* Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-284

- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files - Allow automount domain to manage mount pid files - Allow stunnel_t domain setsched - Add keepalived domain setpgid capability - Merge pull request #24 from teg/rawhide - Merge pull request #28 from lslebodn/revert_1e8403055 - Allow sysctl_irq_t assciate with proc_t - Enable cgourp sec labeling - Allow sshd_t domain to send signull to xdm_t processes
2017-09-14 09:11:13 +02:00 · 2017-09-14 09:11:13 +02:00 · 83eed32c03
parent 21c53d34a6
commit 83eed32c03
4 changed files with 150 additions and 116 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -22769,7 +22769,7 @@ index e100d886b..355a67b18 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c5e..af9ee60b6 100644
+index 8dbab4c5e..2d283007a 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -22832,7 +22832,12 @@ index 8dbab4c5e..af9ee60b6 100644
 type proc_xen_t, proc_type;
 files_mountpoint(proc_xen_t)
 genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
-@@ -118,6 +147,7 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
+@@ -114,10 +143,12 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
+ 
+ # /proc/irq directory and files
+ type sysctl_irq_t, sysctl_type;
+fs_associate_proc(sysctl_irq_t)
+ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
 
 # /proc/net/rpc directory and files
 type sysctl_rpc_t, sysctl_type;
@ -22840,7 +22845,7 @@ index 8dbab4c5e..af9ee60b6 100644
 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
 
 # /proc/sys/crypto directory and files
-@@ -133,14 +163,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
+@@ -133,14 +164,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
 type sysctl_kernel_t, sysctl_type;
 genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
 
@ -22855,7 +22860,7 @@ index 8dbab4c5e..af9ee60b6 100644
 # /proc/sys/net directory and files
 type sysctl_net_t, sysctl_type;
 genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
-@@ -153,6 +175,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+@@ -153,6 +176,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
 type sysctl_vm_t, sysctl_type;
 genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
 
@ -22866,7 +22871,7 @@ index 8dbab4c5e..af9ee60b6 100644
 # /proc/sys/dev directory and files
 type sysctl_dev_t, sysctl_type;
 genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +191,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +192,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 type unlabeled_t;
 fs_associate(unlabeled_t)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@ -22881,7 +22886,7 @@ index 8dbab4c5e..af9ee60b6 100644
 
 # These initial sids are no longer used, and can be removed:
 sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +223,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -189,6 +224,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 # kernel local policy
 #
 
@ -22889,7 +22894,7 @@ index 8dbab4c5e..af9ee60b6 100644
 allow kernel_t self:capability ~sys_module;
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +268,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +269,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
 corenet_in_generic_if(unlabeled_t)
 corenet_in_generic_node(unlabeled_t)
 
@ -22897,7 +22902,7 @@ index 8dbab4c5e..af9ee60b6 100644
 corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +278,26 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +279,26 @@ corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
@ -22928,7 +22933,7 @@ index 8dbab4c5e..af9ee60b6 100644
 
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
-@@ -263,7 +306,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +307,8 @@ fs_unmount_all_fs(kernel_t)
 
 selinux_load_policy(kernel_t)
 
@ -22938,7 +22943,7 @@ index 8dbab4c5e..af9ee60b6 100644
 
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
-@@ -277,13 +321,23 @@ files_list_root(kernel_t)
+@@ -277,13 +322,23 @@ files_list_root(kernel_t)
 files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
@ -22962,7 +22967,7 @@ index 8dbab4c5e..af9ee60b6 100644
 
 ifdef(`distro_redhat',`
 	# Bugzilla 222337
-@@ -291,11 +345,29 @@ ifdef(`distro_redhat',`
+@@ -291,11 +346,29 @@ ifdef(`distro_redhat',`
 ')
 
 optional_policy(`
@ -22992,7 +22997,7 @@ index 8dbab4c5e..af9ee60b6 100644
 ')
 
 optional_policy(`
-@@ -305,6 +377,19 @@ optional_policy(`
+@@ -305,6 +378,19 @@ optional_policy(`
 
 optional_policy(`
 	logging_send_syslog_msg(kernel_t)
@ -23012,7 +23017,7 @@ index 8dbab4c5e..af9ee60b6 100644
 ')
 
 optional_policy(`
-@@ -312,6 +397,11 @@ optional_policy(`
+@@ -312,6 +398,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23024,7 +23029,7 @@ index 8dbab4c5e..af9ee60b6 100644
 	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +422,6 @@ optional_policy(`
+@@ -332,9 +423,6 @@ optional_policy(`
 
 	sysnet_read_config(kernel_t)
 
