* Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165

- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices." - Allow arping running as netutils_t sys_module capability for removing tap devices. - Add userdom_connectto_stream() interface. - Allow systemd-logind to read /run/utmp. BZ(#1278662) - Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices." - Allow arping running as netutils_t sys_module capability for removing tap devices. - Add userdom_connectto_stream() interface. - Allow systemd-logind to read /run/utmp. BZ(#1278662)
2016-01-06 12:19:09 +01:00 · 2016-01-06 12:19:09 +01:00 · 936bb7a648
commit 936bb7a648
parent f1750fb373
4 changed files with 142 additions and 84 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -26517,10 +26517,10 @@ index cc877c7..b8e6e98 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..b3baa75 100644
+index 8274418..12a5645 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
-@@ -2,13 +2,36 @@
+@@ -2,13 +2,38 @@
 # HOME_DIR
 #
 HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@ -26538,6 +26538,7 @@ index 8274418..b3baa75 100644
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +HOME_DIR/\.cache/gdm(/.*)?	gen_context(system_u:object_r:xdm_home_t,s0)
 +HOME_DIR/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +HOME_DIR/\.wayland-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +HOME_DIR/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +
 +/root/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@ -26553,11 +26554,12 @@ index 8274418..b3baa75 100644
 +/root/\.Xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +/root/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +/root/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +/root/\.wayland-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +/root/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 #
 # /dev
-@@ -22,13 +45,21 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -22,13 +47,21 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/gdm(3)?/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/gdm(3)?/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
@ -26580,7 +26582,7 @@ index 8274418..b3baa75 100644
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +77,34 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +79,34 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 # /tmp
 #
@ -26621,7 +26623,7 @@ index 8274418..b3baa75 100644
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -91,19 +130,34 @@ ifndef(`distro_debian',`
+@@ -91,19 +132,34 @@ ifndef(`distro_debian',`
 /var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
@ -26660,7 +26662,7 @@ index 8274418..b3baa75 100644
 /var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/lxdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -111,7 +165,18 @@ ifndef(`distro_debian',`
+@@ -111,7 +167,18 @@ ifndef(`distro_debian',`
 /var/run/slim.*			gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
@ -26680,7 +26682,7 @@ index 8274418..b3baa75 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..f2bbe7e 100644
+index 6bf0ecc..7d0c3c3 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -18,100 +18,36 @@
@ -27756,7 +27758,7 @@ index 6bf0ecc..f2bbe7e 100644
 ')
 ########################################
-@@ -1284,10 +1640,660 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1640,662 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -28290,6 +28292,7 @@ index 6bf0ecc..f2bbe7e 100644
 +	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
 +	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
 +	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
 +	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
 +	userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
 +	userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
 +	userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
@ -28334,6 +28337,7 @@ index 6bf0ecc..f2bbe7e 100644
 +	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
 +	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
 +	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old")
 +	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
 +	userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
 +	userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
 +	userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
@ -45258,10 +45262,10 @@ index 0000000..c253b33
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..56ba5a6
+index 0000000..b4a073f
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,824 @@
+@@ -0,0 +1,825 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -45463,6 +45467,7 @@ index 0000000..56ba5a6
 +init_undefined(systemd_logind_t)
 +init_signal_script(systemd_logind_t)
 +init_getattr_script_status_files(systemd_logind_t)
 +init_read_utmp(systemd_logind_t)
 +
 +getty_systemctl(systemd_logind_t)
 +
@ -47499,7 +47504,7 @@ index db75976..c54480a 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..cb235f4 100644
+index 9dc60c6..e6556aa 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -50801,7 +50806,7 @@ index 9dc60c6..cb235f4 100644
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3435,4 +4622,1763 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4622,1781 @@ interface(`userdom_dbus_send_all_users',`
 	')
 	allow $1 userdomain:dbus send_msg;
@ -51369,6 +51374,24 @@ index 9dc60c6..cb235f4 100644
 +
 +########################################
 +## <summary>
 +##	Read and write	userdomain stream.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_connectto_stream',`
 +	gen_require(`
 +		attribute userdomain;
 +	')
 +
 +	allow $1 userdomain:unix_stream_socket connectto;
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to read and write
 +##	unserdomain datagram socket.
