* Mon Feb 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-242

- Add radius_use_jit boolean - Allow nfsd_t domain to create sysctls_rpc_t files - add the policy required for nextcloud - Allow can_load_kernmodule to load kernel modules. BZ(1426741) - Create kernel_create_rpc_sysctls() interface
2017-02-27 10:50:42 +01:00 · 2017-02-27 10:50:42 +01:00 · 73a41e1268
commit 73a41e1268
parent acb049dbc4
4 changed files with 221 additions and 149 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -11256,7 +11256,7 @@ index b876c48..03f9342 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..d9660e9 100644
+index f962f76..1ac470a 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -13234,20 +13234,15 @@ index f962f76..d9660e9 100644
 ########################################
 ## <summary>
 ##	Create, read, write, and delete symbolic links in /mnt.
-@@ -4012,6 +4928,12 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4928,7 @@ interface(`files_read_kernel_modules',`
 	allow $1 modules_object_t:dir list_dir_perms;
 	read_files_pattern($1, modules_object_t, modules_object_t)
 	read_lnk_files_pattern($1, modules_object_t, modules_object_t)
 +
-+    # FIXME:
-+    # needed for already labeled module deps by modules_dep_t
-+    optional_policy(`
-+        modutils_read_module_deps_files($1)
-+    ')
 ')
 
 ########################################
-@@ -4217,78 +5139,289 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,78 +5134,289 @@ interface(`files_read_world_readable_sockets',`
 	allow $1 readable_t:sock_file read_sock_file_perms;
 ')
 
@ -13577,7 +13572,7 @@ index f962f76..d9660e9 100644
 	allow $1 tmp_t:dir search_dir_perms;
 ')
 
-@@ -4325,6 +5458,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5453,7 @@ interface(`files_list_tmp',`
 		type tmp_t;
 	')
 
@ -13585,7 +13580,7 @@ index f962f76..d9660e9 100644
 	allow $1 tmp_t:dir list_dir_perms;
 ')
 
-@@ -4334,7 +5468,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5463,7 @@ interface(`files_list_tmp',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -13594,7 +13589,7 @@ index f962f76..d9660e9 100644
 ##	</summary>
 ## </param>
 #
-@@ -4346,6 +5480,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5475,25 @@ interface(`files_dontaudit_list_tmp',`
 	dontaudit $1 tmp_t:dir list_dir_perms;
 ')
 
@ -13620,7 +13615,7 @@ index f962f76..d9660e9 100644
 ########################################
 ## <summary>
 ##	Remove entries from the tmp directory.
-@@ -4361,6 +5514,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5509,7 @@ interface(`files_delete_tmp_dir_entry',`
 		type tmp_t;
 	')
 
@ -13628,7 +13623,7 @@ index f962f76..d9660e9 100644
 	allow $1 tmp_t:dir del_entry_dir_perms;
 ')
 
-@@ -4402,6 +5556,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5551,32 @@ interface(`files_manage_generic_tmp_dirs',`
 
 ########################################
 ## <summary>
@ -13661,7 +13656,7 @@ index f962f76..d9660e9 100644
 ##	Manage temporary files and directories in /tmp.
 ## </summary>
 ## <param name="domain">
-@@ -4456,6 +5636,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5631,42 @@ interface(`files_rw_generic_tmp_sockets',`
 
 ########################################
 ## <summary>
@ -13704,7 +13699,7 @@ index f962f76..d9660e9 100644
 ##	Set the attributes of all tmp directories.
 ## </summary>
 ## <param name="domain">
-@@ -4474,6 +5690,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5685,60 @@ interface(`files_setattr_all_tmp_dirs',`
 
 ########################################
 ## <summary>
@ -13765,7 +13760,7 @@ index f962f76..d9660e9 100644
 ##	List all tmp directories.
 ## </summary>
 ## <param name="domain">
-@@ -4519,7 +5789,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5784,7 @@ interface(`files_relabel_all_tmp_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -13774,7 +13769,7 @@ index f962f76..d9660e9 100644
 ##	</summary>
 ## </param>
 #
-@@ -4579,7 +5849,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5844,7 @@ interface(`files_relabel_all_tmp_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -13783,7 +13778,7 @@ index f962f76..d9660e9 100644
 ##	</summary>
 ## </param>
 #
-@@ -4611,15 +5881,53 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,15 +5876,53 @@ interface(`files_read_all_tmp_files',`
 
