From 650be6afbff3e1cc1c8e5aea1531d547bd5b78ef Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Fri, 17 Oct 2014 10:12:44 +0200
Subject: [PATCH] - Allow systemd-networkd to be running as dhcp client. -
Label /usr/bin/cockpit-bridge as shell_exec_t. - Add label for
/var/run/systemd/resolve/resolv.conf. - Allow listen and accept on tcp socket
for init_t in MLS. Previously it was for xinetd_t. - Allow systemd-networkd
to be running as dhcp client. - Label /usr/bin/cockpit-bridge as
shell_exec_t. - Add label for /var/run/systemd/resolve/resolv.conf. - Allow
listen and accept on tcp socket for init_t in MLS. Previously it was for
xinetd_t.
---
policy-rawhide-base-cockpit.patch | 12 +
policy-rawhide-base.patch | 162 +++++-----
policy-rawhide-contrib.patch | 476 ++++++++++++++++++------------
selinux-policy.spec | 14 +-
4 files changed, 405 insertions(+), 259 deletions(-)
create mode 100644 policy-rawhide-base-cockpit.patch
diff --git a/policy-rawhide-base-cockpit.patch b/policy-rawhide-base-cockpit.patch
new file mode 100644
index 00000000..a98354aa
--- /dev/null
+++ b/policy-rawhide-base-cockpit.patch
@@ -0,0 +1,12 @@
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 9a8ff3e..593281c 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -308,7 +308,6 @@ ifdef(`distro_gentoo',`
+ /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+-/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/cockpit-bridge -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+
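Review bot: The only effect of this new patch file is to delete the `/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)` line that policy-rawhide-base.patch itself still adds, so the corecommands.fc that ships depends on which of the two patches the spec applies last; the spec change is in the diffstat but not in view. If the cockpit-agent label is no longer wanted, dropping that line from policy-rawhide-base.patch directly avoids a patch whose sole job is reverting another patch. If the split is deliberate (for example conditional on a build macro), a one-line comment at the top of this file saying so would stop the next rebase from folding them back together.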
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index bf9912e6..02ad0417 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2397,10 +2397,10 @@ index 0960199..aa51ab2 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57..612503a 100644
+index d9fce57..5c4a213 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,105 @@ attribute sudodomain;
+@@ -7,3 +7,110 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
@@ -2419,6 +2419,7 @@ index d9fce57..612503a 100644
+
+# Use capabilities.
+allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
++dontaudit sudodomain self:capability net_admin;
+allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow sudodomain self:process { setexec setrlimit };
+allow sudodomain self:fd use;
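Review bot: The new `dontaudit sudodomain self:capability net_admin;` silences the denial for every sudo-derived domain without recording which code path asks for CAP_NET_ADMIN, so a later policy bug or a genuine need (the allow rule directly above deliberately leaves net_admin out of the set) would vanish from the audit log unnoticed. Following the refpolicy convention, a comment naming the trigger keeps the intent auditable, e.g. `# sudo probes net_admin at startup but does not need it; silence the noise`. If the source of the request is not known, it is worth confirming with `ausearch -m AVC -c sudo` on an affected host before hiding it.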
@@ -2501,6 +2502,10 @@ index d9fce57..612503a 100644
+
+optional_policy(`
+ dbus_system_bus_client(sudodomain)
++
++ optional_policy(`
++ systemd_dbus_chat_logind(sudodomain)
++ ')
+')
+
+optional_policy(`
@@ -3274,7 +3279,7 @@ index 7590165..85186a9 100644
+ fs_mounton_fusefs(seunshare_domain)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8d..885da9a 100644
+index 33e0f8d..9a8ff3e 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3478,7 +3483,7 @@ index 33e0f8d..885da9a 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -245,26 +291,39 @@ ifdef(`distro_gentoo',`
+@@ -245,26 +291,40 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -3502,6 +3507,7 @@ index 33e0f8d..885da9a 100644
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/cockpit-bridge -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
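Review bot: Labelling `/usr/bin/cockpit-bridge` as shell_exec_t gives every domain that has `corecmd_exec_shell`, and every domain that holds an entrypoint on shell_exec_t, the right to run or be entered through this binary, not just the cockpit web service, so the label is the right choice only if cockpit-bridge is meant to be invoked as the session user's shell the way `git-shell` and `sesh` beside it are. If it is instead only ever spawned by cockpit-ws, a dedicated `cockpit_bridge_exec_t` with a domain transition from the ws domain would be the least-privilege option. A short comment above the entry, e.g. `# cockpit-bridge runs as the login shell of the session user`, would record the rationale either way.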
@@ -3523,7 +3529,7 @@ index 33e0f8d..885da9a 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -280,10 +339,15 @@ ifdef(`distro_gentoo',`
+@@ -280,10 +340,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -3539,7 +3545,7 @@ index 33e0f8d..885da9a 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -298,16 +362,22 @@ ifdef(`distro_gentoo',`
+@@ -298,16 +363,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -3564,7 +3570,7 @@ index 33e0f8d..885da9a 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,20 +395,27 @@ ifdef(`distro_redhat', `
+@@ -325,20 +396,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3593,7 +3599,7 @@ index 33e0f8d..885da9a 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -346,6 +423,7 @@ ifdef(`distro_redhat', `
+@@ -346,6 +424,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -3601,7 +3607,7 @@ index 33e0f8d..885da9a 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,11 +465,16 @@ ifdef(`distro_suse', `
+@@ -387,11 +466,16 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -3619,7 +3625,7 @@ index 33e0f8d..885da9a 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -401,3 +484,12 @@ ifdef(`distro_suse', `
+@@ -401,3 +485,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -30738,7 +30744,7 @@ index 79a45f6..f142c45 100644
+ init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..dd417eb 100644
+index 17eda24..d4113cc 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -30848,18 +30854,19 @@ index 17eda24..dd417eb 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -98,7 +145,9 @@ ifdef(`enable_mls',`
+@@ -98,7 +145,10 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
+allow init_t self:capability2 ~{ mac_admin mac_override };
++allow init_t self:tcp_socket { listen accept };
+allow init_t self:key manage_key_perms;
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -108,14 +157,43 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +158,43 @@ allow init_t self:capability ~sys_module;
allow init_t self:fifo_file rw_fifo_file_perms;
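Review bot: `allow init_t self:tcp_socket { listen accept };` is added unconditionally next to the capability rules, while the commit message says it is for MLS; the `ifdef(`enable_mls'` shown as the inner hunk's context is the nearest preceding block and, from this fragment, I cannot see it enclosing these lines. Either the rule belongs inside an `ifdef(`enable_mls',` ... `')` block, or the description should say that systemd's socket activation needs listen/accept on every build, which is probably the true requirement and the better fix. As written, the commit history will claim a narrower grant than the policy actually contains.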
@@ -30909,7 +30916,7 @@ index 17eda24..dd417eb 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +203,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +204,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -30934,7 +30941,7 @@ index 17eda24..dd417eb 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +227,22 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +228,22 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -30958,7 +30965,7 @@ index 17eda24..dd417eb 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +252,53 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +253,53 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -31016,7 +31023,7 @@ index 17eda24..dd417eb 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +307,241 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +308,241 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -31267,7 +31274,7 @@ index 17eda24..dd417eb 100644
')
optional_policy(`
-@@ -216,7 +549,31 @@ optional_policy(`
+@@ -216,7 +550,31 @@ optional_policy(`
')
optional_policy(`
@@ -31299,7 +31306,7 @@ index 17eda24..dd417eb 100644
')
########################################
-@@ -225,9 +582,9 @@ optional_policy(`
+@@ -225,9 +583,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -31311,7 +31318,7 @@ index 17eda24..dd417eb 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +615,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +616,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -31328,7 +31335,7 @@ index 17eda24..dd417eb 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +640,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +641,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -31371,7 +31378,7 @@ index 17eda24..dd417eb 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +677,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +678,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -31383,7 +31390,7 @@ index 17eda24..dd417eb 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +689,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +690,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -31394,7 +31401,7 @@ index 17eda24..dd417eb 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +700,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +701,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -31404,7 +31411,7 @@ index 17eda24..dd417eb 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +709,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +710,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -31412,7 +31419,7 @@ index 17eda24..dd417eb 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +716,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +717,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -31420,7 +31427,7 @@ index 17eda24..dd417eb 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +724,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +725,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -31438,7 +31445,7 @@ index 17eda24..dd417eb 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +742,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +743,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -31452,7 +31459,7 @@ index 17eda24..dd417eb 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +757,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +758,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -31466,7 +31473,7 @@ index 17eda24..dd417eb 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +770,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +771,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -31477,7 +31484,7 @@ index 17eda24..dd417eb 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +783,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +784,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -31485,7 +31492,7 @@ index 17eda24..dd417eb 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +802,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +803,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -31509,7 +31516,7 @@ index 17eda24..dd417eb 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +835,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +836,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -31517,7 +31524,7 @@ index 17eda24..dd417eb 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +869,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +870,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -31528,7 +31535,7 @@ index 17eda24..dd417eb 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +893,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +894,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -31537,7 +31544,7 @@ index 17eda24..dd417eb 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +908,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +909,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -31545,7 +31552,7 @@ index 17eda24..dd417eb 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +929,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +930,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -31553,7 +31560,7 @@ index 17eda24..dd417eb 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +939,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +940,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -31598,7 +31605,7 @@ index 17eda24..dd417eb 100644
')
optional_policy(`
-@@ -559,14 +984,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +985,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -31630,7 +31637,7 @@ index 17eda24..dd417eb 100644
')
')
-@@ -577,6 +1019,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1020,39 @@ ifdef(`distro_suse',`
')
')
@@ -31670,7 +31677,7 @@ index 17eda24..dd417eb 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1064,8 @@ optional_policy(`
+@@ -589,6 +1065,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -31679,7 +31686,7 @@ index 17eda24..dd417eb 100644
')
optional_policy(`
-@@ -610,6 +1087,7 @@ optional_policy(`
+@@ -610,6 +1088,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -31687,7 +31694,7 @@ index 17eda24..dd417eb 100644
')
optional_policy(`
-@@ -626,6 +1104,17 @@ optional_policy(`
+@@ -626,6 +1105,17 @@ optional_policy(`
')
optional_policy(`
@@ -31705,7 +31712,7 @@ index 17eda24..dd417eb 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1131,13 @@ optional_policy(`
+@@ -642,9 +1132,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -31719,7 +31726,7 @@ index 17eda24..dd417eb 100644
')
optional_policy(`
-@@ -657,15 +1150,11 @@ optional_policy(`
+@@ -657,15 +1151,11 @@ optional_policy(`
')
optional_policy(`
@@ -31737,7 +31744,7 @@ index 17eda24..dd417eb 100644
')
optional_policy(`
-@@ -686,6 +1175,15 @@ optional_policy(`
+@@ -686,6 +1176,15 @@ optional_policy(`
')
optional_policy(`
@@ -31753,7 +31760,7 @@ index 17eda24..dd417eb 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1224,7 @@ optional_policy(`
+@@ -726,6 +1225,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -31761,7 +31768,7 @@ index 17eda24..dd417eb 100644
')
optional_policy(`
-@@ -743,7 +1242,13 @@ optional_policy(`
+@@ -743,7 +1243,13 @@ optional_policy(`
')
optional_policy(`
@@ -31776,7 +31783,7 @@ index 17eda24..dd417eb 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1271,10 @@ optional_policy(`
+@@ -766,6 +1272,10 @@ optional_policy(`
')
optional_policy(`
@@ -31787,7 +31794,7 @@ index 17eda24..dd417eb 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1284,20 @@ optional_policy(`
+@@ -775,10 +1285,20 @@ optional_policy(`
')
optional_policy(`
@@ -31808,7 +31815,7 @@ index 17eda24..dd417eb 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1306,10 @@ optional_policy(`
+@@ -787,6 +1307,10 @@ optional_policy(`
')
optional_policy(`
@@ -31819,7 +31826,7 @@ index 17eda24..dd417eb 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1331,6 @@ optional_policy(`
+@@ -808,8 +1332,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -31828,7 +31835,7 @@ index 17eda24..dd417eb 100644
')
optional_policy(`
-@@ -818,6 +1339,10 @@ optional_policy(`
+@@ -818,6 +1340,10 @@ optional_policy(`
')
optional_policy(`
@@ -31839,7 +31846,7 @@ index 17eda24..dd417eb 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1352,12 @@ optional_policy(`
+@@ -827,10 +1353,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -31852,7 +31859,7 @@ index 17eda24..dd417eb 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1384,60 @@ optional_policy(`
+@@ -857,21 +1385,60 @@ optional_policy(`
')
optional_policy(`
@@ -31914,7 +31921,7 @@ index 17eda24..dd417eb 100644
')
optional_policy(`
-@@ -887,6 +1453,10 @@ optional_policy(`
+@@ -887,6 +1454,10 @@ optional_policy(`
')
optional_policy(`
@@ -31925,7 +31932,7 @@ index 17eda24..dd417eb 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1467,218 @@ optional_policy(`
+@@ -897,3 +1468,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -37796,7 +37803,7 @@ index 3822072..270bde3 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..86595e5 100644
+index dc46420..4cc658b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -38227,16 +38234,16 @@ index dc46420..86595e5 100644
+can_exec(semanage_t, semanage_exec_t)
-term_use_all_terms(semanage_t)
--
++# Admins are creating pp files in random locations
++files_read_non_security_files(semanage_t)
+
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
-
+-
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@@ -38324,7 +38331,7 @@ index dc46420..86595e5 100644
')
########################################
-@@ -522,111 +598,192 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +598,196 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -38401,6 +38408,11 @@ index dc46420..86595e5 100644
-miscfiles_read_localization(setfiles_t)
+optional_policy(`
++ cloudform_dontaudit_write_cloud_log(setfiles_t)
++')
+
+-seutil_libselinux_linked(setfiles_t)
++optional_policy(`
+ devicekit_dontaudit_read_pid_files(setfiles_t)
+ devicekit_dontaudit_rw_log(setfiles_t)
+')
@@ -38416,7 +38428,7 @@ index dc46420..86595e5 100644
+
+ifdef(`hide_broken_symptoms',`
--seutil_libselinux_linked(setfiles_t)
+-userdom_use_all_users_fds(setfiles_t)
+ optional_policy(`
+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
@@ -38428,8 +38440,7 @@ index dc46420..86595e5 100644
+ unconfined_domain(setfiles_t)
+ ')
+')
-
--userdom_use_all_users_fds(setfiles_t)
++
+########################################
+#
+# Setfiles common policy
@@ -38662,10 +38673,10 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..b39e137 100644
+index 40edc18..04ea6dd 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -17,22 +17,24 @@ ifdef(`distro_debian',`
+@@ -17,22 +17,25 @@ ifdef(`distro_debian',`
/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -38691,10 +38702,11 @@ index 40edc18..b39e137 100644
/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
')
#
-@@ -55,6 +57,21 @@ ifdef(`distro_redhat',`
+@@ -55,6 +58,21 @@ ifdef(`distro_redhat',`
#
# /usr
#
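Review bot: The new `/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)` entry only takes effect when restorecon runs; the file is (re)written at runtime by systemd-resolved, so unless the resolved domain has a `filetrans_pattern` naming `resolv.conf` in that directory (via `sysnet_filetrans_named_content` or equivalent, which is not visible in this patch) the live file will inherit the parent directory's type and this label will be stale. It is also worth confirming that the resolved domain is allowed `sysnet_manage_config` on net_conf_t, since on hosts where /etc/resolv.conf is a symlink into this directory every reader of the symlink will need the target to carry net_conf_t. A comment noting that dependency next to the entry would help the next reviewer.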
@@ -38716,7 +38728,7 @@ index 40edc18..b39e137 100644
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
#
-@@ -77,3 +94,6 @@ ifdef(`distro_debian',`
+@@ -77,3 +95,6 @@ ifdef(`distro_debian',`
/var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
@@ -41115,10 +41127,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..4fa43d7
+index 0000000..5b904b0
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,695 @@
+@@ -0,0 +1,699 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -41355,12 +41367,14 @@ index 0000000..4fa43d7
+# systemd-networkd local policy
+#
+
-+allow systemd_networkd_t self:capability { net_admin net_raw };
++allow systemd_networkd_t self:capability { net_admin net_raw setuid fowner chown setgid setpcap };
++allow systemd_networkd_t self:process { getcap setcap };
+
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
+allow systemd_networkd_t self:packet_socket create_socket_perms;
++allow systemd_networkd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
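Review bot: The capability set for systemd_networkd_t grows from `{ net_admin net_raw }` to include `setuid fowner chown setgid setpcap` plus `process { getcap setcap }` with nothing recording why; the plausible reason is that networkd starts as root, chowns its runtime directory and drops to the systemd-network user, so a comment such as `# privilege drop to the systemd-network user at startup; not needed afterwards` would stop the list from being read as licence for a root-like network daemon. The new `self:udp_socket create_socket_perms` also only lets the DHCP client create the socket: binding to the client port additionally needs `corenet_udp_bind_generic_node` and `corenet_udp_bind_dhcpc_port`, which I do not see in this hunk — worth confirming they are granted elsewhere, otherwise the lease traffic on UDP is likely still to be denied.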
@@ -41370,6 +41384,8 @@ index 0000000..4fa43d7
+
+dev_read_sysfs(systemd_networkd_t)
+
++auth_read_passwd(systemd_networkd_t)
++
+sysnet_filetrans_named_content(systemd_networkd_t)
+sysnet_manage_config(systemd_networkd_t)
+sysnet_manage_config_dirs(systemd_networkd_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index e886127d..be15f418 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9230,7 +9230,7 @@ index 531a8f2..67b6c3d 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 1241123..a0b7423 100644
+index 1241123..88edc92 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9306,7 +9306,15 @@ index 1241123..a0b7423 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -215,7 +226,8 @@ optional_policy(`
+@@ -187,6 +198,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kerberos_filetrans_named_content(named_t)
+ kerberos_read_keytab(named_t)
+ kerberos_use(named_t)
+ ')
+@@ -215,7 +227,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -9316,7 +9324,7 @@ index 1241123..a0b7423 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -229,10 +241,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +242,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -9328,7 +9336,7 @@ index 1241123..a0b7423 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +253,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +254,9 @@ corenet_tcp_bind_generic_node(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
@@ -9338,7 +9346,7 @@ index 1241123..a0b7423 100644
domain_use_interactive_fds(ndc_t)
files_search_pids(ndc_t)
-@@ -257,7 +271,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +272,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -13308,10 +13316,10 @@ index 0000000..3849f13
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/cloudform.if b/cloudform.if
new file mode 100644
-index 0000000..8ac848b
+index 0000000..a06f04b
--- /dev/null
+++ b/cloudform.if
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,60 @@
+## cloudform policy
+
+#######################################
@@ -13354,12 +13362,30 @@ index 0000000..8ac848b
+
+ can_exec($1, mongod_exec_t)
+')
++
++######################################
++##
++## Execute mongod in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cloudform_dontaudit_write_cloud_log',`
++ gen_require(`
++ type cloud_log_t;
++ ')
++
++ dontaudit $1 cloud_log_t:file write_inherited_file_perms;
++')
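Review bot: The summary of the new `cloudform_dontaudit_write_cloud_log` interface reads `## Execute mongod in the caller domain.`, copied from the `cloudform_exec_mongod` block above it, so the generated interface documentation will describe the wrong behaviour. It should state what the body does, e.g. `## Do not audit attempts to write inherited cloud-init log files.`; the parameter text can stay as is. Since the rule covers only `write_inherited_file_perms`, the summary could also note that it targets leaked file descriptors rather than direct writes, which is the usual reason such a dontaudit is needed by restorecon.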
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 0000000..db53a0d
+index 0000000..21e071f
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,230 @@
+@@ -0,0 +1,236 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -13454,6 +13480,8 @@ index 0000000..db53a0d
+
+storage_raw_read_fixed_disk(cloud_init_t)
+
++auth_use_nsswitch(cloud_init_t)
++
+libs_exec_ldconfig(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
@@ -13469,6 +13497,10 @@ index 0000000..db53a0d
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
++ certmonger_dbus_chat(cloud_init_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(cloud_init_t)
+')
+
@@ -16834,7 +16866,7 @@ index ad0bae9..615a947 100644
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
diff --git a/cron.if b/cron.if
-index 1303b30..b4363e9 100644
+index 1303b30..615caac 100644
--- a/cron.if
+++ b/cron.if
@@ -2,11 +2,12 @@
@@ -17020,6 +17052,15 @@ index 1303b30..b4363e9 100644
- #
- # Declarations
- #
+-
+- role $1 types { unconfined_cronjob_t crontab_t };
+-
+- ##############################
+- #
+- # Local policy
+- #
+-
+- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ ##############################
+ #
+ # Declarations
@@ -17027,29 +17068,20 @@ index 1303b30..b4363e9 100644
+
+ role $1 types unconfined_cronjob_t;
-- role $1 types { unconfined_cronjob_t crontab_t };
+- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+- allow $2 crond_t:process sigchld;
+ ##############################
+ #
+ # Local policy
+ #
-- ##############################
-- #
-- # Local policy
-- #
+- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-- domtrans_pattern($2, crontab_exec_t, crontab_t)
-+ allow $2 crond_t:process sigchld;
-
-- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-- allow $2 crond_t:process sigchld;
--
-- allow $2 user_cron_spool_t:file { getattr read write ioctl };
--
- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
--
++ allow $2 crond_t:process sigchld;
+
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
@@ -17186,25 +17218,23 @@ index 1303b30..b4363e9 100644
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
--
-- allow $2 user_cron_spool_t:file entrypoint;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
-- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+- allow $2 user_cron_spool_t:file entrypoint;
+ allow $2 user_cron_spool_t:file entrypoint;
+- allow $2 crond_t:fifo_file rw_fifo_file_perms;
++ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
-+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
-- dontaudit $2 user_cron_spool_t:file entrypoint;
+ allow $2 cronjob_t:process { signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
@@ -17212,6 +17242,8 @@ index 1303b30..b4363e9 100644
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+- dontaudit $2 user_cron_spool_t:file entrypoint;
+-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
@@ -17463,7 +17495,7 @@ index 1303b30..b4363e9 100644
##
##
##
-@@ -524,36 +555,35 @@ interface(`cron_generic_log_filetrans_log',`
+@@ -524,18 +555,17 @@ interface(`cron_generic_log_filetrans_log',`
##
##
#
@@ -17481,56 +17513,72 @@ index 1303b30..b4363e9 100644
##
-## Do not audit attempts to write
-## cron daemon unnamed pipes.
-+## Read and write inherited user spool files.
++## Do not audit attempts to setattr cron daemon unnamed pipes.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -543,17 +573,17 @@ interface(`cron_read_pipes',`
##
##
#
-interface(`cron_dontaudit_write_pipes',`
++interface(`cron_dontaudit_setattr_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+- dontaudit $1 crond_t:fifo_file write;
++ dontaudit $1 crond_t:fifo_file setattr;
+ ')
+
+ ########################################
+ ##
+-## Read and write crond unnamed pipes.
++## Read and write inherited user spool files.
+ ##
+ ##
+ ##
+@@ -561,17 +591,35 @@ interface(`cron_dontaudit_write_pipes',`
+ ##
+ ##
+ #
+-interface(`cron_rw_pipes',`
+interface(`cron_rw_inherited_user_spool_files',`
gen_require(`
- type crond_t;
+ type user_cron_spool_t;
')
-- dontaudit $1 crond_t:fifo_file write;
+- allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
')
- ########################################
- ##
--## Read and write crond unnamed pipes.
-+## Read and write inherited spool files.
- ##
- ##
- ##
-@@ -561,17 +591,17 @@ interface(`cron_dontaudit_write_pipes',`
- ##
- ##
- #
--interface(`cron_rw_pipes',`
-+interface(`cron_rw_inherited_spool_files',`
- gen_require(`
-- type crond_t;
-+ type cron_spool_t;
- ')
-
-- allow $1 crond_t:fifo_file rw_fifo_file_perms;
-+ allow $1 cron_spool_t:file rw_inherited_file_perms;
- ')
-
########################################
##
-## Read and write crond TCP sockets.
++## Read and write inherited spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_rw_inherited_spool_files',`
++ gen_require(`
++ type cron_spool_t;
++ ')
++
++ allow $1 cron_spool_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+## Read, and write cron daemon TCP sockets.
##
##
##
-@@ -589,8 +619,7 @@ interface(`cron_rw_tcp_sockets',`
+@@ -589,8 +637,7 @@ interface(`cron_rw_tcp_sockets',`
########################################
##
@@ -17540,7 +17588,7 @@ index 1303b30..b4363e9 100644
##
##
##
-@@ -608,7 +637,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
+@@ -608,7 +655,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
########################################
##
@@ -17549,7 +17597,7 @@ index 1303b30..b4363e9 100644
##
##
##
-@@ -627,8 +656,26 @@ interface(`cron_search_spool',`
+@@ -627,8 +674,26 @@ interface(`cron_search_spool',`
########################################
##
@@ -17578,7 +17626,7 @@ index 1303b30..b4363e9 100644
##
##
##
-@@ -641,13 +688,13 @@ interface(`cron_manage_pid_files',`
+@@ -641,13 +706,13 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
@@ -17594,7 +17642,7 @@ index 1303b30..b4363e9 100644
##
##
##
-@@ -660,13 +707,13 @@ interface(`cron_anacron_domtrans_system_job',`
+@@ -660,13 +725,13 @@ interface(`cron_anacron_domtrans_system_job',`
type system_cronjob_t, anacron_exec_t;
')
@@ -17610,7 +17658,7 @@ index 1303b30..b4363e9 100644
##
##
##
-@@ -684,7 +731,7 @@ interface(`cron_use_system_job_fds',`
+@@ -684,7 +749,7 @@ interface(`cron_use_system_job_fds',`
########################################
##
@@ -17619,7 +17667,7 @@ index 1303b30..b4363e9 100644
##
##
##
-@@ -692,19 +739,17 @@ interface(`cron_use_system_job_fds',`
+@@ -692,19 +757,17 @@ interface(`cron_use_system_job_fds',`
##
##
#
@@ -17643,7 +17691,7 @@ index 1303b30..b4363e9 100644
##
##
##
-@@ -712,18 +757,17 @@ interface(`cron_read_system_job_lib_files',`
+@@ -712,18 +775,17 @@ interface(`cron_read_system_job_lib_files',`
##
##
#
@@ -17666,7 +17714,7 @@ index 1303b30..b4363e9 100644
##
##
##
-@@ -731,18 +775,17 @@ interface(`cron_manage_system_job_lib_files',`
+@@ -731,18 +793,17 @@ interface(`cron_manage_system_job_lib_files',`
##
##
#
@@ -17688,7 +17736,7 @@ index 1303b30..b4363e9 100644
##
##
##
-@@ -750,86 +793,142 @@ interface(`cron_write_system_job_pipes',`
+@@ -750,86 +811,142 @@ interface(`cron_write_system_job_pipes',`
##
##
#
@@ -26123,7 +26171,7 @@ index 9a21639..26c5986 100644
')
+
diff --git a/drbd.te b/drbd.te
-index f2516cc..5138658 100644
+index f2516cc..6f78534 100644
--- a/drbd.te
+++ b/drbd.te
@@ -18,17 +18,20 @@ files_type(drbd_var_lib_t)
@@ -26149,7 +26197,7 @@ index f2516cc..5138658 100644
manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-@@ -38,18 +41,32 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
+@@ -38,18 +41,36 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
files_lock_filetrans(drbd_t, drbd_lock_t, file)
@@ -26165,18 +26213,22 @@ index f2516cc..5138658 100644
+can_exec(drbd_t, drbd_exec_t)
+
+corecmd_exec_bin(drbd_t)
++
++corenet_tcp_connect_http_port(drbd_t)
+
dev_read_rand(drbd_t)
dev_read_sysfs(drbd_t)
dev_read_urand(drbd_t)
-files_read_etc_files(drbd_t)
-+logging_send_syslog_msg(drbd_t)
++files_read_kernel_modules(drbd_t)
-storage_raw_read_fixed_disk(drbd_t)
-+modutils_exec_insmod(drbd_t)
++logging_send_syslog_msg(drbd_t)
-miscfiles_read_localization(drbd_t)
++modutils_exec_insmod(drbd_t)
++
+storage_raw_read_fixed_disk(drbd_t)
sysnet_dns_name_resolve(drbd_t)
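Review bot: `corenet_tcp_connect_http_port(drbd_t)` grants the DRBD daemon unconditional outbound connections to the http port, which widens its network footprint beyond the replication traffic a reviewer would expect, and the commit message does not say which component needs it. A why-comment on the line, e.g. `# outbound http connect needed by [component] — confirm`, or gating it behind a tunable if only an optional feature uses it, would keep the rule reviewable. The same hunk also adds `files_read_kernel_modules(drbd_t)` next to the existing `modutils_exec_insmod(drbd_t)`, which looks consistent with module loading but is likewise undocumented.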
@@ -28401,10 +28453,10 @@ index 0000000..dc94853
+
diff --git a/freeipmi.te b/freeipmi.te
new file mode 100644
-index 0000000..431dda0
+index 0000000..65fb9b8
--- /dev/null
+++ b/freeipmi.te
-@@ -0,0 +1,73 @@
+@@ -0,0 +1,79 @@
+policy_module(freeipmi, 1.0.0)
+
+########################################
@@ -28455,6 +28507,8 @@ index 0000000..431dda0
+# bmc-watchdog local policy
+#
+
++allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem { unix_read unix_write };
++
+files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
+
+dev_read_raw_memory(freeipmi_bmc_watchdog_t)
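Review bot: The semaphore rule added here, `allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem { unix_read unix_write };`, is narrower than its counterpart visible two hunks below, `allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;`, for what looks like the same semaphore shared between the two daemons. If both sides are meant to use it symmetrically, writing `rw_sem_perms` on both lines (or the explicit set on both) keeps the two rules from drifting; if the watchdog side genuinely needs only the unix_* flavour, a short comment saying so would help. The rest of freeipmi.te is not visible here, so this is a consistency observation rather than a denial I can point to.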
@@ -28464,6 +28518,8 @@ index 0000000..431dda0
+# ipmidetectd local policy
+#
+
++allow freeipmi_ipmidetectd_t self:tcp_socket listen;
++
+files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
+
+corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)
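Review bot: `allow freeipmi_ipmidetectd_t self:tcp_socket listen;` is added on its own, while a daemon that binds and listens on a port (see `corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)` just below) usually also needs `accept`, which is what `create_stream_socket_perms` bundles. If the existing self:tcp_socket rule elsewhere in freeipmi.te is `create_socket_perms`, replacing it with `create_stream_socket_perms` covers listen and accept in one conventional rule; if the daemon never accepts connections, a comment on this line would make that intentional. The rest of the ipmidetectd block is outside this hunk.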
@@ -28477,6 +28533,8 @@ index 0000000..431dda0
+
+allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;
+
++dev_read_raw_memory(freeipmi_ipmiseld_t)
++
+files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid")
diff --git a/freqset.fc b/freqset.fc
new file mode 100644
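Review bot: `dev_read_raw_memory(freeipmi_ipmiseld_t)` grants read access to the raw memory device types, one of the broadest device permissions in the policy, with no comment saying why ipmiseld needs it. The bmc-watchdog domain already carries the same rule in the earlier hunk, so the access path is presumably shared; a one-line comment on both, e.g. `# raw memory read needed for [reason] — confirm`, records the justification for the next reviewer. Whether a narrower interface would suffice cannot be judged from the hunk alone.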
@@ -35317,7 +35375,7 @@ index fbb54e7..05c3777 100644
########################################
diff --git a/inetd.te b/inetd.te
-index c6450df..a2a7a78 100644
+index c6450df..93445b7 100644
--- a/inetd.te
+++ b/inetd.te
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
@@ -35352,7 +35410,17 @@ index c6450df..a2a7a78 100644
corenet_sendrecv_ircd_server_packets(inetd_t)
corenet_tcp_bind_ircd_port(inetd_t)
-@@ -157,8 +163,6 @@ auth_use_nsswitch(inetd_t)
+@@ -141,6 +147,9 @@ corenet_sendrecv_git_server_packets(inetd_t)
+ corenet_tcp_bind_git_port(inetd_t)
+ corenet_udp_bind_git_port(inetd_t)
+
++dev_read_urand(inetd_t)
++dev_read_rand(inetd_t)
++
+ dev_read_sysfs(inetd_t)
+
+ domain_use_interactive_fds(inetd_t)
+@@ -157,8 +166,6 @@ auth_use_nsswitch(inetd_t)
logging_send_syslog_msg(inetd_t)
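Review bot: The added lines `dev_read_urand(inetd_t)` / `dev_read_rand(inetd_t)` are in reverse alphabetical order and sit in their own block above `dev_read_sysfs(inetd_t)`, whereas the other modules in this diff keep `dev_*` calls sorted in one group (compare the drbd.te hunk: `dev_read_rand`, `dev_read_sysfs`, `dev_read_urand`). Ordering them `dev_read_rand(inetd_t)`, `dev_read_sysfs(inetd_t)`, `dev_read_urand(inetd_t)` in a single block keeps the style consistent. Behaviour is unaffected.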
@@ -35361,7 +35429,7 @@ index c6450df..a2a7a78 100644
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
-@@ -188,17 +192,13 @@ optional_policy(`
+@@ -188,17 +195,13 @@ optional_policy(`
')
optional_policy(`
@@ -35380,7 +35448,7 @@ index c6450df..a2a7a78 100644
########################################
#
# Child local policy
-@@ -220,6 +220,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
+@@ -220,6 +223,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_network_state(inetd_child_t)
kernel_read_system_state(inetd_child_t)
@@ -35395,7 +35463,7 @@ index c6450df..a2a7a78 100644
dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
-@@ -230,7 +238,11 @@ auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +241,11 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
@@ -38453,14 +38521,16 @@ index 0000000..ad2d023
+ snmp_manage_var_lib_dirs(keepalived_t)
+')
diff --git a/kerberos.fc b/kerberos.fc
-index 4fe75fd..b029c28 100644
+index 4fe75fd..b05128a 100644
--- a/kerberos.fc
+++ b/kerberos.fc
-@@ -1,52 +1,46 @@
+@@ -1,52 +1,50 @@
-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
++HOME_DIR/\.k5users -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
++/root/\.k5users -- gen_context(system_u:object_r:krb5_home_t,s0)
-/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
-/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
@@ -38484,9 +38554,11 @@ index 4fe75fd..b029c28 100644
-/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/(kerberos/)?sbin/\_kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
++/usr/sbin/\_kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
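Review bot: The new file contexts are inconsistent with the lines they sit next to: `/usr/(kerberos/)?sbin/\_kadmind` accepts the optional `kerberos/` prefix, but `/usr/sbin/\_kpropd` does not, while `kpropd` itself has both a `/usr/kerberos/sbin/` and a `/usr/sbin/` entry. Unless `_kpropd` is known never to live under `/usr/kerberos/sbin`, `/usr/(kerberos/)?sbin/\_kpropd` keeps the pair parallel. The `\_` escape is harmless but unnecessary, since `_` is not a regex metacharacter; writing `_kadmind` and `_kpropd` without the backslash matches the other entries.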
@@ -38541,7 +38613,7 @@ index 4fe75fd..b029c28 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index f6c00d8..c0946cf 100644
+index f6c00d8..59923df 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@@ -39010,7 +39082,7 @@ index f6c00d8..c0946cf 100644
##
##
##
-@@ -450,82 +416,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -450,82 +416,87 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
##
##
#
@@ -39054,6 +39126,7 @@ index f6c00d8..c0946cf 100644
+ ')
+
+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
+')
+
+########################################
@@ -39105,6 +39178,7 @@ index f6c00d8..c0946cf 100644
- files_list_pids($1)
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
+')
- files_list_etc($1)
@@ -76345,10 +76419,10 @@ index afc0068..97bbea4 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 8644d8b..f45e193 100644
+index 8644d8b..0bee752 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -5,92 +5,177 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,178 @@ policy_module(quantum, 1.1.0)
# Declarations
#
@@ -76539,6 +76613,7 @@ index 8644d8b..f45e193 100644
+optional_policy(`
+ dnsmasq_domtrans(neutron_t)
+ dnsmasq_signal(neutron_t)
++ dnsmasq_kill(neutron_t)
+ dnsmasq_read_state(neutron_t)
+')
@@ -80112,10 +80187,10 @@ index c8a1e16..2d409bf 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..d5caec9 100644
+index 47de2d6..2c625fb 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,90 @@
+@@ -1,31 +1,91 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -80128,6 +80203,7 @@ index 47de2d6..d5caec9 100644
+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
++/usr/sbin/haproxy-systemd-wrapper -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
-/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
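Review bot: Labeling `/usr/sbin/haproxy-systemd-wrapper` as `haproxy_exec_t` means the wrapper enters haproxy_t and then executes `/usr/sbin/haproxy`, which carries the same label, without a domain transition. Unless haproxy_t already has `can_exec(haproxy_t, haproxy_exec_t)` in rhcs.te (not visible in this diff), that second exec is denied, because the entrypoint rule alone does not grant execute_no_trans. Worth confirming against the haproxy_t block and adding the can_exec rule alongside this label if it is missing.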
@@ -82445,7 +82521,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..902fa17 100644
+index d32e1a2..a76de40 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -82484,7 +82560,7 @@ index d32e1a2..902fa17 100644
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
-@@ -50,25 +56,61 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,65 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
@@ -82528,6 +82604,10 @@ index d32e1a2..902fa17 100644
optional_policy(`
- rpm_read_db(rhsmcertd_t)
++ dbus_system_domain(rhsmcertd_t,rhsmcertd_exec_t)
++')
++
++optional_policy(`
+ dmidecode_domtrans(rhsmcertd_t)
+')
+
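Review bot: `dbus_system_domain(rhsmcertd_t,rhsmcertd_exec_t)` omits the space after the comma, unlike every other two-argument call in these patches (e.g. `dbus_system_domain(snapperd_t, snapperd_exec_t)` in the snapper.te hunk). Writing it as `dbus_system_domain(rhsmcertd_t, rhsmcertd_exec_t)` matches the file's style. Since this interface lets the system bus start rhsmcertd in its own domain, a short comment naming the activating service would help future readers.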
@@ -93695,10 +93775,10 @@ index 0000000..94105ee
+')
diff --git a/snapper.te b/snapper.te
new file mode 100644
-index 0000000..01ade60
+index 0000000..1da64f9
--- /dev/null
+++ b/snapper.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,74 @@
+policy_module(snapper, 1.0.0)
+
+########################################
@@ -93757,6 +93837,10 @@ index 0000000..01ade60
+auth_use_nsswitch(snapperd_t)
+
+optional_policy(`
++ cron_system_entry(snapperd_t, snapperd_exec_t)
++')
++
++optional_policy(`
+ dbus_system_domain(snapperd_t, snapperd_exec_t)
+ dbus_system_bus_client(snapperd_t)
+ dbus_connect_system_bus(snapperd_t)
@@ -104714,10 +104798,10 @@ index facdee8..c7a2d97 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..e74f60a 100644
+index f03dcf5..0890a2a 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,150 +1,227 @@
+@@ -1,150 +1,241 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -104884,8 +104968,7 @@ index f03dcf5..e74f60a 100644
+##
+##
+gen_tunable(virt_sandbox_use_audit, true)
-
--attribute svirt_lxc_domain;
++
+##
+##
+## Allow sandbox containers to use netlink system calls
@@ -104893,17 +104976,14 @@ index f03dcf5..e74f60a 100644
+##
+gen_tunable(virt_sandbox_use_netlink, false)
--attribute_role virt_domain_roles;
--roleattribute system_r virt_domain_roles;
+-attribute svirt_lxc_domain;
+##
+##
+## Allow sandbox containers to use sys_admin system calls, for example mount
+##
+##
+gen_tunable(virt_sandbox_use_sys_admin, false)
-
--attribute_role virt_bridgehelper_roles;
--roleattribute system_r virt_bridgehelper_roles;
++
+##
+##
+## Allow sandbox containers to use mknod system calls
@@ -104911,8 +104991,8 @@ index f03dcf5..e74f60a 100644
+##
+gen_tunable(virt_sandbox_use_mknod, false)
--attribute_role svirt_lxc_domain_roles;
--roleattribute system_r svirt_lxc_domain_roles;
+-attribute_role virt_domain_roles;
+-roleattribute system_r virt_domain_roles;
+##
+##
+## Allow sandbox containers to use all capabilities
@@ -104920,6 +105000,24 @@ index f03dcf5..e74f60a 100644
+##
+gen_tunable(virt_sandbox_use_all_caps, false)
+-attribute_role virt_bridgehelper_roles;
+-roleattribute system_r virt_bridgehelper_roles;
++##
++##
++## Allow qemu-ga to read qemu-ga date.
++##
++##
++gen_tunable(virt_read_qemu_ga_data, false)
+
+-attribute_role svirt_lxc_domain_roles;
+-roleattribute system_r svirt_lxc_domain_roles;
++##
++##
++## Allow qemu-ga to manage qemu-ga date.
++##
++##
++gen_tunable(virt_rw_qemu_ga_data, false)
+
virt_domain_template(svirt)
-virt_domain_template(svirt_prot_exec)
+role system_r types svirt_t;
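Review bot: Both new tunable descriptions read "Allow qemu-ga to read qemu-ga date." and "Allow qemu-ga to manage qemu-ga date." — "date" should be "data", and this text is what administrators see in `semanage boolean -l`. Suggested: `## Allow qemu-ga to read qemu-ga data.` and `## Allow qemu-ga to manage qemu-ga data.`. Defaulting both `virt_read_qemu_ga_data` and `virt_rw_qemu_ga_data` to false is the right choice, given that a later hunk moves the previously unconditional manage rules on virt_qemu_ga_data_t behind them.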
@@ -105015,7 +105113,7 @@ index f03dcf5..e74f60a 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -153,299 +230,135 @@ ifdef(`enable_mls',`
+@@ -153,299 +244,135 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -105393,7 +105491,7 @@ index f03dcf5..e74f60a 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +368,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +382,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -105440,7 +105538,7 @@ index f03dcf5..e74f60a 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +403,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +417,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -105450,14 +105548,14 @@ index f03dcf5..e74f60a 100644
-
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-can_exec(virtd_t, virt_tmp_t)
+-
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -105471,7 +105569,7 @@ index f03dcf5..e74f60a 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +424,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +438,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -105499,7 +105597,7 @@ index f03dcf5..e74f60a 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +444,25 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +458,25 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -105529,7 +105627,7 @@ index f03dcf5..e74f60a 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +495,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +509,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -105549,7 +105647,7 @@ index f03dcf5..e74f60a 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +517,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +531,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -105586,7 +105684,7 @@ index f03dcf5..e74f60a 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +545,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +559,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -105595,7 +105693,7 @@ index f03dcf5..e74f60a 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +570,12 @@ optional_policy(`
+@@ -665,20 +584,12 @@ optional_policy(`
')
optional_policy(`
@@ -105616,7 +105714,7 @@ index f03dcf5..e74f60a 100644
')
optional_policy(`
-@@ -691,20 +588,26 @@ optional_policy(`
+@@ -691,20 +602,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -105627,27 +105725,30 @@ index f03dcf5..e74f60a 100644
')
optional_policy(`
+- iptables_domtrans(virtd_t)
+- iptables_initrc_domtrans(virtd_t)
+- iptables_manage_config(virtd_t)
+ firewalld_dbus_chat(virtd_t)
-+')
-+
-+optional_policy(`
- iptables_domtrans(virtd_t)
- iptables_initrc_domtrans(virtd_t)
-+ iptables_systemctl(virtd_t)
-+
-+ # Manages /etc/sysconfig/system-config-firewall
- iptables_manage_config(virtd_t)
')
optional_policy(`
- kerberos_read_keytab(virtd_t)
- kerberos_use(virtd_t)
++ iptables_domtrans(virtd_t)
++ iptables_initrc_domtrans(virtd_t)
++ iptables_systemctl(virtd_t)
++
++ # Manages /etc/sysconfig/system-config-firewall
++ iptables_manage_config(virtd_t)
++')
++
++optional_policy(`
+ kerberos_read_keytab(virtd_t)
+ kerberos_use(virtd_t)
')
optional_policy(`
-@@ -712,11 +615,18 @@ optional_policy(`
+@@ -712,11 +629,18 @@ optional_policy(`
')
optional_policy(`
@@ -105666,29 +105767,26 @@ index f03dcf5..e74f60a 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,11 +637,19 @@ optional_policy(`
+@@ -727,10 +651,18 @@ optional_policy(`
')
optional_policy(`
-- sasl_connect(virtd_t)
+ sanlock_stream_connect(virtd_t)
- ')
-
- optional_policy(`
-- kernel_read_xen_state(virtd_t)
-+ sasl_connect(virtd_t)
+')
+
+optional_policy(`
+ sasl_connect(virtd_t)
+ ')
+
+ optional_policy(`
+ setrans_manage_pid_files(virtd_t)
+')
+
+optional_policy(`
-+ kernel_read_xen_state(virtd_t)
+ kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
- xen_exec(virtd_t)
-@@ -746,44 +664,277 @@ optional_policy(`
+@@ -746,44 +678,277 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -105726,7 +105824,13 @@ index f03dcf5..e74f60a 100644
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+kernel_read_net_sysctls(virt_domain)
+kernel_read_network_state(virt_domain)
-+
+
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
@@ -105741,12 +105845,9 @@ index f03dcf5..e74f60a 100644
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -105778,18 +105879,15 @@ index f03dcf5..e74f60a 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+dontaudit virt_domain virt_tmpfs_type:file { read write };
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+-allow virsh_t svirt_lxc_domain:process transition;
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
--allow virsh_t svirt_lxc_domain:process transition;
-+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
-can_exec(virsh_t, virsh_exec_t)
++append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
++
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@@ -105863,7 +105961,7 @@ index f03dcf5..e74f60a 100644
+optional_policy(`
+ pulseaudio_dontaudit_exec(virt_domain)
+')
-+
+
+optional_policy(`
+ sssd_dontaudit_stream_connect(virt_domain)
+ sssd_dontaudit_read_lib(virt_domain)
@@ -105878,7 +105976,7 @@ index f03dcf5..e74f60a 100644
+ virt_read_pid_symlinks(virt_domain)
+ virt_domtrans_bridgehelper(virt_domain)
+')
-
++
+optional_policy(`
+ xserver_rw_shm(virt_domain)
+')
@@ -105988,7 +106086,7 @@ index f03dcf5..e74f60a 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +945,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +959,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -106015,7 +106113,7 @@ index f03dcf5..e74f60a 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +965,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +979,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -106049,7 +106147,7 @@ index f03dcf5..e74f60a 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1002,20 @@ optional_policy(`
+@@ -856,14 +1016,20 @@ optional_policy(`
')
optional_policy(`
@@ -106071,7 +106169,7 @@ index f03dcf5..e74f60a 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1040,65 @@ optional_policy(`
+@@ -888,49 +1054,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -106155,7 +106253,7 @@ index f03dcf5..e74f60a 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1110,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1124,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -106175,7 +106273,7 @@ index f03dcf5..e74f60a 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1131,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1145,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -106199,7 +106297,7 @@ index f03dcf5..e74f60a 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1156,317 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1170,317 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -106215,20 +106313,20 @@ index f03dcf5..e74f60a 100644
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
-
--miscfiles_read_localization(virtd_lxc_t)
++
+ optional_policy(`
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
--seutil_domtrans_setfiles(virtd_lxc_t)
--seutil_read_config(virtd_lxc_t)
--seutil_read_default_contexts(virtd_lxc_t)
+-miscfiles_read_localization(virtd_lxc_t)
+optional_policy(`
+ docker_exec_lib(virtd_lxc_t)
+')
-+
+
+-seutil_domtrans_setfiles(virtd_lxc_t)
+-seutil_read_config(virtd_lxc_t)
+-seutil_read_default_contexts(virtd_lxc_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
@@ -106350,10 +106448,6 @@ index f03dcf5..e74f60a 100644
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+ docker_use_ptys(svirt_sandbox_domain)
+')
-+
-+optional_policy(`
-+ gear_read_pid_files(svirt_sandbox_domain)
-+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -106438,21 +106532,25 @@ index f03dcf5..e74f60a 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ ssh_use_ptys(svirt_sandbox_domain)
++ gear_read_pid_files(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ udev_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
@@ -106504,6 +106602,11 @@ index f03dcf5..e74f60a 100644
+tunable_policy(`virt_sandbox_use_mknod',`
+ allow svirt_lxc_net_t self:capability mknod;
+')
++
++tunable_policy(`virt_sandbox_use_all_caps',`
++ allow svirt_lxc_net_t self:capability all_capability_perms;
++ allow svirt_lxc_net_t self:capability2 all_capability2_perms;
++')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -106515,11 +106618,6 @@ index f03dcf5..e74f60a 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_all_caps',`
-+ allow svirt_lxc_net_t self:capability all_capability_perms;
-+ allow svirt_lxc_net_t self:capability2 all_capability2_perms;
-+')
-+
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -106604,10 +106702,10 @@ index f03dcf5..e74f60a 100644
+term_use_ptmx(svirt_qemu_net_t)
+
+dev_rw_kvm(svirt_qemu_net_t)
-+
-+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-allow svirt_prot_exec_t self:process { execmem execstack };
++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
++
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+
@@ -106655,7 +106753,7 @@ index f03dcf5..e74f60a 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1479,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1493,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -106670,7 +106768,7 @@ index f03dcf5..e74f60a 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1497,8 @@ optional_policy(`
+@@ -1192,9 +1511,8 @@ optional_policy(`
########################################
#
@@ -106681,7 +106779,7 @@ index f03dcf5..e74f60a 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1511,219 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1525,227 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -106710,9 +106808,6 @@ index f03dcf5..e74f60a 100644
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
+files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )
+
-+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
-+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
-+
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })
@@ -106747,6 +106842,17 @@ index f03dcf5..e74f60a 100644
+
+userdom_use_user_ptys(virt_qemu_ga_t)
+
++tunable_policy(`virt_read_qemu_ga_data',`
++ read_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
++ read_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
++')
++
++tunable_policy(`virt_rw_qemu_ga_data',`
++ manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
++ manage_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
++ manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
++')
++
+optional_policy(`
+ bootloader_domtrans(virt_qemu_ga_t)
+')
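Review bot: The two `tunable_policy` blocks added at the end of this hunk reference booleans `virt_read_qemu_ga_data` and `virt_rw_qemu_ga_data` whose `gen_tunable` declarations (and their defaults in booleans-targeted.conf) are not in this chunk; if they were not added elsewhere in the contrib patch, the virt module fails to build on an undeclared boolean, so please confirm. The second boolean is named "rw", but `manage_files_pattern`/`manage_dirs_pattern`/`manage_lnk_files_pattern` also grant create, unlink, rename and setattr on `virt_qemu_ga_data_t`, so its `## <desc>` block should say so, e.g. `## Allow qemu-ga to create, read, write and delete files and directories labeled virt_qemu_ga_data_t.`, and the read boolean's description should state that it is implied by the rw one. Replacing the previously unconditional manage rules on this type with opt-in booleans is the right direction since the guest agent acts on requests arriving from the host, but both should default to off, which I cannot verify from this hunk. The enclosing `virt_qemu_ga_t` policy section begins before this hunk.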
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cd7d2d77..37fb732e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,12 +19,13 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 86%{?dist}
+Release: 87%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
patch: policy-rawhide-base.patch
patch1: policy-rawhide-contrib.patch
+patch2: policy-rawhide-base-cockpit.patch
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
Source2: booleans-targeted.conf
@@ -333,6 +334,7 @@ Based off of reference policy: Checked out revision 2.20091117
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch -p1
+%patch2 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
@@ -602,6 +604,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Oct 17 2014 Miroslav Grepl 3.13.1-87
+- Allow systemd-networkd to be running as dhcp client.
+- Label /usr/bin/cockpit-bridge as shell_exec_t.
+- Add label for /var/run/systemd/resolve/resolv.conf.
+- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
+- Allow systemd-networkd to be running as dhcp client.
+- Label /usr/bin/cockpit-bridge as shell_exec_t.
+- Add label for /var/run/systemd/resolve/resolv.conf.
+- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
+
* Tue Oct 14 2014 Lukas Vrabec 3.13.1-86
- Dontaudit aicuu to search home config dir. BZ (#1104076)
- couchdb is using erlang so it needs execmem privs