From 4c61782def6faea26855d418cfaffb1d5e981d66 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Fri, 8 Apr 2016 14:11:58 +0200 Subject: [PATCH] * Fri Apr 08 2016 Lukas Vrabec 3.13.1-182 - rename several contrib modules according to their filenames - Add interface gnome_filetrans_cert_home_content() - By default container domains should not be allowed to create devices - Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t. - Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used - Allow systemd gpt generator to read removable devices. BZ(1323458) - Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454) --- docker-selinux.tgz | Bin 4316 -> 4315 bytes policy-rawhide-base.patch | 20 ++++++++++--- policy-rawhide-contrib.patch | 53 +++++++++++++++++++++++++---------- selinux-policy.spec | 11 +++++++- 4 files changed, 64 insertions(+), 20 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 9c9c4d47815a65f8713442c5e82940cddf6951a0..6e99a9d1aa7d013af55db34e473f7e63be682ff0 100644 GIT binary patch delta 3644 zcmV-C4#V->A=@E;ABzY8O`Zo=00Zq@>yO(u63ozmne$VW9?10cUFk6*-@4v;*>ksd)%ul%9ynFlh?X&AQAK)hZcm3|!)%BYMZ$G?yv4u7Pe;b%yAd%r~ zSdluXz_m^@LRFWNnv4FJn);-~%hl)02-l^(n(06h|BFP4DPO*jUstj<42jQ;k7d4m zy}G#I$fDU{W;M{G3Yl)BnmidX^U+Kcw4j|J<}9TQ71$|diDLgAU7ZoWthjvu@AOse zt?A$RQ;a(&tw@}%QH%VQ2>PE<5pBp5 zvr#!8)Z;rXEc&rNG(5bE}N9o@=ZpcMReRp_1W>Ds&G>UT3B zX3j8O)a?d}ohP9jB1(Ru=#4$u)vTj5Z0M+bR&Kc3y8z_|qXO*4KR1p-F@2EY_=%1&xXX@Ksm)6E4b?v8`EEh(eNgW_K9QP65a%k1s~=X)TaSOnbJ zB@mdt8Vo=fC3#v1UB^VMb1}t}pg=D4QXUr2l|>~C=O5d{Px@rnrHUu74bq}Xg^#JLB5rfv zC4_-;Q!A!TE%%m#-=KKZcm!P_hsDZS8@@9Et3u(rfl&o=emtV!4{!<{!~V|`8ijhE zz&@sRS>&@kfk#*F=gUm9hwwO_XW86Z>$f{fl&Ab`sl~cCk z+z~!w%|~KQ6*%Hk+>07jGAgXfERFYEEmeFg16qhS3#L;3=SKTT{QL5#35qak*j66p zce50{sl?L%%%^N>ms1EzcLu(L47njBhI@)#CZO@5m2A6{8vupcA8 zf?`xQmNK62U*q;_cq3okuj>(c6frQXlo>)}!tb$)H+Qcar>n51U#CDQ2*B- ze-5g$X8Js%lBPyLqv2pp5v}y-^#%tP@>Q^oGD=`3mU(vB7k<*0L?kbZP?$o6Xcu*# zFGYJuo7Ep-nuPH-DmDaLa~?ryMoo#@(LPOBwyQn9Z_VAO`K=iq=|x+kFr3R zOt>G(V@K)OQIf51z~hNlX_m5m@F|G5<*o>BQ!ry|_y!1TN?4i%`E5}qK|z>E2l8(a zTIvb|exr_dfXUVXiP)1gAI!`dT3{a%;T-RmZ8d5ZW(`3ju>+Y|qG8|%^AVVj6*Q4-AP;z=C zICU%M)&tZ-tbh2IUI~( z(GI?YFkQi?z)Vo`DKJNXn6Ti3Fz!X~ystT9*?k3KLt{F~EDu(RPnYr-e}pc{I}m5$ zYI$K?#eYKxF4^k2a4EajzhB2{E&5JBNo`bxp_YC7vy5bAFk%F>?RbsQ7Je2alSgeL z1H@0<3|nB5K)SyZe)zwqG0UifVuu+1c9<27w5Pc0Nx%BBn? 
z1vfnNU!dt#_7`?f{;(ha%>g(x%X5`~8&tr#Ax%wfSlA9N=)$)6kJ z$KT5rL3SUD8csYe8qKCAQ5<41N1Y}Fx7JOX;75h|QTS}|f9Iacj4FOxl_ld}VE1LwNXg@-YzGEWh7LN4oQoic~x--E5{4 z#-E2xHg%hZ{p3oC2Kdwo=XGK>_tQX9wypei3CQJKxAEf`aX;ep$5`eulXO^GMl*C`Y)uj!KZ`>hb|8`cE zm7mFtC^u;})|5hwfZ}lP(fAMir9dh?b#co5@`^kMMsY*!V zZ7kp)C2>=yMu_4<=nmZSe8dLa^G~3qDg13U@wE+(UkgdPTJ{>+?M_!r$8_O6SDgOX zS_$CB=5Zy5y4Y0jQpxY~!-`n?1!!fIXye({hLS`L6K!`0DAC-Hub$($y@~ztjuX2BJER@_G}R zKzPXBDglF3N0xY_A6K?yLS!wZJq;(N%Dhh^v=r3kQ*EktZQ(n<4KV75C98(2Yyo~1 zuR5BJqbLO7ZQH2dA{IuJy<^2cuA({4!FL5Te=Hulq@7K`MU+SJHZ3}vuc)7N^|4NC zvV*lt+=GAV6-lG_pNf{#8#@K8h;YDgk1h)8*%sWBMahcyQv7uQiqA&yfP9pbjaw8dZW)s{7Ada-4*QH!Qt zt9RvKTnp~ zi!41)UZ2)TUv-?rNUcjATPgT!i*5Mle+}>)FEI3cXD7A{i5y1;5Ez+xWO-yTeMYua zL=gjq%2~93?lwgOM%Z{4!?&?;hIV%uVdh4M&2&*HVmIB9gONfW;z(!XnXSX zaO8o*s8P`IgQ@Xz6ur>5-6J78U!du{31CfOIwV#DzJA6IYRynWyM`~UAxfB*lBT$h*`zx+*>Z1VT81KyO(u63` zeEE8Halw&Av%}14php!l-9|NeGGgYVnJ8#MJ3-7@N*OA!Q_2#>{yn-nBYatL`vBhQ ztJ+)BzwxIScTQT7I9;bCk(+-f?s}waxp;?(SaoDRaL;`#b9R6>xNOt|#Ox6CKcgbr zkSAuNaz3cXu~HKIVRlM!4?Yi%XX*Nj^<*||W697qJ;I9lOy1*(`$w>SU}ehHA0T6j zu6(3q4_$QRzeoCA%CvNR6(j9VWaY!}i+hEc2P^bR{g$}catf)=tIMTnzt z;A6zfr&6xDWfc-ZOB{0%&FM<;hH(~A>gkHN_4`^8*UTnq(z<%^;N&l!dnh@>0xl<<_MDufS655?mXB zV@H3+Fh1Z%pjTeUe?yav18sl$5O3>HsQNC1&W|HlyhKdaMqy%CR077#H7VE}@#59* zW4HP?1LODc~{6x_kd$OxpM`_s5QTeRgaJ6><$_>f|xGi&HFSOjIG+Y43^YfVq6z+sw7`!zb2i#(f@H);?kh;VG!EC^#;sSqiqHxJ6gzP@< z^sUyz+rJ6~jQ$OPDc+Qw)R58u-C3ub3sT%22X9+aMvn)@z1*Xq)r6MW-389~KtQnw zxU)+jFnu)`fG|q(v=F+EiCE`iiYGyVTUjeDnAT;H&+-HwVWId4=SMB>T#{P4fdI$a{9zY$+}-qVifw;o$U~O#Meqq+*czr7 z&~#Honegg@&mSiQAppxQuA^1;Kb(Q{vKyH;uTl>(%b?m~Mgfj-3n3$`aw#46li8WQ=h);1ZYE;Rnuqv}O-gC87@vRJKA=)gMO8K7~?IZE;%cCYJ!l+?e zd6eJHQt+0iRL+0EM>@HFgj2T={IyGK{}h+Zr7`k|eT>w9zrS(Rf8Tt2s{j5HmvHpMyi6dLJ`>vTD!9J5y11HU zqn0m%pGbe4!Q+oUGB_qnZUhoSV|ijx$+HTAsekZZg58#Yi&N_~eZ=jP$`kNt9zy+J zfBZS9%9`o(j7pjs0gZ-(HAS@2qt_c8SjbnwI?5=4nONr8WncJ7UlNhLEJ9%l6{20# zeZCa!A#GNFglQ7S+o;$OY|VKDr5QCPTEii-rRjevNglj)COsqMmq(3Z%{MWssF!^g 
z;bZ^a_$>XQhdDgM+vsN9&pNG^$c^I)!Nuq1h}B(Z4k|l~pW>!GFFETFTHI{{L-Z(r z^P%>046ZDR;LFs>!&#@f$HTj_4-wAHW?K#O%8&>AFd2AbpJ7cqEb!A}LIQ{E-7Dru zcbI>SegD$UZ_`;YoqUwa7U-L2eJYE;J!KS!hHQUkwO9=L@T;$Cx-@Z~X_F=jRzAuC zVKU)!oJY~E` zDi2USz3LJ5AqW;%4`pqV9_uJiyN)-(ia+tRp%p0-u($pQ z&NS%Ga?aj{qEC~$mdsUIIFq+u2|5*E^fb&5WSxmkn};&Pj@<7wAr1ftPQv1$;TwPa z-Q(G5;};u3FaJAj>>g%o@9_*=F@M5=^W)Iqvp$@jI{1zKYx>artP`})$?iUd_wgF@ zRviYP&+P}=9^VX1}`I{y~zFBvFO_kvg>jW7(*}EQvM}m^m zBf-h@Mt{TpJ!9^J?9=8yG6K0f9e{tK%9aj*SY;2NiCdXvGkp#`AB1r)dgp!38O!b~5E~lPL1uZdN_@JM#~^=nN#21t z6IaU%<0}3eLU74e&xK3bz5e|=R%_9B`blb|Dh##k+n;45D}xaupl!!%gtqXrAelUB z6B!_W;%3+alLSJ?U0L4_((uFoJ&jpL9TYpn@VCRPXuKuK05(ROrm2z%Evzu+M*&gH z(mPPX#Dteb37&2?39q`BaH4;O_NKH{r?WgwwK5WR=iMf{C0S-O;v_MumHyl^RtxS(wA<~H7G=xQI{w@9BIYyU}X*q{`sIgp-KMS z7(f1Az6i4WSk!RhanWctHHqR7i#h5vA-J_}(gZ&$%#XrngFk=wRAyB1+o~)X{{s83 z`YKBm(HkF4lS*LufkNi}$$t4B*sFPTqQdgy6CJ|Cual2~*k<|tPCC+^k5r`MVd-Ww zoiP49Y_h4_H0&o=N;JTyPB^axJlCo{(uS-BK=ems_$B6q8r$5FrkC~*y(i%6v zQ?n7i&|O-=<6D2MOPAa8?}kto@^=I~C#eRJ9AKD(dVy7T_*II+;XpYkyzW_3aF-Np zJ+Fu8oFeu}dJncP#ae;~YHlv3qh_?gFffrot!8eh8bD554cQ&H3al<|SbXCS5&O5Z zvaI|}ZbZ3BtFfjOVgwY2doP#a$XqJ7578rY?dony9gcsGlj@MWM=Ew3s@_lTLrGOa z5^rMx|0s!@IyFKR7eaU7mggfj;GTa1EluHXtBJ2|aQs?G($%up&~A6SVmhV^@44di z$JSDCpKYcu$Nx~ywgJ7&R$ZTs$A##Q>1crMO#x9=sIHt>X6cL3}mg`1W;#Lsty&&O9!pX_#=s+O*1q5h>_ur?6YX_VKS z&;-Im_ErfPq&l+18~wPlB@-fRA?;~6DOKiu5}~D_E}v>swQCFC@oj)nKP*`_RAmeB zt9aGXbR0z?2yfd){T8t>qU;?j{&5w}aSpyKpkaUU&?W6`0xqIFinnRe*?dL)q^pm0 zT9X~DUE&`6ORq>8z5jGPXdiXKJ@rCtl2IqOU^ccTp5vHzY0W%wglMyUety%d_^#%V z!k)V-@14-9v8SDaMCJ7ciIf6&sQ8MSq%VSXS)+e1x!Tt!LMldW4fB;QZqlQX7Rl_$ z=;D8cpn``Y!capJVL?R73r&r|*gmW|0J*r1N(ynDvgi=E6{aozg0Hr$LDP#Zn~hpD z^;*3v2jfatn6%v_Nfh(WGJwFy%p=PqgXuG} zr6P(LFjUT>{d2b|8Zg4fyBNNWg)_9f%Lq%)l!9Z)qplIYVauW3V%272wqi@U@wY^V zO1ng1|f+4%xZ=S=`>3M0p=>ZtlK6Oyr-b|hu0=)QJo{Qt!z zWPY)J%oiJm-~YIJbMxk1@BNRf)8GI9BG)Bm#xH-9C7b*`EO`WSCU@56gZ#sY^#`-d P4+sGWfHHL!0C)fZo|zp3 
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 5e5ccccc..9a9cb7ec 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -26525,10 +26525,10 @@ index 0000000..03faeac + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..31076d7 +index 0000000..bca9f3c --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,345 @@ +@@ -0,0 +1,349 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -26766,6 +26766,10 @@ index 0000000..31076d7 + gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t) + ') + ++ optional_policy(` ++ gnome_filetrans_cert_home_content(unconfined_t) ++ ') ++ + optional_policy(` + ipsec_mgmt_dbus_chat(unconfined_t) + ') @@ -48023,10 +48027,10 @@ index 0000000..3380372 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..d8fdd7b +index 0000000..6c16f21 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,920 @@ +@@ -0,0 +1,928 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48870,11 +48874,14 @@ index 0000000..d8fdd7b +# systemd_gpt_generator domain +# + ++allow systemd_gpt_generator_t self:capability sys_rawio; ++ +dev_read_sysfs(systemd_gpt_generator_t) +dev_write_kmsg(systemd_gpt_generator_t) +dev_read_nvme(systemd_gpt_generator_t) + +storage_raw_read_fixed_disk(systemd_gpt_generator_t) ++storage_raw_read_removable_device(systemd_gpt_generator_t) + +allow systemd_gpt_generator_t systemd_gpt_generator_unit_file_t:file manage_file_perms; +systemd_unit_file_filetrans(systemd_gpt_generator_t, systemd_gpt_generator_unit_file_t, file) 
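Review bot: The added `allow systemd_gpt_generator_t self:capability sys_rawio;` in the systemd_gpt_generator section has no comment, although sys_rawio is a broad capability that covers raw port and memory access as well as device-specific commands. I would record the reason beside the rule, for example `# sys_rawio: device commands issued while probing disks, BZ(1323454)`, and check the denial in that bug to confirm the generator actually fails without it and that a dontaudit would not be enough. The same applies to `storage_raw_read_removable_device(systemd_gpt_generator_t)` in this hunk, which the changelog ties to BZ(1323458). In the later systemd_resolved hunk, `allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;` is not mentioned in the changelog at all, so a changelog line or comment saying what needs it would help a later audit.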
@@ -48889,6 +48896,7 @@ index 0000000..d8fdd7b +allow systemd_resolved_t self:capability { chown setgid setpcap setuid }; +allow systemd_resolved_t self:process setcap; +allow systemd_resolved_t self:tcp_socket { accept listen }; ++allow systemd_resolved_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) +manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) @@ -48899,9 +48907,13 @@ index 0000000..d8fdd7b + +kernel_dgram_send(systemd_resolved_t) + ++auth_read_passwd(systemd_resolved_t) ++ +corenet_tcp_bind_llmnr_port(systemd_resolved_t) +corenet_udp_bind_llmnr_port(systemd_resolved_t) + ++dev_write_kmsg(systemd_resolved_t) ++ +sysnet_manage_config(systemd_resolved_t) + +optional_policy(` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 31b767e3..f8463ffc 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -31776,11 +31776,11 @@ index 0000000..fc9bf19 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..b974353 +index 0000000..74ec2fd --- /dev/null +++ b/glusterd.te @@ -0,0 +1,295 @@ -+policy_module(glusterfs, 1.1.2) ++policy_module(glusterd, 1.1.3) + +## +##

@@ -32360,7 +32360,7 @@ index e39de43..5edcb83 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..0734f6b 100644 +index ab09d61..980f1f6 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,76 @@ @@ -33409,7 +33409,7 @@ index ab09d61..0734f6b 100644 ## ## ##

-@@ -706,12 +815,985 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -706,12 +815,1003 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -34318,6 +34318,24 @@ index ab09d61..0734f6b 100644 + gnome_cache_filetrans($1, config_home_t, dir, "dconf") +') + ++###################################### ++## ++## File name transition for generic home content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_filetrans_cert_home_content',` ++ gen_require(` ++ type home_cert_t; ++ ') ++ ++ gnome_data_filetrans($1, home_cert_t, dir, "certificates") ++') ++ +######################################## +## +## Create gnome directory in the /root directory @@ -67157,9 +67175,15 @@ index bf59ef7..0e33327 100644 +') + diff --git a/passenger.te b/passenger.te -index 08ec33b..3b92c4d 100644 +index 08ec33b..3ad995c 100644 --- a/passenger.te +++ b/passenger.te +@@ -1,4 +1,4 @@ +-policy_module(passanger, 1.1.1) ++policy_module(passenger, 1.1.2) + + ######################################## + # @@ -14,6 +14,9 @@ role system_r types passenger_t; type passenger_log_t; logging_log_file(passenger_log_t) @@ -87969,11 +87993,11 @@ index 0000000..0be4cee +') diff --git a/rkhunter.te b/rkhunter.te new file mode 100644 -index 0000000..aa2d09e +index 0000000..44de480 --- /dev/null +++ b/rkhunter.te @@ -0,0 +1,4 @@ -+policy_module(rhhunter, 1.0) ++policy_module(rkhunter, 1.1) + +type rkhunter_var_lib_t; +files_type(rkhunter_var_lib_t) @@ -103246,11 +103270,11 @@ index 0000000..80c6480 +') diff --git a/stapserver.te b/stapserver.te new file mode 100644 -index 0000000..bc92f68 +index 0000000..e847ea3 --- /dev/null +++ b/stapserver.te @@ -0,0 +1,114 @@ -+policy_module(systemtap, 1.1.0) ++policy_module(stapserver, 1.1.1) + +######################################## +# @@ -111647,7 +111671,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..2a1d3e5 100644 +index f03dcf5..5e41cd6 100644 --- a/virt.te 
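Review bot: The summary on the new `gnome_filetrans_cert_home_content` interface, "File name transition for generic home content files.", looks copied from a neighbouring interface and does not describe the body, which requires `home_cert_t` and calls `gnome_data_filetrans($1, home_cert_t, dir, "certificates")`. I would reword it along the lines of `Create a directory named "certificates" in the gnome data home directory with the home_cert_t type.` The transition keys only on the directory name, so it presumably applies in any directory carrying the gnome data type, not only under ~/.local/share/networkmanagement/ as the changelog describes. If that wider match is intended, the description should say so, since it determines what ends up labeled home_cert_t and therefore readable by domains allowed to read user certificates.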
+++ b/virt.te @@ -1,451 +1,395 @@ @@ -113207,7 +113231,7 @@ index f03dcf5..2a1d3e5 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1237,355 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1237,354 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -113290,7 +113314,6 @@ index f03dcf5..2a1d3e5 100644 +manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain svirt_sandbox_file_t:dir { execmod relabelfrom relabelto }; +virt_mounton_sandbox_file(svirt_sandbox_domain) @@ -113704,7 +113727,7 @@ index f03dcf5..2a1d3e5 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1597,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -113719,7 +113742,7 @@ index f03dcf5..2a1d3e5 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1616,7 @@ optional_policy(` +@@ -1192,7 +1615,7 @@ optional_policy(` ######################################## # 
@@ -113728,7 +113751,7 @@ index f03dcf5..2a1d3e5 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1625,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1624,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 833b2640..aa9e7a9e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 181%{?dist} +Release: 182%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -653,6 +653,15 @@ exit 0 %endif %changelog +* Fri Apr 08 2016 Lukas Vrabec 3.13.1-182 +- rename several contrib modules according to their filenames +- Add interface gnome_filetrans_cert_home_content() +- By default container domains should not be allowed to create devices +- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t. +- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used +- Allow systemd gpt generator to read removable devices. BZ(1323458) +- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454) + * Fri Apr 01 2016 Lukas Vrabec 3.13.1-181 - Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075) - /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)