 ########################################
 ## <summary>
@ -13841,7 +13836,7 @@ index f962f76..d9660e9 100644
 ##	<summary>
 ##	The type of the object to be created.
 ##	</summary>
-@@ -4664,6 +5972,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5967,16 @@ interface(`files_purge_tmp',`
 	delete_lnk_files_pattern($1, tmpfile, tmpfile)
 	delete_fifo_files_pattern($1, tmpfile, tmpfile)
 	delete_sock_files_pattern($1, tmpfile, tmpfile)
@ -13858,7 +13853,7 @@ index f962f76..d9660e9 100644
 ')
 
 ########################################
-@@ -5112,6 +6430,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6425,24 @@ interface(`files_create_kernel_symbol_table',`
 
 ########################################
 ## <summary>
@ -13883,7 +13878,7 @@ index f962f76..d9660e9 100644
 ##	Read system.map in the /boot directory.
 ## </summary>
 ## <param name="domain">
-@@ -5241,6 +6577,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6572,24 @@ interface(`files_list_var',`
 
 ########################################
 ## <summary>
@ -13908,7 +13903,7 @@ index f962f76..d9660e9 100644
 ##	Create, read, write, and delete directories
 ##	in the /var directory.
 ## </summary>
-@@ -5328,7 +6682,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6677,7 @@ interface(`files_dontaudit_rw_var_files',`
 		type var_t;
 	')
 
@ -13917,7 +13912,7 @@ index f962f76..d9660e9 100644
 ')
 
 ########################################
-@@ -5419,6 +6773,24 @@ interface(`files_var_filetrans',`
+@@ -5419,6 +6768,24 @@ interface(`files_var_filetrans',`
 	filetrans_pattern($1, var_t, $2, $3, $4)
 ')
 
@ -13942,7 +13937,7 @@ index f962f76..d9660e9 100644
 ########################################
 ## <summary>
 ##	Get the attributes of the /var/lib directory.
-@@ -5527,6 +6899,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6894,25 @@ interface(`files_rw_var_lib_dirs',`
 
 ########################################
 ## <summary>
@ -13968,7 +13963,7 @@ index f962f76..d9660e9 100644
 ##	Create objects in the /var/lib directory
 ## </summary>
 ## <param name="domain">
-@@ -5596,6 +6987,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6982,25 @@ interface(`files_read_var_lib_symlinks',`
 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
 ')
 
@ -13994,7 +13989,7 @@ index f962f76..d9660e9 100644
 # cjp: the next two interfaces really need to be fixed
 # in some way.  They really neeed their own types.
 
-@@ -5619,6 +7029,42 @@ interface(`files_manage_urandom_seed',`
+@@ -5619,6 +7024,42 @@ interface(`files_manage_urandom_seed',`
 	manage_files_pattern($1, var_lib_t, var_lib_t)
 ')
 
@ -14037,7 +14032,7 @@ index f962f76..d9660e9 100644
 ########################################
 ## <summary>
 ##	Allow domain to manage mount tables
-@@ -5641,7 +7087,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +7082,7 @@ interface(`files_manage_mounttab',`
 
 ########################################
 ## <summary>
@ -14046,7 +14041,7 @@ index f962f76..d9660e9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5649,12 +7095,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +7090,13 @@ interface(`files_manage_mounttab',`
 ##	</summary>
 ## </param>
 #
@ -14062,7 +14057,7 @@ index f962f76..d9660e9 100644
 ')
 
 ########################################
-@@ -5672,6 +7119,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +7114,7 @@ interface(`files_search_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -14070,7 +14065,7 @@ index f962f76..d9660e9 100644
 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 	search_dirs_pattern($1, var_t, var_lock_t)
 ')
-@@ -5698,7 +7146,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +7141,26 @@ interface(`files_dontaudit_search_locks',`
 
 ########################################
 ## <summary>
@ -14098,7 +14093,7 @@ index f962f76..d9660e9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5706,13 +7173,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +7168,12 @@ interface(`files_dontaudit_search_locks',`
 ##	</summary>
 ## </param>
 #
@ -14115,7 +14110,7 @@ index f962f76..d9660e9 100644
 ')
 
 ########################################
-@@ -5731,7 +7197,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +7192,7 @@ interface(`files_rw_lock_dirs',`
 		type var_t, var_lock_t;
 	')
 