@ -23034,7 +23039,7 @@ index 8dbab4c5e..af9ee60b6 100644
 	rpc_udp_rw_nfs_sockets(kernel_t)
 
 	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +430,7 @@ optional_policy(`
+@@ -343,9 +431,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
 
@ -23045,7 +23050,7 @@ index 8dbab4c5e..af9ee60b6 100644
 	')
 
 	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +439,7 @@ optional_policy(`
+@@ -354,7 +440,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
 
@ -23054,7 +23059,7 @@ index 8dbab4c5e..af9ee60b6 100644
 	')
 ')
 
-@@ -364,9 +449,22 @@ optional_policy(`
+@@ -364,9 +450,22 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -23077,7 +23082,7 @@ index 8dbab4c5e..af9ee60b6 100644
 ########################################
 #
 # Unlabeled process local policy
-@@ -388,6 +486,8 @@ optional_policy(`
+@@ -388,6 +487,8 @@ optional_policy(`
 if( ! secure_mode_insmod ) {
 	allow can_load_kernmodule self:capability sys_module;
 
@ -23086,7 +23091,7 @@ index 8dbab4c5e..af9ee60b6 100644
 	# load_module() calls stop_machine() which
 	# calls sched_setscheduler()
 	allow can_load_kernmodule self:capability sys_nice;
-@@ -399,14 +499,38 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +500,38 @@ if( ! secure_mode_insmod ) {
 # Rules for unconfined acccess to this module
 #
 
@ -29351,7 +29356,7 @@ index fe0c68272..79d568a54 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7b0..3038b0862 100644
+index cc877c7b0..b14a28d5c 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@ -29734,7 +29739,7 @@ index cc877c7b0..3038b0862 100644
 	rpm_use_script_fds(sshd_t)
 ')
 
-@@ -289,13 +379,93 @@ optional_policy(`
+@@ -289,13 +379,94 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29776,6 +29781,7 @@ index cc877c7b0..3038b0862 100644
 +
 +optional_policy(`
 	xserver_domtrans_xauth(sshd_t)
+    xserver_xdm_signull(sshd_t)
 ')
 
 +ifdef(`TODO',`
@ -29828,7 +29834,7 @@ index cc877c7b0..3038b0862 100644
 ########################################
 #
 # ssh_keygen local policy
-@@ -304,19 +474,33 @@ optional_policy(`
+@@ -304,19 +475,33 @@ optional_policy(`
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
 
@ -29863,7 +29869,7 @@ index cc877c7b0..3038b0862 100644
 dev_read_urand(ssh_keygen_t)
 
 term_dontaudit_use_console(ssh_keygen_t)
-@@ -332,7 +516,9 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -332,7 +517,9 @@ auth_use_nsswitch(ssh_keygen_t)
 
 logging_send_syslog_msg(ssh_keygen_t)
 
@ -29873,7 +29879,7 @@ index cc877c7b0..3038b0862 100644
 
 optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +527,150 @@ optional_policy(`
+@@ -341,3 +528,150 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
@ -30194,7 +30200,7 @@ index 8274418c6..a47fd0b4d 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc2d..29db5fd25 100644
+index 6bf0ecc2d..75b2f31f9 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -18,100 +18,36 @@
@ -31197,7 +31203,32 @@ index 6bf0ecc2d..29db5fd25 100644
 ')
 
 ########################################
-@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1135,6 +1456,24 @@ interface(`xserver_signal',`
+ 
+ ########################################
+ ## <summary>
+##	Send a null signal to xdm processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdm_signull',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:process signull;
+')
+
+########################################
+## <summary>
+ ##	Kill X servers
+ ## </summary>
+ ## <param name="domain">
+@@ -1210,6 +1549,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
 
 ########################################
 ## <summary>
@ -31223,7 +31254,7 @@ index 6bf0ecc2d..29db5fd25 100644
 ##	Connect to the X server over a unix domain
 ##	stream socket.
 ## </summary>
-@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1584,26 @@ interface(`xserver_stream_connect',`
 
 	files_search_tmp($1)
 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -31250,7 +31281,7 @@ index 6bf0ecc2d..29db5fd25 100644
 ')
 