 +## </summary>
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -3799,7 +3799,7 @@ index 7caefc3..b25689b 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index f6eb485..c55558a 100644
+index f6eb485..f1f976b 100644
 --- a/apache.if
 +++ b/apache.if
@@ -1,9 +1,9 @@
@ -3948,7 +3948,7 @@ index f6eb485..c55558a 100644
 +	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
 +	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
 +
-+	allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
+	allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown };
 +
 +	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
@ -20497,7 +20497,7 @@ index 3023be7..0317731 100644
 +	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
 ')
 diff --git a/cups.te b/cups.te
-index c91813c..999581c 100644
+index c91813c..3d89006 100644
 --- a/cups.te
 +++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@ -20771,13 +20771,14 @@ index c91813c..999581c 100644
 selinux_compute_access_vector(cupsd_t)
 selinux_validate_context(cupsd_t)
-@@ -244,22 +288,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,22 +288,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
 auth_rw_faillog(cupsd_t)
 auth_use_nsswitch(cupsd_t)
 -libs_read_lib_files(cupsd_t)
 libs_exec_lib_files(cupsd_t)
 +libs_exec_ldconfig(cupsd_t)
 +libs_exec_ld_so(cupsd_t)
 logging_send_audit_msgs(cupsd_t)
 logging_send_syslog_msg(cupsd_t)
@ -20804,7 +20805,7 @@ index c91813c..999581c 100644
 optional_policy(`
 	apm_domtrans_client(cupsd_t)
-@@ -272,6 +321,8 @@ optional_policy(`
+@@ -272,6 +322,8 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(cupsd_t)
@ -20813,7 +20814,7 @@ index c91813c..999581c 100644
 	userdom_dbus_send_all_users(cupsd_t)
 	optional_policy(`
-@@ -279,11 +330,17 @@ optional_policy(`
+@@ -279,11 +331,17 @@ optional_policy(`
 	')
 	optional_policy(`
@ -20831,7 +20832,7 @@ index c91813c..999581c 100644
 	')
 ')
-@@ -296,8 +353,8 @@ optional_policy(`
+@@ -296,8 +354,8 @@ optional_policy(`
 ')
 optional_policy(`
@ -20841,7 +20842,7 @@ index c91813c..999581c 100644
 ')
 optional_policy(`
-@@ -306,7 +363,6 @@ optional_policy(`
+@@ -306,7 +364,6 @@ optional_policy(`
 optional_policy(`
 	lpd_exec_lpr(cupsd_t)
@ -20849,7 +20850,7 @@ index c91813c..999581c 100644
 	lpd_read_config(cupsd_t)
 	lpd_relabel_spool(cupsd_t)
 ')
-@@ -316,6 +372,10 @@ optional_policy(`
+@@ -316,6 +373,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -20860,7 +20861,7 @@ index c91813c..999581c 100644
 	samba_read_config(cupsd_t)
 	samba_rw_var_files(cupsd_t)
 	samba_stream_connect_nmbd(cupsd_t)
-@@ -334,7 +394,11 @@ optional_policy(`
+@@ -334,7 +395,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -20873,7 +20874,7 @@ index c91813c..999581c 100644
 ')
 ########################################
-@@ -342,12 +406,11 @@ optional_policy(`
+@@ -342,12 +407,11 @@ optional_policy(`
 # Configuration daemon local policy
 #
@ -20889,7 +20890,7 @@ index c91813c..999581c 100644
 allow cupsd_config_t cupsd_t:process signal;
 ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -372,18 +435,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -372,18 +436,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@ -20910,7 +20911,7 @@ index c91813c..999581c 100644
 corenet_all_recvfrom_netlabel(cupsd_config_t)
 corenet_tcp_sendrecv_generic_if(cupsd_config_t)
 corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +453,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +454,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
 corenet_sendrecv_all_client_packets(cupsd_config_t)
 corenet_tcp_connect_all_ports(cupsd_config_t)
@ -20931,7 +20932,7 @@ index c91813c..999581c 100644
 fs_search_auto_mountpoints(cupsd_config_t)
 domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +470,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +471,6 @@ auth_use_nsswitch(cupsd_config_t)
 logging_send_syslog_msg(cupsd_config_t)
@ -20943,7 +20944,7 @@ index c91813c..999581c 100644
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +497,12 @@ optional_policy(`
+@@ -449,9 +498,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -20957,7 +20958,7 @@ index c91813c..999581c 100644
 ')
 optional_policy(`
-@@ -467,6 +518,10 @@ optional_policy(`
+@@ -467,6 +519,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -20968,7 +20969,7 @@ index c91813c..999581c 100644
 	rpm_read_db(cupsd_config_t)