@ -14124,7 +14119,7 @@ index f962f76..d9660e9 100644
 	rw_dirs_pattern($1, var_t, var_lock_t)
 ')
 
-@@ -5764,7 +7230,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +7225,6 @@ interface(`files_create_lock_dirs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -14132,7 +14127,7 @@ index f962f76..d9660e9 100644
 #
 interface(`files_relabel_all_lock_dirs',`
 	gen_require(`
-@@ -5779,7 +7244,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7239,7 @@ interface(`files_relabel_all_lock_dirs',`
 
 ########################################
 ## <summary>
@ -14141,7 +14136,7 @@ index f962f76..d9660e9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5787,13 +7252,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7247,33 @@ interface(`files_relabel_all_lock_dirs',`
 ##	</summary>
 ## </param>
 #
@ -14176,7 +14171,7 @@ index f962f76..d9660e9 100644
 	allow $1 var_lock_t:dir list_dir_perms;
 	getattr_files_pattern($1, var_lock_t, var_lock_t)
 ')
-@@ -5809,13 +7294,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7289,12 @@ interface(`files_getattr_generic_locks',`
 ## </param>
 #
 interface(`files_delete_generic_locks',`
@ -14194,7 +14189,7 @@ index f962f76..d9660e9 100644
 ')
 
 ########################################
-@@ -5834,9 +7318,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7313,7 @@ interface(`files_manage_generic_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -14205,7 +14200,7 @@ index f962f76..d9660e9 100644
 	manage_files_pattern($1, var_lock_t, var_lock_t)
 ')
 
-@@ -5878,8 +7360,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7355,7 @@ interface(`files_read_all_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -14215,7 +14210,7 @@ index f962f76..d9660e9 100644
 	allow $1 lockfile:dir list_dir_perms;
 	read_files_pattern($1, lockfile, lockfile)
 	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7382,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7377,7 @@ interface(`files_manage_all_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -14225,7 +14220,7 @@ index f962f76..d9660e9 100644
 	manage_dirs_pattern($1, lockfile, lockfile)
 	manage_files_pattern($1, lockfile, lockfile)
 	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7419,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7414,7 @@ interface(`files_lock_filetrans',`
 		type var_t, var_lock_t;
 	')
 
@ -14235,7 +14230,7 @@ index f962f76..d9660e9 100644
 	filetrans_pattern($1, var_lock_t, $2, $3, $4)
 ')
 
-@@ -5979,7 +7458,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7453,7 @@ interface(`files_setattr_pid_dirs',`
 		type var_run_t;
 	')
 
@ -14244,7 +14239,7 @@ index f962f76..d9660e9 100644
 	allow $1 var_run_t:dir setattr;
 ')
 
-@@ -5999,10 +7478,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7473,48 @@ interface(`files_search_pids',`
 		type var_t, var_run_t;
 	')
 
@ -14293,7 +14288,7 @@ index f962f76..d9660e9 100644
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
-@@ -6025,6 +7542,43 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7537,43 @@ interface(`files_dontaudit_search_pids',`
 
 ########################################
 ## <summary>
@ -14337,7 +14332,7 @@ index f962f76..d9660e9 100644
 ##	List the contents of the runtime process
 ##	ID directories (/var/run).
 ## </summary>
-@@ -6039,7 +7593,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7588,7 @@ interface(`files_list_pids',`
 		type var_t, var_run_t;
 	')
 
@ -14346,7 +14341,7 @@ index f962f76..d9660e9 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 ')
 
-@@ -6058,7 +7612,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7607,7 @@ interface(`files_read_generic_pids',`
 		type var_t, var_run_t;
 	')
 
@ -14355,7 +14350,7 @@ index f962f76..d9660e9 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 	read_files_pattern($1, var_run_t, var_run_t)
 ')
-@@ -6078,7 +7632,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7627,7 @@ interface(`files_write_generic_pid_pipes',`
 		type var_run_t;
 	')
 
@ -14364,7 +14359,7 @@ index f962f76..d9660e9 100644
 	allow $1 var_run_t:fifo_file write;
 ')
 
-@@ -6140,7 +7694,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7689,6 @@ interface(`files_pid_filetrans',`
 	')
 
 	allow $1 var_t:dir search_dir_perms;
@ -14372,7 +14367,7 @@ index f962f76..d9660e9 100644
 	filetrans_pattern($1, var_run_t, $2, $3, $4)
 ')
 
