From a4801c838b7a9751bb63e9ba4aed5aadd06c2263 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Tue, 17 Jan 2017 09:55:15 +0100
Subject: [PATCH] * Tue Jan 17 2017 Lukas Vrabec -
3.13.1-234 - After the latest changes in nfsd. We should allow nfsd_t to read
raw fixed disk. For more info see: BZ(1403017) - Tighten security on containe
types - Make working cracklib_password_check for MariaDB service - Label
20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as
syslog_tls_port_t BZ(1410505)
---
container-selinux.tgz | Bin 5425 -> 5492 bytes
policy-rawhide-base.patch | 144 +++++++-------
policy-rawhide-contrib.patch | 351 ++++++++++++++++++-----------------
selinux-policy.spec | 8 +-
4 files changed, 256 insertions(+), 247 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz
index dfc4dfddfca1b37d2db01a56ef03caed2d1319bb..d4135c69ea287e8205b0e4eb41c247b9c27fddb7 100644
GIT binary patch
literal 5492
zcmV-)6^rU0iwFR8*?m|51MOW~kK8tv&TH4N5bOZ%4(x8X?ZkkcnZY8Shk2MyFq5~<
zuA-7yRZ6R*ib(Zk4gdE&hc{6YNl_}5?FG63yQ`(ckK`eFcy45;RmqaPB=u#!`Q}8Q
zm+<-Fhd221`tA2G&7bgjef{?J58qtBe);+j!uk960sU%h(sP4x0q4KhCsWl0@H
z-xRlXvL>mMZtVU4)6eSZ)96Rq?Dt9i@Yi2=B&rUid_k+GPDzv;4n>|OEU(HaRTCv5
z^3vw5mzE&tgiFI^D(V
zygdK*`eJpas*4W^gI3{FH<;}WyI5fbCm1N;>{mNV$d4%_6gC)XQgTY~ARNi>fAcyG
zb{F|N%AolvtLmK437kIjaXLv;LOI&mG!{#yK(j&^e4Err+VYmyAANgmqj?AYj3hpM
zjSr;WQz*E}3qn=JlA4dm!ZZ78V>O>ppOev!39ic>$?<=YB<=q
z#ct;uJ>%fwwOxp7tk1x6x=U*EHF2FcD4g$tJb>#(P8rT^7tpy_s
z6b+2T7z(JRGaL_Cp{xTIG{ab*@_rj
zVZldJoOh+#a7iqfg2FrHT$)mqC>y6mLaC!F{%%;;n#k(1DfQw1PonC8{7;I%JYjX?
z>LQZ%s$G-3+y+%^Um{Az1)JyA1>&=|jYaV7EBN;s{=HdNKl|k$AHI^EgKIH|Je#&}
zfGzA0H~>W_D8wAd`fzcxkCOU!5eJlaAO^0Dsdo1RWn`bSVv^_S{qS8==8Uty9VmgF
zNkvOlBt|Po@|qMCD(k?h9Oe^$6UmP%EQfVd3Gf35mb(mFB5*ABsL_&l_#@IYLtCUH
zrDTI5xq-=FRq55)0j5}8;R+aWpel?z{Ml3g)URo3hA*nBew@e
zk+b*`8HGPB{8fbS(p?>k1#%ZdE0$q0euTN$8i-=|HJFXxNXe$K8b8CDJS^u0Cb7NU
zsImSmmaW852pJ{MOJ?y#U{vWm&h}bBB?e5t