 ########################################
-@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1629,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
@ -31259,7 +31290,7 @@ index 6bf0ecc2d..29db5fd25 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1639,27 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
@ -31288,7 +31319,7 @@ index 6bf0ecc2d..29db5fd25 100644
 ')
 
 ########################################
-@@ -1284,10 +1658,662 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1676,662 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -34703,7 +34734,7 @@ index 3efd5b669..190c29841 100644
 +	allow $1 login_pgm:key manage_key_perms;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791dcc..2d255df93 100644
+index 09b791dcc..385cd6d79 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -34918,11 +34949,12 @@ index 09b791dcc..2d255df93 100644
 allow updpwd_t self:process setfscreate;
 allow updpwd_t self:fifo_file rw_fifo_file_perms;
 allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t)
+@@ -341,6 +362,12 @@ kernel_read_system_state(updpwd_t)
 dev_read_urand(updpwd_t)
 
 files_manage_etc_files(updpwd_t)
 +auth_manage_passwd(updpwd_t)
+auth_filetrans_named_content(updpwd_t)
 +
 +mls_file_read_all_levels(updpwd_t)
 +mls_file_write_all_levels(updpwd_t)
@ -34930,7 +34962,7 @@ index 09b791dcc..2d255df93 100644
 
 term_dontaudit_use_console(updpwd_t)
 term_dontaudit_use_unallocated_ttys(updpwd_t)
-@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t)
+@@ -350,9 +377,7 @@ auth_use_nsswitch(updpwd_t)
 
 logging_send_syslog_msg(updpwd_t)
 
@ -34941,7 +34973,7 @@ index 09b791dcc..2d255df93 100644
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
-@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -380,13 +405,15 @@ term_dontaudit_use_all_ttys(utempter_t)
 term_dontaudit_use_all_ptys(utempter_t)
 term_dontaudit_use_ptmx(utempter_t)
 
@ -34958,7 +34990,7 @@ index 09b791dcc..2d255df93 100644
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_user_tmp_files(utempter_t)
 
-@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',`
+@@ -397,19 +424,29 @@ ifdef(`distro_ubuntu',`
 ')
 
 optional_policy(`
@ -34992,7 +35024,7 @@ index 09b791dcc..2d255df93 100644
 files_list_var_lib(nsswitch_domain)
 
 # read /etc/nsswitch.conf
-@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain)
+@@ -417,15 +454,42 @@ files_read_etc_files(nsswitch_domain)
 
 sysnet_dns_name_resolve(nsswitch_domain)
 
@ -35037,7 +35069,7 @@ index 09b791dcc..2d255df93 100644
 		ldap_stream_connect(nsswitch_domain)
 	')
 ')
-@@ -438,6 +501,7 @@ optional_policy(`
+@@ -438,6 +502,7 @@ optional_policy(`
 	likewise_stream_connect_lsassd(nsswitch_domain)
 ')
 
@ -35045,7 +35077,7 @@ index 09b791dcc..2d255df93 100644
 optional_policy(`
 	kerberos_use(nsswitch_domain)
 ')
-@@ -456,10 +520,159 @@ optional_policy(`
+@@ -456,10 +521,159 @@ optional_policy(`
 