-@@ -6169,7 +7722,7 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,7 +7717,7 @@ interface(`files_pid_filetrans_lock_dir',`
 
 ########################################
 ## <summary>
@ -14381,7 +14376,7 @@ index f962f76..d9660e9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6177,12 +7730,30 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6177,12 +7725,30 @@ interface(`files_pid_filetrans_lock_dir',`
 ##	</summary>
 ## </param>
 #
@ -14415,7 +14410,7 @@ index f962f76..d9660e9 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 	rw_files_pattern($1, var_run_t, var_run_t)
 ')
-@@ -6249,6 +7820,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,6 +7815,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 ########################################
 ## <summary>
@ -14532,7 +14527,7 @@ index f962f76..d9660e9 100644
 ##	Read all process ID files.
 ## </summary>
 ## <param name="domain">
-@@ -6261,12 +7942,105 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6261,12 +7937,105 @@ interface(`files_dontaudit_ioctl_all_pids',`
 interface(`files_read_all_pids',`
 	gen_require(`
 		attribute pidfile;
@ -14640,7 +14635,7 @@ index f962f76..d9660e9 100644
 ')
 
 ########################################
-@@ -6286,8 +8060,8 @@ interface(`files_delete_all_pids',`
+@@ -6286,8 +8055,8 @@ interface(`files_delete_all_pids',`
 		type var_t, var_run_t;
 	')
 
@ -14650,7 +14645,7 @@ index f962f76..d9660e9 100644
 	allow $1 var_run_t:dir rmdir;
 	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
 	delete_files_pattern($1, pidfile, pidfile)
-@@ -6311,36 +8085,80 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6311,36 +8080,80 @@ interface(`files_delete_all_pid_dirs',`
 		type var_t, var_run_t;
 	')
 
@ -14742,7 +14737,7 @@ index f962f76..d9660e9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6348,12 +8166,33 @@ interface(`files_manage_all_pids',`
+@@ -6348,12 +8161,33 @@ interface(`files_manage_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -14779,7 +14774,7 @@ index f962f76..d9660e9 100644
 ')
 
 ########################################
-@@ -6580,3 +8419,605 @@ interface(`files_unconfined',`
+@@ -6580,3 +8414,605 @@ interface(`files_unconfined',`
 
 	typeattribute $1 files_unconfined_type;
 ')
@ -19175,7 +19170,7 @@ index 7be4ddf..9710b33 100644
 +/sys/kernel/debug -d	gen_context(system_u:object_r:debugfs_t,s0)
 +/sys/kernel/debug/.*	<<none>>
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..d780b64 100644
+index e100d88..ff9e7ba 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@ -19598,7 +19593,34 @@ index e100d88..d780b64 100644
 ########################################
 ## <summary>
 ##	Read and write RPC sysctls.
-@@ -2085,7 +2261,54 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2071,6 +2247,26 @@ interface(`kernel_rw_rpc_sysctls',`
+ 
+ ########################################
+ ## <summary>
+##	Read and write RPC sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_create_rpc_sysctls',`
+	gen_require(`
+		type proc_t, proc_net_t, sysctl_rpc_t;
+	')
+
+	create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
+
+')
+
+########################################
+## <summary>
+ ##	Do not audit attempts to list all sysctl directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -2085,7 +2281,54 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 	')
 
 	dontaudit $1 sysctl_type:dir list_dir_perms;
@ -19654,11 +19676,71 @@ index e100d88..d780b64 100644
 ')
 
 ########################################
-@@ -2282,6 +2505,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,7 +2525,7 @@ interface(`kernel_list_unlabeled',`
 
