From 9b85087129d0153e982438e651c8577e1f0622d0 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Thu, 9 Jan 2014 15:11:05 +0100 Subject: [PATCH] - Add gluster fixes - Remove ability to transition to unconfined_t from confined domains - Additional allow rules to get libvirt-lxc containers working with docker --- policy-rawhide-base.patch | 105 +++-- policy-rawhide-contrib.patch | 721 ++++++++++++++++++++++------------- selinux-policy.spec | 7 +- 3 files changed, 528 insertions(+), 305 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index fa3531ed..d8abe18e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5400,7 +5400,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..4dec289 100644 +index b191055..fd1a0d0 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5598,7 +5598,7 @@ index b191055..4dec289 100644 network_port(matahari, tcp,49000,s0, udp,49000,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) -network_port(milter) # no defined portcon -+network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon ++network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon network_port(mmcc, tcp,5050,s0, udp,5050,s0) +network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0) network_port(monopd, tcp,1234,s0) @@ -12850,7 +12850,7 @@ index f962f76..35cd90c 100644 + allow $1 etc_t:service status; ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 1a03abd..92d1a8f 100644 +index 1a03abd..0335af9 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.18.1) 
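Review bot: The trailing comment on the rewritten milter line, `network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon`, is now contradicted by the line itself, which defines three portcons. The comment was accurate for the old `network_port(milter)` form and should be dropped or replaced with what the ports are for, e.g. `# milter sockets for sendmail/postfix mail filters`, if that is the intent; otherwise the next reader will assume the portcons are missing.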
@@ -13030,9 +13030,12 @@ index 1a03abd..92d1a8f 100644 ######################################## # -@@ -226,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile) +@@ -224,12 +261,13 @@ fs_associate_tmpfs(tmpfsfile) + # + # Create/access any file in a labeled filesystem; - allow files_unconfined_type file_type:{ file chr_file } ~execmod; +-allow files_unconfined_type file_type:{ file chr_file } ~execmod; ++allow files_unconfined_type file_type:{ file chr_file } ~{ execmod entrypoint }; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; +allow files_unconfined_type file_type:service *; @@ -17998,7 +18001,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..de53b7b 100644 +index 2522ca6..9da6c17 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,85 @@ policy_module(sysadm, 2.6.1) @@ -18409,7 +18412,7 @@ index 2522ca6..de53b7b 100644 ') optional_policy(` -@@ -356,19 +478,15 @@ optional_policy(` +@@ -356,19 +478,11 @@ optional_policy(` ') optional_policy(` @@ -18422,16 +18425,15 @@ index 2522ca6..de53b7b 100644 optional_policy(` - uml_role(sysadm_r, sysadm_t) -+ unconfined_domtrans(sysadm_t) - ') - - optional_policy(` +-') +- +-optional_policy(` - unconfined_domtrans(sysadm_t) + udev_run(sysadm_t, sysadm_r) ') optional_policy(` -@@ -380,10 +498,6 @@ optional_policy(` +@@ -380,10 +494,6 @@ optional_policy(` ') optional_policy(` @@ -18442,7 +18444,7 @@ index 2522ca6..de53b7b 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +505,9 @@ optional_policy(` +@@ -391,6 +501,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) 
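Review bot: The new exclusion in `allow files_unconfined_type file_type:{ file chr_file } ~{ execmod entrypoint };` is the rule that actually enforces the commit subject, but nothing in the hunk says why entrypoint joined execmod in the negated set. A one-line comment above it, such as `# entrypoint is excluded so unconfined domains can only be entered through their declared entry files, not through arbitrary file_type files`, would keep a future cleanup from restoring the blanket grant. The `# Create/access any file in a labeled filesystem;` comment two lines up no longer describes the rule fully and could be amended in the same place.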
@@ -18452,7 +18454,7 @@ index 2522ca6..de53b7b 100644 ') optional_policy(` -@@ -398,31 +515,34 @@ optional_policy(` +@@ -398,31 +511,34 @@ optional_policy(` ') optional_policy(` @@ -18493,7 +18495,7 @@ index 2522ca6..de53b7b 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +555,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +551,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18504,7 +18506,7 @@ index 2522ca6..de53b7b 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +575,75 @@ ifndef(`distro_redhat',` +@@ -459,15 +571,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19263,7 +19265,7 @@ index 0000000..cf6582f + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..539c163 +index 0000000..993b768 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,328 @@ @@ -19306,7 +19308,7 @@ index 0000000..539c163 +userdom_unpriv_type(unconfined_t) + +type unconfined_exec_t; -+init_system_domain(unconfined_t, unconfined_exec_t) ++application_domain(unconfined_t, unconfined_exec_t) +role unconfined_r types unconfined_t; +role_transition system_r unconfined_exec_t unconfined_r; +allow system_r unconfined_r; @@ -21883,7 +21885,7 @@ index 8274418..830bb6f 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..5a7e2a4 100644 +index 6bf0ecc..115c533 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ 
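Review bot: Switching `init_system_domain(unconfined_t, unconfined_exec_t)` to `application_domain(unconfined_t, unconfined_exec_t)` removes the init-side domain transition that init_system_domain() carried, yet the two lines that follow, `role_transition system_r unconfined_exec_t unconfined_r;` and `allow system_r unconfined_r;`, still describe system_r entering unconfined_r through unconfined_exec_t. Unless init is granted that transition elsewhere in the module, those lines appear to be dead after this change; if removing init's path into unconfined_t is intended (it matches the commit subject), a short comment saying so would stop someone from re-adding the transition to make the role_transition "work" again. The rest of the unconfineduser.te module is outside this hunk, so the intent cannot be confirmed from here.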
@@ -22618,10 +22620,30 @@ index 6bf0ecc..5a7e2a4 100644 ') ######################################## -@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1230,84 @@ interface(`xserver_read_xkb_libs',` ######################################## ## ++## Manage X keyboard extension libraries. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_manage_xkb_libs',` ++ gen_require(` ++ type xkb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 xkb_var_lib_t:dir list_dir_perms; ++ manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ++') ++ ++######################################## ++## +## dontaudit access checks X keyboard extension libraries. +## +## @@ -22683,7 +22705,7 @@ index 6bf0ecc..5a7e2a4 100644 ## Read xdm temporary files. ## ## -@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -1017,7 +1321,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -22692,7 +22714,7 @@ index 6bf0ecc..5a7e2a4 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1079,6 +1383,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -22735,7 +22757,7 @@ index 6bf0ecc..5a7e2a4 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1093,7 +1433,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -22744,7 +22766,7 @@ index 6bf0ecc..5a7e2a4 100644 ') ######################################## -@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1451,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') 
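Review bot: The new `xserver_manage_xkb_libs` interface hands its caller write access to xkb_var_lib_t via `manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)`, and later in this same patch xserver.te keeps `can_exec(xserver_t, xkb_var_lib_t)` under `# Run xkbcomp.`, so any domain given this interface can modify content the X server executes. That is a trust boundary worth stating in the interface description, e.g. `## Manage X keyboard extension libraries. Note that xserver_t executes files of this type, so callers gain write access to X server executable content.`, so that it is granted deliberately rather than as a generic "manage" helper. Separately, `allow $1 xkb_var_lib_t:dir list_dir_perms;` is redundant with the rw_dir_perms that manage_files_pattern already grants on the directory and can be dropped.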
@@ -22756,7 +22778,7 @@ index 6bf0ecc..5a7e2a4 100644 ') ######################################## -@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1210,6 +1552,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## @@ -22782,7 +22804,7 @@ index 6bf0ecc..5a7e2a4 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1587,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -22809,7 +22831,7 @@ index 6bf0ecc..5a7e2a4 100644 ') ######################################## -@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1632,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -22818,7 +22840,7 @@ index 6bf0ecc..5a7e2a4 100644 ## ## ## -@@ -1261,13 +1622,27 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1642,27 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -22847,7 +22869,7 @@ index 6bf0ecc..5a7e2a4 100644 ') ######################################## -@@ -1284,10 +1659,624 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1679,624 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -23475,7 +23497,7 @@ index 6bf0ecc..5a7e2a4 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..4a84226 100644 +index 8b40377..326b206 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` 
@@ -24615,7 +24637,7 @@ index 8b40377..4a84226 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,16 +1264,44 @@ optional_policy(` +@@ -785,17 +1264,44 @@ optional_policy(` ') optional_policy(` @@ -24657,11 +24679,12 @@ index 8b40377..4a84226 100644 optional_policy(` - unconfined_domain_noaudit(xserver_t) +- unconfined_domtrans(xserver_t) + unconfined_domain(xserver_t) - unconfined_domtrans(xserver_t) ') -@@ -803,6 +1310,10 @@ optional_policy(` + optional_policy(` +@@ -803,6 +1309,10 @@ optional_policy(` ') optional_policy(` @@ -24672,7 +24695,7 @@ index 8b40377..4a84226 100644 xfs_stream_connect(xserver_t) ') -@@ -818,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,10 +1328,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -24686,7 +24709,7 @@ index 8b40377..4a84226 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -829,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -829,7 +1339,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -24695,7 +24718,7 @@ index 8b40377..4a84226 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1353,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1352,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -24730,7 +24753,7 @@ index 8b40377..4a84226 100644 ') optional_policy(` -@@ -912,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1417,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -24739,7 +24762,7 @@ index 8b40377..4a84226 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1472,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1471,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -24771,7 +24794,7 @@ index 8b40377..4a84226 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1517,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -31944,7 +31967,7 @@ index 4e94884..ae63d78 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..b4f9029 100644 +index 59b04c1..7b0ef85 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1) @@ -31965,7 +31988,7 @@ index 59b04c1..b4f9029 100644 +## Allow syslogd the ability to read/write terminals +##

+## -+gen_tunable(logging_syslogd_use_tty, false) ++gen_tunable(logging_syslogd_use_tty, true) attribute logfile; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 6e8596f1..b2be4979 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -4756,7 +4756,7 @@ index f6eb485..51b128e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..e3e190e 100644 +index 6649962..dd376b5 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,317 @@ policy_module(apache, 2.7.2) @@ -5415,7 +5415,7 @@ index 6649962..e3e190e 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -412,6 +499,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -412,14 +499,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -5424,8 +5424,10 @@ index 6649962..e3e190e 100644 allow httpd_t httpd_rotatelogs_t:process signal_perms; manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -@@ -420,6 +509,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) + manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) + manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) ++allow httpd_t httpd_suexec_exec_t:process { signal signull }; allow httpd_t httpd_suexec_exec_t:file read_file_perms; +allow httpd_t httpd_sys_content_t:dir list_dir_perms; 
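Review bot: The default of the new boolean flips from `gen_tunable(logging_syslogd_use_tty, false)` to `gen_tunable(logging_syslogd_use_tty, true)`, so syslogd's terminal access is now granted out of the box rather than opt-in, and neither the commit message nor the `<desc>` block above mentions this. Since the tunable exists precisely to let administrators deny that access, the description should state the shipped default, e.g. `## Allow syslogd the ability to read/write terminals (enabled by default).`, and the reason for enabling it by default belongs in the commit message or a comment beside the gen_tunable line.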
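Review bot: The added line `allow httpd_t httpd_suexec_exec_t:process { signal signull };` targets an executable file type, not a domain: httpd_suexec_exec_t is the label of the suexec binary (the next line reads it with `:file read_file_perms`), so a `process` class rule against it grants nothing usable and will never match a running process. The intended target is almost certainly the suexec domain, `allow httpd_t httpd_suexec_t:process { signal signull };`. The enclosing apache.te section continues outside this hunk, so check that an equivalent rule is not already present there before adding it.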
@@ -5435,7 +5437,7 @@ index 6649962..e3e190e 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -450,140 +543,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +544,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5668,7 +5670,7 @@ index 6649962..e3e190e 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +714,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +715,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5728,7 +5730,7 @@ index 6649962..e3e190e 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +766,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +767,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5819,7 +5821,7 @@ index 6649962..e3e190e 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,66 +813,56 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,66 +814,56 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5917,7 +5919,7 @@ index 6649962..e3e190e 100644 ') optional_policy(` -@@ -770,6 +878,23 @@ optional_policy(` +@@ -770,6 +879,23 @@ optional_policy(` ') optional_policy(` @@ -5941,7 +5943,7 @@ index 6649962..e3e190e 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -786,35 +911,53 @@ optional_policy(` +@@ -786,35 +912,53 @@ optional_policy(` ') optional_policy(` 
@@ -6008,7 +6010,7 @@ index 6649962..e3e190e 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +965,18 @@ optional_policy(` +@@ -822,8 +966,18 @@ optional_policy(` ') optional_policy(` @@ -6027,7 +6029,7 @@ index 6649962..e3e190e 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +985,7 @@ optional_policy(` +@@ -832,6 +986,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6035,7 +6037,7 @@ index 6649962..e3e190e 100644 ') optional_policy(` -@@ -842,20 +996,39 @@ optional_policy(` +@@ -842,20 +997,39 @@ optional_policy(` ') optional_policy(` @@ -6081,7 +6083,7 @@ index 6649962..e3e190e 100644 ') optional_policy(` -@@ -863,19 +1036,35 @@ optional_policy(` +@@ -863,19 +1037,35 @@ optional_policy(` ') optional_policy(` @@ -6117,7 +6119,7 @@ index 6649962..e3e190e 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1072,173 @@ optional_policy(` +@@ -883,65 +1073,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6313,7 +6315,7 @@ index 6649962..e3e190e 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1247,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1248,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6468,7 +6470,7 @@ index 6649962..e3e190e 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1331,106 @@ optional_policy(` +@@ -1083,172 +1332,106 @@ optional_policy(` ') ') @@ -6705,7 +6707,7 @@ index 6649962..e3e190e 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1438,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1439,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` 
@@ -6802,7 +6804,7 @@ index 6649962..e3e190e 100644 ######################################## # -@@ -1321,8 +1513,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1514,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6819,7 +6821,7 @@ index 6649962..e3e190e 100644 ') ######################################## -@@ -1330,49 +1529,38 @@ optional_policy(` +@@ -1330,49 +1530,38 @@ optional_policy(` # User content local policy # @@ -6884,7 +6886,7 @@ index 6649962..e3e190e 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1570,100 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1571,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -7006,10 +7008,12 @@ index 6649962..e3e190e 100644 + corenet_tcp_connect_osapi_compute_port(httpd_t) ') diff --git a/apcupsd.fc b/apcupsd.fc -index 5ec0e13..274704f 100644 +index 5ec0e13..97c204f 100644 --- a/apcupsd.fc +++ b/apcupsd.fc -@@ -1,18 +1,21 @@ +@@ -1,18 +1,23 @@ ++/etc/apcupsd/powerfail -- gen_context(system_u:object_r:apcupsd_power_t,s0) ++ /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) +/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0) @@ -7037,7 +7041,7 @@ index 5ec0e13..274704f 100644 +/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) +/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) diff --git a/apcupsd.if b/apcupsd.if -index f3c0aba..9c06313 100644 +index f3c0aba..2b3352b 100644 --- a/apcupsd.if +++ b/apcupsd.if @@ -102,7 +102,7 @@ interface(`apcupsd_append_log',` @@ -7113,11 +7117,12 @@ index f3c0aba..9c06313 100644 ## All of the rules required to ## administrate an apcupsd environment. ##
-@@ -144,11 +187,16 @@ interface(`apcupsd_admin',` +@@ -144,11 +187,17 @@ interface(`apcupsd_admin',` gen_require(` type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t; + type apcupsd_unit_file_t; ++ type apcupsd_power_t; ') - allow $1 apcupsd_t:process { ptrace signal_perms }; @@ -7131,7 +7136,7 @@ index f3c0aba..9c06313 100644 apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 apcupsd_initrc_exec_t system_r; -@@ -165,4 +213,8 @@ interface(`apcupsd_admin',` +@@ -165,4 +214,11 @@ interface(`apcupsd_admin',` files_list_pids($1) admin_pattern($1, apcupsd_var_run_t) @@ -7139,33 +7144,42 @@ index f3c0aba..9c06313 100644 + apcupsd_systemctl($1) + admin_pattern($1, apcupsd_unit_file_t) + allow $1 apcupsd_unit_file_t:service all_service_perms; ++ ++ manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t) ++ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index 080bc4d..4b86e25 100644 +index 080bc4d..c85265d 100644 --- a/apcupsd.te 
+++ b/apcupsd.te -@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) +@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t) type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) ++type apcupsd_power_t; ++files_type(apcupsd_power_t) ++ +type apcupsd_unit_file_t; +systemd_unit_file(apcupsd_unit_file_t) + ######################################## # # Local policy -@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms; +@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms; allow apcupsd_t apcupsd_lock_t:file manage_file_perms; files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) -append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) ++manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t) ++files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ++ +manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) logging_log_filetrans(apcupsd_t, apcupsd_log_t, file) manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) -@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t) +@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t) corecmd_exec_bin(apcupsd_t) corecmd_exec_shell(apcupsd_t) @@ -7173,7 +7187,7 @@ index 080bc4d..4b86e25 100644 corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -@@ -67,6 +67,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) +@@ -67,6 +73,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t) 
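Review bot: In the `apcupsd_admin` interface, the new pair `manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)` / `files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")` mixes subjects: the first grants the admin domain `$1`, but the second names `apcupsd_t`, which is not a parameter of this interface and is already covered by the identical `files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")` added to apcupsd.te in the same hunk. As written, an administrator creating `/etc/apcupsd/powerfail` gets no type transition and the file lands as generic etc content. The line in the interface should read `files_etc_filetrans($1, apcupsd_power_t, file, "powerfail")`. The apcupsd_admin body begins before this hunk.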
@@ -7182,7 +7196,7 @@ index 080bc4d..4b86e25 100644 corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,19 +76,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) +@@ -74,19 +82,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) @@ -7210,7 +7224,7 @@ index 080bc4d..4b86e25 100644 optional_policy(` hostname_exec(apcupsd_t) -@@ -101,6 +107,11 @@ optional_policy(` +@@ -101,6 +113,11 @@ optional_policy(` shutdown_domtrans(apcupsd_t) ') @@ -7222,7 +7236,7 @@ index 080bc4d..4b86e25 100644 ######################################## # # CGI local policy -@@ -108,20 +119,20 @@ optional_policy(` +@@ -108,20 +125,20 @@ optional_policy(` optional_policy(` apache_content_template(apcupsd_cgi) @@ -9999,10 +10013,10 @@ index 0000000..de66654 +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..8c82398 +index 0000000..b3aa772 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,44 @@ +@@ -0,0 +1,54 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -10039,6 +10053,8 @@ index 0000000..8c82398 +kernel_read_system_state(bumblebee_t) +kernel_dontaudit_access_check_proc(bumblebee_t) + ++corecmd_exec_shell(bumblebee_t) ++ +dev_read_sysfs(bumblebee_t) + +auth_read_passwd(bumblebee_t) @@ -10047,6 +10063,14 @@ index 0000000..8c82398 + +modutils_domtrans_insmod(bumblebee_t) + ++sysnet_dns_name_resolve(bumblebee_t) ++ ++xserver_domtrans(bumblebee_t) ++xserver_manage_xkb_libs(bumblebee_t) ++ ++optional_policy(` ++ apm_stream_connect(bumblebee_t) ++') diff --git a/cachefilesd.fc b/cachefilesd.fc index 648c790..aa03fc8 100644 --- a/cachefilesd.fc @@ -10612,7 +10636,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..7124d87 100644 +index 550b287..8dd67f1 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) 
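Review bot: `xserver_manage_xkb_libs(bumblebee_t)` gives the bumblebee daemon write access to xkb_var_lib_t, a type that xserver.te in this same patch executes via `can_exec(xserver_t, xkb_var_lib_t)`, and it sits next to `xserver_domtrans(bumblebee_t)`, so a compromised bumblebee_t could stage content that the X server it launches then executes. If bumblebee only needs to spawn X and read the compiled keymaps, a read interface would be the least-privilege choice; if it genuinely has to write them, a comment such as `# bumblebee writes compiled xkb keymaps that the secondary X server executes` would record why the broader grant is accepted. Also, `corecmd_exec_shell(bumblebee_t)` and `sysnet_dns_name_resolve(bumblebee_t)` are added without any note of what the daemon shells out to or resolves; a brief comment would help the next reviewer judge whether they are still needed.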
@@ -10649,7 +10673,7 @@ index 550b287..7124d87 100644 corenet_all_recvfrom_unlabeled(certmonger_t) corenet_all_recvfrom_netlabel(certmonger_t) -@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) +@@ -49,16 +55,23 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) corenet_sendrecv_certmaster_client_packets(certmonger_t) corenet_tcp_connect_certmaster_port(certmonger_t) @@ -10657,6 +10681,8 @@ index 550b287..7124d87 100644 +corenet_tcp_connect_http_port(certmonger_t) +corenet_tcp_connect_http_cache_port(certmonger_t) + ++corenet_tcp_connect_ldap_port(certmonger_t) ++ +corenet_tcp_connect_pki_ca_port(certmonger_t) corenet_tcp_sendrecv_certmaster_port(certmonger_t) @@ -10672,7 +10698,7 @@ index 550b287..7124d87 100644 files_list_tmp(certmonger_t) fs_search_cgroup_dirs(certmonger_t) -@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t) +@@ -70,16 +83,17 @@ init_getattr_all_script_files(certmonger_t) logging_send_syslog_msg(certmonger_t) @@ -10693,7 +10719,7 @@ index 550b287..7124d87 100644 ') optional_policy(` -@@ -92,11 +104,47 @@ optional_policy(` +@@ -92,11 +106,47 @@ optional_policy(` ') optional_policy(` @@ -17916,7 +17942,7 @@ index 3023be7..20e370b 100644 + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ') diff --git a/cups.te b/cups.te -index c91813c..f31fa44 100644 +index c91813c..ac57f95 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.16.2) @@ -18179,12 +18205,13 @@ index c91813c..f31fa44 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,21 +278,21 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) -libs_read_lib_files(cupsd_t) libs_exec_lib_files(cupsd_t) ++libs_exec_ldconfig(cupsd_t) logging_send_audit_msgs(cupsd_t) logging_send_syslog_msg(cupsd_t) 
@@ -18205,7 +18232,7 @@ index c91813c..f31fa44 100644 userdom_dontaudit_search_user_home_content(cupsd_t) optional_policy(` -@@ -272,6 +305,8 @@ optional_policy(` +@@ -272,6 +306,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -18214,7 +18241,7 @@ index c91813c..f31fa44 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -282,8 +317,10 @@ optional_policy(` +@@ -282,8 +318,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -18225,7 +18252,7 @@ index c91813c..f31fa44 100644 ') ') -@@ -296,8 +333,8 @@ optional_policy(` +@@ -296,8 +334,8 @@ optional_policy(` ') optional_policy(` @@ -18235,7 +18262,7 @@ index c91813c..f31fa44 100644 ') optional_policy(` -@@ -306,7 +343,6 @@ optional_policy(` +@@ -306,7 +344,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -18243,7 +18270,7 @@ index c91813c..f31fa44 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -334,7 +370,11 @@ optional_policy(` +@@ -334,7 +371,11 @@ optional_policy(` ') optional_policy(` @@ -18256,7 +18283,7 @@ index c91813c..f31fa44 100644 ') ######################################## -@@ -342,12 +382,11 @@ optional_policy(` +@@ -342,12 +383,11 @@ optional_policy(` # Configuration daemon local policy # @@ -18272,7 +18299,7 @@ index c91813c..f31fa44 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -372,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -372,18 +412,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) 
@@ -18293,7 +18320,7 @@ index c91813c..f31fa44 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +430,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -18314,7 +18341,7 @@ index c91813c..f31fa44 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,11 +447,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -18326,7 +18353,7 @@ index c91813c..f31fa44 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +473,12 @@ optional_policy(` +@@ -449,9 +474,12 @@ optional_policy(` ') optional_policy(` @@ -18340,7 +18367,7 @@ index c91813c..f31fa44 100644 ') optional_policy(` -@@ -487,10 +514,6 @@ optional_policy(` +@@ -487,10 +515,6 @@ optional_policy(` # Lpd local policy # @@ -18351,7 +18378,7 @@ index c91813c..f31fa44 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +531,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +532,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -18369,7 +18396,7 @@ index c91813c..f31fa44 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +560,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +561,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) 
@@ -18379,7 +18406,7 @@ index c91813c..f31fa44 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +570,6 @@ optional_policy(` +@@ -550,7 +571,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -18387,7 +18414,7 @@ index c91813c..f31fa44 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +585,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +586,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -18539,7 +18566,7 @@ index c91813c..f31fa44 100644 ######################################## # -@@ -735,7 +629,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +630,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -18547,7 +18574,7 @@ index c91813c..f31fa44 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +638,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +639,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -18561,7 +18588,7 @@ index c91813c..f31fa44 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +650,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +651,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -18570,7 +18597,7 @@ index c91813c..f31fa44 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +662,4 @@ optional_policy(` +@@ -773,3 +663,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -21081,12 +21108,13 @@ index 77a5003..2728ee6 100644 +') + diff --git a/dhcp.fc b/dhcp.fc -index 8182c48..74d8d39 100644 +index 8182c48..31364a5 100644 --- a/dhcp.fc 
+++ b/dhcp.fc -@@ -1,4 +1,5 @@ +@@ -1,4 +1,6 @@ /etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) +/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) ++/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) @@ -22973,10 +23001,10 @@ index 0000000..543baf1 +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..f156949 +index 0000000..5c6eaab --- /dev/null +++ b/docker.te -@@ -0,0 +1,145 @@ +@@ -0,0 +1,157 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -23008,7 +23036,7 @@ index 0000000..f156949 +# docker local policy +# +allow docker_t self:capability { chown fowner fsetid mknod net_admin }; -+allow docker_t self:process signal_perms; ++allow docker_t self:process { getattr signal_perms }; +allow docker_t self:fifo_file rw_fifo_file_perms; +allow docker_t self:unix_stream_socket create_stream_socket_perms; +allow docker_t self:capability2 block_suspend; @@ -23046,13 +23074,19 @@ index 0000000..f156949 +corecmd_exec_shell(docker_t) + +corenet_tcp_bind_generic_node(docker_t) ++corenet_tcp_connect_http_port(docker_t) + +files_read_etc_files(docker_t) + +fs_read_cgroup_files(docker_t) + ++storage_raw_rw_fixed_disk(docker_t) ++ +auth_use_nsswitch(docker_t) + ++logging_send_audit_msgs(docker_t) ++logging_send_syslog_msg(docker_t) ++ +miscfiles_read_localization(docker_t) + +mount_domtrans(docker_t) 
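Review bot: `storage_raw_rw_fixed_disk(docker_t)` grants the daemon unconditional raw read/write on every fixed-disk device node, which together with the sys_admin/dac_override capabilities already in this domain lets it bypass file labels on any mounted filesystem, yet the rule carries no note on which storage backend needs it. The same applies to `kernel_request_load_module`, `dev_rw_loop_control` and `fs_relabelfrom_xattr_fs` added in the following hunks (@@ -23085 and @@ -23106); each of these moves docker_t closer to an unconfined domain at the same time this commit is removing unconfined transitions elsewhere. A one-line comment above each group naming the graph driver or feature that requires it (devicemapper thin pools, loop-backed storage, volume relabelling — presumably, so please confirm) would let a later reviewer tell whether the rule is still needed, and would make it possible to move the raw-disk rule behind a tunable if only one backend uses it.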
@@ -23073,7 +23107,7 @@ index 0000000..f156949 +# + +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace }; -+allow docker_t self:process { setpgid setsched signal_perms }; ++allow docker_t self:process { getcap setcap setpgid setsched signal_perms }; +allow docker_t self:netlink_route_socket rw_netlink_socket_perms;; +allow docker_t self:netlink_audit_socket create_netlink_socket_perms; +allow docker_t self:unix_dgram_socket create_socket_perms; @@ -23085,12 +23119,14 @@ index 0000000..f156949 + +kernel_setsched(docker_t) +kernel_get_sysvipc_info(docker_t) ++kernel_request_load_module(docker_t) + +dev_getattr_all_blk_files(docker_t) +dev_getattr_sysfs_fs(docker_t) +dev_read_urand(docker_t) +dev_read_lvm_control(docker_t) +dev_read_sysfs(docker_t) ++dev_rw_loop_control(docker_t) +dev_rw_lvm_control(docker_t) + +files_manage_isid_type_dirs(docker_t) @@ -23106,6 +23142,7 @@ index 0000000..f156949 +fs_remount_all_fs(docker_t) +fs_manage_cgroup_dirs(docker_t) +fs_manage_cgroup_files(docker_t) ++fs_relabelfrom_xattr_fs(docker_t) + +term_use_generic_ptys(docker_t) +term_use_ptmx(docker_t) @@ -23120,8 +23157,11 @@ index 0000000..f156949 +optional_policy(` + virt_read_config(docker_t) + virt_exec(docker_t) ++ virt_stream_connect(docker_t) ++ virt_stream_connect_sandbox(docker_t) ++ virt_manage_sandbox_files(docker_t) ++ virt_relabel_sandbox_filesystem(docker_t) +') -+ diff --git a/dovecot.fc b/dovecot.fc index c880070..4448055 100644 --- a/dovecot.fc @@ -25646,7 +25686,7 @@ index 280f875..f3a67c9 100644 ## ## diff --git a/firstboot.te b/firstboot.te -index 5010f04..928215f 100644 +index 5010f04..3b73741 100644 --- a/firstboot.te +++ b/firstboot.te @@ -1,7 +1,7 @@ @@ -25756,7 +25796,7 @@ index 5010f04..928215f 100644 optional_policy(` dbus_system_bus_client(firstboot_t) -@@ -102,20 +105,18 @@ optional_policy(` +@@ -102,20 +105,17 @@ optional_policy(` ') optional_policy(` 
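Review bot: `signal_perms` is now granted to docker_t twice: the rule changed in the previous hunk (@@ -23008) already allows `self:process { getattr signal_perms }`, and this hunk allows `self:process { getcap setcap setpgid setsched signal_perms }`. Policy still compiles, but two self:process rules for one domain invite drift; fold them into a single `allow docker_t self:process { getattr getcap setcap setpgid setsched signal_perms };` in one place. While this rule is being touched, the context line two below it, `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;`, carries a stray second semicolon inherited from the earlier version of the patch and is worth cleaning at the same time.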
@@ -25768,7 +25808,7 @@ index 5010f04..928215f 100644 ') optional_policy(` - unconfined_domtrans(firstboot_t) +- unconfined_domtrans(firstboot_t) - unconfined_domain(firstboot_t) + # The big hammer + unconfined_domain_noaudit(firstboot_t) @@ -27257,10 +27297,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..4b88195 +index 0000000..3ec9c95 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,200 @@ +@@ -0,0 +1,201 @@ +policy_module(glusterfs, 1.1.2) + +## @@ -27459,7 +27499,8 @@ index 0000000..4b88195 +') + +optional_policy(` -+ ssh_exec(glusterd_t) ++ ssh_basic_client_template(glusterd, glusterd_t, system_r) ++# ssh_exec(glusterd_t) +') diff --git a/glusterfs.fc b/glusterfs.fc deleted file mode 100644 @@ -31642,10 +31683,10 @@ index 6517fad..17c3627 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..ddc67b0 100644 +index 4eb7041..88bd0b2 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,57 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,59 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -31680,7 +31721,7 @@ index 4eb7041..ddc67b0 100644 # -# Local policy +# hyperv domain local policy - # ++# + +allow hyperv_domain self:capability net_admin; +allow hyperv_domain self:netlink_socket create_socket_perms; 
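Review bot: The glusterd.te hunk (@@ -27459) leaves a commented-out `# ssh_exec(glusterd_t)` directly under the new `ssh_basic_client_template(glusterd, glusterd_t, system_r)` call; commented-out policy is noise for the next maintainer and should be deleted, or, if it records an alternative that was deliberately rejected, replaced by a comment saying why. If I read the template right, the call derives a separate `glusterd_ssh_t` client domain rather than letting glusterd_t run ssh itself, which is a different trust boundary from the old rule; a short comment such as `# run ssh (geo-replication) in a derived glusterd_ssh_t domain rather than in glusterd_t` would make that choice explicit.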
@@ -31693,25 +31734,27 @@ index 4eb7041..ddc67b0 100644 +######################################## # +# hypervkvp local policy -+# -+ -+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) -+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) -+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) + # -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) ++ +logging_send_syslog_msg(hypervkvp_t) -logging_send_syslog_msg(hypervkvpd_t) +sysnet_dns_name_resolve(hypervkvp_t) - --miscfiles_read_localization(hypervkvpd_t) ++ +######################################## +# +# hypervvssd local policy +# +-miscfiles_read_localization(hypervkvpd_t) ++allow hypervvssd_t self:capability sys_admin; + -sysnet_dns_name_resolve(hypervkvpd_t) +logging_send_syslog_msg(hypervvssd_t) diff --git a/i18n_input.te b/i18n_input.te @@ -31872,7 +31915,7 @@ index fbb54e7..05c3777 100644 ######################################## diff --git a/inetd.te b/inetd.te -index c6450df..ea5acd7 100644 +index c6450df..a2a7a78 100644 --- a/inetd.te +++ b/inetd.te @@ -37,9 +37,9 @@ ifdef(`enable_mcs',` @@ -31916,7 +31959,7 @@ index c6450df..ea5acd7 100644 mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) -@@ -188,7 +192,7 @@ optional_policy(` +@@ -188,17 +192,13 @@ optional_policy(` ') optional_policy(` 
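Review bot: `allow hypervvssd_t self:capability sys_admin;` is added under the new "hypervvssd local policy" header with no explanation, and sys_admin is the broadest single capability a confined daemon can hold. Presumably the VSS daemon needs it for filesystem freeze/thaw (the FIFREEZE/FITHAW ioctls require CAP_SYS_ADMIN), but that is inferred, not visible here; please confirm and record it with a comment such as `# sys_admin: FIFREEZE/FITHAW for VSS snapshots`, so the grant is not copied to the hyperv_domain attribute later. Note that the shared `hyperv_domain` rules in the previous hunk already give both daemons net_admin and a netlink socket, so this is the only capability that distinguishes the two domains.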
@@ -31925,7 +31968,17 @@ index c6450df..ea5acd7 100644 ') optional_policy(` -@@ -220,6 +224,14 @@ kernel_read_kernel_sysctls(inetd_child_t) + udev_read_db(inetd_t) + ') + +-optional_policy(` +- unconfined_domtrans(inetd_t) +-') +- + ######################################## + # + # Child local policy +@@ -220,6 +220,14 @@ kernel_read_kernel_sysctls(inetd_child_t) kernel_read_network_state(inetd_child_t) kernel_read_system_state(inetd_child_t) @@ -31940,7 +31993,7 @@ index c6450df..ea5acd7 100644 dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +242,11 @@ auth_use_nsswitch(inetd_child_t) +@@ -230,7 +238,11 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) @@ -32083,13 +32136,32 @@ index ca07a87..6ea129c 100644 + /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) diff --git a/iodine.if b/iodine.if -index a0bfbd0..47f7c75 100644 +index a0bfbd0..a3b02e6 100644 --- a/iodine.if +++ b/iodine.if -@@ -2,6 +2,30 @@ +@@ -2,6 +2,49 @@ ######################################## ## ++## Execute NetworkManager with a domain transition. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`iodined_domtrans',` ++ gen_require(` ++ type iodined_t, iodined_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, iodined_exec_t, iodined_t) ++') ++ ++######################################## ++## +## Execute iodined server in the iodined domain. +## +## @@ -32118,7 +32190,7 @@ index a0bfbd0..47f7c75 100644 ## administrate an iodined environment ## diff --git a/iodine.te b/iodine.te -index d443fee..475b7f4 100644 +index d443fee..6cbbf7d 100644 --- a/iodine.te +++ b/iodine.te @@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t) 
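Review bot: The summary of the new `iodined_domtrans` interface in iodine.if (hunk @@ -32083) reads "Execute NetworkManager with a domain transition.", which is a copy-paste from the NetworkManager interface; the interface transitions its caller into iodined_t via `domtrans_pattern($1, iodined_exec_t, iodined_t)`, so the summary should read `## Execute iodined with a domain transition.`. The parameter description "Domain allowed to transition." is correct and can stay. Since this interface is what `iodined_domtrans(NetworkManager_t)` in the networkmanager.te hunk relies on, getting its documentation right matters for anyone auditing which domains may start the DNS-tunnel daemon.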
@@ -32131,11 +32203,12 @@ index d443fee..475b7f4 100644 ######################################## # # Local policy -@@ -43,7 +46,6 @@ corenet_udp_sendrecv_dns_port(iodined_t) +@@ -43,7 +46,7 @@ corenet_udp_sendrecv_dns_port(iodined_t) corecmd_exec_shell(iodined_t) -files_read_etc_files(iodined_t) ++auth_use_nsswitch(iodined_t) logging_send_syslog_msg(iodined_t) @@ -35235,7 +35308,7 @@ index f6c00d8..c0946cf 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d59..2242f4d 100644 +index 8833d59..3ca9e12 100644 --- a/kerberos.te +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) @@ -35390,7 +35463,7 @@ index 8833d59..2242f4d 100644 sysnet_use_ldap(kadmind_t) userdom_dontaudit_use_unpriv_user_fds(kadmind_t) -@@ -154,6 +173,10 @@ optional_policy(` +@@ -154,11 +173,16 @@ optional_policy(` ') optional_policy(` @@ -35401,7 +35474,13 @@ index 8833d59..2242f4d 100644 nis_use_ypbind(kadmind_t) ') -@@ -174,24 +197,27 @@ optional_policy(` + optional_policy(` + sssd_read_public_files(kadmind_t) ++ sssd_stream_connect(kadmind_t) + ') + + optional_policy(` +@@ -174,24 +198,27 @@ optional_policy(` # Krb5kdc local policy # @@ -35433,7 +35512,7 @@ index 8833d59..2242f4d 100644 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; -@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) +@@ -203,54 +230,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) @@ -35499,7 +35578,7 @@ index 8833d59..2242f4d 100644 sysnet_use_ldap(krb5kdc_t) userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) -@@ -261,11 +286,11 @@ optional_policy(` +@@ -261,11 +287,11 @@ optional_policy(` ') optional_policy(` 
@@ -35513,7 +35592,7 @@ index 8833d59..2242f4d 100644 ') optional_policy(` -@@ -273,6 +298,10 @@ optional_policy(` +@@ -273,6 +299,10 @@ optional_policy(` ') optional_policy(` @@ -35524,7 +35603,7 @@ index 8833d59..2242f4d 100644 udev_read_db(krb5kdc_t) ') -@@ -281,10 +310,12 @@ optional_policy(` +@@ -281,10 +311,12 @@ optional_policy(` # kpropd local policy # @@ -35540,7 +35619,7 @@ index 8833d59..2242f4d 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -303,26 +335,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) @@ -36322,7 +36401,7 @@ index 5297064..6ba8108 100644 domain_system_change_exemption($1) role_transition $2 kudzu_initrc_exec_t system_r; diff --git a/kudzu.te b/kudzu.te -index 1664036..214a4fb 100644 +index 1664036..d10ed5a 100644 --- a/kudzu.te +++ b/kudzu.te @@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t) @@ -36346,7 +36425,7 @@ index 1664036..214a4fb 100644 userdom_dontaudit_use_unpriv_user_fds(kudzu_t) userdom_search_user_home_dirs(kudzu_t) -@@ -122,10 +120,6 @@ optional_policy(` +@@ -122,17 +120,9 @@ optional_policy(` ') optional_policy(` @@ -36357,6 +36436,13 @@ index 1664036..214a4fb 100644 seutil_sigchld_newrole(kudzu_t) ') + optional_policy(` + udev_read_db(kudzu_t) + ') +- +-optional_policy(` +- unconfined_domtrans(kudzu_t) +-') diff --git a/l2tp.fc b/l2tp.fc index d5d1572..82267a7 100644 --- a/l2tp.fc @@ -41205,10 +41291,10 @@ index 0000000..6568bfe +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..7245033 +index 0000000..92c3b35 --- /dev/null +++ b/mock.te -@@ -0,0 +1,273 @@ +@@ -0,0 +1,275 @@ +policy_module(mock,1.0.0) + +## @@ -41479,6 +41565,8 @@ index 0000000..7245033 + +libs_exec_ldconfig(mock_build_t) + ++userdom_use_inherited_user_ptys(mock_build_t) ++ +tunable_policy(`mock_enable_homedirs',` + userdom_read_user_home_content_files(mock_build_t) +') 
@@ -42924,7 +43012,7 @@ index 6194b80..b8952a1 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..058f834 100644 +index 11ac8e4..ea784b3 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0) @@ -43766,7 +43854,7 @@ index 11ac8e4..058f834 100644 ') optional_policy(` -@@ -568,108 +578,130 @@ optional_policy(` +@@ -568,108 +578,131 @@ optional_policy(` ') optional_policy(` @@ -43947,6 +44035,7 @@ index 11ac8e4..058f834 100644 - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_spice',` + dev_rw_generic_usb_dev(mozilla_plugin_t) ++ dev_setattr_generic_usb_dev(mozilla_plugin_t) + corenet_tcp_bind_vnc_port(mozilla_plugin_t) ') @@ -45471,7 +45560,7 @@ index ed81cac..26c97cd 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..2305a28 100644 +index ff1d68c..d5c4ceb 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -45684,14 +45773,20 @@ index ff1d68c..2305a28 100644 courier_stream_connect_authdaemon(system_mail_t) ') -@@ -246,6 +269,7 @@ optional_policy(` - optional_policy(` - fail2ban_dontaudit_rw_stream_sockets(system_mail_t) - fail2ban_append_log(system_mail_t) -+ fail2ban_dontaudit_leaks(system_mail_t) - fail2ban_rw_inherited_tmp_files(system_mail_t) +@@ -244,9 +267,10 @@ optional_policy(` ') + optional_policy(` +- fail2ban_dontaudit_rw_stream_sockets(system_mail_t) +- fail2ban_append_log(system_mail_t) +- fail2ban_rw_inherited_tmp_files(system_mail_t) ++ fail2ban_append_log(user_mail_domain) ++ fail2ban_dontaudit_leaks(user_mail_domain) ++ fail2ban_rw_inherited_tmp_files(mta_user_agent) ++ fail2ban_rw_inherited_tmp_files(user_mail_domain) + ') + + optional_policy(` @@ -258,10 +282,15 @@ optional_policy(` ') @@ -48960,7 +49055,7 @@ index 86dc29d..5b73942 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') 
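Review bot: In the mta.te hunk (@@ -45684), `fail2ban_append_log(user_mail_domain)` and `fail2ban_dontaudit_leaks(user_mail_domain)` widen rules that previously applied to system_mail_t alone to every domain carrying the user_mail_domain attribute, so any user mail agent may now append to fail2ban's log; if only the system mailer (fail2ban's own sendmail action) needs this, keep the narrower `system_mail_t` target. `fail2ban_rw_inherited_tmp_files` is granted to both `mta_user_agent` and `user_mail_domain`; I cannot tell from here whether one attribute already covers the other, but if it does, one of the two lines is redundant. A comment stating which fail2ban action invokes the mailer would make the intended scope reviewable.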
diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..076a73e 100644 +index 55f2009..51ec888 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -49112,7 +49207,7 @@ index 55f2009..076a73e 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +152,17 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +152,31 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -49130,7 +49225,9 @@ index 55f2009..076a73e 100644 storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +171,11 @@ init_domtrans_script(NetworkManager_t) + init_dontaudit_write_utmp(NetworkManager_t) + init_domtrans_script(NetworkManager_t) ++init_signull_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -49143,7 +49240,7 @@ index 55f2009..076a73e 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +190,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +191,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -49180,7 +49277,7 @@ index 55f2009..076a73e 100644 ') optional_policy(` -@@ -196,10 +231,6 @@ optional_policy(` +@@ -196,10 +232,6 @@ optional_policy(` ') optional_policy(` @@ -49191,7 +49288,7 @@ index 55f2009..076a73e 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +241,11 @@ optional_policy(` +@@ -210,16 +242,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -49210,7 +49307,7 @@ index 55f2009..076a73e 100644 ') ') -@@ -231,18 +257,19 @@ optional_policy(` +@@ -231,18 +258,23 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) 
@@ -49230,10 +49327,14 @@ index 55f2009..076a73e 100644 optional_policy(` - howl_signal(NetworkManager_t) + gnome_dontaudit_search_config(NetworkManager_t) ++') ++ ++optional_policy(` ++ iodined_domtrans(NetworkManager_t) ') optional_policy(` -@@ -250,6 +277,10 @@ optional_policy(` +@@ -250,6 +282,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -49244,7 +49345,7 @@ index 55f2009..076a73e 100644 ') optional_policy(` -@@ -257,11 +288,10 @@ optional_policy(` +@@ -257,11 +293,10 @@ optional_policy(` ') optional_policy(` @@ -49260,7 +49361,7 @@ index 55f2009..076a73e 100644 ') optional_policy(` -@@ -274,10 +304,17 @@ optional_policy(` +@@ -274,10 +309,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -49278,7 +49379,7 @@ index 55f2009..076a73e 100644 ') optional_policy(` -@@ -289,6 +326,7 @@ optional_policy(` +@@ -289,6 +331,7 @@ optional_policy(` ') optional_policy(` @@ -49286,7 +49387,7 @@ index 55f2009..076a73e 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +334,7 @@ optional_policy(` +@@ -296,7 +339,7 @@ optional_policy(` ') optional_policy(` @@ -49295,7 +49396,7 @@ index 55f2009..076a73e 100644 ') optional_policy(` -@@ -307,6 +345,7 @@ optional_policy(` +@@ -307,6 +350,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -49303,7 +49404,7 @@ index 55f2009..076a73e 100644 ') optional_policy(` -@@ -320,14 +359,20 @@ optional_policy(` +@@ -320,14 +364,20 @@ optional_policy(` ') optional_policy(` 
@@ -49329,7 +49430,7 @@ index 55f2009..076a73e 100644 ') optional_policy(` -@@ -357,6 +402,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +407,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -53631,7 +53732,7 @@ index c87bd2a..7de054a 100644 + ') ') diff --git a/oddjob.te b/oddjob.te -index e403097..868981b 100644 +index e403097..6f7b99d 100644 --- a/oddjob.te +++ b/oddjob.te @@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0) @@ -53688,8 +53789,14 @@ index e403097..868981b 100644 locallogin_dontaudit_use_fds(oddjob_t) -@@ -71,13 +71,13 @@ optional_policy(` +@@ -65,19 +65,15 @@ optional_policy(` + dbus_connect_system_bus(oddjob_t) + ') +-optional_policy(` +- unconfined_domtrans(oddjob_t) +-') +- ######################################## # -# Mkhomedir local policy @@ -53704,7 +53811,7 @@ index e403097..868981b 100644 kernel_read_system_state(oddjob_mkhomedir_t) -@@ -85,7 +85,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t) +@@ -85,7 +81,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t) logging_send_syslog_msg(oddjob_mkhomedir_t) @@ -53712,7 +53819,7 @@ index e403097..868981b 100644 selinux_get_fs_mount(oddjob_mkhomedir_t) selinux_validate_context(oddjob_mkhomedir_t) -@@ -98,8 +97,11 @@ seutil_read_config(oddjob_mkhomedir_t) +@@ -98,8 +93,11 @@ seutil_read_config(oddjob_mkhomedir_t) seutil_read_file_contexts(oddjob_mkhomedir_t) seutil_read_default_contexts(oddjob_mkhomedir_t) @@ -57249,12 +57356,15 @@ index 43d50f9..7f77d32 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index 1fb1964..f92c71a 100644 +index 1fb1964..c5ec0c4 100644 --- a/pcscd.te 
+++ b/pcscd.te -@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") +@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") + # + allow pcscd_t self:capability { dac_override dac_read_search fsetid }; - allow pcscd_t self:process signal; +-allow pcscd_t self:process signal; ++allow pcscd_t self:process { signal signull }; allow pcscd_t self:fifo_file rw_fifo_file_perms; -allow pcscd_t self:unix_stream_socket { accept listen }; -allow pcscd_t self:tcp_socket { accept listen }; @@ -57298,10 +57408,10 @@ index 1fb1964..f92c71a 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..4694942 100644 +index dfd46e4..fabf59e 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,29 @@ +@@ -1,15 +1,30 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) @@ -57339,6 +57449,7 @@ index dfd46e4..4694942 100644 +/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + +/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) diff --git a/pegasus.if b/pegasus.if index d2fc677..ded726f 100644 --- a/pegasus.if @@ -57440,7 +57551,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..938df5d 100644 +index 608f454..b4c36a9 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -57459,7 +57570,7 @@ index 608f454..938df5d 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,288 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,290 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) 
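Review bot: In the pegasus.fc hunk (@@ -57339), `/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt` is labelled `pegasus_openlmi_storage_exec_t`, so the hardware provider will run in the storage provider's domain and inherit whatever that domain is allowed, while the Journald provider in the context line above got the admin type and the Storage provider has its own. If sharing the storage domain is deliberate, add a comment such as `# hardware provider shares the storage provider domain`; otherwise give the hardware provider its own exec type and domain, as the other providers have. As written, a reader cannot distinguish an intentional choice from a copy-paste of the line above.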
@@ -57615,6 +57726,8 @@ index 608f454..938df5d 100644 +dev_rw_sysfs(pegasus_openlmi_system_t) +dev_read_urand(pegasus_openlmi_system_t) + ++systemd_config_power_services(pegasus_openlmi_system_t) ++ +optional_policy(` + dbus_system_bus_client(pegasus_openlmi_system_t) +') @@ -57753,7 +57866,7 @@ index 608f454..938df5d 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +321,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +323,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -57784,7 +57897,7 @@ index 608f454..938df5d 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +347,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +349,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -57817,7 +57930,7 @@ index 608f454..938df5d 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +375,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +377,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -57829,7 +57942,7 @@ index 608f454..938df5d 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +391,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +393,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -57865,7 +57978,7 @@ index 608f454..938df5d 100644 ') optional_policy(` -@@ -151,16 +425,24 @@ optional_policy(` +@@ -151,16 +427,24 @@ optional_policy(` ') optional_policy(` 
@@ -57894,7 +58007,7 @@ index 608f454..938df5d 100644 ') optional_policy(` -@@ -168,7 +450,7 @@ optional_policy(` +@@ -168,7 +452,7 @@ optional_policy(` ') optional_policy(` @@ -59653,7 +59766,7 @@ index 30e751f..78fb7c6 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 3078ce9..c1a1267 100644 +index 3078ce9..d0cdb5d 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -15,7 +15,7 @@ type plymouthd_exec_t; @@ -59665,7 +59778,7 @@ index 3078ce9..c1a1267 100644 type plymouthd_var_lib_t; files_type(plymouthd_var_lib_t) -@@ -28,12 +28,12 @@ files_pid_file(plymouthd_var_run_t) +@@ -28,13 +28,14 @@ files_pid_file(plymouthd_var_run_t) ######################################## # @@ -59678,9 +59791,11 @@ index 3078ce9..c1a1267 100644 allow plymouthd_t self:capability2 block_suspend; +dontaudit plymouthd_t self:capability dac_override; allow plymouthd_t self:process { signal getsched }; ++allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms; allow plymouthd_t self:fifo_file rw_fifo_file_perms; allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; -@@ -48,9 +48,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) + +@@ -48,9 +49,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) @@ -59691,7 +59806,7 @@ index 3078ce9..c1a1267 100644 logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -@@ -70,19 +68,27 @@ domain_use_interactive_fds(plymouthd_t) +@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t) fs_getattr_all_fs(plymouthd_t) @@ -59723,7 +59838,7 @@ index 3078ce9..c1a1267 100644 ') optional_policy(` -@@ -90,35 +96,33 @@ optional_policy(` +@@ -90,35 +97,33 @@ optional_policy(` ') optional_policy(` 
@@ -69691,10 +69806,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..b744b5d 100644 +index 8644d8b..9a3a093 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,105 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,119 @@ policy_module(quantum, 1.1.0) # Declarations # 
@@ -69739,55 +69854,49 @@ index 8644d8b..b744b5d 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; -+allow neutron_t self:capability { setgid setuid sys_resource }; ++allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin }; +allow neutron_t self:process { setsched setrlimit }; +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; +allow neutron_t self:tcp_socket { accept listen }; +allow neutron_t self:unix_stream_socket { accept listen }; ++ ++manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) ++append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) ++create_files_pattern(neutron_t, neutron_log_t, neutron_log_t) ++setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) ++logging_log_filetrans(neutron_t, neutron_log_t, dir) ++ ++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) ++files_tmp_filetrans(neutron_t, neutron_tmp_t, file) -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -logging_log_filetrans(quantum_t, quantum_log_t, dir) -+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) -+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) -+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t) -+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) -+logging_log_filetrans(neutron_t, neutron_log_t, dir) - --manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) --files_tmp_filetrans(quantum_t, quantum_tmp_t, file) -+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) -+files_tmp_filetrans(neutron_t, neutron_tmp_t, file) - --manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) 
--manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) --files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) --can_exec(quantum_t, quantum_tmp_t) +-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) +-files_tmp_filetrans(quantum_t, quantum_tmp_t, file) +can_exec(neutron_t, neutron_tmp_t) --kernel_read_kernel_sysctls(quantum_t) --kernel_read_system_state(quantum_t) +-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) +-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) +-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) +kernel_read_kernel_sysctls(neutron_t) +kernel_read_system_state(neutron_t) ++kernel_read_network_state(neutron_t) ++kernel_request_load_module(neutron_t) --corecmd_exec_shell(quantum_t) --corecmd_exec_bin(quantum_t) +-can_exec(quantum_t, quantum_tmp_t) +corecmd_exec_shell(neutron_t) +corecmd_exec_bin(neutron_t) --corenet_all_recvfrom_unlabeled(quantum_t) --corenet_all_recvfrom_netlabel(quantum_t) --corenet_tcp_sendrecv_generic_if(quantum_t) --corenet_tcp_sendrecv_generic_node(quantum_t) --corenet_tcp_sendrecv_all_ports(quantum_t) --corenet_tcp_bind_generic_node(quantum_t) +-kernel_read_kernel_sysctls(quantum_t) +-kernel_read_system_state(quantum_t) +corenet_all_recvfrom_unlabeled(neutron_t) +corenet_all_recvfrom_netlabel(neutron_t) +corenet_tcp_sendrecv_generic_if(neutron_t) 
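Review bot: Adding `net_admin sys_admin` to `allow neutron_t self:capability { ... }` is the most consequential part of the quantum→neutron rename, but nothing records why; the second half of the change (hunk @@ -69795, L37–38) also adds `kernel_request_load_module`, `dev_mounton_sysfs`/`dev_mount_sysfs_fs`, transitions to dnsmasq and iptables, and `sudo_exec(neutron_t)`, which together make neutron_t a near-root domain. Presumably sys_admin is for network-namespace handling (setns/unshare require CAP_SYS_ADMIN) and the sysfs mount rules are for the same purpose — please confirm and say so, e.g. `# sys_admin/net_admin: network namespaces and interface setup (ip netns) — TODO confirm`. `sudo_exec(neutron_t)` in particular deserves a comment naming which helper (rootwrap, presumably) needs it, since executing sudo from a domain that already holds sys_admin is the kind of rule later reviewers will want to remove.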
@@ -69795,65 +69904,85 @@ index 8644d8b..b744b5d 100644
 +corenet_tcp_sendrecv_all_ports(neutron_t)
 +corenet_tcp_bind_generic_node(neutron_t)
--dev_list_sysfs(quantum_t)
--dev_read_urand(quantum_t)
 -corecmd_exec_shell(quantum_t)
 -corecmd_exec_bin(quantum_t)
 +corenet_tcp_bind_neutron_port(neutron_t)
 +corenet_tcp_connect_keystone_port(neutron_t)
 +corenet_tcp_connect_amqp_port(neutron_t)
 +corenet_tcp_connect_mysqld_port(neutron_t)
--files_read_usr_files(quantum_t)
-+dev_list_sysfs(neutron_t)
-+dev_read_urand(neutron_t)
 -corenet_all_recvfrom_unlabeled(quantum_t)
 -corenet_all_recvfrom_netlabel(quantum_t)
 -corenet_tcp_sendrecv_generic_if(quantum_t)
 -corenet_tcp_sendrecv_generic_node(quantum_t)
 -corenet_tcp_sendrecv_all_ports(quantum_t)
 -corenet_tcp_bind_generic_node(quantum_t)
++domain_named_filetrans(neutron_t)
--auth_use_nsswitch(quantum_t)
 -dev_list_sysfs(quantum_t)
 -dev_read_urand(quantum_t)
++dev_read_sysfs(neutron_t)
++dev_read_urand(neutron_t)
++dev_mounton_sysfs(neutron_t)
++dev_mount_sysfs_fs(neutron_t)
+
+-files_read_usr_files(quantum_t)
 +auth_use_nsswitch(neutron_t)
--libs_exec_ldconfig(quantum_t)
 -auth_use_nsswitch(quantum_t)
 +libs_exec_ldconfig(neutron_t)
--logging_send_audit_msgs(quantum_t)
--logging_send_syslog_msg(quantum_t)
 -libs_exec_ldconfig(quantum_t)
 +logging_send_audit_msgs(neutron_t)
 +logging_send_syslog_msg(neutron_t)
--miscfiles_read_localization(quantum_t)
 -logging_send_audit_msgs(quantum_t)
 -logging_send_syslog_msg(quantum_t)
 +sysnet_exec_ifconfig(neutron_t)
--sysnet_domtrans_ifconfig(quantum_t)
 -miscfiles_read_localization(quantum_t)
 +optional_policy(`
 + brctl_domtrans(neutron_t)
++')
+
 -sysnet_domtrans_ifconfig(quantum_t)
++optional_policy(`
++ dnsmasq_domtrans(neutron_t)
 +')
 optional_policy(`
 - brctl_domtrans(quantum_t)
-+ mysql_stream_connect(neutron_t)
-+ mysql_read_config(neutron_t)
-+
-+ mysql_tcp_connect(neutron_t)
++ iptables_domtrans(neutron_t)
 ')
 optional_policy(`
 - mysql_stream_connect(quantum_t)
 - mysql_read_config(quantum_t)
-+ postgresql_stream_connect(neutron_t)
-+ postgresql_unpriv_client(neutron_t)
++ mysql_stream_connect(neutron_t)
++ mysql_read_config(neutron_t)
 - mysql_tcp_connect(quantum_t)
-+ postgresql_tcp_connect(neutron_t)
++ mysql_tcp_connect(neutron_t)
 ')
 optional_policy(`
 - postgresql_stream_connect(quantum_t)
 - postgresql_unpriv_client(quantum_t)
-+ openvswitch_domtrans(neutron_t)
-+ openvswitch_stream_connect(neutron_t)
++ postgresql_stream_connect(neutron_t)
++ postgresql_unpriv_client(neutron_t)
++
++ postgresql_tcp_connect(neutron_t)
 +')
 - postgresql_tcp_connect(quantum_t)
 +optional_policy(`
-+ sudo_exec(neutron_t)
++ openvswitch_domtrans(neutron_t)
++ openvswitch_stream_connect(neutron_t)
 ')
++
++optional_policy(`
++ sudo_exec(neutron_t)
++')
 diff --git a/quota.fc b/quota.fc
 index cadabe3..54ba01d 100644
 --- a/quota.fc
@@ -73248,10 +73377,10 @@ index c8a1e16..2d409bf 100644
 xen_domtrans_xm(rgmanager_t)
 ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..98a4280 100644
+index 47de2d6..a7e8263 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,85 @@
+@@ -1,31 +1,86 @@
 -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -73333,6 +73462,7 @@ index 47de2d6..98a4280 100644
 +/usr/sbin/ldirectord -- gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/pacemaker_remoted -- gen_context(system_u:object_r:cluster_exec_t,s0)
 +
 +/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
 +
@@ -76540,7 +76670,7 @@ index 0bf13c2..d59aef7 100644
 type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
 type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
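Review bot: `sudo_exec(neutron_t)` in the last new optional_policy block executes sudo without a domain transition, so whatever rootwrap launches through sudo keeps running as neutron_t with that domain's `setuid setgid net_admin sys_admin` capabilities, except for the helpers that get explicit transitions here (brctl, dnsmasq, iptables, openvswitch). That may well be the intended design, but nothing in neutron.te says so; a comment above the call such as `# rootwrap runs helpers via sudo inside neutron_t; only brctl/dnsmasq/iptables/openvswitch get their own domains` would make the privilege boundary explicit. The new `dev_mounton_sysfs(neutron_t)` and `dev_mount_sysfs_fs(neutron_t)` mount permissions likewise carry no note on their use case (presumably per-namespace sysfs), and one line there would help the next reviewer.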
diff --git a/rpc.te b/rpc.te
-index 2da9fca..b96da60 100644
+index 2da9fca..11e7bfe 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
@@ -76807,6 +76937,15 @@ index 2da9fca..b96da60 100644
 ')
 ########################################
+@@ -270,7 +287,7 @@ optional_policy(`
+ # GSSD local policy
+ #
+
+-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
++allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
+ allow gssd_t self:process { getsched setsched };
+ allow gssd_t self:fifo_file rw_fifo_file_perms;
+
 @@ -280,6 +297,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -76815,7 +76954,7 @@ index 2da9fca..b96da60 100644
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
 kernel_request_load_module(gssd_t)
-@@ -288,25 +306,29 @@ kernel_signal(gssd_t)
+@@ -288,25 +306,30 @@ kernel_signal(gssd_t)
 corecmd_exec_bin(gssd_t)
@@ -76837,6 +76976,7 @@ index 2da9fca..b96da60 100644
 miscfiles_read_generic_certs(gssd_t)
 userdom_signal_all_users(gssd_t)
++userdom_read_all_users_keys(gssd_t)
 -tunable_policy(`allow_gssd_read_tmp',`
 +tunable_policy(`gssd_read_tmp',`
@@ -76848,7 +76988,7 @@ index 2da9fca..b96da60 100644
 ')
 optional_policy(`
-@@ -314,9 +336,12 @@ optional_policy(`
+@@ -314,9 +337,12 @@ optional_policy(`
 ')
 optional_policy(`
@@ -77757,7 +77897,7 @@ index ef3b225..064712b 100644
 init_labeled_script_domtrans($1, rpm_initrc_exec_t)
 domain_system_change_exemption($1)
 diff --git a/rpm.te b/rpm.te
-index 6fc360e..dfa0f04 100644
+index 6fc360e..955caa1 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
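Review bot: `userdom_read_all_users_keys(gssd_t)` is granted unconditionally, while access to users' credential-cache files in /tmp on the lines just below stays behind the `gssd_read_tmp` boolean; reading every user's kernel keyring is at least as sensitive as reading their /tmp, so either gate it with the same boolean or document why it must always be on. A comment such as `# KEYRING: Kerberos credential caches live in per-user kernel keyrings -- confirm` above the call would record the rationale. The `setgid` added to gssd_t's capability set in the earlier hunk on this line is small but equally uncommented.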
@@ -78137,11 +78277,11 @@ index 6fc360e..dfa0f04 100644 logging_send_syslog_msg(rpm_script_t) -miscfiles_read_localization(rpm_script_t) -- --modutils_run_depmod(rpm_script_t, rpm_roles) --modutils_run_insmod(rpm_script_t, rpm_roles) +miscfiles_filetrans_named_content(rpm_script_t) +-modutils_run_depmod(rpm_script_t, rpm_roles) +-modutils_run_insmod(rpm_script_t, rpm_roles) +- -seutil_run_loadpolicy(rpm_script_t, rpm_roles) -seutil_run_setfiles(rpm_script_t, rpm_roles) -seutil_run_semanage(rpm_script_t, rpm_roles) @@ -78155,7 +78295,7 @@ index 6fc360e..dfa0f04 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,41 +379,61 @@ ifdef(`distro_redhat',` +@@ -363,41 +379,59 @@ ifdef(`distro_redhat',` ') ') @@ -78220,14 +78360,13 @@ index 6fc360e..dfa0f04 100644 ') optional_policy(` +- unconfined_domtrans(rpm_script_t) + unconfined_domain_noaudit(rpm_script_t) - unconfined_domtrans(rpm_script_t) + domain_named_filetrans(rpm_script_t) -+ optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +445,6 @@ optional_policy(` +@@ -409,6 +443,6 @@ optional_policy(` ') optional_policy(` @@ -81486,10 +81625,10 @@ index 0000000..b7db254 +# Empty diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..577dfa7 +index 0000000..8a6ad19 --- /dev/null +++ b/sandbox.if -@@ -0,0 +1,55 @@ +@@ -0,0 +1,56 @@ + +## policy for sandbox + @@ -81520,6 +81659,7 @@ index 0000000..577dfa7 + allow sandbox_domain $1:process { sigchld signull }; + allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; + dontaudit sandbox_domain $1:process signal; ++ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; +') + +######################################## @@ -82022,10 +82162,10 @@ index 0000000..e45c73a +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..9ba5803 +index 0000000..4566e9b --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,488 @@ +@@ -0,0 +1,498 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() 
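Review bot: Dropping `unconfined_domtrans(rpm_script_t)` only stops scriptlets from switching label to unconfined_t; `unconfined_domain_noaudit(rpm_script_t)` on the line above remains, so rpm_script_t is still an unconfined-equivalent domain and the reduction is about labelling, not privilege. That is worth stating so nobody reads this block as confining scriptlets: `# rpm_script_t is itself unconfined (unconfined_domain_noaudit); children now stay labelled rpm_script_t instead of transitioning to unconfined_t`. The enclosing optional_policy block continues past the hunk (the `java_domtrans_unconfined` rule is visible just after it), so check that nothing further down still relies on the removed transition.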
@@ -82260,6 +82400,8 @@ index 0000000..9ba5803 + +optional_policy(` + gnome_read_gconf_config(sandbox_x_domain) ++ gnome_dontaudit_rw_inherited_config(sandbox_x_domain) ++ gnome_dontaudit_rw_inherited_config(sandbox_xserver_t) +') + +optional_policy(` @@ -82328,6 +82470,10 @@ index 0000000..9ba5803 +logging_send_syslog_msg(sandbox_x_client_t) + +optional_policy(` ++ avahi_dbus_chat(sandbox_x_client_t) ++') ++ ++optional_policy(` + colord_dbus_chat(sandbox_x_client_t) +') + @@ -82439,6 +82585,10 @@ index 0000000..9ba5803 +') + +optional_policy(` ++ avahi_dbus_chat(sandbox_web_type) ++') ++ ++optional_policy(` + bluetooth_dontaudit_dbus_chat(sandbox_web_type) +') + @@ -86503,7 +86653,7 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index f2f507d..10b5705 100644 +index f2f507d..065cb98 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; @@ -86588,7 +86738,7 @@ index f2f507d..10b5705 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -92,25 +113,34 @@ files_manage_etc_runtime_files(sosreport_t) +@@ -92,25 +113,35 @@ files_manage_etc_runtime_files(sosreport_t) files_etc_filetrans_etc_runtime(sosreport_t, file) fs_getattr_all_fs(sosreport_t) @@ -86615,6 +86765,7 @@ index f2f507d..10b5705 100644 +init_stream_connect(sosreport_t) libs_domtrans_ldconfig(sosreport_t) ++libs_use_ld_so(sosreport_t) logging_read_all_logs(sosreport_t) logging_send_syslog_msg(sosreport_t) @@ -86626,7 +86777,7 @@ index f2f507d..10b5705 100644 optional_policy(` abrt_manage_pid_files(sosreport_t) -@@ -119,6 +149,10 @@ optional_policy(` +@@ -119,6 +150,10 @@ optional_policy(` ') optional_policy(` @@ -86637,7 +86788,7 @@ index f2f507d..10b5705 100644 cups_stream_connect(sosreport_t) ') -@@ -127,6 +161,15 @@ optional_policy(` +@@ -127,6 +162,15 @@ optional_policy(` ') optional_policy(` 
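Review bot: `avahi_dbus_chat(sandbox_web_type)` opens a bidirectional D-Bus channel from the restricted web-browser sandbox to avahi-daemon, i.e. LAN service browsing and registration, which is a new host-interaction path from the most exposed sandbox type; if the motivation is only to silence denials, a dontaudit form, as is done for bluetooth in the block right below, would be the safer choice. If the access is genuinely needed, a comment naming the feature that triggers it would help: `# mDNS service discovery from the browser (confirm) -- otherwise make this dontaudit`. The same call is added for sandbox_x_client_t in the hunk above and the same question applies there.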
@@ -86653,7 +86804,7 @@ index f2f507d..10b5705 100644 fstools_domtrans(sosreport_t) ') -@@ -136,6 +179,10 @@ optional_policy(` +@@ -136,6 +180,10 @@ optional_policy(` optional_policy(` hal_dbus_chat(sosreport_t) ') @@ -86664,7 +86815,7 @@ index f2f507d..10b5705 100644 ') optional_policy(` -@@ -151,9 +198,25 @@ optional_policy(` +@@ -151,9 +199,25 @@ optional_policy(` ') optional_policy(` @@ -89489,7 +89640,7 @@ index 2ac91b6..dd2ac36 100644 ') + diff --git a/svnserve.te b/svnserve.te -index 49d688d..f1c6367 100644 +index 49d688d..f07cc80 100644 --- a/svnserve.te +++ b/svnserve.te @@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) @@ -89533,12 +89684,16 @@ index 49d688d..f1c6367 100644 corenet_all_recvfrom_unlabeled(svnserve_t) corenet_all_recvfrom_netlabel(svnserve_t) corenet_tcp_sendrecv_generic_if(svnserve_t) -@@ -54,6 +62,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t) +@@ -52,8 +60,8 @@ corenet_tcp_sendrecv_svn_port(svnserve_t) + corenet_udp_bind_svn_port(svnserve_t) + corenet_udp_sendrecv_svn_port(svnserve_t) - logging_send_syslog_msg(svnserve_t) +-logging_send_syslog_msg(svnserve_t) ++dev_read_urand(svnserve_t) -miscfiles_read_localization(svnserve_t) -- ++logging_send_syslog_msg(svnserve_t) + sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 @@ -93210,7 +93365,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a330..3e41bff 100644 +index 393a330..44b286b 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -93223,7 +93378,7 @@ index 393a330..3e41bff 100644 type tuned_var_run_t; files_pid_file(tuned_var_run_t) -@@ -29,10 +32,13 @@ files_pid_file(tuned_var_run_t) +@@ -29,10 +32,14 @@ files_pid_file(tuned_var_run_t) # Local policy # 
@@ -93236,10 +93391,11 @@ index 393a330..3e41bff 100644 +allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms; +allow tuned_t self:netlink_socket create_socket_perms; +allow tuned_t self:udp_socket create_socket_perms; ++allow tuned_t self:socket create_socket_perms; read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) -@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) +@@ -41,14 +48,19 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) @@ -93258,11 +93414,12 @@ index 393a330..3e41bff 100644 manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) ++allow tuned_t tuned_var_run_t:file relabel_file_perms; +can_exec(tuned_t, tuned_var_run_t) kernel_read_system_state(tuned_t) kernel_read_network_state(tuned_t) -@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t) +@@ -57,6 +69,8 @@ kernel_request_load_module(tuned_t) kernel_rw_kernel_sysctl(tuned_t) kernel_rw_hotplug_sysctls(tuned_t) kernel_rw_vm_sysctls(tuned_t) @@ -93271,7 +93428,7 @@ index 393a330..3e41bff 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +76,57 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +78,57 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -94979,7 +95136,7 @@ index a4f20bc..9bad8b9 100644 +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..43128c6 100644 +index facdee8..3ad56e3 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ 
@@ -95994,7 +96151,7 @@ index facdee8..43128c6 100644 ## ## ## -@@ -860,74 +658,189 @@ interface(`virt_read_lib_files',` +@@ -860,74 +658,227 @@ interface(`virt_read_lib_files',` ## ## # @@ -96068,12 +96225,10 @@ index facdee8..43128c6 100644 +## Execute virt server in the virt domain. +## +## - ## --## The type of the object to be created. ++## +## Domain allowed to transition. - ## - ## --## ++## ++## +# +interface(`virt_systemctl',` + gen_require(` @@ -96094,11 +96249,11 @@ index facdee8..43128c6 100644 +## +## ## --## The object class of the object being created. +-## The type of the object to be created. +## Domain allowed to transition. ## ## --## +-## +# +interface(`virt_ptrace',` + gen_require(` @@ -96110,7 +96265,29 @@ index facdee8..43128c6 100644 + +####################################### +## -+## Connect to virt over a unix domain stream socket. ++## Manage Sandbox Files ++## ++## + ## +-## The object class of the object being created. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`virt_manage_sandbox_files',` ++ gen_require(` ++ type svirt_sandbox_file_t; ++ ') ++ ++ manage_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++') ++ ++####################################### ++## ++## Relabel Sandbox File systems +## +## ## 
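Review bot: `virt_relabel_sandbox_filesystem` grants `svirt_sandbox_file_t:filesystem { relabelfrom relabelto }`, which is the whole-filesystem relabel checked when mounting with `context=`, not file-level relabeling, and the summary `Relabel Sandbox File systems` does not make that distinction, so a caller that needs to relabel files would get nothing from it. Suggest expanding the summary to `Relabel whole filesystems (mount -o context=) to/from svirt_sandbox_file_t; does not cover file-level relabel`. The new `virt_manage_sandbox_files` interface above it covers dirs, files and symlinks only, so sockets and fifos created inside containers are not managed through it; fine if intended, but worth saying in its summary.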
@@ -96121,9 +96298,27 @@ index facdee8..43128c6 100644 -## # -interface(`virt_pid_filetrans',` -+interface(`virt_stream_connect_sandbox',` ++interface(`virt_relabel_sandbox_filesystem',` gen_require(` - type virt_var_run_t; ++ type svirt_sandbox_file_t; ++ ') ++ ++ allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto }; ++') ++ ++####################################### ++## ++## Connect to virt over a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_stream_connect_sandbox',` ++ gen_require(` + attribute svirt_sandbox_domain; + type svirt_sandbox_file_t; ') @@ -96179,11 +96374,10 @@ index facdee8..43128c6 100644 + optional_policy(` + ptchown_run(virt_domain, $2) + ') - ') - - ######################################## - ## --## Append virt log files. ++') ++ ++######################################## ++## +## Do not audit attempts to write virt daemon unnamed pipes. +## +## @@ -96199,15 +96393,16 @@ index facdee8..43128c6 100644 + + dontaudit $1 virtd_t:fd use; + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Append virt log files. +## Send a sigkill to virtual machines ## ## ## -@@ -935,19 +848,17 @@ interface(`virt_read_log',` +@@ -935,19 +886,17 @@ interface(`virt_read_log',` ## ## # @@ -96231,7 +96426,7 @@ index facdee8..43128c6 100644 ## ## ## -@@ -955,20 +866,17 @@ interface(`virt_append_log',` +@@ -955,20 +904,17 @@ interface(`virt_append_log',` ## ## # @@ -96256,7 +96451,7 @@ index facdee8..43128c6 100644 ## ## ## -@@ -976,18 +884,17 @@ interface(`virt_manage_log',` +@@ -976,18 +922,17 @@ interface(`virt_manage_log',` ## ## # @@ -96279,7 +96474,7 @@ index facdee8..43128c6 100644 ## ## ## -@@ -995,36 +902,57 @@ interface(`virt_search_images',` +@@ -995,36 +940,57 @@ interface(`virt_search_images',` ## ## # 
@@ -96356,7 +96551,7 @@ index facdee8..43128c6 100644 ## ## ## -@@ -1032,20 +960,28 @@ interface(`virt_read_images',` +@@ -1032,20 +998,28 @@ interface(`virt_read_images',` ## ## # @@ -96392,7 +96587,7 @@ index facdee8..43128c6 100644 ## ## ## -@@ -1053,37 +989,129 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,37 +1027,129 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -96536,7 +96731,7 @@ index facdee8..43128c6 100644 ## ## ## -@@ -1091,36 +1119,54 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1157,54 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -96610,7 +96805,7 @@ index facdee8..43128c6 100644 ## ## ## -@@ -1136,50 +1182,36 @@ interface(`virt_manage_images',` +@@ -1136,50 +1220,36 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -96658,11 +96853,11 @@ index facdee8..43128c6 100644 - - logging_search_logs($1) - admin_pattern($1, virt_log_t) -+ allow $1 virt_domain:process signal_perms; - +- - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) -- ++ allow $1 virt_domain:process signal_perms; + - files_search_var($1) - admin_pattern($1, svirt_cache_t) - @@ -96683,7 +96878,7 @@ index facdee8..43128c6 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..eeb0c89 100644 +index f03dcf5..11a3c6f 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,197 @@ 
@@ -98380,7 +98575,7 @@ index f03dcf5..eeb0c89 100644
 +typeattribute svirt_lxc_net_t sandbox_net_domain;
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_lxc_net_t self:capability { kill setuid setgid setfcap sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap };
 dontaudit svirt_lxc_net_t self:capability2 block_suspend;
 -allow svirt_lxc_net_t self:process setrlimit;
 -allow svirt_lxc_net_t self:tcp_socket { accept listen };
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cc101100..bc8d8e5a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -576,6 +576,11 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Mon Jan 9 2014 Miroslav Grepl 3.13.1-12
+- Add gluster fixes
+- Remove ability to transition to unconfined_t from confined domains
+- Additional allow rules to get libvirt-lxc containers working with docker
+
 * Mon Jan 6 2014 Miroslav Grepl 3.13.1-11
 - passwd to create gnome-keyring passwd socket
 - systemd_systemctl needs sys_admin capability
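Review bot: `setfcap` is added to svirt_lxc_net_t next to the existing `chown fowner dac_override`, so a container process can now write file capabilities onto any file it can reach, presumably including binaries on writable bind-mounted host paths; the commit message attributes this to docker but the rule itself carries no comment. Suggest `# setfcap: package installs inside docker images set file capabilities (e.g. on ping) -- confirm` so the grant can be re-evaluated when the use case changes. This capability line is the only change in the hunk; the rest of the svirt_lxc_net_t block lies outside it.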