From 6551841efc162cb5152d7613efba4e3af1943c63 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Thu, 14 Sep 2017 14:11:08 +0200 Subject: [PATCH] * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-285 - Allow svirt_t read userdomain state --- container-selinux.tgz | Bin 7000 -> 6999 bytes policy-rawhide-contrib.patch | 349 +++++++++++++++++++---------------- selinux-policy.spec | 5 +- 3 files changed, 194 insertions(+), 160 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 9960e8d5192dee3f82f3a0fae1b4f0908509e767..5bac115b0f6460c86914aac68953313ae095b716 100644 GIT binary patch delta 6936 zcmV+z8|UQMHrFUm@55JQLV6o^j#;p6nhL$pUvD z4hVJ^xDS`Rj#^T8E2Fna>Up_=_qShF@kNwGQj}V4djSzh+9OpxB#UIRSS(UOp4EPw zMdf9@eQ~1n4$_AY-{J4|58uC2e<8j9@c#Px#r6B^?>~Hh_rtpn*FU^?cm4k6`ojzF z-Kh$srbAWxrRTj!?n{3Y1xC7|_y3}4_3D-PV|7SVzkK@hKlYKA7g6@M$`54_d45qO zap2c+o_T@jC|;E9;P>*!E5Wt`5VzFI4gNU$>thrg>PSJ4Gq2vO55hc!e_RslmBQ=& zSoo!%dYPYpMt^$As9yfLm&4EW!t;|Pe~3b_&b_+yvns|)=|Hat75=@7vpOobeh{7i zCQGv}4_O_j(Hin2oY!xDTb=EqY+Xiw9O4paS7&GSQ=!yA^3-oM4Y{4P;Pu`&QABHzF1)fGd3khR+@Cz zdBa-Gy=l)zHSL+HX*(H|c@k;h{|1jGxE};jRSlscQs5U?gWU&yNA;Yh^~EdE-mLX8 zV`%p>-e41abEC&Vh*OMJ5YksWP_e_05w#qT*3lOD8BtnC*^vY4Z;>C8e2X&2&ga2Q z1>(EEdt75OFc#tWgCL7kUzRE_Ao zrx7IYXHYB`LEif%k~V^*{Jn3kbu=HLo*u`Cf3AzDOee&7m&Z;-;qk;({jSfHkDzOcJ*fv5%e+ID4&E9TMv^$h_M7W%MSV&1mE1ifA8VH@8(^L{PG_^eM&)>qekcgW(J#NRX&!w&hPLS)2R zD@O7%N^)G7f}~>TPxQv)Nig$f-R2Cu0LAhUVo4Z|#`mI>3JP# zwufa=KaHKjy$-%noZiUoibDmRt$rf)h-0BGR53z2q79?_q9(f+U!tJ!S0i6R_%YZs zLl*qQ?BgH7_N$f_pP4)4zX# zLi$VaU3Y*a`OdZ>?!gCvILosPunHbY4!$%bL%!8FNsN>FhO=zcq}m#G_?P^gOvgyb=3 zWiPtFtq9!MH56eYPEQb{5j4#?5#xVt0_v_(dzPd9uW?#8y?-0;E~D&zPSkx~)z#d9 zv|gJLvy7@dxxYjS%mT|=ssck`lRrlDRG(p@Q9C1C4(o@+f0`fhW=2TA&eK@v05Dui zn6=k_n8q2Ki*VD^G4PWT3E`SDht1fqz5^iSjTyj~A=Xk8B-S zmk94*d4N)Rynf_HA)OUN#xQ?(laIF@=6WBOd6te^w4A27sGP@oYmAO}(V}+uPJh(` zcDnw>PWzmhGmdTm5%Ts7i}Vtt;Z^Z2^Ak2;y-&B}95Rp@%}#nkQ84??h7Cd4zA%o7 zA%5(Do(FpNJiheuD+`FF@{S2xCx(``P^x@nIJ$z= zdwg7sj=rIe4OKpoUKdhuZjPg(lNE$x_gOW@Hk0$$Yx7X;$D7^#QBWiYP_fR&kdqPI z#dLi)e!ys2v%6764#s~?e#pX#1`O_|&ZEoNhOmS`BCNkD;-ozYwT68vn7)oTJ7E^| zvnLHapEH;&z~qDpt$ZqSs4lZq<7(b>F*6@sX^K1bScT2>V{~j2ugQtEhEgo%bZf_O zH(=ti3}f$eYQtld;&fhHkhJlWowB$gX~PK{r0#2pWQUSbK3abyd}}FEKNLc-8hc*S zZY+aA?Cn^9j?m>xOR3sB*e0V@&#P{ zX;rtb{c;!8f+kI>HRz2UcSd(!1{L;wbj(0zp?Hi_6b}+vm%L5z70nJ``XKecXp${@ zSx2YJ!+!q%!-t#e?|SF|-+#ZH|Nk6`d0N(K9)e;!m%V@Cjdyc-^ZxSP#j2w(SePgC 
zu6Sjh*ZJL8Q+f5u`#A!fk}ej2IcG(xER3pvhu9Q6xF*676)2APu#Z3wmTEYOPv)`k z6O%VLNxXmj^ov*IWi4ZH3a%#^I##AWWd262t6Z9ax&Fr6`biaCbc)1F#H@P0ji`G1 zA@`IAe(!(E{7`u3+%0v%wX{PixKYLcnsS&{GEm*v$BBll3ebU8!@Er_jB$#{3;ies z^~{v^xh5yu0cWo2tHb8^H5hKe9#wjy^mTBO3DvnHhjeJ@if1mJZEjnshJ-qaal1h` z*>LKvsM#XCEn@bp*D9*huut#QE>^ePg;FoYLD7GX6FG0a?e{V1&Tbb`33K9SB~V;? zFSs^DsSPK>mc#}!nG5s~`C#pL-sSJ(3fFxbx!Gx8<>Y@;)wOPa?bb#cQ*3uI#6$!s zop-r(XuSgREs}2J&3T8(GWye^rvdPhY#I2YgV51VZyOLX|tjK8f+y^1XakS_wTUwse@_oeA8eYa-U1{}cxw#4qU)bN-42xktQfIjUq%Vo#|duO4={g; zHS#|p)8J4-*Qtkj+6LzU^)|$?q+v32GSVo>(I6P4=6j16JFRRqvdv3pX64wZBX3&m zXuA}C9XT+Fo&{j5f%HR6`-W-n$^>QlLvZ209ocjNA3SUIp(9!y6f>Y4!XC;P_GUod zcpI_>szX&oS!mPodL=pv%Q>ePRanG*6~nB+kWg?AWHRJkK+d;}|~oOq5l1ND`} z+1>h%A5c6*_ZS{2Otd%i^QmmgEc5{t(kQpS+L`d zWC8h)Wucx4-MNf{dluA%%k1HjP2r)UInqmkji8qceml#mv&8Cn<@G#Vzi)q%?y>#> z%YvDO{U;X!Q67w#0n$Yy@qit?%;=dU0-6`vwkFnex-kM1%U^vY+?4jTBQhwk_}t~x0Cvueyqs2L zwnEp%%}uGU8Li_ZaH^|7d&YmdQk1^;NuITtR@t5A!PKf+u|^Lq6Q2Gkk{g&JI2r8y z$xYJ{!bdTL*)0b!Z`FXQSA3t?61pAWHc(7$_$@Dc_qf~J->W>kgqJUE6?oRV?D{@{ zPyJ|$SKeR3ki`_H{$11x_}NFno%fKJcb7o+?|Bhz4@vTb4tJ11n%{quH$L+oB5&`* zAHKJVPyk+)CkOQ40@r_W0^|vE+QQuCSPy92H!Q;CAwMJ`&m8|wVR{C03D$!V09eCw zxcij-0O748L*wrd9*{;PWC~~YcG~Xna32guy&u%^J&dQ&kUysn@!cV$`}%k$ z>`i48iU5hgvS9dH#-9WF92Tio6mAKJyE$x8k;YM=} zX2!Ql-H3nr5n|soj+M$DDm?X;Vtj!MB)d++sd|Tu{4gEIxT(3&g~X&!;p^5qa!Tg+ z87RDiFsgP-SaN+>=NY?wmfuCAuS-?uC7N&;Bth!?5u*g->drtm-VWmWYM*TG&- z$M0Y0b{|-nhWUd5nqQeK4#erHhzQ>w3^n2ed0~I&H>o3fFP4#fOO`I8z)%}YL$8{< zNN~VYts@w`Dg7_^2>T zuAq+xq#)&RS2i)q&${4E4`(dqt{Wfq{A`JS^#XAR-az9R{EW>;+Bnw!Mx5)GjCy|p zj9cxkDRbDTv11OB`?vtLoNe;~2go0XsH)dw({)dwUwGGJ_7hWpjb!2TBTZ7f^TUy9svsvtnX49z0$F8kJg$!LP z+D8ctMw|J)T7}WQx&|?Lq7)(!9BzNMo7`MLNzD$EtzooCl7j4&kH9gw=A)6U{aJ;7l4piT*V=Udkrqp`BLQwhQSqjkHcjR-eZz`a-+E9j@yvG zf$w_RUTdvl(lb-e1Cur2o^2QpU)RPE#Wwl06wB^_{u zfXc3TVsf&~;)kIrYkz>@m~1SNj=mT|i?h6rw@-GLO`Po`)X1R{ zqBKw=S<3m{Py_OOaLaquY+^}gwQ(gWNsBstw2%nN1CmklL@4|KgM?yS95OT@1D_hf zyy1ox7_8Krg(9?F1rN>3bvl12%{*7sVdVK}lPjQMDeJZTOMFYp$`fu5Xnpu-F79H} 
zq$v+zxU5wrE$bVOhcyJ3wCwPKbrY-MU=7z~WRaDYNrb|VF9ateRTOatponZT?> zG=mRSr!nTKY!*}gwN2oapKkn)$b;Bfltk*(JVZH8>clcEb`sZ6nT)B5cb?sPc6BnG+KIlO$7^eAI4!N6g|y>lms|jXuX>cF%}tuGPrR4g0?rPfvlUbf>MOs*ylk*Zo8r}W#HdN2ZMo~rgYt~!r-K-EDeF~zDGn0S&jNR0z%Xu4@(F2T_ zaIm7UjY7rc{3P%HL9X*n8yY6YEWj<940m3Q7qeWfUa5r58L&}V(NGxNU1DUGts6F? z9IQqir5K7sdCMVdo0y4O#5cOq3zM(KK%LOQ^@?sMO&$Xd(0rR<-O?_4pRu@DODYmJr5CiBHAGe}7JziiF(=D_Hjb`@fYYMEn4~OlIp0$XZ^Mm#t za@edvzUS6rAZdtX`p@V*)5lZ?_ZD=9QIlKH+>a>Cq6xPtsBG;>Bi~{Pb~AI0Q5t;_ z6JCU@y@H7@{X6Ect?eek-e)qjqotRPyxn*#zY-bF5iEZ_oW9M}>?#`f4K)`q>j%AC zj=Z000_35$s^P}ib30Qw&qBLrZ=O;)mwA>}?vggy97Nt29uiY|2?9d(sJwNZ{nlAd zW?X~H9o3xq7elICdbZQFc#10c!4LZk;pYXDyu0BuzPSVOw9!1~hmH zWxo>Q+=p($;8}Gi40h9}evZ+z+<5H^3ccI*kc!JcG($=_iCP|i^7D7Lt|Z}rt;jS5fhfc z21{IrEuN#Jo{UE!YR#!6R-tytZvUD{&9%Zp5`(UC^zk*{Chg|mH*O^Tt&Lg)Ln_p| zLsz<}M{Z)1zqf*g{vGrDMyW13ub*S6#9n{i@(wJ6ltne-uHZF8Tjz>s0G;))SnYnn zq;9BAyn^<)`)~VqIFHFx8w@-u+;;j!v=c6%J@(?+`7WHDEBv{yzQje~su~j)g42KH z;9x570Pq9*DKI|Vd?`3?;q39wZGMrs5+EsW3|DUdwB0e$S^m`5tq7Qu? 
z6uU(9So2TVtq&jhoKb#kMlrv_ym|-2|LRbcS4q6VDfNosTwQ*9_V%qanpijUuj(MG z4wU`O0}TdmgEtpo@)*2DxH;<%m{&6uk(|X;P@o8At2G0g3r$k}_y1n~&$n!^VBQ9Q zi(c-ko~^_jm4C`;ZrCip&y#;c8oeDa3gx?i4Rl39F5`T*j!M01cG%Mt^Ax4bgE*WE zuTlZ$(IRc_IeULna+q(#HqdooUsD&O$rh~gTs}| z@o?BXk3v~p-TO>-7(B+1T!EVKAS#alYKdwVEP%RVrT!J~k#z8fSp~Xb%2l8Y+xGoHQT6u&7!YlSqX50g<*i2W<#0EB?zXd z8Drsoy)5Ezl({$nhhB2PtLDLb%MU2c*&bKS1|QvDdO>@Njs;-Fo*bc_=(A=j&~6%z e&~jheVYZVT8!wYU8ww14!Sw&BHQ;6d@Bjdnouvl= delta 6938 zcmV+#8|CEJHrO_QABzY8A1k_900Zq^ZI9eGlFrxZUm@55JQLV6o^j#@JlQ=gk_GNQ z91!d-a33yr9krzH){fpHspsVe-rs&z#TQW$Nl|LGJqw6H(jKYmAz37g#bS{P@~rmb zEGjSK?KdY%?;(Bs_&xq!|KW%C>Mx`ZA3t1Qe{=oe`iGBy-{1W3{f9q%^Zxq7&GpA` zy!WRnkeUuv?U$bSO>$rQn?hy&tPXn)>C_pZ>m&yu66AcU68UgUIuX zB8daPj`Pe5L`U(WYzM!WKVAv86@a*6)WdUfvArJq$XR!RqYMX2!aRh-pPx%GqS z{5M&eb$Q6@IE~hjAK|=t``hYl7iH@*`uz}>K)X6StDg#`29l?Kt9clK1lIMfg)1$# z6;ZsoSgp>2yo`c0Tvw4_2K)6U&d$HRzF3`!0<8;wzlL(-Q*(B@H}%B|Gnla{IkM8E zyUrWdYVJ*YHmYgQOikO#pv;p<1OHceEW!OCh^lG`6_EnJxEky}@H?vKG_5aQiS}l# zj~PR|m+=Oh;M*HL211--tb&kU>_Ej1KStDYJX%Lv;Acc>9c4!jsJ}*jNb)Vp96O%} zGZlz`Ki~F;*i0kHp_3bg4Mkm3@h0`^0<;#Zn;t#2YV!Vg_|y#!)q* z^PWbKyq`g_Tm*UVmq^+OlJfVyz1Gouf_i!!AO5*6qB5<3aT_O5B{JsJ)X8U_4PKh4 zX^ehJK^t_2zi{6SLmPcm8O7P zTFvoqlg9!xwTMAA;S zn<&n9PTA^*h?viv9lY8BV)Mo-gW%g6`0oS!_x-$UkzfAf=NB^1lEq%c;W!(qJY)ui z15nj}h{YcPX&=t+;;5qXewHnanf%-aAJbD+M`=(eV|{hqcZV#lN&HPiG3<~pDnv%C zwPGYMqa??LDM%`Y{zPv)o&+;*)@{zf3s5W%A(n*UXnZe9Nj~9^CwqqUz6@~j0(pD_ z<9`b7FX*DAVeDt2_fW>V#bg?#FmrwVLHz)KGD;_Tdo?W~X`mfak6{bhkC0|pn4Z^> zW_wr`_0!lX-0R>Q#p#XQt~gZC+3F`!k2n_ELKP#VBib;!FKV)T@g)ihe>L(Igr9;v zGjvhLP>OkkjET8M8fOTbeHCHjzoM)jBWg_joGcZwsIAI>#O$Vuf zd)+G$KAnOFroM{vE=Xc%-swoJZZni*l57}89!!&Lrvw$pfbO>gdzreS35B|-Ku8{g zR`#O%+ls)AT|*Hj;`9VD8bQ;X6EWU@C7|vqwP!in{~D)t)BCsa?lQ{m=S1D-Rb9;u zNb9v3G0UjRllx1Qz$~z=r7AE4Hu+;TPxTol8nrXR<*pYEx4gkZY zgjsv-hiRO#xd=BsO~Z#xRs!i#z5ui%T|ar23IB#PI*8uSfrOA4X=uKnV+x$>wUf*=a7NSXm-*Qih|j9Hf#vW_Jwgw z4DoZ1WQQN6>;S+T1G$AYFZp*)?7aFKC*d%+(ocrHbHdMtYN6+36Au4>b&)4=@I*aa 
zI0d;E(1#IFi(rEb<^6!u@Xg%L-nDHdOgUdR<7txjBxCPF4_(-DlMp+f2?c*XE(xk2kyfqo7C*pkkekAtxia zi|P7q{D9H4W_P2C9E_WP{E&qe4H(=_oky3k4Pgm?L|A`Q#7TP)Y7P5TFnt|wcET*^ zXHObDG?n zZotH28OGk{)P~0@#p%4ZAZg<#J7sZ0(uNZ@NZr>G$qpr>e6&b^_|{USekg=uHTJxu z-B<>L*xRuH9ihvYmQuBMuuVp*o>$#yQ&`1gTdw`N!{pDgq3D<1wzc{3r!mY&i6A${ zW%0G=Xso--St4>944fV!npxt>Dw?q>+DB$igl&#S&c?6epgn;K`MOP)MHy}5M~ysx zp%;`5wpxQ`mM3(7`~vqNRB%cstjpsd@5ha?es0MR)TUC2l18AkP& z(yDG<`{gdG1x=b%YtS1z?u_od3@YsV=$L`bLh%@|uTE_s{aE1Dg?_Ce}@(Ii{+ zvW`xbhyDEj$B#GH-}lb{fB0cJ|NkWt^R%qfJOssdE_=g&Tkq!b=ELRti&aNourN>N zUGd61uk*XHrt<2w_j3d|C0#54bIyuXSr}CT53wnDa7~0EDo`BnVIP4WEY)xlpUh+7 zCnj%hl6Zgr=@+la%UZ_Z6kJa-bgWE$$o!33SGhC;bN#Ki^^+>P=oE>Uh*|Y~8&UQ2 zL+&XL{N9y+`JwR6xm)UjYiWm4aHEU?H03a@WT3jSj}r}96`%vHhIgA<7~>R?7y3~O z>X|9+b4^aR1I}F4SBK3%)?l~=dsOL-($~RBCRFE+9MYkoE1tP@wz+Mk8WQRx#_a~( zWW%YuqGpTmwusrYUaP21!#=%JyI9?F7fQVp2Sq!7PUO7xw%^C3JG)&(CCrJRl|XUn zz2Mpqr8b-hTM`?{WG>J{VJDcczBTv{7tVn0GYJl7)h;YEyQ8@mbdWZ|0i z(|Mnz55^-l+E_9QkqIHqp~=X-a^7Rq2pVS9o_Oim?F#+SSya>C=Uo<@OXF=AZO?y; zXwF-Md5=qx*E}K|CxGynX$aPO@4a^(t{Rws^!M>@4>K<YT?_`$7XF1NEUT!FLodC{ z^3cPkp$$Cx*Cx(n{5?G=eXwbwdJB*^;jJaOoKxSU8f%AX&ama)Y}lll7`99$w;FhM}uIHn(r-Q?6k7c$TlyXnU!Osj=X8L zqwP}ob>zSxdKQ4K2GS2P?Hi`OD-)FIcfp1Kc4X59eDJK*hmL4bQ8?IcKBspJ%j9e^}6EE1zK4%VQ+wPx0ZWWkO* zk_F^HmW6sIbmuY(?paV5F0+SAHid_Z=14CEHiBL*`0XsK&JwHRmDlrd{k}NCqjYy%RJpF z@?*jJ_bg0C91MAOMApPW3usBb05EPwTpa8ugTj>w?E;&Yc%1K2q?@@iU@ z*$Q13H#eoaX0(ovz^SeR?HTKTN>TdWXL;6UT4i^d2UDwR#Tq@dOnCaENN!+?;AF7( zXE#kp2%p3dX15%`yj26HUh#cqOXzlh+dwh3;kUf(-Q#ZW{!!)GCA@rPtH86?W!Lus zeC|h6y!QSahAgHq_3xrqz|TGk?!1S*yt@Rlf6t3(dq|Qebhv{A()^x(yz!a$5P5qa z{_wp`gaYuYJUO5T7r6e56Ch8R(-!77$9h2HzGV?E5BVVpdFJ?c3ez)~ORye{0Kgia z!`-Ls2MBK+85)0w@PITTAyYu>5b2l@7;e{LWA}ccf5Bu&Oc=f`cb)OYwBbAwd%WQ> zGK10j!xg{n40X~b9cY7pRyndo2hO=1-Kwtm#|YlN4&3u`%1p$u_EY9D+M*wmhs!k8 zVIs?1nV)X$yJWW9x2jKn>@Z<%)sa^dG#l+{#@@#u$x1^r-Z+mA76Jc{WMu9hssZXmjRvwU%hT_(@&p-x!3| zef*h+Gw{8Tc2t9Zwk}Pm12JN_KCZoM4B6M~=Q|L3l<;tJ7RN8MG`%( 
zsZS2`wzf}QC8%X`+eDtcRXbs?dT8sFO?NcZxw>N^>IQm+JZPdlt;CIvYiS2O4>y`? zFf+bY>PF0ej}ZH&ajaDKP~oY!6ypnAAlY>iPSrbP3SYO@kyA3i z&p_cFgi*Cy!jkL5I?vecv-~a^eO;D*c&@gB?F_}W~){3jSm8Pop z&52|1LjbcHwF$g`sUNJ-eOkt0M1QcbX(t>C*2$_VMYvIT z%|&pHtA6%iZlPdq`GY+Me~VoldSY?eyHm?GkP%dX3}E!wsoT_#4Zpd7 zrLs~ad0sd{xn+rk1Cye(x&VaC;wla)+-q=&&X+1jFbuBHdmJun@E()glN-e)cie{j z4UA_v1FpM}+J!EI|0qx|)_d)Bxb6Cy+MDwXt>abCgl)MWIgq(ZplTn_w{@w1F6n?P z1XOm#BX4YVkqfQ$BU^a75tEZ;7C#J4S^EPF$7ExHbo9j#TAbx|ynV8}Y~pMmp+*js z5T$_{$x_bmh8mFPgInIKW)n*~tBos3Nm|tDqlH9B9*~TZCqm%|7$g+q;*g;M8Tix) z<_$Nrz+k1`EEJ*bDtKsKuG2w(Y38}24kOP;n_K}6OIfewU*cO*R-SNkKteaR32Wz+{Ba5uGOd=F^ERR{;DYrK$LzOYolT%oKW*S&$$^>R5 zq8WUsI*l<;WwV&_Z)^gu{B+}YL>|P>q9jtM<{`>)QYV&Sv6Hxl%4`$@ztV?wL_7Gk@`0*u4WvWZrMjA19?fjqsuhvJ z+LW0hW+q%>HC$pYXNx>Nm%)YW7qq=W4P@Pf6_g_6#y$@ka@!S+DFgpDIv5P>G|lsH zADZ#$gI|X7vU`?Xb zgo71*V-zYb=O=mp4|1Jv+R!jDW&v)=WVrKcyqM);^;#ut&VY@|iiX1A?h+%jY~8RC z2I_y~!W`;5iKYVtDZ z0c|c>Wo#6$rci5tO0i8{g&07u__!6t>G1-am~NppXf(4&UsGVseK>4y^sGhPoFBCJ zki%vT@;$c}14%<9(|<EAJjZEZIR_CAxL9WA|V?X;Z>YI|SwHCA za^(F~6Ce-0RSh@Bp4*wic^29|d-Igaxy-Y)a+kEp<{S?6=Nx zGUFOl_LzMfsTJ00M{YDrTYr(>yckmD;!|La@;2!;QO>TCw8X7Xy02TkL5+QYWZ)V# zeply&8@*J2&XM<5Ni*C4rvxy_yV`Em>t~F1h4}u*zv zDEpNV=RR~32G6QHVX&J%^>d7#<;H7YQ0U#Zhg4ktt{GCoN!0TAlb^q{btMT0Y>n14 z8Yta=g?`QEN^mu?n?AcKg>vYOWO)k{EQAqmQroHfcBizHuYzZ*9~f7*e6u z9lFv*J#rJ9{Jj+{^zWGGH%fKUdHoziCHC@vmUmzoq%5itcLlE*+B#2Et;SxJ=>F}E zv3fX?t8PbzX+qg*x5JEl*w_wj&`!1M39#DzTu|+P5oJB%0?K;CX(nB12k5Ma#cKBp zCUrw~;uW;V-GAG^!+A`m+F;;O;kMH+qMdL7?Xefn&UfMLT;b1s^(8I>SJjxf5S%W5 z2M1Gu2Y?^gPl55_=1akG3uljaZu5)8l>kY3W4Lnrr|pi3)(SvurS+#Ahg&5ak^185 z(x?;SGYfY1_~shbN_+033eAggv)jdC`^T_7-4L{*%DS8N+NiY7M!HeSpI}?ubvt~- zHu&K7x5Ku#+jh6BNccFl89y#}KM(PLj=73@2y2Aidh^!%t@)m~8dq&P&F3mNVkW5# zpAdA$gqar9QRQff_73R`^9&piaxiGeWa@S#$VoJ$yB+01v`&@blyCZXCeVsWo*H9o zCdEc>f8?{FTR!3UHIi(Y%k9a&ZD;@f-}Uv)$Lrqr|K2a(|NA283eCH#UoY8z7k%jK zpx7m%$C`h_ZhiQ~=Zx}GGm7~Y=GA)`{#S>pyh`E?PN`Q6=j!sivv=>D(Zsr$e^m!j zb)f8L9%wLl8@#yylgHp4!p&KCz`UBNh~zA$f&xV_Tdf(`TxgQ&zyJ5@f4*aT1@kue 
zJM?l_^=u{PsQgn#bHir&eV!bD(&*iIQ7GR9Y@jO=avA5dbyVtAv%{XIn5QUZ9>n2X zc$Eq`j}~cb&)NHvlEZu>wt?m=XZ|})WhCY5tgt{4Ay=8P4HZ&Hu|8XT@v zj)%kEc@)a(>fUFv!{9N7EA_8tzv#qs+wtIP{VOUNsNiJAOcE&i1%sHu&iN(hJ&CbSwZX_T&idM4vTNfp*hy ggqHi-4zrUU8!eMS8w(CC=_{uH2aU*ieE{$P0N^ydssI20 diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 93a3a6c4..859d32f7 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -116956,10 +116956,10 @@ index facdee8b3..2a619ba9e 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf567..5ce41db0d 100644 +index f03dcf567..529ae6612 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,422 @@ +@@ -1,451 +1,424 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -117125,7 +117125,8 @@ index f03dcf567..5ce41db0d 100644 +##

+## +gen_tunable(virt_use_usb, true) -+ + +-attribute svirt_lxc_domain; +## +##

+## Allow confined virtual guests to use smartcards @@ -117154,8 +117155,7 @@ index f03dcf567..5ce41db0d 100644 +##

+##
+gen_tunable(virt_sandbox_use_sys_admin, false) - --attribute svirt_lxc_domain; ++ +## +##

+## Allow sandbox containers to use mknod system calls @@ -117194,11 +117194,11 @@ index f03dcf567..5ce41db0d 100644 -virt_domain_template(svirt_prot_exec) +role system_r types svirt_t; +typealias svirt_t alias qemu_t; -+ -+virt_domain_template(svirt_tcg) -+role system_r types svirt_tcg_t; -type virt_cache_t alias svirt_cache_t; ++virt_domain_template(svirt_tcg) ++role system_r types svirt_tcg_t; ++ +type qemu_exec_t, virt_file_type; + +type virt_cache_t alias svirt_cache_t, virt_file_type; @@ -117561,10 +117561,13 @@ index f03dcf567..5ce41db0d 100644 -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -read_files_pattern(svirt_t, virt_content_t, virt_content_t) -- ++allow svirt_t self:process ptrace; + -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir rw_dir_perms; -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -append_files_pattern(svirt_t, virt_home_t, virt_home_t) -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) @@ -117573,15 +117576,12 @@ index f03dcf567..5ce41db0d 100644 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) -+allow svirt_t self:process ptrace; - +- -corenet_udp_sendrecv_generic_if(svirt_t) -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_udp_bind_generic_node(svirt_t) -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) @@ -117606,6 +117606,8 @@ index f03dcf567..5ce41db0d 100644 + +storage_raw_read_fixed_disk(svirt_t) + ++userdom_read_all_users_state(svirt_t) ++ +####################################### +# +# svirt_prot_exec local policy 
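Review bot: `userdom_read_all_users_state(svirt_t)`, added in the `@@ -117606,6 +117606,8 @@` hunk, lets the guest-facing QEMU domain read the /proc state of every logged-in user domain; it is the one net policy change in this commit (the other `svirt_t` lines in these hunks are only moved), and nothing in the commit message gives the bug or AVC that motivates it. In refpolicy that interface grants `read_files_pattern` over the whole `userdomain` attribute (the exact permission set depends on this tree's userdomain.if, which is not visible here), and as far as I can tell the MCS categories that isolate one VM from another do not restrict it because user-session processes carry no categories, so a compromised guest process could enumerate host sessions via /proc/<pid>. I would record the motivation next to the rule, e.g. `# Needed for <bug/AVC>: svirt_t reads /proc/<pid> of user sessions`, and check whether the original denial is satisfied by the narrower `userdom_getattr_all_users(svirt_t)` or by a `dontaudit` if it is only log noise. The svirt_t local policy section this rule belongs to starts before the hunk.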
@@ -117692,7 +117694,7 @@ index f03dcf567..5ce41db0d 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +426,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +428,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -117739,22 +117741,22 @@ index f03dcf567..5ce41db0d 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +461,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +463,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- -can_exec(virtd_t, virt_tmp_t) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) @@ -117773,7 +117775,7 @@ index f03dcf567..5ce41db0d 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +486,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +488,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) 
@@ -117801,7 +117803,7 @@ index f03dcf567..5ce41db0d 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +506,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +508,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -117832,7 +117834,7 @@ index f03dcf567..5ce41db0d 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +558,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +560,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -117852,19 +117854,29 @@ index f03dcf567..5ce41db0d 100644 selinux_validate_context(virtd_t) -@@ -620,27 +580,35 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +582,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) +-userdom_read_all_users_state(virtd_t) +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) -+ + +-ifdef(`hide_broken_symptoms',` +- dontaudit virtd_t self:capability { sys_module sys_ptrace }; +-') +- +-tunable_policy(`virt_use_fusefs',` +- fs_manage_fusefs_dirs(virtd_t) +- fs_manage_fusefs_files(virtd_t) +- fs_read_fusefs_symlinks(virtd_t) +-') +userdom_list_admin_dir(virtd_t) +userdom_getattr_all_users(virtd_t) +userdom_list_user_home_content(virtd_t) - userdom_read_all_users_state(virtd_t) ++userdom_read_all_users_state(virtd_t) +userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_tmp_files(virtd_t) +userdom_setattr_user_tmp_files(virtd_t) 
@@ -117877,24 +117889,9 @@ index f03dcf567..5ce41db0d 100644 +#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) +virt_filetrans_home_content(virtd_t) --ifdef(`hide_broken_symptoms',` -- dontaudit virtd_t self:capability { sys_module sys_ptrace }; --') -- --tunable_policy(`virt_use_fusefs',` -- fs_manage_fusefs_dirs(virtd_t) -- fs_manage_fusefs_files(virtd_t) -- fs_read_fusefs_symlinks(virtd_t) --') -- --tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs(virtd_t) -- fs_manage_nfs_files(virtd_t) -- fs_read_nfs_symlinks(virtd_t) -+tunable_policy(`virt_use_nfs',` -+ fs_manage_nfs_dirs(virtd_t) -+ fs_manage_nfs_files(virtd_t) -+ fs_read_nfs_symlinks(virtd_t) + tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virtd_t) +@@ -640,7 +610,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -117903,7 +117900,7 @@ index f03dcf567..5ce41db0d 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +633,12 @@ optional_policy(` +@@ -665,20 +635,12 @@ optional_policy(` ') optional_policy(` @@ -117924,7 +117921,7 @@ index f03dcf567..5ce41db0d 100644 ') optional_policy(` -@@ -691,20 +651,26 @@ optional_policy(` +@@ -691,99 +653,432 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) 
@@ -117952,113 +117949,103 @@ index f03dcf567..5ce41db0d 100644 - kerberos_use(virtd_t) + kerberos_read_keytab(virtd_t) + kerberos_use(virtd_t) - ') - - optional_policy(` -@@ -712,11 +678,18 @@ optional_policy(` - ') - - optional_policy(` ++') ++ ++optional_policy(` ++ lvm_domtrans(virtd_t) ++') ++ ++optional_policy(` + # Run mount in the mount_t domain. - mount_domtrans(virtd_t) - mount_signal(virtd_t) - ') - - optional_policy(` ++ mount_domtrans(virtd_t) ++ mount_signal(virtd_t) ++') ++ ++optional_policy(` + numad_domtrans(virtd_t) + numad_dbus_chat(virtd_t) +') + +optional_policy(` + policykit_dbus_chat(virtd_t) - policykit_domtrans_auth(virtd_t) - policykit_domtrans_resolve(virtd_t) - policykit_read_lib(virtd_t) -@@ -727,10 +700,18 @@ optional_policy(` - ') - - optional_policy(` ++ policykit_domtrans_auth(virtd_t) ++ policykit_domtrans_resolve(virtd_t) ++ policykit_read_lib(virtd_t) ++') ++ ++optional_policy(` ++ qemu_exec(virtd_t) ++') ++ ++optional_policy(` + sanlock_stream_connect(virtd_t) +') + +optional_policy(` - sasl_connect(virtd_t) - ') - - optional_policy(` ++ sasl_connect(virtd_t) ++') ++ ++optional_policy(` + setrans_manage_pid_files(virtd_t) +') + +optional_policy(` - kernel_read_xen_state(virtd_t) - kernel_write_xen_state(virtd_t) - -@@ -746,44 +727,356 @@ optional_policy(` - udev_read_pid_files(virtd_t) - ') - ++ kernel_read_xen_state(virtd_t) ++ kernel_write_xen_state(virtd_t) ++ ++ xen_exec(virtd_t) ++ xen_stream_connect(virtd_t) ++ xen_stream_connect_xenstore(virtd_t) ++ xen_read_image_files(virtd_t) ++') ++ ++optional_policy(` ++ udev_domtrans(virtd_t) ++ udev_read_db(virtd_t) ++ udev_read_pid_files(virtd_t) ++') ++ +optional_policy(` + unconfined_domain(virtd_t) +') + - ######################################## - # --# Virsh local policy ++######################################## ++# +# virtlogd local policy - # - --allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; --allow virsh_t self:process { getcap 
getsched setsched setcap signal }; --allow virsh_t self:fifo_file rw_fifo_file_perms; --allow virsh_t self:unix_stream_socket { accept connectto listen }; --allow virsh_t self:tcp_socket { accept listen }; ++# ++ +# virtlogd is allowed to manage files it creates in /var/run/libvirt +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) - --manage_files_pattern(virsh_t, virt_image_type, virt_image_type) --manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) --manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) ++ +# virtlogd needs to read /etc/libvirt/virtlogd.conf only +allow virtlogd_t virtlogd_etc_t:file read_file_perms; +files_search_etc(virtlogd_t) +allow virtlogd_t virt_etc_t:dir search; - --manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) ++ +# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated +# context from other stuff in /var/run/libvirt +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file }) +# This lets systemd create the socket itself too - --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") ++ +# virtlogd creates a /var/run/virtlogd.pid file +allow virtlogd_t virtlogd_var_run_t:file manage_file_perms; +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) +files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file) - --dontaudit virsh_t virt_var_lib_t:file read_file_perms; ++ +manage_dirs_pattern(virtlogd_t, 
svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file }) - --allow virsh_t svirt_lxc_domain:process transition; ++ +kernel_read_network_state(virtlogd_t) - --can_exec(virsh_t, virsh_exec_t) ++ +allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; + +# Allow virtlogd_t to execute itself. +allow virtlogd_t virtlogd_exec_t:file execute_no_trans; + +dev_read_sysfs(virtlogd_t) - ++ +logging_send_syslog_msg(virtlogd_t) + +auth_use_nsswitch(virtlogd_t) @@ -118264,30 +118251,40 @@ index f03dcf567..5ce41db0d 100644 + fs_manage_fusefs_files(virt_domain) + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- lvm_domtrans(virtd_t) + tunable_policy(`virt_use_glusterd',` + glusterd_manage_pid(virt_domain) + ') -+') -+ + ') + +-optional_policy(` +- mount_domtrans(virtd_t) +- mount_signal(virtd_t) +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) + fs_manage_nfs_named_sockets(virt_domain) + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) -+') -+ + ') + +-optional_policy(` +- policykit_domtrans_auth(virtd_t) +- policykit_domtrans_resolve(virtd_t) +- policykit_read_lib(virtd_t) +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) + fs_manage_cifs_named_sockets(virt_domain) + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) -+') -+ + ') + +-optional_policy(` +- qemu_exec(virtd_t) +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) 
@@ -118295,49 +118292,83 @@ index f03dcf567..5ce41db0d 100644 + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) + udev_read_db(virt_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- sasl_connect(virtd_t) + tunable_policy(`virt_use_pcscd',` + pcscd_stream_connect(virt_domain) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- kernel_read_xen_state(virtd_t) +- kernel_write_xen_state(virtd_t) + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + ') +') -+ + +- xen_exec(virtd_t) +- xen_stream_connect(virtd_t) +- xen_stream_connect_xenstore(virtd_t) +- xen_read_image_files(virtd_t) +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; -+') -+ -+optional_policy(` + ') + + optional_policy(` +- udev_domtrans(virtd_t) +- udev_read_db(virtd_t) +- udev_read_pid_files(virtd_t) + tunable_policy(`virt_use_xserver',` + xserver_stream_connect(virt_domain) + ') -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Virsh local policy +# xm local policy -+# + # +type virsh_t, virt_system_domain; +type virsh_exec_t, virt_file_type; +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; -+ + +-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +-allow virsh_t self:process { getcap getsched setsched setcap signal }; +allow virsh_t self:capability { setpcap dac_read_search dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; -+allow virsh_t self:fifo_file rw_fifo_file_perms; + allow virsh_t self:fifo_file rw_fifo_file_perms; +-allow virsh_t self:unix_stream_socket { accept connectto listen }; +-allow virsh_t self:tcp_socket { accept listen }; +- +-manage_files_pattern(virsh_t, virt_image_type, virt_image_type) 
+-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) +- +-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +- +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; -+ + +-allow virsh_t svirt_lxc_domain:process transition; +ps_process_pattern(virsh_t, svirt_sandbox_domain) -+ -+can_exec(virsh_t, virsh_exec_t) + + can_exec(virsh_t, virsh_exec_t) +- virt_domtrans(virsh_t) virt_manage_images(virsh_t) virt_manage_config(virsh_t) @@ -118372,7 +118403,7 @@ index f03dcf567..5ce41db0d 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1087,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1089,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -118399,7 +118430,7 @@ index f03dcf567..5ce41db0d 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1107,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1109,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -118416,10 +118447,10 @@ index f03dcf567..5ce41db0d 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -118433,7 +118464,7 @@ index f03dcf567..5ce41db0d 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1144,20 @@ optional_policy(` +@@ -856,14 +1146,20 @@ optional_policy(` ') optional_policy(` @@ -118455,7 +118486,7 @@ index f03dcf567..5ce41db0d 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1182,66 @@ optional_policy(` +@@ -888,49 +1184,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -118540,7 +118571,7 @@ index f03dcf567..5ce41db0d 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1253,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1255,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -118560,7 +118591,7 @@ index f03dcf567..5ce41db0d 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1274,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1276,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -118584,7 +118615,7 @@ index f03dcf567..5ce41db0d 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1299,296 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1301,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -118611,7 +118642,8 @@ index f03dcf567..5ce41db0d 100644 + hal_dbus_chat(virtd_lxc_t) + ') +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + container_exec_lib(virtd_lxc_t) +') @@ -118623,8 +118655,7 @@ index f03dcf567..5ce41db0d 100644 +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -118843,14 +118874,14 @@ index f03dcf567..5ce41db0d 100644 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) ++') ++ ++optional_policy(` ++ udev_read_pid_files(svirt_sandbox_domain) +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ udev_read_pid_files(svirt_sandbox_domain) -+') -+ -+optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + @@ -119000,8 +119031,7 @@ index f03dcf567..5ce41db0d 100644 +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(container_file_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) @@ -119011,7 +119041,8 @@ index f03dcf567..5ce41db0d 100644 +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_qemu_net_t) +') -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +userdom_use_user_ptys(svirt_qemu_net_t) ######################################## @@ -119028,7 +119059,7 @@ index f03dcf567..5ce41db0d 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1601,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1603,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
@@ -119043,7 +119074,7 @@ index f03dcf567..5ce41db0d 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1619,7 @@ optional_policy(` +@@ -1192,7 +1621,7 @@ optional_policy(` ######################################## # @@ -119052,7 +119083,7 @@ index f03dcf567..5ce41db0d 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1628,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1630,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 7509df1f..4abaa6d8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 284%{?dist} +Release: 285%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,9 @@ exit 0 %endif %changelog +* Thu Sep 14 2017 Lukas Vrabec - 3.13.1-285 +- Allow svirt_t read userdomain state + * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-284 - Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files - Allow automount domain to manage mount pid files