 ########################################
 ## <summary>
+-##	Read the process state (/proc/pid) of all unlabeled_t.
 +##	Delete unlabeled files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2290,19 +2533,18 @@ interface(`kernel_list_unlabeled',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`kernel_read_unlabeled_state',`
+interface(`kernel_delete_unlabeled',`
+ 	gen_require(`
+ 		type unlabeled_t;
+ 	')
+ 
+-	allow $1 unlabeled_t:dir list_dir_perms;
+-	read_files_pattern($1, unlabeled_t, unlabeled_t)
+-	read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
+	allow $1 unlabeled_t:dir delete_dir_perms;
+	allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to list unlabeled directories.
+##	Read the process state (/proc/pid) of all unlabeled_t.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2310,6 +2552,26 @@ interface(`kernel_read_unlabeled_state',`
+ ##	</summary>
+ ## </param>
+ #
+interface(`kernel_read_unlabeled_state',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir list_dir_perms;
+	read_files_pattern($1, unlabeled_t, unlabeled_t)
+	read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+ interface(`kernel_dontaudit_list_unlabeled',`
+ 	gen_require(`
+ 		type unlabeled_t;
+@@ -2488,6 +2750,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+ 
+ ########################################
+ ## <summary>
+##	Read and write unlabeled sockets.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -19666,75 +19748,20 @@ index e100d88..d780b64 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`kernel_delete_unlabeled',`
+interface(`kernel_rw_unlabeled_socket',`
 +	gen_require(`
 +		type unlabeled_t;
 +	')
 +
-+	allow $1 unlabeled_t:dir delete_dir_perms;
-+	allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Read the process state (/proc/pid) of all unlabeled_t.
- ## </summary>
- ## <param name="domain">
-@@ -2306,7 +2548,7 @@ interface(`kernel_read_unlabeled_state',`
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -2488,21 +2730,39 @@ interface(`kernel_rw_unlabeled_blk_files',`
- 
- ########################################
- ## <summary>
-##	Do not audit attempts by caller to get attributes for
-##	unlabeled character devices.
-+##	Read and write unlabeled sockets.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
-interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
-+interface(`kernel_rw_unlabeled_socket',`
- 	gen_require(`
- 		type unlabeled_t;
- 	')
- 
-	dontaudit $1 unlabeled_t:chr_file getattr;
 +	allow $1 unlabeled_t:socket rw_socket_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts by caller to get attributes for
-+##	unlabeled character devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
-+	gen_require(`
-+		type unlabeled_t;
-+	')
-+
-+	dontaudit $1 unlabeled_t:chr_file getattr;
- ')
- 
- ########################################
-@@ -2525,6 +2785,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+ ##	Do not audit attempts by caller to get attributes for
+ ##	unlabeled character devices.
+ ## </summary>
+@@ -2525,6 +2805,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 
 ########################################
 ## <summary>
@ -19759,7 +19786,7 @@ index e100d88..d780b64 100644
 ##	Allow caller to relabel unlabeled files.
 ## </summary>
 ## <param name="domain">
-@@ -2667,6 +2945,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2965,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
 
 ########################################
 ## <summary>
@ -19784,7 +19811,7 @@ index e100d88..d780b64 100644
 ##	Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
-@@ -2694,6 +2990,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +3010,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
 
 ########################################
 ## <summary>
@ -19810,7 +19837,7 @@ index e100d88..d780b64 100644
 ##	Do not audit attempts to receive TCP packets from an unlabeled
 ##	connection.
 ## </summary>
-@@ -2803,6 +3118,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +3138,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
 
 	allow $1 unlabeled_t:rawip_socket recvfrom;
 ')
@ -19844,7 +19871,7 @@ index e100d88..d780b64 100644
 
 ########################################
 ## <summary>
-@@ -2958,6 +3300,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3320,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
 
 ########################################
 ## <summary>
@ -19869,7 +19896,7 @@ index e100d88..d780b64 100644
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
-@@ -2972,5 +3332,649 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3352,649 @@ interface(`kernel_unconfined',`
 	')
 
 	typeattribute $1 kern_unconfined;
@ -20048,7 +20075,7 @@ index e100d88..d780b64 100644
 +	')
 +
 +	dontaudit $1 proc_numa_t:dir search;
-+')
+ ')
 +
 +########################################
 +## <summary>
@ -20091,7 +20118,7 @@ index e100d88..d780b64 100644
 +	read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
 +
 +	list_dirs_pattern($1, proc_t, proc_numa_t)
- ')
+')
 +
 +########################################
 +## <summary>
@ -20521,7 +20548,7 @@ index e100d88..d780b64 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..5deb336 100644
+index 8dbab4c..88c7112 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -20816,7 +20843,16 @@ index 8dbab4c..5deb336 100644
 ########################################
 #
 # Unlabeled process local policy
-@@ -399,14 +491,38 @@ if( ! secure_mode_insmod ) {
+@@ -388,6 +480,8 @@ optional_policy(`
+ if( ! secure_mode_insmod ) {
+ 	allow can_load_kernmodule self:capability sys_module;
+ 
+    files_load_kernel_modules(can_load_kernmodule)
+
+ 	# load_module() calls stop_machine() which
+ 	# calls sched_setscheduler()
+ 	allow can_load_kernmodule self:capability sys_nice;
+@@ -399,14 +493,38 @@ if( ! secure_mode_insmod ) {
 # Rules for unconfined acccess to this module
 #
 
