* Mon Sep 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-286

- Add new boolean tomcat_read_rpm_db() - Allow tomcat to connect on mysqld tcp ports - Add new interface apache_delete_tmp() - Add interface fprintd_exec() - Add interface fprintd_mounton_var_lib() - Allow mozilla plugin to mmap video devices BZ(1492580) - Add ctdbd_t domain sys_source capability and allow setrlimit - Allow systemd-logind to use ypbind - Allow systemd to remove apache tmp files - Allow ldconfig domain to mmap ldconfig cache files - Allow systemd to exec fprintd BZ(1491808) - Allow systemd to mounton fprintd lib dir
2017-09-18 15:03:29 +02:00 · 2017-09-18 15:03:29 +02:00 · 7c73871fb5
parent 6551841efc
commit 7c73871fb5
4 changed files with 232 additions and 123 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -37845,7 +37845,7 @@ index 79a45f62e..6ed0c399a 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda2480..4593a868a 100644
+index 17eda2480..6c22a0a1f 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -38167,7 +38167,7 @@ index 17eda2480..4593a868a 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +347,283 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +347,292 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -38202,22 +38202,30 @@ index 17eda2480..4593a868a 100644
 +')
 +
 +optional_policy(`
 +    fprintd_exec(init_t)
 +    fprintd_mounton_var_lib(init_t)
 +')
 +
 +optional_policy(`
 +    apache_delete_tmp(init_t)
 +')
 +
 +optional_policy(`
 +	journalctl_exec(init_t)
 +')
 +
 +optional_policy(`
 +	kdump_read_crash(init_t)
 +	kdump_read_config(init_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	auth_rw_login_records(init_t)
 +	gnome_filetrans_home_content(init_t)
 +	gnome_manage_data(init_t)
 +	gnome_manage_config(init_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 +    gssproxy_noatsecure(init_t)
 +')
 +
@ -38245,16 +38253,17 @@ index 17eda2480..4593a868a 100644
 +optional_policy(`
 +	modutils_domtrans_insmod(init_t)
 +	modutils_list_module_config(init_t)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	auth_rw_login_records(init_t)
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_config(init_t)
 +	mta_manage_aliases(init_t)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 +    systemd_allow_mount_dir(init_t)
 +')
 +
@ -38433,18 +38442,18 @@ index 17eda2480..4593a868a 100644
 +	optional_policy(`
 +		devicekit_dbus_chat_power(init_t)
 +	')
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	nscd_use(init_t)
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	nscd_use(init_t)
 +	networkmanager_stream_connect(init_t)
 +	networkmanager_stream_connect(initrc_t)
 +')
@ -38460,7 +38469,7 @@ index 17eda2480..4593a868a 100644
 ')
 optional_policy(`
-@@ -216,7 +631,30 @@ optional_policy(`
+@@ -216,7 +640,30 @@ optional_policy(`
 ')
 optional_policy(`
@ -38492,7 +38501,7 @@ index 17eda2480..4593a868a 100644
 ')
 ########################################
-@@ -225,9 +663,9 @@ optional_policy(`
+@@ -225,9 +672,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38504,7 +38513,7 @@ index 17eda2480..4593a868a 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -258,12 +696,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +705,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38521,7 +38530,7 @@ index 17eda2480..4593a868a 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +721,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +730,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -38564,7 +38573,7 @@ index 17eda2480..4593a868a 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +758,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +767,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -38576,7 +38585,7 @@ index 17eda2480..4593a868a 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +770,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +779,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -38587,7 +38596,7 @@ index 17eda2480..4593a868a 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +781,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +790,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -38597,7 +38606,7 @@ index 17eda2480..4593a868a 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +790,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +799,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -38605,7 +38614,7 @@ index 17eda2480..4593a868a 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +797,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +806,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38613,7 +38622,7 @@ index 17eda2480..4593a868a 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +805,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +814,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -38631,7 +38640,7 @@ index 17eda2480..4593a868a 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +823,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +832,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -38645,7 +38654,7 @@ index 17eda2480..4593a868a 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +838,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +847,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -38659,7 +38668,7 @@ index 17eda2480..4593a868a 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +851,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +860,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -38670,7 +38679,7 @@ index 17eda2480..4593a868a 100644
