rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

* Fri Sep 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-215

Browse Source 
- Make tor_var_run_t as mountpoint. BZ(1368621)
- Fix typo in ftpd SELinux module.
- Allow cockpit-session to reset expired passwords BZ(1374262)
- Allow ftp daemon to manage apache_user_content
- Label /etc/sysconfig/oracleasm as oracleasm_conf_t
- Allow oracleasm to rw inherited fixed disk device
- Allow collectd to connect on unix_stream_socket
- Add abrt_dump_oops_t kill user namespace capability. BZ(1376868)
- Dontaudit systemd is mounting unlabeled dirs BZ(1367292)
- Add interface files_dontaudit_mounton_isid()
This commit is contained in:
Lukas Vrabec 2016-09-23 10:24:25 +02:00
parent c49229e77f
commit 4efe5ab99f
4 changed files with 349 additions and 277 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
docker-selinux.tgz
View File

Binary file not shown.

315
policy-rawhide-base.patch
View File

@ -10993,7 +10993,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f962f76..0a685ac 100644
index f962f76..e06a46c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -12840,20 +12840,39 @@ index f962f76..0a685ac 100644
')
########################################
@@ -3503,10 +4341,10 @@ interface(`files_manage_isid_type_blk_files',`
@@ -3503,10 +4341,29 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:chr_file manage_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit Moundon directories on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_mounton_isid',`
+ gen_require(`
+ type unlabeled_t;
')
- allow $1 file_t:chr_file manage_chr_file_perms;
+ allow $1 unlabeled_t:chr_file manage_chr_file_perms;
+ dontaudit $1 unlabeled_t:dir mounton;
')
########################################
@@ -3552,6 +4390,27 @@ interface(`files_dontaudit_getattr_home_dir',`
@@ -3552,6 +4409,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
## <summary>
@ -12881,7 +12900,7 @@ index f962f76..0a685ac 100644
## Search home directories root (/home).
## </summary>
## <param name="domain">
@@ -3814,20 +4673,38 @@ interface(`files_list_mnt',`
@@ -3814,20 +4692,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@ -12925,7 +12944,7 @@ index f962f76..0a685ac 100644
')
########################################
@@ -4012,6 +4889,12 @@ interface(`files_read_kernel_modules',`
@@ -4012,6 +4908,12 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
@ -12938,7 +12957,7 @@ index f962f76..0a685ac 100644
')
########################################
@@ -4217,174 +5100,218 @@ interface(`files_read_world_readable_sockets',`
@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@ -13243,7 +13262,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4392,53 +5319,56 @@ interface(`files_read_generic_tmp_files',`
@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',`
## </summary>
## </param>
#
@ -13312,7 +13331,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4446,35 +5376,37 @@ interface(`files_read_generic_tmp_symlinks',`
@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',`
## </summary>
## </param>
#
@ -13358,7 +13377,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4482,59 +5414,55 @@ interface(`files_setattr_all_tmp_dirs',`
@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
@ -13439,7 +13458,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4542,110 +5470,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
## </summary>
## </param>
#
@ -13578,7 +13597,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4653,22 +5569,17 @@ interface(`files_tmp_filetrans',`
@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',`
## </summary>
## </param>
#
@ -13605,7 +13624,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4676,17 +5587,17 @@ interface(`files_purge_tmp',`
@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',`
## </summary>
## </param>
#
@ -13627,7 +13646,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4694,18 +5605,17 @@ interface(`files_setattr_usr_dirs',`
@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',`
## </summary>
## </param>
#
@ -13650,7 +13669,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4713,35 +5623,35 @@ interface(`files_search_usr',`
@@ -4713,35 +5642,35 @@ interface(`files_search_usr',`
## </summary>
## </param>
#
@ -13695,7 +13714,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4749,36 +5659,35 @@ interface(`files_dontaudit_write_usr_dirs',`
@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',`
## </summary>
## </param>
#
@ -13741,7 +13760,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4786,17 +5695,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
## </summary>
## </param>
#
@ -13763,7 +13782,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4804,73 +5713,59 @@ interface(`files_delete_usr_dirs',`
@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',`
## </summary>
## </param>
#
@ -13856,7 +13875,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4878,55 +5773,58 @@ interface(`files_read_usr_files',`
@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',`
## </summary>
## </param>
#
@ -13931,7 +13950,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4934,67 +5832,70 @@ interface(`files_manage_usr_files',`
@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',`
## </summary>
## </param>
#
@ -14020,7 +14039,7 @@ index f962f76..0a685ac 100644
## </summary>
## </param>
## <param name="name" optional="true">
@@ -5003,35 +5904,50 @@ interface(`files_read_usr_symlinks',`
@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',`
## </summary>
## </param>
#
@ -14080,7 +14099,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5039,20 +5955,17 @@ interface(`files_dontaudit_search_src',`
@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',`
## </summary>
## </param>
#
@ -14105,7 +14124,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5060,20 +5973,18 @@ interface(`files_getattr_usr_src_files',`
@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',`
## </summary>
## </param>
#
@ -14130,7 +14149,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5081,38 +5992,35 @@ interface(`files_read_usr_src_files',`
@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',`
## </summary>
## </param>
#
@ -14178,7 +14197,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5120,37 +6028,36 @@ interface(`files_create_kernel_symbol_table',`
@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',`
## </summary>
## </param>
#
@ -14226,7 +14245,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5158,35 +6065,35 @@ interface(`files_delete_kernel_symbol_table',`
@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',`
## </summary>
## </param>
#
@ -14271,7 +14290,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5194,36 +6101,55 @@ interface(`files_dontaudit_write_var_dirs',`
@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',`