 ')
-@@ -487,10 +542,6 @@ optional_policy(`
+@@ -487,10 +543,6 @@ optional_policy(`
 # Lpd local policy
 #
@ -20979,7 +20980,7 @@ index c91813c..999581c 100644
 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +559,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +560,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
@ -20997,7 +20998,7 @@ index c91813c..999581c 100644
 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
 corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +588,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +589,6 @@ auth_use_nsswitch(cupsd_lpd_t)
 logging_send_syslog_msg(cupsd_lpd_t)
@ -21007,7 +21008,7 @@ index c91813c..999581c 100644
 optional_policy(`
 	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
 ')
-@@ -550,7 +598,6 @@ optional_policy(`
+@@ -550,7 +599,6 @@ optional_policy(`
 #
 allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@ -21015,7 +21016,7 @@ index c91813c..999581c 100644
 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +613,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +614,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
 kernel_read_system_state(cups_pdf_t)
@ -21167,7 +21168,7 @@ index c91813c..999581c 100644
 ########################################
 #
-@@ -735,7 +657,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +658,6 @@ kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
@ -21175,7 +21176,7 @@ index c91813c..999581c 100644
 corenet_all_recvfrom_netlabel(ptal_t)
 corenet_tcp_sendrecv_generic_if(ptal_t)
 corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +666,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +667,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
 corenet_tcp_bind_ptal_port(ptal_t)
 corenet_tcp_sendrecv_ptal_port(ptal_t)
@ -21189,7 +21190,7 @@ index c91813c..999581c 100644
 files_read_etc_runtime_files(ptal_t)
 fs_getattr_all_fs(ptal_t)
-@@ -759,8 +678,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +679,6 @@ fs_search_auto_mountpoints(ptal_t)
 logging_send_syslog_msg(ptal_t)
@ -21198,7 +21199,7 @@ index c91813c..999581c 100644
 sysnet_read_config(ptal_t)
 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +690,4 @@ optional_policy(`
+@@ -773,3 +691,4 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ptal_t)
 ')
@ -24084,7 +24085,7 @@ index c697edb..954c090 100644
 +	allow $1 dhcpd_unit_file_t:service all_service_perms;
 ')
 diff --git a/dhcp.te b/dhcp.te
-index 98a24b9..5a24c3a 100644
+index 98a24b9..cb5795e 100644
 --- a/dhcp.te
 +++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@ -24122,7 +24123,7 @@ index 98a24b9..5a24c3a 100644
 files_read_etc_runtime_files(dhcpd_t)
 files_search_var_lib(dhcpd_t)
-@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t)
+@@ -102,22 +103,44 @@ auth_use_nsswitch(dhcpd_t)
 logging_send_syslog_msg(dhcpd_t)
@ -24145,17 +24146,19 @@ index 98a24b9..5a24c3a 100644
 +    corenet_tcp_sendrecv_ldap_port(dhcpd_t)
 +    corenet_tcp_connect_ldap_port(dhcpd_t)
 +    corenet_sendrecv_ldap_client_packets(dhcpd_t)
-+')
+ ')
-+
+ 
-+tunable_policy(`dhcpd_use_ldap',`
+ optional_policy(`
-+	ldap_read_certs(dhcpd_t)
+    tunable_policy(`dhcpd_use_ldap',`
 +	    ldap_read_certs(dhcpd_t)
 +    ')
 +')
 +
 +ifdef(`distro_gentoo',`
 +	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 +	# used for dynamic DNS
 	bind_read_dnssec_keys(dhcpd_t)
 ')
@ -36395,10 +36398,10 @@ index 6517fad..f183748 100644
 +	allow $1 hypervkvp_unit_file_t:service all_service_perms;
 ')
 diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..3ba4a51 100644
+index 4eb7041..76a5802 100644
 --- a/hypervkvp.te
 +++ b/hypervkvp.te
-@@ -5,24 +5,139 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,142 @@ policy_module(hypervkvp, 1.0.0)
 # Declarations
 #
@ -36436,7 +36439,7 @@ index 4eb7041..3ba4a51 100644
 #
 -# Local policy
 +# hyperv domain local policy
- #
+#
 +
 +allow hyperv_domain self:capability net_admin;
 +allow hyperv_domain self:netlink_socket create_socket_perms;
@ -36452,10 +36455,8 @@ index 4eb7041..3ba4a51 100644
 +########################################
 +#
 +# hypervkvp local policy
- #
+#
- 
+
 -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
 -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
 +allow hypervkvp_t self:capability sys_ptrace;
 +allow hypervkvp_t self:process setfscreate;
 +allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
