diff --git a/container-selinux.tgz b/container-selinux.tgz index be53f4f8..627306af 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 51820512..a8864592 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -47930,10 +47930,10 @@ index 0000000..3303edd +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..746fc9d +index 0000000..54d6359 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1018 @@ +@@ -0,0 +1,1020 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48916,6 +48916,8 @@ index 0000000..746fc9d +# systemd_modules_load domain +# + ++allow systemd_modules_load_t self:system module_load; ++ +kernel_dgram_send(systemd_modules_load_t) +kernel_load_module(systemd_modules_load_t) + @@ -49250,7 +49252,7 @@ index 9a1650d..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..b41b341 100644 +index 39f185f..a313a7d 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) 
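Review bot: `allow systemd_modules_load_t self:system module_load;` is a self-targeted check, which (as far as I recall the LSM hook) is what init_module() loading an image from memory hits; finit_module() on a module file is checked with the same class and permission against the module file's type instead, so if kmod takes that path the denials move to the file type rather than disappear. A why-comment would make the intended path explicit, e.g. `# init_module() from memory; finit_module() is checked against the module file's type`. The rule sits directly above `kernel_load_module(systemd_modules_load_t)`, so it is worth confirming whether that interface already covers the file-targeted side in this policy version before merging.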
@@ -49280,7 +49282,7 @@ index 39f185f..b41b341 100644 -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; -+allow udev_t self:capability2 { block_suspend }; ++allow udev_t self:capability2 { block_suspend wake_alarm }; dontaudit udev_t self:capability sys_tty_config; -allow udev_t self:capability2 block_suspend; -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 24ad5d32..85bf9dba 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9823,7 +9823,7 @@ index 531a8f2..3fcf187 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..4ec3437 100644 +index 1241123..fc5eb99 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9885,7 +9885,7 @@ index 1241123..4ec3437 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -127,6 +130,12 @@ corenet_udp_bind_generic_node(named_t) +@@ -127,9 +130,15 @@ corenet_udp_bind_generic_node(named_t) corenet_sendrecv_all_server_packets(named_t) corenet_tcp_bind_dns_port(named_t) corenet_udp_bind_dns_port(named_t) @@ -9897,6 +9897,10 @@ index 1241123..4ec3437 100644 +corenet_udp_bind_bgp_port(named_t) corenet_tcp_sendrecv_dns_port(named_t) corenet_udp_sendrecv_dns_port(named_t) +- ++corenet_udp_bind_whois_port(named_t) + corenet_tcp_bind_rndc_port(named_t) + corenet_tcp_sendrecv_rndc_port(named_t) @@ -141,9 +150,13 @@ corenet_sendrecv_all_client_packets(named_t) corenet_tcp_connect_all_ports(named_t) 
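Review bot: `allow udev_t self:capability2 { block_suspend wake_alarm };` adds a capability that can schedule a system wake-up without saying what in udev needs it; a why-comment belongs on the line, e.g. `# wake_alarm: <describe the udev rule or helper that needed it>`. The preceding `self:capability` line, unchanged here, still lists `sys_nice` twice; harmless, but easy to tidy while this spot is being touched.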
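Review bot: `corenet_udp_bind_whois_port(named_t)` lets BIND bind the whois port, which is not a DNS port and is not referenced anywhere else in this hunk; if it was added to silence an AVC denial caused by named's randomized source ports for outgoing queries, the denial will recur on other ports and a port-specific allow is the wrong shape. A comment naming the use case would settle it, e.g. `# whois port: <reason / bug reference>`, or the rule should be dropped if a random source port was the trigger. The rewritten inner header `@@ -127,9 +130,15 @@` is consistent with the three added context lines.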
@@ -15713,7 +15717,7 @@ index 954309e..6780142 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..cb6a356 100644 +index 6471fa8..228b603 100644 --- a/collectd.te +++ b/collectd.te @@ -26,43 +26,61 @@ files_type(collectd_var_lib_t) @@ -15788,10 +15792,12 @@ index 6471fa8..cb6a356 100644 logging_send_syslog_msg(collectd_t) -@@ -74,17 +92,45 @@ tunable_policy(`collectd_tcp_network_connect',` - corenet_tcp_sendrecv_all_ports(collectd_t) +@@ -75,16 +93,47 @@ tunable_policy(`collectd_tcp_network_connect',` ') + optional_policy(` ++ lvm_read_config(collectd_t) ++') + +optional_policy(` + pdns_stream_connect(collectd_t) @@ -15813,7 +15819,7 @@ index 6471fa8..cb6a356 100644 + snmp_read_snmp_var_lib_dirs(collectd_t) +') + - optional_policy(` ++optional_policy(` virt_read_config(collectd_t) + virt_stream_connect(collectd_t) ') @@ -23240,7 +23246,7 @@ index 62d22cb..1287d08 100644 + ') diff --git a/dbus.te b/dbus.te -index c9998c8..8b447a3 100644 +index c9998c8..27182fd 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -23284,7 +23290,7 @@ index c9998c8..8b447a3 100644 ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -51,59 +47,62 @@ ifdef(`enable_mls',` +@@ -51,59 +47,64 @@ ifdef(`enable_mls',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) ') @@ -23349,6 +23355,8 @@ index c9998c8..8b447a3 100644 -files_list_home(system_dbusd_t) -files_read_usr_files(system_dbusd_t) ++dev_rw_nvme(system_dbusd_t) ++ +files_rw_inherited_non_security_files(system_dbusd_t) fs_getattr_all_fs(system_dbusd_t) 
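Review bot: `dev_rw_nvme(system_dbusd_t)` gives the system message bus read/write access to NVMe device nodes, which is unrelated to what dbus-daemon does and broader than anything else granted to it in this hunk. If the denial came from a descriptor a client passed over the bus, the `files_rw_inherited_non_security_files(system_dbusd_t)` rule immediately below is the pattern to build on (or a `dontaudit` if the access is not actually needed), rather than a standalone raw-device grant. At minimum a comment should record the triggering scenario, e.g. `# dev_rw_nvme: <describe the denial that required raw NVMe access>`.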
@@ -23364,7 +23372,7 @@ index c9998c8..8b447a3 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +122,174 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +124,174 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -23413,10 +23421,9 @@ index c9998c8..8b447a3 100644 optional_policy(` - policykit_read_lib(system_dbusd_t) + cpufreqselector_dbus_chat(system_dbusd_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(system_dbusd_t) ++') ++ ++optional_policy(` + getty_start_services(system_dbusd_t) +') + @@ -23442,9 +23449,10 @@ index c9998c8..8b447a3 100644 + +optional_policy(` + snapper_read_inherited_pipe(system_dbusd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- seutil_sigchld_newrole(system_dbusd_t) + sysnet_domtrans_dhcpc(system_dbusd_t) +') + @@ -23486,7 +23494,7 @@ index c9998c8..8b447a3 100644 +allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms; + +fs_search_all(system_bus_type) - ++ +dbus_system_bus_client(system_bus_type) +dbus_connect_system_bus(system_bus_type) + @@ -23516,7 +23524,7 @@ index c9998c8..8b447a3 100644 +ifdef(`hide_broken_symptoms',` + dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; +') -+ + +######################################## +# +# session_bus_type rules @@ -23553,7 +23561,7 @@ index c9998c8..8b447a3 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +298,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +300,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) 
@@ -23578,7 +23586,7 @@ index c9998c8..8b447a3 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +317,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +319,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -23586,7 +23594,7 @@ index c9998c8..8b447a3 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +326,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +328,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -23628,7 +23636,7 @@ index c9998c8..8b447a3 100644 ') ######################################## -@@ -244,5 +363,9 @@ optional_policy(` +@@ -244,5 +365,9 @@ optional_policy(` # Unconfined access to this module # @@ -42717,10 +42725,10 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index 2990962..abd217f 100644 +index 2990962..6629aaf 100644 --- a/kdumpgui.te +++ b/kdumpgui.te -@@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0) +@@ -5,79 +5,90 @@ policy_module(kdumpgui, 1.2.0) # Declarations # @@ -42784,8 +42792,10 @@ index 2990962..abd217f 100644 fs_list_hugetlbfs(kdumpgui_t) -fs_read_dos_files(kdumpgui_t) - storage_raw_read_fixed_disk(kdumpgui_t) +-storage_raw_read_fixed_disk(kdumpgui_t) storage_raw_write_fixed_disk(kdumpgui_t) ++storage_raw_read_removable_device(kdumpgui_t) ++storage_raw_read_fixed_disk(kdumpgui_t) +storage_getattr_removable_dev(kdumpgui_t) auth_use_nsswitch(kdumpgui_t) @@ -42829,7 +42839,7 @@ index 2990962..abd217f 100644 ') optional_policy(` -@@ -87,4 +97,10 @@ optional_policy(` +@@ -87,4 +98,10 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) @@ -42941,7 +42951,7 @@ index 0000000..bd7e7fa +') 
diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..c4f0c32 +index 0000000..04c46e7 --- /dev/null +++ b/keepalived.te @@ -0,0 +1,95 @@ @@ -42985,7 +42995,7 @@ index 0000000..c4f0c32 +kernel_read_system_state(keepalived_t) +kernel_read_network_state(keepalived_t) +kernel_request_load_module(keepalived_t) -+kernel_read_usermodehelper_state(keepalived_t) ++kernel_rw_usermodehelper_state(keepalived_t) + +auth_use_nsswitch(keepalived_t) + @@ -72991,10 +73001,10 @@ index 0000000..f18fcc6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..555b44a +index 0000000..94da39a --- /dev/null +++ b/pki.te -@@ -0,0 +1,283 @@ +@@ -0,0 +1,285 @@ +policy_module(pki,10.0.11) + +######################################## @@ -73121,6 +73131,8 @@ index 0000000..555b44a + +selinux_get_enforce_mode(pki_tomcat_t) + ++libs_exec_ldconfig(pki_tomcat_t) ++ +logging_send_audit_msgs(pki_tomcat_t) + +miscfiles_read_hwdata(pki_tomcat_t) @@ -84656,7 +84668,7 @@ index 2c3d338..7d49554 100644 init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rabbitmq.te b/rabbitmq.te -index dc3b0ed..b0ae2c6 100644 +index dc3b0ed..37aa9a7 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2) @@ -84690,7 +84702,7 @@ index dc3b0ed..b0ae2c6 100644 type rabbitmq_var_log_t; logging_log_file(rabbitmq_var_log_t) -@@ -27,98 +31,93 @@ files_pid_file(rabbitmq_var_run_t) +@@ -27,98 +31,96 @@ files_pid_file(rabbitmq_var_run_t) ###################################### # 
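Review bot: `kernel_rw_usermodehelper_state(keepalived_t)` replaces the read-only interface and grants write access to the usermodehelper sysctls, which control which helper programs the kernel executes; that is a meaningful privilege widening for a network-facing daemon and should not be granted merely to quiet a write denial. If keepalived only opens these files read/write without actually writing them, a `dontaudit` of the write permission next to the original `kernel_read_usermodehelper_state(keepalived_t)` is the narrower fix. If it genuinely writes them, a comment stating which sysctl and why belongs on the line, e.g. `# keepalived writes <sysctl> for <reason>`.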
@@ -84793,6 +84805,7 @@ index dc3b0ed..b0ae2c6 100644 +allow rabbitmq_t self:process { setsched signal signull }; +allow rabbitmq_t self:fifo_file rw_fifo_file_perms; +allow rabbitmq_t self:tcp_socket { accept listen }; ++allow rabbitmq_t self:unix_dgram_socket { connect create getopt setopt write }; + +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) @@ -84813,6 +84826,8 @@ index dc3b0ed..b0ae2c6 100644 +manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t) +files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file }) + ++kernel_dgram_send(rabbitmq_t) ++ +kernel_read_system_state(rabbitmq_t) +kernel_read_fs_sysctls(rabbitmq_t) + @@ -96185,7 +96200,7 @@ index 50d07fb..a34db48 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..0aaed65 100644 +index 2b7c441..09e193b 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -96717,7 +96732,7 @@ index 2b7c441..0aaed65 100644 ') tunable_policy(`samba_domain_controller',` -@@ -419,20 +459,10 @@ tunable_policy(`samba_domain_controller',` +@@ -419,20 +459,16 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` 
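Review bot: `allow rabbitmq_t self:unix_dgram_socket { connect create getopt setopt write };` together with `kernel_dgram_send(rabbitmq_t)` in the next hunk (`@@ -84813,6 +84826,8 @@`) has the shape of a syslog(3)/`/dev/log` client, which this policy conventionally expresses with `logging_send_syslog_msg(rabbitmq_t)` rather than hand-listed permissions. If that is the use case, the single interface replaces both additions and also covers the log socket file itself; if it is not, a comment naming the datagram peer would stop the next reviewer from making the same guess.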
@@ -96726,21 +96741,25 @@ index 2b7c441..0aaed65 100644 - userdom_manage_user_home_content_symlinks(smbd_t) - userdom_manage_user_home_content_sockets(smbd_t) - userdom_manage_user_home_content_pipes(smbd_t) --') -- ++ userdom_manage_user_home_content(smbd_t) + ') + -tunable_policy(`samba_portmapper',` - corenet_sendrecv_all_server_packets(smbd_t) - corenet_tcp_bind_epmap_port(smbd_t) - corenet_tcp_bind_all_unreserved_ports(smbd_t) - corenet_tcp_sendrecv_all_ports(smbd_t) -+ userdom_manage_user_home_content(smbd_t) ++optional_policy(` ++ tunable_policy(`samba_enable_home_dirs',` ++ apache_manage_user_content(smbd_t) ++ ') ') +# Support Samba sharing of NFS mount points tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -441,6 +471,7 @@ tunable_policy(`samba_share_nfs',` +@@ -441,6 +477,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -96748,7 +96767,7 @@ index 2b7c441..0aaed65 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -448,15 +479,10 @@ tunable_policy(`samba_share_fusefs',` +@@ -448,15 +485,10 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -96768,7 +96787,7 @@ index 2b7c441..0aaed65 100644 ') optional_policy(` -@@ -466,6 +492,7 @@ optional_policy(` +@@ -466,6 +498,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) @@ -96776,7 +96795,7 @@ index 2b7c441..0aaed65 100644 ') optional_policy(` -@@ -474,11 +501,31 @@ optional_policy(` +@@ -474,11 +507,31 @@ optional_policy(` ') optional_policy(` @@ -96808,7 +96827,7 @@ index 2b7c441..0aaed65 100644 lpd_exec_lpr(smbd_t) ') -@@ -488,6 +535,10 @@ optional_policy(` +@@ -488,6 +541,10 @@ optional_policy(` ') optional_policy(` 
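Review bot: `apache_manage_user_content(smbd_t)` extends the `samba_enable_home_dirs` boolean so that smbd can now also create, modify and delete httpd user content (the web-served part of home directories), not just ordinary home files, and administrators who enable the boolean for home shares receive that write access implicitly. The tunable's `<desc>` text near the top of samba.te is outside this hunk and should be updated in the same change to say that web-served user content types are included. Wrapping the tunable in `optional_policy` is correct since the apache module may be absent, and the new block reads more clearly than the old inner diff that spliced the line into the removed `samba_portmapper` block.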
@@ -96819,7 +96838,7 @@ index 2b7c441..0aaed65 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,12 +550,53 @@ optional_policy(` +@@ -499,12 +556,53 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -96874,7 +96893,7 @@ index 2b7c441..0aaed65 100644 allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow nmbd_t self:fd use; allow nmbd_t self:fifo_file rw_fifo_file_perms; -@@ -512,9 +604,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +610,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -96889,7 +96908,7 @@ index 2b7c441..0aaed65 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +620,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +626,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -96914,7 +96933,7 @@ index 2b7c441..0aaed65 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -547,53 +637,44 @@ kernel_read_kernel_sysctls(nmbd_t) +@@ -547,53 +643,44 @@ kernel_read_kernel_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -96983,7 +97002,7 @@ index 2b7c441..0aaed65 100644 ') optional_policy(` -@@ -606,18 +687,29 @@ optional_policy(` +@@ -606,18 +693,29 @@ optional_policy(` ######################################## # @@ -97019,7 +97038,7 @@ index 2b7c441..0aaed65 100644 samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -627,39 +719,38 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,39 +725,38 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) 
@@ -97071,7 +97090,7 @@ index 2b7c441..0aaed65 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +759,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +765,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -97107,7 +97126,7 @@ index 2b7c441..0aaed65 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +786,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +792,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -97199,7 +97218,7 @@ index 2b7c441..0aaed65 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +865,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +871,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -97223,7 +97242,7 @@ index 2b7c441..0aaed65 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +879,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +885,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -97266,7 +97285,7 @@ index 2b7c441..0aaed65 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +909,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +915,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -97280,7 +97299,7 @@ index 2b7c441..0aaed65 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +932,20 @@ optional_policy(` +@@ -840,17 +938,20 @@ optional_policy(` # Winbind local policy # 
@@ -97307,7 +97326,7 @@ index 2b7c441..0aaed65 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +955,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +961,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -97318,7 +97337,7 @@ index 2b7c441..0aaed65 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +966,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +972,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -97372,7 +97391,7 @@ index 2b7c441..0aaed65 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +1009,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +1015,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -97431,7 +97450,7 @@ index 2b7c441..0aaed65 100644 ') optional_policy(` -@@ -959,31 +1070,36 @@ optional_policy(` +@@ -959,31 +1076,36 @@ optional_policy(` # Winbind helper local policy # @@ -97475,7 +97494,7 @@ index 2b7c441..0aaed65 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1113,38 @@ optional_policy(` +@@ -997,25 +1119,38 @@ optional_policy(` ######################################## # @@ -110367,7 +110386,7 @@ index 0000000..eef708d +/var/run/tlp(/.*)? gen_context(system_u:object_r:tlp_var_run_t,s0) diff --git a/tlp.if b/tlp.if new file mode 100644 -index 0000000..46f12a4 +index 0000000..368e188 --- /dev/null +++ b/tlp.if @@ -0,0 +1,184 @@ 
@@ -110510,7 +110529,7 @@ index 0000000..46f12a4 + ') + + files_search_pids($1) -+ read_files_pattern($1, tlp_var_run_t, tlp_var_run_t) ++ manage_files_pattern($1, tlp_var_run_t, tlp_var_run_t) +') + +######################################## @@ -111401,10 +111420,10 @@ index 61c2e07..3b86095 100644 + ') ') diff --git a/tor.te b/tor.te -index 5ceacde..c919a2d 100644 +index 5ceacde..a395940 100644 --- a/tor.te +++ b/tor.te -@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0) +@@ -13,6 +13,20 @@ policy_module(tor, 1.9.0) ## gen_tunable(tor_bind_all_unreserved_ports, false) @@ -111414,11 +111433,18 @@ index 5ceacde..c919a2d 100644 +##
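Review bot: `manage_files_pattern($1, tlp_var_run_t, tlp_var_run_t)` turns what was a read-only interface into one that lets callers create, write, rename and delete tlp pid files, but the interface's name and `<summary>` are outside this hunk and, if they still say "read", now misdescribe what a caller receives. Either rename and re-document it as a manage interface (e.g. `tlp_manage_pid_files`) or keep the read interface and add a separate manage one so existing callers are not silently widened. The enclosing interface definition starts before this hunk.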
+## +gen_tunable(tor_can_network_relay, false) ++ ++##++## Allow tor to run onion services ++##
++##