## </summary>
## </param>
#
@ -14337,7 +14356,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5231,36 +6157,37 @@ interface(`files_dontaudit_search_var',`
@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',`
## </summary>
## </param>
#
@ -14385,7 +14404,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5268,17 +6195,17 @@ interface(`files_manage_var_dirs',`
@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',`
## </summary>
## </param>
#
@ -14407,7 +14426,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5286,17 +6213,17 @@ interface(`files_read_var_files',`
@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',`
## </summary>
## </param>
#
@ -14429,7 +14448,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5304,73 +6231,86 @@ interface(`files_append_var_files',`
@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',`
## </summary>
## </param>
#
@ -14536,7 +14555,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5378,50 +6318,41 @@ interface(`files_read_var_symlinks',`
@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',`
## </summary>
## </param>
#
@ -14601,7 +14620,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5429,69 +6360,56 @@ interface(`files_var_filetrans',`
@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',`
## </summary>
## </param>
#
@ -14686,7 +14705,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5499,17 +6417,18 @@ interface(`files_dontaudit_search_var_lib',`
@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',`
## </summary>
## </param>
#
@ -14710,7 +14729,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5517,70 +6436,54 @@ interface(`files_list_var_lib',`
@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',`
## </summary>
## </param>
#
@ -14794,7 +14813,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5588,41 +6491,36 @@ interface(`files_read_var_lib_files',`
@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',`
## </summary>
## </param>
#
@ -14846,7 +14865,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5630,36 +6528,36 @@ interface(`files_manage_urandom_seed',`
@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',`
## </summary>
## </param>
#
@ -14893,7 +14912,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5667,38 +6565,35 @@ interface(`files_setattr_lock_dirs',`
@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',`
## </summary>
## </param>
#
@ -14941,7 +14960,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5706,19 +6601,17 @@ interface(`files_dontaudit_search_locks',`
@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@ -14965,7 +14984,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5726,60 +6619,54 @@ interface(`files_list_locks',`
@@ -5726,60 +6638,54 @@ interface(`files_list_locks',`
## </summary>
## </param>
#
@ -15041,7 +15060,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5787,20 +6674,18 @@ interface(`files_relabel_all_lock_dirs',`
@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',`
## </summary>
## </param>
#
@ -15067,7 +15086,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5808,63 +6693,68 @@ interface(`files_getattr_generic_locks',`
@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',`
## </summary>
## </param>
#
@ -15159,7 +15178,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5872,101 +6762,87 @@ interface(`files_delete_all_locks',`
@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',`
## </summary>
## </param>
#
@ -15296,7 +15315,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5974,19 +6850,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
## </summary>
## </param>
#
@ -15320,7 +15339,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5994,39 +6868,52 @@ interface(`files_setattr_pid_dirs',`
@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',`
## </summary>
## </param>
#
@ -15386,44 +15405,35 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6034,18 +6921,18 @@ interface(`files_dontaudit_search_pids',`
@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',`
## </summary>
## </param>
#
-interface(`files_list_pids',`
+interface(`files_read_var_lib_files',`
gen_require(`
- type var_t, var_run_t;
+ type var_t, var_lib_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+ allow $1 var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
########################################
## <summary>
-## Read generic process ID files.
+')
+
+########################################
+## <summary>
+## Read generic symbolic links in /var/lib
## </summary>
## <param name="domain">
## <summary>
@@ -6053,19 +6940,1283 @@ interface(`files_list_pids',`
## </summary>
## </param>
#
-interface(`files_read_generic_pids',`
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_var_lib_symlinks',`
gen_require(`
- type var_t, var_run_t;
+ gen_require(`
+ type var_t, var_lib_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, var_run_t)
- read_files_pattern($1, var_run_t, var_run_t)
+ ')
+
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+')
+
@ -16522,9 +16532,11 @@ index f962f76..0a685ac 100644
+interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
+ ')
+
type var_t, var_run_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, var_run_t)
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
@ -16694,18 +16706,43 @@ index f962f76..0a685ac 100644
########################################
## <summary>
-## Write named generic process ID pipes
-## Read generic process ID files.
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
## </summary>
## <param name="domain">
## <summary>
@@ -6073,43 +8224,170 @@ interface(`files_read_generic_pids',`
@@ -6053,19 +8243,18 @@ interface(`files_list_pids',`
## </summary>
## </param>
#
-interface(`files_read_generic_pids',`
+interface(`files_manage_generic_spool_dirs',`
gen_require(`
- type var_t, var_run_t;
+ type var_t, var_spool_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, var_run_t)
- read_files_pattern($1, var_run_t, var_run_t)
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
')
########################################
## <summary>
-## Write named generic process ID pipes
+## Read generic spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',`
## </summary>
## </param>
#
-interface(`files_write_generic_pid_pipes',`
+interface(`files_manage_generic_spool_dirs',`
+interface(`files_read_generic_spool',`
gen_require(`
- type var_run_t;
+ type var_t, var_spool_t;
@ -16713,32 +16750,13 @@ index f962f76..0a685ac 100644
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- allow $1 var_run_t:fifo_file write;
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ list_dirs_pattern($1, var_t, var_spool_t)
+ read_files_pattern($1, var_spool_t, var_spool_t)
')
########################################
## <summary>
-## Create an object in the process ID directory, with a private type.