zE$GX98oE&U6jcbtecGvBO@Ch#q_XR1!c3e2BPJtQhI1yyivq+QHD^|!{%>*QwX=Vd
zZ!bxCyCmwaqKqyL$nCWSF>6Ar;`S0bun4ReDGG|fy1FOJbYEbiQoA5r1@=RcJS>m+
zYC*_^Rr_4Y08m_N*tO#%+vla&i!c!6T0Ua4Qb?Ej1)v@2`l-rN`8TxEft`<%2o(MM
zh%!(~_I!UK?2GHqqBW>*V5?{60EAk~-Rfpp%cn4Qj6wVNFF&;v(64#q4r%b{AuZ}O
z@FR4j#A9x*#L!m0xr?6Dp83nc-yw%odjwr1o5iY0dc8FSqbN1Fec=|F{c+ulF1(
zhJBCwN4p6=w|QNa`$-D_X@-lp^H@)Z(`l_n)bAP@YW$$%+Fxv~&xI-wXhKUrMf4F2
z+#0wM(R^Dbg)sG^Pw%HWGoUgq+3kd?Vg9Iq55aK#JJ-ZmdFjpTl}9cI0EofB(n=H7
z<+nk_W%n%(w(-)&JQ??FDIXPzg@J=gIm_ciRpjXdpW(`(COv2gtN^BhmlwwS5r^Be
zr5&Yl(y*P(avFF``OB{?8;rMiO2Qs5(2*8Kmyb-GApN)p>aDr>m^PRd6U85V6aut$obUcheV)Wi8URMQ4lf%_0=iBDa%_;V&eu7Q}z}lL`Xc)~B4y$fXXbYwu>$KQmNo%^D(VX6E
z50W(>tJjt=Bx`z7i`0Luk^E3PL&l1PZ#_*KrV$ug99PKn%Q7b<2GeT1td_TyrJHg;JR1@9p2&~Q83^XTv
z^H*Ll?yD+_=+~cqi4IlGbaeh8SCv4=rNWvrS(|;(iYF)|&!bIJPy+pN=|@mao}m80
zWfd$j?{?m$R$DyJk;xLWugX|RjB`s(zB5CjR7{)oA2DnP=`Ja^{Oz7Q2yAe=5b803
zCA67jYo5DxD^mo?TJh1jlsMP|nFkctT-l|Hy3bCbzIWLuo((u}x*LY{LA>`G^k%;d
z)217pJ@337&Liyz>o(CyE)aN}U3UMOH8G$Ir;-I!*am-!hgc4@#`AvpA+B=zb&*>i
zrD&)8op;^pFtj>FyO_#RDi8~m8gSk(WkVY@P&!xp@$U0pAaL7#a@cM+
z@D0E=l(0OD_BUmfMc7#G4Cmk0d8zY2`GY#S15CC7NQ_d9R1BN7ig(qd0L7}nc-Kgw
zHZ-y&pe3`q8ykVz>muLhjJJcz9JcYcXxBNW)fs+t;hP^RYzyG=in|X3(O7y|0Hw(W
zC{v2Jlj2ph<`SAV^gznYSF%5Y&90yc#U~7?0bZ}9U0GRKPZy0SRw`3rxF6aMxf}~N
zJhU_$aWo?%5ZRWZF{A5h$G3+K=ZuUWQ9u!vhWEGy>?Nqp?6OcwY(d63-F2h&)S{ri
zDzuN-SDp?OebPyN^E$h=Jeb>6FV^Hm;=;4%JcfZ8j8pB2K3xO}HjeO4Ek<#i3bsH7
zm~s!>)YZP-&v5G*CTxu~)0(Rw+uqNseenma%1d}TbL>0nt@FjaxiArX^4ti;@9OqJ
zGo=UZm@!8(9QA$AtD~77ihm5_!}}n0s#8{?&PJTFj&*TDW`&5LULk&ehar33`yD&J
z+Bc?&I(3x;4>)u$^lPZ}Nf)?AVF?xwAJ2bE*;<
z2t03^1pv>QW(0%6m-wf)DRq<3C=D7#L2
zYhMh{{S9!F6f$8##2b0ugk4UX)FokeRecjm&XcttXvzvJt6SnbL=GYae$aGBvarh0
z=k3^iWB?ZPcX&!klCu037E0!*U(#pzuF3dq4zd#QhWePYQW>{AX1caVwlBI=bVrK9
z1BV<#H!+VTY~j~BPvf%698EBbP*P@4)2%L+Z)OylSywM)<0!^^#fK2{7RKpQnXRy6
z>=0OmDw0~!*cMxR}vuV>Yr16p23qY~!qRGbLkH?AJF