@ -36537,16 +36538,21 @@ index 4eb7041..3ba4a51 100644
 +')
 +
 +########################################
-+#
+ #
 +# hypervvssd local policy
-+#
+ #
-logging_send_syslog_msg(hypervkvpd_t)
+-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
 -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
 +allow hypervvssd_t self:capability sys_admin;
-miscfiles_read_localization(hypervkvpd_t)
+-logging_send_syslog_msg(hypervkvpd_t)
 +files_list_boot(hypervvssd_t)
 -miscfiles_read_localization(hypervkvpd_t)
 +files_list_all_mountpoints(hypervvssd_t)
 +files_write_all_mountpoints(hypervvssd_t)
 -sysnet_dns_name_resolve(hypervkvpd_t)
 +logging_send_syslog_msg(hypervvssd_t)
 diff --git a/i18n_input.te b/i18n_input.te
@ -37242,15 +37248,16 @@ index 0000000..61f2003
 +userdom_use_user_terminals(iotop_t)
 diff --git a/ipa.fc b/ipa.fc
 new file mode 100644
-index 0000000..db194ec
+index 0000000..749756a
 --- /dev/null
 +++ b/ipa.fc
-@@ -0,0 +1,10 @@
+@@ -0,0 +1,11 @@
 +/usr/lib/systemd/system/ipa-otpd.*		--	gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
 +
 +/usr/libexec/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
 +
 +/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains --   gen_context(system_u:object_r:ipa_helper_exec_t,s0)
 +/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)
 +
 +/var/lib/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_lib_t,s0)
 +
@ -61471,10 +61478,10 @@ index 57c0161..c554eb6 100644
 +    ps_process_pattern($1, nut_t)
 ')
 diff --git a/nut.te b/nut.te
-index 5b2cb0d..ad16c77 100644
+index 5b2cb0d..7655e0b 100644
 --- a/nut.te
 +++ b/nut.te
-@@ -7,154 +7,143 @@ policy_module(nut, 1.3.0)
+@@ -7,154 +7,148 @@ policy_module(nut, 1.3.0)
 attribute nut_domain;
@ -61584,12 +61591,13 @@ index 5b2cb0d..ad16c77 100644
 -allow nut_upsmon_t self:capability dac_read_search;
 -allow nut_upsmon_t self:unix_stream_socket connectto;
 +allow nut_upsmon_t self:capability kill;
 +allow nut_upsmon_t self:tcp_socket create_socket_perms;
 +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
 +read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
 +
 +read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
 +kernel_read_kernel_sysctls(nut_upsmon_t)
 kernel_read_system_state(nut_upsmon_t)
@ -61609,6 +61617,9 @@ index 5b2cb0d..ad16c77 100644
 -corenet_sendrecv_generic_client_packets(nut_upsmon_t)
 corenet_tcp_connect_generic_port(nut_upsmon_t)
 +dev_read_rand(nut_upsmon_t)
 +dev_read_urand(nut_upsmon_t)
 +
 +# Creates /etc/killpower
 files_manage_etc_runtime_files(nut_upsmon_t)
 files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
@ -61655,6 +61666,7 @@ index 5b2cb0d..ad16c77 100644
 dev_read_sysfs(nut_upsdrvctl_t)
 -dev_read_urand(nut_upsdrvctl_t)
 +dev_read_usbfs(nut_upsdrvctl_t)
 dev_rw_generic_usb_dev(nut_upsdrvctl_t)
 term_use_unallocated_ttys(nut_upsdrvctl_t)
@ -76890,7 +76902,7 @@ index d68e26d..d2c4d2a 100644
 +/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
 +/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)
 diff --git a/puppet.if b/puppet.if
-index 7cb8b1f..9422c90 100644
+index 7cb8b1f..bef7217 100644
 --- a/puppet.if
 +++ b/puppet.if
@@ -1,4 +1,32 @@
@ -76971,7 +76983,7 @@ index 7cb8b1f..9422c90 100644
 ')
 ################################################
-@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
+@@ -78,158 +107,165 @@ interface(`puppet_read_config',`
 ##	</summary>
 ## </param>
 #
@ -77202,8 +77214,9 @@ index 7cb8b1f..9422c90 100644
 -	files_search_var_lib($1)
 -	admin_pattern($1, puppet_var_lib_t)
 +    files_search_etc($1)
-+	list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
+    list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
 +    read_files_pattern($1, puppet_etc_t, puppet_etc_t)
 +    read_lnk_files_pattern($1, puppet_etc_t, puppet_etc_t)
 +')
 +#####################################
@ -81711,10 +81724,10 @@ index 951db7f..00e699d 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
 ')
 diff --git a/raid.te b/raid.te
-index c99753f..c8696d7 100644
+index c99753f..c7b77bc 100644
 --- a/raid.te
 +++ b/raid.te
-@@ -15,54 +15,101 @@ role mdadm_roles types mdadm_t;
+@@ -15,54 +15,102 @@ role mdadm_roles types mdadm_t;
 type mdadm_initrc_exec_t;
 init_script_file(mdadm_initrc_exec_t)
@ -81822,10 +81835,11 @@ index c99753f..c8696d7 100644
 fs_rw_cgroup_files(mdadm_t)