+## Read generic spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_generic_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ list_dirs_pattern($1, var_t, var_spool_t)
+ read_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete generic
+## spool files.
+## </summary>
@ -16898,7 +16916,7 @@ index f962f76..0a685ac 100644
## </p>
## </desc>
## <param name="domain">
@@ -6117,80 +8395,157 @@ interface(`files_write_generic_pid_pipes',`
@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',`
## Domain allowed access.
## </summary>
## </param>
@ -17085,7 +17103,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6198,19 +8553,17 @@ interface(`files_rw_generic_pids',`
@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',`
## </summary>
## </param>
#
@ -17109,7 +17127,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6218,18 +8571,17 @@ interface(`files_dontaudit_getattr_all_pids',`
@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',`
## </summary>
## </param>
#
@ -17132,7 +17150,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6237,129 +8589,119 @@ interface(`files_dontaudit_write_all_pids',`
@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',`
## </summary>
## </param>
#
@ -17302,7 +17320,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6367,18 +8709,19 @@ interface(`files_mounton_all_poly_members',`
@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',`
## </summary>
## </param>
#
@ -17327,7 +17345,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6386,132 +8729,227 @@ interface(`files_search_spool',`
@@ -6386,132 +8748,227 @@ interface(`files_search_spool',`
## </summary>
## </param>
#
@ -17601,7 +17619,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6519,53 +8957,17 @@ interface(`files_spool_filetrans',`
@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
@ -17659,7 +17677,7 @@ index f962f76..0a685ac 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6573,10 +8975,10 @@ interface(`files_polyinstantiate_all',`
@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',`
## </summary>
## </param>
#
@ -37454,7 +37472,7 @@ index 79a45f6..d092e6e 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..b37411d 100644
index 17eda24..6e568f7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -37763,7 +37781,7 @@ index 17eda24..b37411d 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
@@ -186,29 +336,266 @@ ifdef(`distro_gentoo',`
@@ -186,29 +336,267 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@ -37907,6 +37925,7 @@ index 17eda24..b37411d 100644
+files_relabel_var_dirs(init_t)
+files_relabel_var_lib_dirs(init_t)
+files_read_kernel_modules(init_t)
+files_dontaudit_mounton_isid(init_t)
+fs_getattr_all_fs(init_t)
+fs_manage_cgroup_dirs(init_t)
+fs_manage_cgroup_files(init_t)
@ -38039,7 +38058,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
@@ -216,7 +603,30 @@ optional_policy(`
@@ -216,7 +604,30 @@ optional_policy(`
')
optional_policy(`
@ -38071,7 +38090,7 @@ index 17eda24..b37411d 100644
')
########################################
@@ -225,9 +635,9 @@ optional_policy(`
@@ -225,9 +636,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38083,7 +38102,7 @@ index 17eda24..b37411d 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -258,12 +668,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
@@ -258,12 +669,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38100,7 +38119,7 @@ index 17eda24..b37411d 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -279,23 +693,36 @@ kernel_change_ring_buffer_level(initrc_t)
@@ -279,23 +694,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@ -38143,7 +38162,7 @@ index 17eda24..b37411d 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
@@ -303,9 +730,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
@@ -303,9 +731,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@ -38155,7 +38174,7 @@ index 17eda24..b37411d 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -313,8 +742,10 @@ dev_write_framebuffer(initrc_t)
@@ -313,8 +743,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@ -38166,7 +38185,7 @@ index 17eda24..b37411d 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -322,8 +753,7 @@ dev_manage_generic_files(initrc_t)
@@ -322,8 +754,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@ -38176,7 +38195,7 @@ index 17eda24..b37411d 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
@@ -332,7 +762,6 @@ domain_sigstop_all_domains(initrc_t)
@@ -332,7 +763,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@ -38184,7 +38203,7 @@ index 17eda24..b37411d 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
@@ -340,6 +769,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
@@ -340,6 +770,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38192,7 +38211,7 @@ index 17eda24..b37411d 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
@@ -347,14 +777,15 @@ files_getattr_all_symlinks(initrc_t)
@@ -347,14 +778,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@ -38210,7 +38229,7 @@ index 17eda24..b37411d 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
@@ -364,8 +795,12 @@ files_list_isid_type_dirs(initrc_t)
@@ -364,8 +796,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@ -38224,7 +38243,7 @@ index 17eda24..b37411d 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -375,10 +810,11 @@ fs_mount_all_fs(initrc_t)
@@ -375,10 +811,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@ -38238,7 +38257,7 @@ index 17eda24..b37411d 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
@@ -387,8 +823,10 @@ mls_process_read_up(initrc_t)
@@ -387,8 +824,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@ -38249,7 +38268,7 @@ index 17eda24..b37411d 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
@@ -398,6 +836,7 @@ term_use_all_terms(initrc_t)
@@ -398,6 +837,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@ -38257,7 +38276,7 @@ index 17eda24..b37411d 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
@@ -416,20 +855,18 @@ logging_read_all_logs(initrc_t)
@@ -416,20 +856,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@ -38281,7 +38300,7 @@ index 17eda24..b37411d 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
@@ -451,7 +888,6 @@ ifdef(`distro_gentoo',`
