(` -@@ -774,31 +730,102 @@ optional_policy(` +@@ -774,31 +734,102 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -93683,7 +93743,7 @@ index 0bf13c220..79a2a9c48 100644 + allow $1 gssd_t:process { noatsecure rlimitinh }; +') diff --git a/rpc.te b/rpc.te -index 2da9fca2f..9099c9800 100644 +index 2da9fca2f..c8afd1e50 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -93888,7 +93948,7 @@ index 2da9fca2f..9099c9800 100644 ') ######################################## -@@ -201,42 +231,64 @@ optional_policy(` +@@ -201,42 +231,66 @@ optional_policy(` # NFSD local policy # @@ -93935,6 +93995,8 @@ index 2da9fca2f..9099c9800 100644 files_manage_mounttab(nfsd_t) +files_read_etc_runtime_files(nfsd_t) ++fs_read_configfs_files(nfsd_t) ++fs_read_configfs_dirs(nfsd_t) +fs_mounton_nfsd_fs(nfsd_t) fs_mount_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) @@ -93964,7 +94026,7 @@ index 2da9fca2f..9099c9800 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +297,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +299,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) 
@@ -93972,7 +94034,7 @@ index 2da9fca2f..9099c9800 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +308,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +310,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -93987,7 +94049,7 @@ index 2da9fca2f..9099c9800 100644 ') ######################################## -@@ -270,7 +321,7 @@ optional_policy(` +@@ -270,7 +323,7 @@ optional_policy(` # GSSD local policy # @@ -93996,7 +94058,7 @@ index 2da9fca2f..9099c9800 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +331,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +333,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -94004,7 +94066,7 @@ index 2da9fca2f..9099c9800 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +340,31 @@ kernel_signal(gssd_t) +@@ -288,25 +342,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -94039,7 +94101,7 @@ index 2da9fca2f..9099c9800 100644 ') optional_policy(` -@@ -314,9 +372,12 @@ optional_policy(` +@@ -314,9 +374,12 @@ optional_policy(` ') optional_policy(` @@ -111403,7 +111465,7 @@ index 5406b6ee8..dc5b46e28 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index d01096386..ae473b2b2 100644 +index d01096386..c491b2f9c 100644 --- a/tgtd.te +++ b/tgtd.te @@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t) @@ -111435,7 +111497,7 @@ index d01096386..ae473b2b2 100644 corenet_tcp_sendrecv_iscsi_port(tgtd_t) corenet_sendrecv_iscsi_client_packets(tgtd_t) -@@ -72,16 +73,16 @@ corenet_tcp_connect_isns_port(tgtd_t) +@@ -72,16 +73,18 @@ corenet_tcp_connect_isns_port(tgtd_t) dev_read_sysfs(tgtd_t) 
@@ -111444,6 +111506,8 @@ index d01096386..ae473b2b2 100644 fs_read_anon_inodefs_files(tgtd_t) ++miscfiles_read_generic_certs(tgtd_t) ++ storage_manage_fixed_disk(tgtd_t) +storage_read_scsi_generic(tgtd_t) +storage_write_scsi_generic(tgtd_t) @@ -120205,11 +120269,12 @@ index 6b72968ea..de409cc61 100644 +userdom_use_inherited_user_terminals(vlock_t) diff --git a/vmtools.fc b/vmtools.fc new file mode 100644 -index 000000000..c5deffb77 +index 000000000..13ee573e4 --- /dev/null +++ b/vmtools.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,6 @@ +/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0) ++/usr/bin/VGAuthService -- gen_context(system_u:object_r:vmtools_exec_t,s0) + +/usr/bin/vmware-user-suid-wrapper -- gen_context(system_u:object_r:vmtools_helper_exec_t,s0) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 6cc0ea75..6014ce95 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 300%{?dist} +Release: 301%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
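Review bot: Labelling `/usr/bin/VGAuthService` as `vmtools_exec_t` in the @@ -120205 hunk runs it in the same domain as vmtoolsd, so it inherits every rule vmtools_t has; whether that is the least privilege the guest-authentication service needs cannot be judged here because vmtools.te is not touched by the change. If the two daemons' access differs materially, a separate domain is the usual answer; otherwise a one-line comment in vmtools.fc recording that sharing vmtools_t is deliberate would make the choice reviewable. The entry is an exact path with the `--` regular-file qualifier, so no regex escaping is needed.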
@@ -717,6 +717,22 @@ exit 0 %endif %changelog +* Fri Nov 03 2017 Lukas Vrabec - 3.13.1-301 +- Merge pull request #37 from milosmalik/rawhide +- Allow mozilla_plugin_t domain to dbus chat with devicekit +- Dontaudit leaked logwatch pipes +- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon. +- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546) +- Allow chronyd daemon to execute chronyc. BZ(1507478) +- Allow pdns to read network system state BZ(1507244) +- Allow gssproxy to read network system state Resolves: rhbz#1507191 +- Allow nfsd_t domain to read configfs_t files/dirs +- Allow tgtd_t domain to read generic certs +- Allow ptp4l to send msgs via dgram socket to unprivileged user domains +- Allow dirsrv_snmp_t to use inherited user ptys and read system state +- Allow glusterd_t domain to create own tmpfs dirs/files +- Allow keepalived stream connect to snmp + * Thu Oct 26 2017 Lukas Vrabec - 3.13.1-300 - Allow zabbix_t domain to change its resource limits - Add new boolean nagios_use_nfs