zhlX(K@ap$;>!9usgQ!QhEKs|QgPf+uWaEL^{C^X7QqGEdJ@i2p*BFq7<#L0_$R=qD
zCajcu*OWI)h$-)aexSINGHLz9;vBbwx009(`h4TXwH$7$4|}JDe<5Cr9$9SAm?NNF72~!aqvVrq1nFybZV8U$;gqlp>#63PepAL{^gkvQQ4_
zagge|XG--+Jp=F*n+dxbm7zEnS@i4AAAXMh1s%F2(XV)Nj;Ct5(*{?)<0L#)kyj(m
zm~nl6)LA78sGpLl+WQmV^L6PRftHvXFN@eW{F3)w19G8QJB=6aZ9-#2oAG$)$x5q9
z4{U$$AyI+|ker?7gtFV?glgV3C2qqhUV$4kXFFH8kAZIA>ZGs_Qh4ZA@OhrCFp2mw
z(CM`<1FJ0|hN7*=(|cQmH?nm@m1`8gimUS+#*{ca!O3=smq<(laT^0(M}gDF(I@Yn
z7P>ObZOUEBh>d=qq&uK{9q4rWR=+RSS(oT%
zaULjw?Z6~#Pk2wN>Nc<0xRXGTc}#cyK4jtBC}Vla+gRO-&bJN)wF>ft(yLY5DZnS8
zqtw%AQ`KmuOMv#Kl9-Afy1VpTAC}Tb!#ic=~1$rj<&DCuo|Ve#S*kp6M5;cHCeC2#`8lJPcl*8vNU`(;{G@mTl=%^2bcvXuGFx+@%oyt)_@q3S}u
zR%p89iE3wGIC+BRM#JZwy%N^|jU2#|=U!(VJTgm8Jawe~Y7RKVajZ{yb*#cja~LsKdA
zT<_(RSe&?;)E5EOL`IZQ9elEag+&xK`FJ=_lg<=)tS{}JMn5$*Xhp1e5Z5{7;vOy7
zok5L7VSI`AjYbxoF$R%-C_3gly17s<5$9*kYQ+<=Ie_ZTM*;K}n~TdR#{FEpj1HVC
z!IyV9E~dm#W)8)rI3a77u$JSL-Sd>uP{_|b!Fk;AQD1~@QcO(60=ecqrvo#J)X81G
zM6Yk;U&(67Ejl)QEeTFunvl|BkYaX4AnB;-!6qc)*jhV6=go6s_GBdo>1sqZTy-9D
z!Pa+(FiQ^OAUuuk0}8h94ga<$Twf2!knU_D;y!}mlc1dFK%{}?+hG9iDLQ`7uZwc@
z+z?ip{=L<*9^mtH|AE+?HV_wQ02HNx(2`vK+WV7GUUAzk`O5rrIirn~a>3Weu28hg
zim|e=GO|3`28r7-tO+9Q+4Jc4_R3^4?(WKilBSWV`{ebX7Tt$+lUObBa~0ZF>ARcW
zOZ^Vawc7Ej7s2*Lw|gp2OKK)+cV(3L6?#p>PEqn72<=tC9VkqA`82F3#|CcLyvM9*w891xX`5Yxr^*
zPpXrX$+*Tygh_fKIg7GwP2P5dP$;FD+jMn1DFT8NvhbI_z3upq?$YJvWOv*7@Be%G
z_RX7@gZuxkuOILK`y8Ju%=Nqa?NSI5e&-}k33AWQrJJpJC%2XQT|58fEh7|f2)t@&
zeO2UZ)Tgcl&ei32XD?m^qbUkt{hjcGEXz#!hqM-Ju|!RUS7B+`vbwE`W=~#BXN7rtl3gyMoqwF)>C&a
zEzSX>hUMm13oUnM`E%X^HZGKt=!7W|a}I**;%{fcSgE>th%=zYk;~vHxYgBdB6FV9h<^FqZ+OK`I1|NXIpe_Ue0ex>
zc%%8z@@0TA?Plsc^5My=0VYm@0K`{EK(?4IAD5Y?#<++-e78i$Q6w+ZJVd(Ef7x&m
z4jv_eyo+68o?y)@Wc$)Tdga^U7Zm{RDwdH03V&g7pkNo53O(TCg#+jXGdJlr2&mhM
zV47ggQnuiU#{GtWIeC&kG6IKwJHVsM;K@IsybufJ1|XC?Iufqc!9h02^x01PQ>e
qM>K)9^Kg_T`O^0JuZ%wW-(hke+c#!SC$
z@2XW2t4eKMszu3{4f5aj9Nt7pBt@xIi5GAIiObUANAi$7JU7yDS=3Qlkm@4cyg1V5