@@ -451,7 +889,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@ -38289,7 +38308,7 @@ index 17eda24..b37411d 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
@@ -486,6 +922,10 @@ ifdef(`distro_gentoo',`
@@ -486,6 +923,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@ -38300,7 +38319,7 @@ index 17eda24..b37411d 100644
alsa_read_lib(initrc_t)
')
@@ -506,7 +946,7 @@ ifdef(`distro_redhat',`
@@ -506,7 +947,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -38309,7 +38328,7 @@ index 17eda24..b37411d 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -521,6 +961,7 @@ ifdef(`distro_redhat',`
@@ -521,6 +962,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@ -38317,7 +38336,7 @@ index 17eda24..b37411d 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
@@ -541,6 +982,7 @@ ifdef(`distro_redhat',`
@@ -541,6 +983,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@ -38325,7 +38344,7 @@ index 17eda24..b37411d 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
@@ -550,8 +992,44 @@ ifdef(`distro_redhat',`
@@ -550,8 +993,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@ -38370,7 +38389,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
@@ -559,14 +1037,31 @@ ifdef(`distro_redhat',`
@@ -559,14 +1038,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -38402,7 +38421,7 @@ index 17eda24..b37411d 100644
')
')
@@ -577,6 +1072,39 @@ ifdef(`distro_suse',`
@@ -577,6 +1073,39 @@ ifdef(`distro_suse',`
')
')
@ -38442,7 +38461,7 @@ index 17eda24..b37411d 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -589,6 +1117,8 @@ optional_policy(`
@@ -589,6 +1118,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -38451,7 +38470,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
@@ -610,6 +1140,7 @@ optional_policy(`
@@ -610,6 +1141,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@ -38459,7 +38478,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
@@ -626,6 +1157,17 @@ optional_policy(`
@@ -626,6 +1158,17 @@ optional_policy(`
')
optional_policy(`
@ -38477,7 +38496,7 @@ index 17eda24..b37411d 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -642,9 +1184,13 @@ optional_policy(`
@@ -642,9 +1185,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@ -38491,7 +38510,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
@@ -657,15 +1203,11 @@ optional_policy(`
@@ -657,15 +1204,11 @@ optional_policy(`
')
optional_policy(`
@ -38509,7 +38528,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
@@ -686,6 +1228,15 @@ optional_policy(`
@@ -686,6 +1229,15 @@ optional_policy(`
')
optional_policy(`
@ -38525,7 +38544,7 @@ index 17eda24..b37411d 100644
inn_exec_config(initrc_t)
')
@@ -726,6 +1277,7 @@ optional_policy(`
@@ -726,6 +1278,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@ -38533,7 +38552,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
@@ -743,7 +1295,13 @@ optional_policy(`
@@ -743,7 +1296,13 @@ optional_policy(`
')
optional_policy(`
@ -38548,7 +38567,7 @@ index 17eda24..b37411d 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -766,6 +1324,10 @@ optional_policy(`
@@ -766,6 +1325,10 @@ optional_policy(`
')
optional_policy(`
@ -38559,7 +38578,7 @@ index 17eda24..b37411d 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -775,10 +1337,20 @@ optional_policy(`
@@ -775,10 +1338,20 @@ optional_policy(`
')
optional_policy(`
@ -38580,7 +38599,7 @@ index 17eda24..b37411d 100644
quota_manage_flags(initrc_t)
')
@@ -787,6 +1359,10 @@ optional_policy(`
@@ -787,6 +1360,10 @@ optional_policy(`
')
optional_policy(`
@ -38591,7 +38610,7 @@ index 17eda24..b37411d 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -808,8 +1384,6 @@ optional_policy(`
@@ -808,8 +1385,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -38600,7 +38619,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
@@ -818,6 +1392,10 @@ optional_policy(`
@@ -818,6 +1393,10 @@ optional_policy(`
')
optional_policy(`
@ -38611,7 +38630,7 @@ index 17eda24..b37411d 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
@@ -827,10 +1405,12 @@ optional_policy(`
@@ -827,10 +1406,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@ -38624,7 +38643,7 @@ index 17eda24..b37411d 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1437,62 @@ optional_policy(`
@@ -857,21 +1438,62 @@ optional_policy(`
')
optional_policy(`
@ -38688,7 +38707,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
@@ -887,6 +1508,10 @@ optional_policy(`
@@ -887,6 +1509,10 @@ optional_policy(`
')
optional_policy(`
@ -38699,7 +38718,7 @@ index 17eda24..b37411d 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1522,218 @@ optional_policy(`
@@ -897,3 +1523,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')

297
policy-rawhide-contrib.patch
View File

@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
+')
+
diff --git a/abrt.te b/abrt.te
index eb50f07..22e6c69 100644
index eb50f07..5f57515 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -1047,7 +1047,7 @@ index eb50f07..22e6c69 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -365,38 +469,78 @@ corecmd_exec_shell(abrt_retrace_worker_t)
@@ -365,38 +469,79 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@ -1070,6 +1070,7 @@ index eb50f07..22e6c69 100644
-allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid };
+allow abrt_dump_oops_t self:cap_userns { kill };
+allow abrt_dump_oops_t self:process setfscreate;
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
@ -1130,7 +1131,7 @@ index eb50f07..22e6c69 100644
#######################################
#
@@ -404,25 +548,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
@@ -404,25 +549,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1193,7 +1194,7 @@ index eb50f07..22e6c69 100644
')
#######################################
@@ -430,10 +609,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
@@ -430,10 +610,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@ -3838,7 +3839,7 @@ index 7caefc3..2029082 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
index f6eb485..ce5dba7 100644
index f6eb485..757b864 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@ -4283,16 +4284,36 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -224,7 +351,7 @@ interface(`apache_read_user_content',`
@@ -224,7 +351,27 @@ interface(`apache_read_user_content',`
########################################
## <summary>
-## Execute httpd with a domain transition.