 fs_dontaudit_list_tmpfs(mdadm_t)
 +fs_manage_cgroup_files(mdadm_t)
 +fs_read_efivarfs_files(mdadm_t)
 mls_file_read_all_levels(mdadm_t)
 mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +118,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +119,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
 storage_manage_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
 storage_write_scsi_generic(mdadm_t)
@ -81852,7 +81866,7 @@ index c99753f..c8696d7 100644
 userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
 userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +147,38 @@ optional_policy(`
+@@ -90,17 +148,38 @@ optional_policy(`
 ')
 optional_policy(`
@ -93982,10 +93996,10 @@ index 0000000..3e89d71
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..c9449b4
+index 0000000..3dc39bf
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,505 @@
+@@ -0,0 +1,506 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@ -94282,6 +94296,7 @@ index 0000000..c9449b4
 +#1103622
 +corenet_tcp_connect_xserver_port(sandbox_x_domain)
 +xserver_stream_connect(sandbox_x_domain)
 +userdom_connectto_stream(sandbox_x_domain)
 +
 +########################################
 +#
@ -98580,10 +98595,10 @@ index 0000000..ed76979
 +
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..90903a9
+index 0000000..243fc96
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,75 @@
+@@ -0,0 +1,77 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
@ -98609,6 +98624,8 @@ index 0000000..90903a9
 +# snapperd local policy
 +#
 +
 +allow snapperd_t self:capability dac_override;
 +
 +allow snapperd_t self:fifo_file rw_fifo_file_perms;
 +allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
 +
@ -110492,7 +110509,7 @@ index facdee8..19b6ffb 100644
 +        ps_process_pattern(virtd_t, $1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..a9548bd 100644
+index f03dcf5..7056171 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,248 @@
@ -112081,7 +112098,7 @@ index f03dcf5..a9548bd 100644
 +manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };
 +
 +allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
 +rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
@ -112497,24 +112514,30 @@ index f03dcf5..a9548bd 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,9 +1546,8 @@ optional_policy(`
+@@ -1192,7 +1546,7 @@ optional_policy(`
 ########################################
 #
 -# Bridgehelper local policy
 +# virt_bridgehelper local policy
 #
-
+ 
 allow virt_bridgehelper_t self:process { setcap getcap };
- allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
+@@ -1201,11 +1555,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
- allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+ allow virt_bridgehelper_t self:tun_socket create_socket_perms;
-@@ -1205,7 +1558,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+ allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 +allow virt_bridgehelper_t virt_domain:unix_stream_socket { read write };
 +
 manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
 kernel_read_network_state(virt_bridgehelper_t)
- 
+kernel_read_system_state(virt_bridgehelper_t)
 +
 +dev_read_urand(virt_bridgehelper_t)
 +dev_read_rand(virt_bridgehelper_t)
-+
+dev_read_sysfs(virt_bridgehelper_t)
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
 -userdom_search_user_home_dirs(virt_bridgehelper_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 164%{?dist}
+Release: 165%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -664,6 +664,18 @@ exit 0
 %endif
 %changelog
 * Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
 - Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
 - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
 - Allow arping running as netutils_t sys_module capability for removing tap devices.
 - Add userdom_connectto_stream() interface.
 - Allow systemd-logind to read /run/utmp. BZ(#1278662)
 - Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
 - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
 - Allow arping running as netutils_t sys_module capability for removing tap devices.
 - Add userdom_connectto_stream() interface.
 - Allow systemd-logind to read /run/utmp. BZ(#1278662)
 * Tue Dec 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-164
 - Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
 - Add interface firewalld_read_pid_files()