 optional_policy(`
 	sssd_stream_connect(nsswitch_domain)
@ -58088,7 +58120,7 @@ index f4ac38dc7..1589d6065 100644
 +	ssh_signal(confined_admindomain)
 +')
 diff --git a/policy/policy_capabilities b/policy/policy_capabilities
-index db3cbca45..0728639e8 100644
+index db3cbca45..40fd5a518 100644
 --- a/policy/policy_capabilities
 +++ b/policy/policy_capabilities
@@ -31,3 +31,21 @@ policycap network_peer_controls;
@ -58102,7 +58134,7 @@ index db3cbca45..0728639e8 100644
 +#
 +# Added checks:
 +# (none)
-+#policycap cgroup_seclabel;
+policycap cgroup_seclabel;
 +
 +# Enable NoNewPrivileges support.  Requires libsepol 2.7+
 +# and kernel 4.14 (estimated).
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -5579,7 +5579,7 @@ index f6eb4851f..fe461a3fc 100644
 +		ps_process_pattern(httpd_t, $1)
 ')
 diff --git a/apache.te b/apache.te
-index 6649962b6..a6b4312e6 100644
+index 6649962b6..1a0189a44 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -6828,7 +6828,7 @@ index 6649962b6..a6b4312e6 100644
 		avahi_dbus_chat(httpd_t)
 	')
 +
-+    tunable_policy(`httpd_dbus_sssd',
+    tunable_policy(`httpd_dbus_sssd',`
 +        sssd_dbus_chat(httpd_t)
 +    ')
 ')
@ -9010,7 +9010,7 @@ index f24e36960..4484a98da 100644
 +	allow $1 automount_unit_file_t:service all_service_perms;
 ')
 diff --git a/automount.te b/automount.te
-index 27d2f400b..1297f5bbe 100644
+index 27d2f400b..f74f75f1b 100644
 --- a/automount.te
 +++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
@ -9065,7 +9065,7 @@ index 27d2f400b..1297f5bbe 100644
 fs_search_all(automount_t)
 fs_search_auto_mountpoints(automount_t)
 fs_unmount_all_fs(automount_t)
-@@ -135,15 +139,18 @@ auth_use_nsswitch(automount_t)
+@@ -135,15 +139,19 @@ auth_use_nsswitch(automount_t)
 logging_send_syslog_msg(automount_t)
 logging_search_logs(automount_t)
 
@ -9082,13 +9082,14 @@ index 27d2f400b..1297f5bbe 100644
 +	mount_domtrans(automount_t)
 +	mount_domtrans_showmount(automount_t)
 +	mount_signal(automount_t)
+    mount_rw_pid_files(automount_t)
 +')
 +
 +optional_policy(`
 	fstools_domtrans(automount_t)
 ')
 
-@@ -166,3 +173,8 @@ optional_policy(`
+@@ -166,3 +174,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(automount_t)
 ')
@ -22522,10 +22523,10 @@ index f55c42082..e9d64ab5f 100644
 -
 -miscfiles_read_localization(dbskkd_t)
 diff --git a/dbus.fc b/dbus.fc
-index dda905b9c..558729530 100644
+index dda905b9c..60806a524 100644
 --- a/dbus.fc
 +++ b/dbus.fc
-@@ -1,20 +1,29 @@
+@@ -1,20 +1,31 @@
 -HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:session_dbusd_home_t,s0)
 +/etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
 
@ -22541,6 +22542,8 @@ index dda905b9c..558729530 100644
 
 -/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 +/usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-broker	 --	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-broker-launch --	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
 -/usr/bin/dbus-daemon(-1)?	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
@ -23505,7 +23508,7 @@ index 62d22cb46..c0c2ed47d 100644
 +	manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
 ')
 diff --git a/dbus.te b/dbus.te
-index c9998c80d..d8ef03416 100644
+index c9998c80d..131d809ae 100644
 --- a/dbus.te
 +++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@ -23632,7 +23635,7 @@ index c9998c80d..d8ef03416 100644
 mls_fd_use_all_levels(system_dbusd_t)
 mls_rangetrans_target(system_dbusd_t)
 mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +124,176 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t)
 auth_use_nsswitch(system_dbusd_t)
 auth_read_pam_console_data(system_dbusd_t)
 
@ -23654,6 +23657,7 @@ index c9998c80d..d8ef03416 100644
 +init_domtrans_script(system_dbusd_t)
 +init_rw_stream_sockets(system_dbusd_t)
 +init_status(system_dbusd_t)
+init_start_system(system_dbusd_t) # needed by dbus-broker
 
 logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
@ -23823,7 +23827,7 @@ index c9998c80d..d8ef03416 100644
 kernel_read_kernel_sysctls(session_bus_type)
 
 corecmd_list_bin(session_bus_type)
-@@ -191,23 +302,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type)
 corecmd_read_bin_pipes(session_bus_type)
 corecmd_read_bin_sockets(session_bus_type)
 
@ -23848,7 +23852,7 @@ index c9998c80d..d8ef03416 100644
 files_dontaudit_search_var(session_bus_type)
 
 fs_getattr_romfs(session_bus_type)
-@@ -215,7 +321,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type)
 fs_list_inotifyfs(session_bus_type)
 fs_dontaudit_list_nfs(session_bus_type)
 
@ -23856,7 +23860,7 @@ index c9998c80d..d8ef03416 100644
 selinux_validate_context(session_bus_type)
 selinux_compute_access_vector(session_bus_type)
 selinux_compute_create_context(session_bus_type)
-@@ -225,18 +330,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type)
 auth_read_pam_console_data(session_bus_type)
 
 logging_send_audit_msgs(session_bus_type)
@ -23898,7 +23902,7 @@ index c9998c80d..d8ef03416 100644
 ')
 