+## Manage user web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_manage_user_content',`
+ gen_require(`
+ type httpd_user_content_t;
+ ')
+
+ allow $1 httpd_user_content_t:dir manage_dir_perms;
+ manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+')
+
+########################################
+## <summary>
+## Transition to apache.
## </summary>
## <param name="domain">
## <summary>
@@ -241,27 +368,47 @@ interface(`apache_domtrans',`
@@ -241,27 +388,47 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@ -4347,7 +4368,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -279,7 +426,7 @@ interface(`apache_signal',`
@@ -279,7 +446,7 @@ interface(`apache_signal',`
########################################
## <summary>
@ -4356,7 +4377,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -297,7 +444,7 @@ interface(`apache_signull',`
@@ -297,7 +464,7 @@ interface(`apache_signull',`
########################################
## <summary>
@ -4365,7 +4386,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -315,8 +462,7 @@ interface(`apache_sigchld',`
@@ -315,8 +482,7 @@ interface(`apache_sigchld',`
########################################
## <summary>
@ -4375,7 +4396,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -334,8 +480,8 @@ interface(`apache_use_fds',`
@@ -334,8 +500,8 @@ interface(`apache_use_fds',`
########################################
## <summary>
@ -4386,7 +4407,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -348,13 +494,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
@@ -348,13 +514,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
@ -4422,7 +4443,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -367,13 +532,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
@@ -367,13 +552,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
type httpd_t;
')
@ -4439,7 +4460,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -391,8 +556,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
@@ -391,8 +576,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
## <summary>
@ -4449,7 +4470,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -417,7 +581,8 @@ interface(`apache_manage_all_content',`
@@ -417,7 +601,8 @@ interface(`apache_manage_all_content',`
########################################
## <summary>
@ -4459,7 +4480,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -435,7 +600,8 @@ interface(`apache_setattr_cache_dirs',`
@@ -435,7 +620,8 @@ interface(`apache_setattr_cache_dirs',`
########################################
## <summary>
@ -4469,7 +4490,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -453,7 +619,8 @@ interface(`apache_list_cache',`
@@ -453,7 +639,8 @@ interface(`apache_list_cache',`
########################################
## <summary>
@ -4479,7 +4500,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -471,7 +638,8 @@ interface(`apache_rw_cache_files',`
@@ -471,7 +658,8 @@ interface(`apache_rw_cache_files',`
########################################
## <summary>
@ -4489,7 +4510,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -489,7 +657,8 @@ interface(`apache_delete_cache_dirs',`
@@ -489,7 +677,8 @@ interface(`apache_delete_cache_dirs',`
########################################
## <summary>
@ -4499,7 +4520,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -507,49 +676,51 @@ interface(`apache_delete_cache_files',`
@@ -507,49 +696,51 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
@ -4562,7 +4583,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -570,8 +741,8 @@ interface(`apache_manage_config',`
@@ -570,8 +761,8 @@ interface(`apache_manage_config',`
########################################
## <summary>
@ -4573,7 +4594,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -608,16 +779,38 @@ interface(`apache_domtrans_helper',`
@@ -608,16 +799,38 @@ interface(`apache_domtrans_helper',`
#
interface(`apache_run_helper',`
gen_require(`
@ -4584,11 +4605,10 @@ index f6eb485..ce5dba7 100644
apache_domtrans_helper($1)
- roleattribute $2 httpd_helper_roles;
+ role $2 types httpd_helper_t;
')
########################################
## <summary>
-## Read httpd log files.
+')
+
+########################################
+## <summary>
+## dontaudit attempts to read
+## apache log files.
+## </summary>
@ -4606,16 +4626,17 @@ index f6eb485..ce5dba7 100644
+
+ dontaudit $1 httpd_log_t:file read_file_perms;
+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
')
########################################
## <summary>
-## Read httpd log files.
+## Allow the specified domain to read
+## apache log files.