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +864,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +873,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -38678,7 +38687,7 @@ index 17eda2480..4593a868a 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +883,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +892,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -38702,7 +38711,7 @@ index 17eda2480..4593a868a 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +916,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +925,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -38710,7 +38719,7 @@ index 17eda2480..4593a868a 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +950,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +959,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -38721,7 +38730,7 @@ index 17eda2480..4593a868a 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -506,7 +974,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +983,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -38730,7 +38739,7 @@ index 17eda2480..4593a868a 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -521,6 +989,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +998,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -38738,7 +38747,7 @@ index 17eda2480..4593a868a 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +1010,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +1019,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -38746,7 +38755,7 @@ index 17eda2480..4593a868a 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1020,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1029,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -38791,7 +38800,7 @@ index 17eda2480..4593a868a 100644
 	')
 	optional_policy(`
-@@ -559,14 +1065,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1074,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -38823,7 +38832,7 @@ index 17eda2480..4593a868a 100644
 	')
 ')
-@@ -577,6 +1100,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1109,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -38863,7 +38872,7 @@ index 17eda2480..4593a868a 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1145,8 @@ optional_policy(`
+@@ -589,6 +1154,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -38872,7 +38881,7 @@ index 17eda2480..4593a868a 100644
 ')
 optional_policy(`
-@@ -610,6 +1168,7 @@ optional_policy(`
+@@ -610,6 +1177,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -38880,7 +38889,7 @@ index 17eda2480..4593a868a 100644
 ')
 optional_policy(`
-@@ -626,6 +1185,17 @@ optional_policy(`
+@@ -626,6 +1194,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -38898,7 +38907,7 @@ index 17eda2480..4593a868a 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -642,9 +1212,13 @@ optional_policy(`
+@@ -642,9 +1221,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -38912,7 +38921,7 @@ index 17eda2480..4593a868a 100644
 	')
 	optional_policy(`
-@@ -657,15 +1231,11 @@ optional_policy(`
+@@ -657,15 +1240,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -38930,7 +38939,7 @@ index 17eda2480..4593a868a 100644
 ')
 optional_policy(`
-@@ -686,6 +1256,15 @@ optional_policy(`
+@@ -686,6 +1265,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -38946,7 +38955,7 @@ index 17eda2480..4593a868a 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -726,6 +1305,7 @@ optional_policy(`
+@@ -726,6 +1314,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -38954,7 +38963,7 @@ index 17eda2480..4593a868a 100644
 ')
 optional_policy(`
-@@ -743,7 +1323,13 @@ optional_policy(`
+@@ -743,7 +1332,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -38969,7 +38978,7 @@ index 17eda2480..4593a868a 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -766,6 +1352,10 @@ optional_policy(`
+@@ -766,6 +1361,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -38980,7 +38989,7 @@ index 17eda2480..4593a868a 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1365,20 @@ optional_policy(`
+@@ -775,10 +1374,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -39001,7 +39010,7 @@ index 17eda2480..4593a868a 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -787,6 +1387,10 @@ optional_policy(`
+@@ -787,6 +1396,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39012,7 +39021,7 @@ index 17eda2480..4593a868a 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -808,8 +1412,6 @@ optional_policy(`
+@@ -808,8 +1421,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -39021,7 +39030,7 @@ index 17eda2480..4593a868a 100644
 ')
 optional_policy(`
-@@ -818,6 +1420,10 @@ optional_policy(`
+@@ -818,6 +1429,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39032,7 +39041,7 @@ index 17eda2480..4593a868a 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1433,12 @@ optional_policy(`