 ########################################
-@@ -244,5 +367,9 @@ optional_policy(`
+@@ -244,5 +368,9 @@ optional_policy(`
 # Unconfined access to this module
 #
 
@ -25814,10 +25818,10 @@ index 000000000..b3784d85d
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 000000000..86c5021d6
+index 000000000..22cafcd43
 --- /dev/null
 +++ b/dirsrv.te
-@@ -0,0 +1,211 @@
+@@ -0,0 +1,207 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@ -25982,10 +25986,6 @@ index 000000000..86c5021d6
 +	systemd_manage_passwd_run(dirsrv_t)
 +')
 +
-+optional_policy(`
-+    rolekit_read_tmp(dirsrv_t)
-+')
-+
 +########################################
 +#
 +# dirsrv-snmp local policy
@ -43317,7 +43317,7 @@ index 000000000..bd7e7fa17
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 000000000..923edd01e
+index 000000000..7395ac19a
 --- /dev/null
 +++ b/keepalived.te
@@ -0,0 +1,100 @@
@ -43346,7 +43346,7 @@ index 000000000..923edd01e
 +# keepalived local policy
 +#
 +
-+allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace };
+allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setpgid sys_ptrace };
 +allow keepalived_t self:process { signal_perms };
 +allow keepalived_t self:netlink_socket create_socket_perms;
 +allow keepalived_t self:netlink_generic_socket create_socket_perms;
@ -53630,7 +53630,7 @@ index 6194b806b..e27c53d6e 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4fc..3c24a12ef 100644
+index 11ac8e4fc..94822ad40 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@ -53911,15 +53911,15 @@ index 11ac8e4fc..3c24a12ef 100644
 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
 
 -userdom_use_user_ptys(mozilla_t)
-
+userdom_use_inherited_user_ptys(mozilla_t)
+ 
 -userdom_manage_user_tmp_dirs(mozilla_t)
 -userdom_manage_user_tmp_files(mozilla_t)
 -
 -userdom_manage_user_home_content_dirs(mozilla_t)
 -userdom_manage_user_home_content_files(mozilla_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-+userdom_use_inherited_user_ptys(mozilla_t)
- 
+-
 -userdom_write_user_tmp_sockets(mozilla_t)
 -
 -mozilla_run_plugin(mozilla_t, mozilla_roles)
@ -54049,34 +54049,34 @@ index 11ac8e4fc..3c24a12ef 100644
 -	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 +	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
-+')
-+
-+optional_policy(`
-+	java_domtrans(mozilla_t)
 ')
 
 optional_policy(`
 -	java_exec(mozilla_t)
 -	java_manage_generic_home_content(mozilla_t)
 -	java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+	lpd_domtrans_lpr(mozilla_t)
+	java_domtrans(mozilla_t)
 ')
 
 optional_policy(`
 -	lpd_run_lpr(mozilla_t, mozilla_roles)
-+	mplayer_domtrans(mozilla_t)
-+	mplayer_read_user_home_files(mozilla_t)
+	lpd_domtrans_lpr(mozilla_t)
 ')
 
 optional_policy(`
 -	mplayer_exec(mozilla_t)
 -	mplayer_manage_generic_home_content(mozilla_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+	nscd_socket_use(mozilla_t)
+	mplayer_domtrans(mozilla_t)
+	mplayer_read_user_home_files(mozilla_t)
 ')
 
 optional_policy(`
 -	pulseaudio_run(mozilla_t, mozilla_roles)
+	nscd_socket_use(mozilla_t)
+')
+
+optional_policy(`
 +	#pulseaudio_role(mozilla_roles, mozilla_t)
 +	pulseaudio_exec(mozilla_t)
 +	pulseaudio_stream_connect(mozilla_t)
@ -54084,7 +54084,7 @@ index 11ac8e4fc..3c24a12ef 100644
 ')
 
 optional_policy(`
-@@ -300,259 +340,258 @@ optional_policy(`
+@@ -300,259 +340,260 @@ optional_policy(`
 