## </summary>
## <param name="domain">
## <summary>
@@ -639,7 +832,8 @@ interface(`apache_read_log',`
@@ -639,7 +852,8 @@ interface(`apache_read_log',`
########################################
## <summary>
@ -4625,7 +4646,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -657,10 +851,29 @@ interface(`apache_append_log',`
@@ -657,10 +871,29 @@ interface(`apache_append_log',`
append_files_pattern($1, httpd_log_t, httpd_log_t)
')
@ -4657,7 +4678,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -678,8 +891,8 @@ interface(`apache_dontaudit_append_log',`
@@ -678,8 +911,8 @@ interface(`apache_dontaudit_append_log',`
########################################
## <summary>
@ -4668,7 +4689,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -687,20 +900,21 @@ interface(`apache_dontaudit_append_log',`
@@ -687,20 +920,21 @@ interface(`apache_dontaudit_append_log',`
## </summary>
## </param>
#
@ -4698,7 +4719,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -708,19 +922,21 @@ interface(`apache_manage_log',`
@@ -708,19 +942,21 @@ interface(`apache_manage_log',`
## </summary>
## </param>
#
@ -4724,7 +4745,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -738,7 +954,8 @@ interface(`apache_dontaudit_search_modules',`
@@ -738,7 +974,8 @@ interface(`apache_dontaudit_search_modules',`
########################################
## <summary>
@ -4734,7 +4755,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -746,17 +963,19 @@ interface(`apache_dontaudit_search_modules',`
@@ -746,17 +983,19 @@ interface(`apache_dontaudit_search_modules',`
## </summary>
## </param>
#
@ -4757,7 +4778,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -764,19 +983,19 @@ interface(`apache_list_modules',`
@@ -764,19 +1003,19 @@ interface(`apache_list_modules',`
## </summary>
## </param>
#
@ -4781,7 +4802,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -784,19 +1003,19 @@ interface(`apache_exec_modules',`
@@ -784,19 +1023,19 @@ interface(`apache_exec_modules',`
## </summary>
## </param>
#
@ -4806,7 +4827,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -809,13 +1028,50 @@ interface(`apache_domtrans_rotatelogs',`
@@ -809,13 +1048,50 @@ interface(`apache_domtrans_rotatelogs',`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
@ -4859,7 +4880,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -829,13 +1085,14 @@ interface(`apache_list_sys_content',`
@@ -829,13 +1105,14 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@ -4876,7 +4897,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -844,6 +1101,7 @@ interface(`apache_list_sys_content',`
@@ -844,6 +1121,7 @@ interface(`apache_list_sys_content',`
## </param>
## <rolecap/>
#
@ -4884,32 +4905,28 @@ index f6eb485..ce5dba7 100644
interface(`apache_manage_sys_content',`
gen_require(`
type httpd_sys_content_t;
@@ -855,32 +1113,98 @@ interface(`apache_manage_sys_content',`
@@ -855,32 +1133,98 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
-########################################
+######################################
## <summary>
-## Create, read, write, and delete
-## httpd system rw content.
+## <summary>
+## Allow the specified domain to read
+## apache system content rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
#
-interface(`apache_manage_sys_rw_content',`
+#
+interface(`apache_read_sys_content_rw_files',`
gen_require(`
type httpd_sys_rw_content_t;
')
- apache_search_sys_content($1)
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
@ -4934,22 +4951,26 @@ index f6eb485..ce5dba7 100644
+')
+
+######################################
+## <summary>
## <summary>
-## Create, read, write, and delete
-## httpd system rw content.
+## Allow the specified domain to manage
+## apache system content rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
+#
#
-interface(`apache_manage_sys_rw_content',`
+interface(`apache_manage_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
gen_require(`
type httpd_sys_rw_content_t;
')
- apache_search_sys_content($1)
+ files_search_var($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@ -4991,7 +5012,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -888,10 +1212,17 @@ interface(`apache_manage_sys_rw_content',`
@@ -888,10 +1232,17 @@ interface(`apache_manage_sys_rw_content',`
## </summary>
## </param>
#
@ -5010,7 +5031,7 @@ index f6eb485..ce5dba7 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -901,9 +1232,8 @@ interface(`apache_domtrans_sys_script',`
@@ -901,9 +1252,8 @@ interface(`apache_domtrans_sys_script',`
########################################
## <summary>
@ -5022,7 +5043,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -916,7 +1246,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
@@ -916,7 +1266,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
type httpd_sys_script_t;
')
@ -5031,7 +5052,7 @@ index f6eb485..ce5dba7 100644
')
########################################
@@ -941,7 +1271,7 @@ interface(`apache_domtrans_all_scripts',`
@@ -941,7 +1291,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
## <summary>
## Execute all user scripts in the user
@ -5040,7 +5061,7 @@ index f6eb485..ce5dba7 100644
## to the specified role.
## </summary>
## <param name="domain">
@@ -954,6 +1284,7 @@ interface(`apache_domtrans_all_scripts',`
@@ -954,6 +1304,7 @@ interface(`apache_domtrans_all_scripts',`
## Role allowed access.
## </summary>
## </param>
@ -5048,7 +5069,7 @@ index f6eb485..ce5dba7 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
@@ -966,7 +1297,8 @@ interface(`apache_run_all_scripts',`
@@ -966,7 +1317,8 @@ interface(`apache_run_all_scripts',`
########################################
## <summary>
@ -5058,7 +5079,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -979,12 +1311,13 @@ interface(`apache_read_squirrelmail_data',`