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -3504,10 +3504,10 @@ index 0000000..c679dd3
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..2029082 100644
+index 7caefc3..dac9ad5 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,215 @@
+@@ -1,162 +1,217 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@ -3536,6 +3536,7 @@ index 7caefc3..2029082 100644
 +/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/glpi(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nextcloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/horde(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/rt(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
@ -3752,6 +3753,7 @@ index 7caefc3..2029082 100644
 +/var/lib/openshift/\.httpd\.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
 +/var/lib/openshift/\.log/httpd(/.*)?		  gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/lib/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/nextcloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/pootle/po(/.*)? 		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/roundcubemail(/.*)?    gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/rt(3|4)/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
@ -3863,7 +3865,7 @@ index 7caefc3..2029082 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index f6eb485..757b864 100644
+index f6eb485..fe461a3 100644
 --- a/apache.if
 +++ b/apache.if
@@ -1,9 +1,9 @@
@ -5328,7 +5330,7 @@ index f6eb485..757b864 100644
 	admin_pattern($1, httpd_log_t)
 
 	admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1625,182 @@ interface(`apache_admin',`
+@@ -1224,9 +1625,183 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
 
@ -5400,6 +5402,7 @@ index f6eb485..757b864 100644
 +	files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
 +	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
 +	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
+	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud")
 +	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
 +	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
 +	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
@ -84217,10 +84220,24 @@ index 4460582..4c66c25 100644
 +
 ')
 diff --git a/radius.te b/radius.te
-index 403a4fe..0ff0178 100644
+index 403a4fe..159f21e 100644
 --- a/radius.te
 +++ b/radius.te
-@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
+@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
+ # Declarations
+ #
+ 
+## <desc>
+##      <p>
+##      Determine whether radius can use JIT compiler.
+##      </p>
+## </desc>
+gen_tunable(radius_use_jit, false)
+
+ type radiusd_t;
+ type radiusd_exec_t;
+ init_daemon_domain(radiusd_t, radiusd_exec_t)
+@@ -27,6 +34,9 @@ files_type(radiusd_var_lib_t)
 type radiusd_var_run_t;
 files_pid_file(radiusd_var_run_t)
 
@ -84230,7 +84247,7 @@ index 403a4fe..0ff0178 100644
 ########################################
 #
 # Local policy
-@@ -49,9 +52,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+@@ -49,9 +59,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
 filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
 
 manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
@ -84241,7 +84258,7 @@ index 403a4fe..0ff0178 100644
 logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
 
 manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
-@@ -60,11 +61,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+@@ -60,11 +68,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
 manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
 manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
 files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
@ -84254,7 +84271,7 @@ index 403a4fe..0ff0178 100644
 corenet_all_recvfrom_netlabel(radiusd_t)
 corenet_tcp_sendrecv_generic_if(radiusd_t)
 corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -74,12 +75,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
+@@ -74,12 +82,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
 corenet_udp_sendrecv_all_ports(radiusd_t)
 corenet_udp_bind_generic_node(radiusd_t)
 
@ -84277,7 +84294,7 @@ index 403a4fe..0ff0178 100644
 corenet_sendrecv_snmp_client_packets(radiusd_t)
 corenet_tcp_connect_snmp_port(radiusd_t)
 
-@@ -97,7 +108,6 @@ domain_use_interactive_fds(radiusd_t)
+@@ -97,7 +115,6 @@ domain_use_interactive_fds(radiusd_t)
 fs_getattr_all_fs(radiusd_t)
 fs_search_auto_mountpoints(radiusd_t)
 
@ -84285,7 +84302,7 @@ index 403a4fe..0ff0178 100644
 files_read_etc_runtime_files(radiusd_t)
 files_dontaudit_list_tmp(radiusd_t)
 
-@@ -109,7 +119,6 @@ libs_exec_lib_files(radiusd_t)
+@@ -109,7 +126,6 @@ libs_exec_lib_files(radiusd_t)
 
 logging_send_syslog_msg(radiusd_t)
 