+@@ -827,10 +1442,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -39045,7 +39054,7 @@ index 17eda2480..4593a868a 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1465,62 @@ optional_policy(`
+@@ -857,21 +1474,62 @@ optional_policy(`
 ')
 optional_policy(`
@ -39109,7 +39118,7 @@ index 17eda2480..4593a868a 100644
 ')
 optional_policy(`
-@@ -887,6 +1536,10 @@ optional_policy(`
+@@ -887,6 +1545,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39120,7 +39129,7 @@ index 17eda2480..4593a868a 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1550,218 @@ optional_policy(`
+@@ -897,3 +1559,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -40917,7 +40926,7 @@ index 808ba93eb..b717d9709 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 54f8fa5c8..b9dbbe005 100644
+index 54f8fa5c8..e14ec857c 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@ -40937,7 +40946,7 @@ index 54f8fa5c8..b9dbbe005 100644
 ifdef(`distro_gentoo',`
 	# openrc unfortunately mounts a tmpfs
-@@ -57,11 +57,13 @@ optional_policy(`
+@@ -57,11 +57,14 @@ optional_policy(`
 # ldconfig local policy
 #
@ -40947,13 +40956,14 @@ index 54f8fa5c8..b9dbbe005 100644
 +manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
 manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
 +files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig")
 +allow ldconfig_t ldconfig_cache_t:file map;
 -allow ldconfig_t ld_so_cache_t:file manage_file_perms;
 +manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
 files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
 manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -72,14 +74,19 @@ files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
+@@ -72,14 +75,19 @@ files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
 manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t)
 kernel_read_system_state(ldconfig_t)
@ -40974,7 +40984,7 @@ index 54f8fa5c8..b9dbbe005 100644
 files_read_etc_files(ldconfig_t)
 files_read_usr_files(ldconfig_t)
 files_search_tmp(ldconfig_t)
-@@ -90,11 +97,11 @@ files_delete_etc_files(ldconfig_t)
+@@ -90,11 +98,11 @@ files_delete_etc_files(ldconfig_t)
 init_use_script_ptys(ldconfig_t)
 init_read_script_tmp_files(ldconfig_t)
@ -40988,7 +40998,7 @@ index 54f8fa5c8..b9dbbe005 100644
 userdom_use_all_users_fds(ldconfig_t)
 ifdef(`distro_ubuntu',`
-@@ -103,6 +110,13 @@ ifdef(`distro_ubuntu',`
+@@ -103,6 +111,13 @@ ifdef(`distro_ubuntu',`
 	')
 ')
@ -41002,7 +41012,7 @@ index 54f8fa5c8..b9dbbe005 100644
 ifdef(`hide_broken_symptoms',`
 	ifdef(`distro_gentoo',`
 		# leaked fds from portage
-@@ -114,6 +128,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -114,6 +129,11 @@ ifdef(`hide_broken_symptoms',`
 		')
 	')
@ -41014,7 +41024,7 @@ index 54f8fa5c8..b9dbbe005 100644
 	optional_policy(`
 		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
 	')
-@@ -131,6 +150,18 @@ optional_policy(`
+@@ -131,6 +151,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -41033,7 +41043,7 @@ index 54f8fa5c8..b9dbbe005 100644
 	puppet_rw_tmp(ldconfig_t)
 ')
-@@ -141,6 +172,3 @@ optional_policy(`
+@@ -141,6 +173,3 @@ optional_policy(`
 	rpm_manage_script_tmp_files(ldconfig_t)
 ')
@ -50022,10 +50032,10 @@ index 000000000..634d9596a
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 000000000..e7c2cc70b
+index 000000000..1927b4fc0
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1021 @@
+@@ -0,0 +1,1025 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -50334,6 +50344,10 @@ index 000000000..e7c2cc70b
 +')
 +
 +optional_policy(`
 +	nis_use_ypbind(systemd_logind_t)
 +')
 +
 +optional_policy(`
 +	rpm_dbus_chat(systemd_logind_t)
 +')
 +
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -3925,7 +3925,7 @@ index 7caefc353..966c2f3e6 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index f6eb4851f..fe461a3fc 100644
+index f6eb4851f..422f408d4 100644
 --- a/apache.if
 +++ b/apache.if
@@ -1,9 +1,9 @@
@ -4218,11 +4218,11 @@ index f6eb4851f..fe461a3fc 100644
 -	')
 +		# privileged users run the script:
 +		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
 +
 +		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
 -	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 -		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
 +		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
 +
 +		# apache runs the script:
 +		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
 +		allow httpd_t $1_script_t:unix_dgram_socket sendto;
@ -4499,10 +4499,12 @@ index f6eb4851f..fe461a3fc 100644
 -	dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
 +	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 -##	Do not audit attempts to read and
 -##	write httpd unix domain stream sockets.
 +##	Allow attempts to read and write Apache
 +##	unix domain stream sockets.
 +## </summary>
@ -4518,12 +4520,10 @@ index f6eb4851f..fe461a3fc 100644
 +	')
 +
 +	allow $1 httpd_t:unix_stream_socket { getattr read write };
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Do not audit attempts to read and
 -##	write httpd unix domain stream sockets.
 +##	Do not audit attempts to read and write Apache
 +##	unix domain stream sockets.