@@ -979,12 +1331,13 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@ -5074,7 +5095,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1002,7 +1335,7 @@ interface(`apache_append_squirrelmail_data',`
@@ -1002,7 +1355,7 @@ interface(`apache_append_squirrelmail_data',`
########################################
## <summary>
@ -5083,7 +5104,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1015,13 +1348,12 @@ interface(`apache_search_sys_content',`
@@ -1015,13 +1368,12 @@ interface(`apache_search_sys_content',`
type httpd_sys_content_t;
')
@ -5098,7 +5119,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1041,7 +1373,7 @@ interface(`apache_read_sys_content',`
@@ -1041,7 +1393,7 @@ interface(`apache_read_sys_content',`
########################################
## <summary>
@ -5107,7 +5128,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1059,8 +1391,7 @@ interface(`apache_search_sys_scripts',`
@@ -1059,8 +1411,7 @@ interface(`apache_search_sys_scripts',`
########################################
## <summary>
@ -5117,7 +5138,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1071,18 +1402,21 @@ interface(`apache_search_sys_scripts',`
@@ -1071,18 +1422,21 @@ interface(`apache_search_sys_scripts',`
#
interface(`apache_manage_all_user_content',`
gen_require(`
@ -5145,7 +5166,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1100,7 +1434,8 @@ interface(`apache_search_sys_script_state',`
@@ -1100,7 +1454,8 @@ interface(`apache_search_sys_script_state',`
########################################
## <summary>
@ -5155,7 +5176,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1117,10 +1452,29 @@ interface(`apache_read_tmp_files',`
@@ -1117,10 +1472,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@ -5187,7 +5208,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1133,7 +1487,7 @@ interface(`apache_dontaudit_write_tmp_files',`
@@ -1133,7 +1507,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@ -5196,7 +5217,7 @@ index f6eb485..ce5dba7 100644
')
########################################
@@ -1142,6 +1496,9 @@ interface(`apache_dontaudit_write_tmp_files',`
@@ -1142,6 +1516,9 @@ interface(`apache_dontaudit_write_tmp_files',`
## </summary>
## <desc>
## <p>
@ -5206,7 +5227,7 @@ index f6eb485..ce5dba7 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
@@ -1171,8 +1528,31 @@ interface(`apache_cgi_domain',`
@@ -1171,8 +1548,31 @@ interface(`apache_cgi_domain',`
########################################
## <summary>
@ -5240,7 +5261,7 @@ index f6eb485..ce5dba7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1189,18 +1569,19 @@ interface(`apache_cgi_domain',`
@@ -1189,18 +1589,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@ -5269,7 +5290,7 @@ index f6eb485..ce5dba7 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -1210,10 +1591,10 @@ interface(`apache_admin',`
@@ -1210,10 +1611,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@ -5283,7 +5304,7 @@ index f6eb485..ce5dba7 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
@@ -1224,9 +1605,182 @@ interface(`apache_admin',`
@@ -1224,9 +1625,182 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@ -5427,9 +5448,7 @@ index f6eb485..ce5dba7 100644
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
+')
- apache_run_all_scripts($1, $2)
- apache_run_helper($1, $2)
+
+########################################
+## <summary>
+## Read apache pid files.
@ -5448,7 +5467,9 @@ index f6eb485..ce5dba7 100644
+ files_search_pids($1)
+ read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+')
+
- apache_run_all_scripts($1, $2)
- apache_run_helper($1, $2)
+########################################
+## <summary>
+## Send and receive messages from
@ -15252,10 +15273,10 @@ index 0000000..d5920c0
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
index 0000000..77cdd5e
index 0000000..23ebc59
--- /dev/null
+++ b/cockpit.te
@@ -0,0 +1,111 @@
@@ -0,0 +1,115 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
@ -15355,10 +15376,14 @@ index 0000000..77cdd5e
+
+# cockpit-session runs a full pam stack, including pam_selinux.so
+auth_login_pgm_domain(cockpit_session_t)
+# cockpit-session resseting expired passwords
+auth_manage_passwd(cockpit_session_t)
+auth_manage_shadow(cockpit_session_t)
+auth_write_login_records(cockpit_session_t)
+
+# cockpit-session can execute cockpit-agent as the user
+userdom_spec_domtrans_all_users(cockpit_session_t)
+usermanage_read_crack_db(cockpit_session_t)
+
+optional_policy(`
+ userdom_signal_all_users(cockpit_session_t)
@ -15570,7 +15595,7 @@ index 954309e..6780142 100644
')
+
diff --git a/collectd.te b/collectd.te
index 6471fa8..b82bae6 100644
index 6471fa8..cb6a356 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
@ -15596,8 +15621,9 @@ index 6471fa8..b82bae6 100644
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
-allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:rawip_socket create_socket_perms;
allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:unix_stream_socket { accept listen connectto };
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow collectd_t self:udp_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
@ -29895,7 +29921,7 @@ index 4498143..84a4858 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
index 36838c2..21cc5ed 100644
index 36838c2..34a9ced 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@ -30069,9 +30095,9 @@ index 36838c2..21cc5ed 100644
+userdom_manage_user_home_content_files(ftpd_t)
+userdom_manage_user_tmp_dirs(ftpd_t)
+userdom_manage_user_tmp_files(ftpd_t)
+
-tunable_policy(`allow_ftpd_anon_write',`
+
+tunable_policy(`ftpd_anon_write',`
miscfiles_manage_public_files(ftpd_t)
')
@ -30130,8 +30156,11 @@ index 36838c2..21cc5ed 100644
- corenet_sendrecv_oracledb_client_packets(ftpd_t)
- corenet_tcp_connect_oracledb_port(ftpd_t)
- corenet_tcp_sendrecv_oracledb_port(ftpd_t)
-')
-