 ########################################
 #
@ -54168,13 +54168,15 @@ index 11ac8e4fc..3c24a12ef 100644
 -fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
 +fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file dir lnk_file sock_file fifo_file })
 +userdom_manage_home_texlive(mozilla_plugin_t)
+allow mozilla_plugin_t mozilla_plugin_tmpfs_t:file map;
 
- allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+-allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
+ 
 -dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
 -stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 
@ -54489,7 +54491,7 @@ index 11ac8e4fc..3c24a12ef 100644
 ')
 
 optional_policy(`
-@@ -560,7 +599,11 @@ optional_policy(`
+@@ -560,7 +601,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -54502,7 +54504,7 @@ index 11ac8e4fc..3c24a12ef 100644
 ')
 
 optional_policy(`
-@@ -568,108 +611,144 @@ optional_policy(`
+@@ -568,108 +613,144 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -56308,7 +56310,7 @@ index ed81cac5a..cd52baf59 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index ff1d68c6a..94b1dfca7 100644
+index ff1d68c6a..3f662fbef 100644
 --- a/mta.te
 +++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
@ -56408,7 +56410,7 @@ index ff1d68c6a..94b1dfca7 100644
 	procmail_exec(user_mail_domain)
 ')
 
-@@ -166,57 +166,76 @@ optional_policy(`
+@@ -166,57 +166,77 @@ optional_policy(`
 	uucp_manage_spool(user_mail_domain)
 ')
 
@ -56461,6 +56463,7 @@ index ff1d68c6a..94b1dfca7 100644
 +userdom_dontaudit_list_user_home_dirs(system_mail_t)
 +userdom_dontaudit_list_admin_dir(system_mail_t)
 +userdom_dontaudit_list_user_tmp(system_mail_t)
+userdom_dontaudit_read_inherited_admin_home_files(system_mail_t)
 +
 +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
 +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
@ -56504,7 +56507,7 @@ index ff1d68c6a..94b1dfca7 100644
 ')
 
 optional_policy(`
-@@ -225,17 +244,21 @@ optional_policy(`
+@@ -225,17 +245,21 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -56528,7 +56531,7 @@ index ff1d68c6a..94b1dfca7 100644
 	courier_stream_connect_authdaemon(system_mail_t)
 ')
 
-@@ -244,9 +267,10 @@ optional_policy(`
+@@ -244,9 +268,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -56542,7 +56545,7 @@ index ff1d68c6a..94b1dfca7 100644
 ')
 
 optional_policy(`
-@@ -258,10 +282,17 @@ optional_policy(`
+@@ -258,10 +283,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -56560,7 +56563,7 @@ index ff1d68c6a..94b1dfca7 100644
 	nagios_read_tmp_files(system_mail_t)
 ')
 
-@@ -272,6 +303,19 @@ optional_policy(`
+@@ -272,6 +304,19 @@ optional_policy(`
 	manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
 	manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
 	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@ -56580,7 +56583,7 @@ index ff1d68c6a..94b1dfca7 100644
 ')
 
 optional_policy(`
-@@ -279,6 +323,10 @@ optional_policy(`
+@@ -279,6 +324,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -56591,7 +56594,7 @@ index ff1d68c6a..94b1dfca7 100644
 	userdom_dontaudit_use_user_ptys(system_mail_t)
 
 	optional_policy(`
-@@ -287,42 +335,36 @@ optional_policy(`
+@@ -287,42 +336,36 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -56644,7 +56647,7 @@ index ff1d68c6a..94b1dfca7 100644
 
 allow mailserver_delivery mail_spool_t:dir list_dir_perms;
 create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -331,44 +373,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -331,44 +374,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 
@ -56714,7 +56717,7 @@ index ff1d68c6a..94b1dfca7 100644
 ')
 
 optional_policy(`
-@@ -381,24 +427,49 @@ optional_policy(`
+@@ -381,24 +428,49 @@ optional_policy(`
 