 ## </summary>
@ -5016,32 +5016,12 @@ index f6eb4851f..fe461a3fc 100644
 +	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
 +######################################
 +## <summary>
 +##	Allow the specified domain to read
 +##	apache system content rw dirs.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`apache_read_sys_content_rw_dirs',`
 +	gen_require(`
 +		type httpd_sys_rw_content_t;
 +	')
 +
 +	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
 +######################################
 ## <summary>
 -##	Create, read, write, and delete
 -##	httpd system rw content.
-+##	Allow the specified domain to manage
+##	Allow the specified domain to read
-+##	apache system content rw files.
+##	apache system content rw dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -5051,12 +5031,32 @@ index f6eb4851f..fe461a3fc 100644
 +## <rolecap/>
 #
 -interface(`apache_manage_sys_rw_content',`
-+interface(`apache_manage_sys_content_rw',`
+interface(`apache_read_sys_content_rw_dirs',`
 	gen_require(`
 		type httpd_sys_rw_content_t;
 	')
 -	apache_search_sys_content($1)
 +	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
 +######################################
 +## <summary>
 +##	Allow the specified domain to manage
 +##	apache system content rw files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`apache_manage_sys_content_rw',`
 +	gen_require(`
 +		type httpd_sys_rw_content_t;
 +	')
 +
 +	files_search_var($1)
 	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 -	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@ -5390,7 +5390,7 @@ index f6eb4851f..fe461a3fc 100644
 	admin_pattern($1, httpd_log_t)
 	admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1625,183 @@ interface(`apache_admin',`
+@@ -1224,9 +1625,201 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
@ -5554,9 +5554,7 @@ index f6eb4851f..fe461a3fc 100644
 +	files_search_pids($1)
 +	read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
 +')
- 
+
 -	apache_run_all_scripts($1, $2)
 -	apache_run_helper($1, $2)
 +########################################
 +## <summary>
 +##      Send and receive messages from
@ -5577,6 +5575,26 @@ index f6eb4851f..fe461a3fc 100644
 +        allow $1 httpd_t:dbus send_msg;
 +        allow httpd_t $1:dbus send_msg;
 +		ps_process_pattern(httpd_t, $1)
 +')
 +
 +########################################
 +## <summary>
 +##	Delete the httpd tmp.
 +## </summary>
 +## <param name="file_type">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`apache_delete_tmp',`
 +	gen_require(`
 +		type httpd_tmp_t;
 +	')
 -	apache_run_all_scripts($1, $2)
 -	apache_run_helper($1, $2)
 +	allow $1 httpd_tmp_t:file unlink;
 ')
 diff --git a/apache.te b/apache.te
 index 6649962b6..1a0189a44 100644
@ -20908,7 +20926,7 @@ index b25b01d12..06895f39a 100644
 ')
 +
 diff --git a/ctdb.te b/ctdb.te
-index 001b502e6..73da04ae1 100644
+index 001b502e6..b264e198a 100644
 --- a/ctdb.te
 +++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@ -20926,9 +20944,10 @@ index 001b502e6..73da04ae1 100644
 #
 -allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
-+allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice };
+-allow ctdbd_t self:process { setpgid signal_perms setsched };
 +allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice sys_resource };
 +allow ctdbd_t self:capability2 block_suspend;
- allow ctdbd_t self:process { setpgid signal_perms setsched };
+allow ctdbd_t self:process { setpgid setrlimit signal_perms setsched };
 allow ctdbd_t self:fifo_file rw_fifo_file_perms;
 allow ctdbd_t self:unix_stream_socket { accept connectto listen };
 allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
@ -30088,6 +30107,59 @@ index 5010f04e1..0341ae121 100644
 ')
 optional_policy(`
 diff --git a/fprintd.if b/fprintd.if
 index 8081132cd..4fb5a13bc 100644
 --- a/fprintd.if
 +++ b/fprintd.if
@@ -19,6 +19,25 @@ interface(`fprintd_domtrans',`
 	domtrans_pattern($1, fprintd_exec_t, fprintd_t)
 ')
 +######################################