+ corenet_sendrecv_oracle_client_packets(ftpd_t)
+ corenet_tcp_connect_oracle_port(ftpd_t)
+ corenet_tcp_sendrecv_oracle_port(ftpd_t)
')
-tunable_policy(`ftp_home_dir',`
- allow ftpd_t self:capability { dac_override dac_read_search };
-
@ -30144,11 +30173,8 @@ index 36838c2..21cc5ed 100644
-',`
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ corenet_sendrecv_oracle_client_packets(ftpd_t)
+ corenet_tcp_connect_oracle_port(ftpd_t)
+ corenet_tcp_sendrecv_oracle_port(ftpd_t)
')
-')
-
-tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(ftpd_t)
@ -30184,7 +30210,17 @@ index 36838c2..21cc5ed 100644
kerberos_use(ftpd_t)
')
@@ -416,86 +387,39 @@ optional_policy(`
@@ -410,92 +381,49 @@ optional_policy(`
udev_read_db(ftpd_t)
')
+optional_policy(`
+ apache_manage_user_content(ftpd_t)
+')
+
########################################
#
# Ctl local policy
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@ -30244,14 +30280,13 @@ index 36838c2..21cc5ed 100644
- fs_manage_nfs_files(sftpd_t)
- fs_manage_nfs_symlinks(sftpd_t)
-')
-
-tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
- fs_manage_cifs_dirs(sftpd_t)
- fs_manage_cifs_files(sftpd_t)
- fs_manage_cifs_symlinks(sftpd_t)
-')
+userdom_home_reader(sftpd_t)
-
-tunable_policy(`sftpd_anon_write',`
- miscfiles_manage_public_files(sftpd_t)
-')
@ -30265,13 +30300,14 @@ index 36838c2..21cc5ed 100644
-tunable_policy(`sftpd_write_ssh_home',`
- ssh_manage_home_files(sftpd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(sftpd_t)
- fs_read_cifs_files(sftpd_t)
- fs_read_cifs_symlinks(sftpd_t)
-')
-
+userdom_home_reader(sftpd_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(sftpd_t)
- fs_read_nfs_files(sftpd_t)
@ -67699,13 +67735,15 @@ index 0000000..3bcd32c
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
index 0000000..c416596
index 0000000..5655fac
--- /dev/null
+++ b/oracleasm.fc
@@ -0,0 +1,6 @@
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
+
+/etc/sysconfig/oracleasm(/.*)? gen_context(system_u:object_r:oracleasm_conf_t,s0)
+
+/etc/sysconfig/oracleasm-_dev_oracleasm -- gen_context(system_u:object_r:oracleasm_conf_t,s0)
+
+/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0)
@ -67792,10 +67830,10 @@ index 0000000..6ae382c
+
diff --git a/oracleasm.te b/oracleasm.te
new file mode 100644
index 0000000..48fdbd5
index 0000000..c4b5ddb
--- /dev/null
+++ b/oracleasm.te
@@ -0,0 +1,64 @@
@@ -0,0 +1,66 @@
+policy_module(oracleasm, 1.0.0)
+
+########################################
@ -67826,6 +67864,7 @@ index 0000000..48fdbd5
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
+
+allow oracleasm_t oracleasm_conf_t:file manage_file_perms;
+allow oracleasm_t oracleasm_conf_t:dir manage_dir_perms;
+
+manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
@ -67852,6 +67891,7 @@ index 0000000..48fdbd5
+
+storage_raw_read_fixed_disk(oracleasm_t)
+storage_raw_read_removable_device(oracleasm_t)
+storage_rw_inherited_fixed_disk_dev(oracleasm_t)
+
+optional_policy(`
+ mount_domtrans(oracleasm_t)
@ -109549,7 +109589,7 @@ index 61c2e07..3b86095 100644
+ ')
')
diff --git a/tor.te b/tor.te
index 5ceacde..9353adb 100644
index 5ceacde..f24416b 100644
--- a/tor.te
+++ b/tor.te
@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
@ -109566,17 +109606,18 @@ index 5ceacde..9353adb 100644
type tor_t;
type tor_exec_t;
init_daemon_domain(tor_t, tor_exec_t)
@@ -33,6 +40,9 @@ type tor_var_run_t;
@@ -32,6 +39,10 @@ logging_log_file(tor_var_log_t)
type tor_var_run_t;
files_pid_file(tor_var_run_t)
init_daemon_run_dir(tor_var_run_t, "tor")
+files_mountpoint(tor_var_run_t)
+
+type tor_unit_file_t;
+systemd_unit_file(tor_unit_file_t)
+
########################################
#
# Local policy
@@ -48,6 +58,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
@@ -48,6 +59,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
allow tor_t tor_etc_t:file read_file_perms;
allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
@ -109585,7 +109626,7 @@ index 5ceacde..9353adb 100644
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
@@ -77,7 +90,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
corenet_udp_sendrecv_generic_node(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_udp_bind_generic_node(tor_t)
@ -109593,7 +109634,7 @@ index 5ceacde..9353adb 100644
corenet_sendrecv_dns_server_packets(tor_t)
corenet_udp_bind_dns_port(tor_t)
corenet_udp_sendrecv_dns_port(tor_t)
@@ -85,6 +96,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
@@ -85,6 +97,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
corenet_tcp_bind_tor_port(tor_t)
corenet_tcp_sendrecv_tor_port(tor_t)
@ -109601,7 +109642,7 @@ index 5ceacde..9353adb 100644
corenet_sendrecv_all_client_packets(tor_t)
corenet_tcp_connect_all_ports(tor_t)
@@ -98,19 +110,22 @@ dev_read_urand(tor_t)
@@ -98,19 +111,22 @@ dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
files_read_etc_runtime_files(tor_t)

14
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 214%{?dist}
Release: 215%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -675,6 +675,18 @@ exit 0
%endif
%changelog
* Fri Sep 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-215
- Make tor_var_run_t as mountpoint. BZ(1368621)
- Fix typo in ftpd SELinux module.
- Allow cockpit-session to reset expired passwords BZ(1374262)
- Allow ftp daemon to manage apache_user_content
- Label /etc/sysconfig/oracleasm as oracleasm_conf_t
- Allow oracleasm to rw inherited fixed disk device
- Allow collectd to connect on unix_stream_socket
- Add abrt_dump_oops_t kill user namespace capability. BZ(1376868)
- Dontaudit systemd is mounting unlabeled dirs BZ(1367292)
- Add interface files_dontaudit_mounton_isid()
* Thu Sep 15 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-214
- Allow attach usb device to virtual machine BZ(1276873)
- Dontaudit mozilla_plugin to sys_ptrace