@ -84293,7 +84310,18 @@ index 403a4fe..0ff0178 100644
 miscfiles_read_generic_certs(radiusd_t)
 
 sysnet_use_ldap(radiusd_t)
-@@ -122,6 +131,11 @@ optional_policy(`
+@@ -117,11 +133,22 @@ sysnet_use_ldap(radiusd_t)
+ userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
+ userdom_dontaudit_search_user_home_dirs(radiusd_t)
+ 
+tunable_policy(`radius_use_jit',`
+    allow radiusd_t self:process execmem;
+',`
+    dontaudit radiusd_t self:process execmem;
+')
+
+ optional_policy(`
+ 	cron_system_entry(radiusd_t, radiusd_exec_t)
 ')
 
 optional_policy(`
@ -84305,7 +84333,7 @@ index 403a4fe..0ff0178 100644
 	logrotate_exec(radiusd_t)
 ')
 
-@@ -140,5 +154,10 @@ optional_policy(`
+@@ -140,5 +167,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -91354,7 +91382,7 @@ index 0bf13c2..ed393a0 100644
 	files_list_tmp($1)
 	admin_pattern($1, gssd_tmp_t)
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..be1fab2 100644
+index 2da9fca..f97a61a 100644
 --- a/rpc.te
 +++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@ -91558,7 +91586,7 @@ index 2da9fca..be1fab2 100644
 ')
 
 ########################################
-@@ -202,41 +232,62 @@ optional_policy(`
+@@ -202,41 +232,63 @@ optional_policy(`
 #
 
 allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@ -91577,6 +91605,7 @@ index 2da9fca..be1fab2 100644
 -# kernel_mounton_proc(nfsd_t)
 +kernel_mounton_proc(nfsd_t)
 +kernel_rw_rpc_sysctls_dirs(nfsd_t)
+kernel_create_rpc_sysctls(nfsd_t)
 
 -corenet_sendrecv_nfs_server_packets(nfsd_t)
 +corecmd_exec_shell(nfsd_t)
@ -91631,7 +91660,7 @@ index 2da9fca..be1fab2 100644
 	miscfiles_manage_public_files(nfsd_t)
 ')
 
-@@ -245,7 +296,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +297,6 @@ tunable_policy(`nfs_export_all_rw',`
 	dev_getattr_all_chr_files(nfsd_t)
 
 	fs_read_noxattr_fs_files(nfsd_t)
@ -91639,7 +91668,7 @@ index 2da9fca..be1fab2 100644
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +307,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +308,12 @@ tunable_policy(`nfs_export_all_ro',`
 
 	fs_read_noxattr_fs_files(nfsd_t)
 
@ -91654,7 +91683,7 @@ index 2da9fca..be1fab2 100644
 ')
 
 ########################################
-@@ -270,7 +320,7 @@ optional_policy(`
+@@ -270,7 +321,7 @@ optional_policy(`
 # GSSD local policy
 #
 
@ -91663,7 +91692,7 @@ index 2da9fca..be1fab2 100644
 allow gssd_t self:process { getsched setsched };
 allow gssd_t self:fifo_file rw_fifo_file_perms;
 
-@@ -280,6 +330,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +331,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
@ -91671,7 +91700,7 @@ index 2da9fca..be1fab2 100644
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
 kernel_request_load_module(gssd_t)
-@@ -288,25 +339,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +340,31 @@ kernel_signal(gssd_t)
 
 corecmd_exec_bin(gssd_t)
 
@ -91706,7 +91735,7 @@ index 2da9fca..be1fab2 100644
 ')
 
 optional_policy(`
-@@ -314,9 +371,12 @@ optional_policy(`
+@@ -314,9 +372,12 @@ optional_policy(`
 ')
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 241%{?dist}
+Release: 242%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -675,6 +675,13 @@ exit 0
 %endif

 %changelog
+* Mon Feb 27 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-242
+- Add radius_use_jit boolean
+- Allow nfsd_t domain to create sysctls_rpc_t files
+- add the policy required for nextcloud
+- Allow can_load_kernmodule to load kernel modules. BZ(1426741)
+- Create kernel_create_rpc_sysctls() interface
+
 * Tue Feb 21 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-241
 - Remove ganesha from gluster module and create own module for ganesha
 - FIx label for /usr/lib/libGLdispatch.so.0.0.0