 +## <summary>
 +##	Execute fprintd in the caller domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`fprintd_exec',`
 +	gen_require(`
 +		type fprintd_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
 +	can_exec($1, fprintd_exec_t)
 +')
 +
 ########################################
 ## <summary>
 ##	Send and receive messages from
@@ -39,3 +58,22 @@ interface(`fprintd_dbus_chat',`
 	allow $1 fprintd_t:dbus send_msg;
 	allow fprintd_t $1:dbus send_msg;
 ')
 +
 +########################################
 +
 +## <summary>
 +##	Mounton fprintd lib  directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`fprintd_mounton_var_lib',`
 +	gen_require(`
 +		type fprintd_var_lib_t;
 +	')
 +
 +	allow $1 fprintd_var_lib_t:dir mounton;
 +')
 diff --git a/fprintd.te b/fprintd.te
 index 92a6479a2..f064c940d 100644
 --- a/fprintd.te
@ -53630,7 +53702,7 @@ index 6194b806b..e27c53d6e 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4fc..94822ad40 100644
+index 11ac8e4fc..7cba596af 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@ -54084,7 +54156,7 @@ index 11ac8e4fc..94822ad40 100644
 ')
 optional_policy(`
-@@ -300,259 +340,260 @@ optional_policy(`
+@@ -300,259 +340,261 @@ optional_policy(`
 ########################################
 #
@ -54299,6 +54371,7 @@ index 11ac8e4fc..94822ad40 100644
 dev_rw_xserver_misc(mozilla_plugin_t)
 +dev_rwx_zero(mozilla_plugin_t)
 +dev_dontaudit_read_mtrr(mozilla_plugin_t)
 +dev_map_video_dev(mozilla_plugin_t)
 +xserver_dri_domain(mozilla_plugin_t)
 -dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
@ -54491,7 +54564,7 @@ index 11ac8e4fc..94822ad40 100644
 ')
 optional_policy(`
-@@ -560,7 +601,11 @@ optional_policy(`
+@@ -560,7 +602,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -54504,7 +54577,7 @@ index 11ac8e4fc..94822ad40 100644
 ')
 optional_policy(`
-@@ -568,108 +613,144 @@ optional_policy(`
+@@ -568,108 +614,144 @@ optional_policy(`
 ')
 optional_policy(`
@ -112156,10 +112229,10 @@ index 000000000..e5cec8fda
 +')
 diff --git a/tomcat.te b/tomcat.te
 new file mode 100644
-index 000000000..7726f7594
+index 000000000..9c3b00220
 --- /dev/null
 +++ b/tomcat.te
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,117 @@
 +policy_module(tomcat, 1.0.0)
 +
 +########################################
@ -112167,6 +112240,13 @@ index 000000000..7726f7594
 +# Declarations
 +#
 +
 +## <desc>
 +## <p>
 +## Allow tomcat to read rpm database.
 +## </p>
 +## </desc>
 +gen_tunable(tomcat_read_rpm_db, false)
 +
 +attribute tomcat_domain;
 +
 +tomcat_domain_template(tomcat)
@ -112245,6 +112325,7 @@ index 000000000..7726f7594
 +corenet_tcp_connect_ibm_dt_2_port(tomcat_domain)
 +corenet_tcp_connect_unreserved_ports(tomcat_domain)
 +corenet_tcp_connect_mssql_port(tomcat_domain)
 +corenet_tcp_connect_mysqld_port(tomcat_domain)
 +
 +dev_read_rand(tomcat_domain)
 +dev_read_urand(tomcat_domain)
@ -112265,7 +112346,7 @@ index 000000000..7726f7594
 +	tomcat_search_lib(tomcat_domain)
 +')
 +
-+optional_policy(`
+tunable_policy(`tomcat_read_rpm_db',`
 +    rpm_exec(tomcat_domain)
 +    rpm_read_db(tomcat_domain)
 +')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 285%{?dist}
+Release: 286%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -682,6 +682,20 @@ exit 0
 %endif
 %changelog
 * Mon Sep 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-286
 - Add new boolean tomcat_read_rpm_db()
 - Allow tomcat to connect on mysqld tcp ports
 - Add new interface apache_delete_tmp()
 - Add interface fprintd_exec()
 - Add interface fprintd_mounton_var_lib()
 - Allow mozilla plugin to mmap video devices BZ(1492580)
 - Add ctdbd_t domain sys_source capability and allow setrlimit
 - Allow systemd-logind to use ypbind
 - Allow systemd to remove apache tmp files
 - Allow ldconfig domain to mmap ldconfig cache files
 - Allow systemd to exec fprintd BZ(1491808)
 - Allow systemd to mounton fprintd lib dir
 * Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-285
 - Allow svirt_t read userdomain state