 ########################################
 #
@ -92198,10 +92201,10 @@ index 000000000..504b6e13e
 +/usr/sbin/roled		--	gen_context(system_u:object_r:rolekit_exec_t,s0)
 diff --git a/rolekit.if b/rolekit.if
 new file mode 100644
-index 000000000..df5e3338c
+index 000000000..b11fb8f6d
 --- /dev/null
 +++ b/rolekit.if
-@@ -0,0 +1,138 @@
+@@ -0,0 +1,120 @@
 +## <summary>Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. </summary>
 +
 +########################################
@ -92322,24 +92325,6 @@ index 000000000..df5e3338c
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
 +')
-+
-+########################################
-+## <summary>
-+##	Allow domain to read rolekit tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`rolekit_read_tmp',`
-+	gen_require(`
-+		type rolekit_tmp_t;
-+	')
-+
-+    read_files_pattern($1, rolekit_tmp_t, rolekit_tmp_t)
-+')
 diff --git a/rolekit.te b/rolekit.te
 new file mode 100644
 index 000000000..da944537b
@ -107829,7 +107814,7 @@ index 49dd63ca1..ae2e798f5 100644
 +
 +/var/log/stunnel.* 		--	gen_context(system_u:object_r:stunnel_log_t,s0)
 diff --git a/stunnel.te b/stunnel.te
-index 27a8480bc..5482c7549 100644
+index 27a8480bc..fc3fca520 100644
 --- a/stunnel.te
 +++ b/stunnel.te
@@ -12,6 +12,9 @@ init_daemon_domain(stunnel_t, stunnel_exec_t)
@ -107842,15 +107827,18 @@ index 27a8480bc..5482c7549 100644
 type stunnel_tmp_t;
 files_tmp_file(stunnel_tmp_t)
 
-@@ -23,7 +26,7 @@ files_pid_file(stunnel_var_run_t)
+@@ -23,9 +26,9 @@ files_pid_file(stunnel_var_run_t)
 # Local policy
 #
 
 -allow stunnel_t self:capability { setgid setuid sys_chroot };
 +allow stunnel_t self:capability { setgid setuid sys_chroot sys_nice };
 dontaudit stunnel_t self:capability sys_tty_config;
- allow stunnel_t self:process signal_perms;
+-allow stunnel_t self:process signal_perms;
+allow stunnel_t self:process { setsched signal_perms };
 allow stunnel_t self:fifo_file rw_fifo_file_perms;
+ allow stunnel_t self:tcp_socket { accept listen };
+ allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@@ -34,6 +37,9 @@ allow stunnel_t stunnel_etc_t:dir list_dir_perms;
 allow stunnel_t stunnel_etc_t:file read_file_perms;
 allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
@ -112168,10 +112156,10 @@ index 000000000..e5cec8fda
 +')
 diff --git a/tomcat.te b/tomcat.te
 new file mode 100644
-index 000000000..bc54338c2
+index 000000000..7726f7594
 --- /dev/null
 +++ b/tomcat.te
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,109 @@
 +policy_module(tomcat, 1.0.0)
 +
 +########################################
@ -112256,6 +112244,7 @@ index 000000000..bc54338c2
 +corenet_tcp_connect_oracle_port(tomcat_domain)
 +corenet_tcp_connect_ibm_dt_2_port(tomcat_domain)
 +corenet_tcp_connect_unreserved_ports(tomcat_domain)
+corenet_tcp_connect_mssql_port(tomcat_domain)
 +
 +dev_read_rand(tomcat_domain)
 +dev_read_urand(tomcat_domain)
@ -114588,10 +114577,10 @@ index 3d11c6a3d..c5d84287e 100644
 
 optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index a4f20bcfc..9777de289 100644
+index a4f20bcfc..58d0a33f2 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,51 +1,109 @@
+@@ -1,51 +1,111 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@ -114726,6 +114715,8 @@ index a4f20bcfc..9777de289 100644
 +
 +/usr/libexec/qemu-ga(/.*)?	gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
 +
+/usr/lib/virt-sysprep/firstboot.sh --  gen_context(system_u:object_r:virtd_exec_t,s0)
+
 +/usr/lib/systemd/system/*virtlogd.*	gen_context(system_u:object_r:virtlogd_unit_file_t,s0)
 +
 +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 283%{?dist}
+Release: 284%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -682,6 +682,17 @@ exit 0
 %endif

 %changelog
+* Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-284
+- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files
+- Allow automount domain to manage mount pid files
+- Allow stunnel_t domain setsched
+- Add keepalived domain setpgid capability
+- Merge pull request #24 from teg/rawhide
+- Merge pull request #28 from lslebodn/revert_1e8403055
+- Allow sysctl_irq_t assciate with proc_t
+- Enable cgourp sec labeling
+- Allow sshd_t domain to send signull to xdm_t processes
+
 * Tue Sep 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-283
 - Allow passwd_t domain mmap /etc/shadow and /etc/passwd
 - Allow pulseaudio_t domain to map user tmp files