z3O+yn_#S`0{qVz;{u4g$-hO!Z;rhdech@hj-oCrOzIqW{9jih5r=fLJ
z1;LB#u8P(qw$hEg|9|>fot_3i(I(HM>hZ6??nqGXN%4l3O%;=(J
zfD~K!dGXVwEVcp=zfY$&_~qp94{&i5pC-x$UvaGx(Nl=$TT}1^=u~R0{ONI*HS7}j`Y7@oe?040guxg4r%}EIL
zF`QSge_x$!NfB1$&nB&ac6D-6Kkl_2s513y!$Sfb22Li;Zr-9=}mpU!U~QsP{7$IJ4(opDI?@J7;#iEO6MRP$nSr#
zIyH7@={iWD`EgxVDWMZMed6MD6vu=zw3BHp7EFO=`7rn{s*tqhEvrBH?yZUD2KpHY
zeE1sfNtIJ5xJffYWyOM;jmW|?`>C;-O{lNQXv+jwlXUN7&XT|Mo
z1pfga4EMjWRge2K-IF-oq%c5yAaQRc1Cht-O!$Pr@&|72N0ftyO%#h{o56Ae)BhtX
zqHTX8c^YdhXH7erY!mQ@NH>WwwqTAbC5iT
z@SCE65otpKwRDE#5sTcX^)85ju&IH=bs7h(_pR{&;tuH|O%Cp>^bYGm%C9(}J!H{}
z5L;ouM^l`2rQ9${%$b71J7!#(QWY;7##uzEr7HGrSl60}>XIq-;r}m#a*zCvvcJ5n
ztH#zvB<)qZCTX$ts@A+jq>S@6&y5SjWo>JV;Ja)1_YVHOUsgZ+<=;O&k)4BSG5a)`
zwr_wfY!NsBMJFi449NI!akGz->TVGSlye{ku8pa7_am)I9@p6<&(p`@yQWBM#{PDo
zICdfwEm;vCtrW>Cl9i~e1E*4$PwY(~KC-YF)=kO5_aIpA6Kn~`G1#M8OK$K-pk{`$
zNJmPE1_fdR6TiyRtCKxUv8u!sFycU4#LS9{B)G3qlY*U-9Cog6zo_qlNBPtlWb-E|
z8W@K>;MkJ)6S&!DW)Sqa*{v;Hw#8L1c25tMdP$(M`-}M(rR&E_dwY|_nu`6@Zp95l36q_#Vp?zyalGnjY
z_3i@7y*!_dla%r8d=Lty!$FJi=^Qjr^>vahAgH&PU>XTc9Pgc*8NucphhaEuaDe
zrr#FyWi}0MC~S&KgzO>iR4=E$s|iBcwKQQS&VUh<5e&mQ6XQ(=;*RPw%Txb1IP%)r
zze%?jq_|rWbyw1wE)B@+wFNONLd)##0y(e0W1>>KAY2LdLl!+Q
zk9fTxWK@@VDrEpDE*0$BVU*-)!S^Bz1lg7k->f9kg?a&K2fBXBqLBU#rF3BDgD3z+
z{~@3?s3bYtUr7DU^=IB1)HkrzvvUA^E#+=?v#jM~7(3da{p**X+Y0DY9=Uz&J$gus
zIt~2r9Vz~pnJXc*m2K|4=d@@3GVmMZkZcd93q-T(a*|$e3;{{cTGc?S0?|L_f?(@C
zg^FR{WB$=@g3n!Al|?>D;XlrBv34Hn>99Jj<%qgnBSVcJbX@a`t?@Zm1w2h?;im{b
zgMnKCHv*b&izwr!Uhw7PG-n1>#w5F$P&UjR6>uSFu7B&A7%MNldA;(;We)&87+6|r
z!m9k%tGMXC!NE3OTAL^1o-OI4La{J#P)TQbxG%Fbeq=LTI@E**ErJzL%i!g?_I||S
z_G)QIX&5#2PGmU^yrt~r6Uzo;?VXaa#|m_$h1TT*Q}r~Y!Q;bX{^o%?G*9nHa$R!4
zdpHhC&C?K;(|LM)e!4mj>-}_HBW_f-#I{Kgh$JbL+Ax63P|~
zMk1GyWjvUw;19@YZJRjDf3Np&NCn&1;c6%Bf>H5kfERlP=LM*ou%T6t`x3g#HPw^~
zZhyTM1K+DMBXP999OZo5+_^c$F4d3I@c>v`6CVw&S=?dO%?WM61nA)@{x?J8Qc9HR{y;F`
zcfRzneIq^zDa$REAfsV?8$bWk25D+?tTRUL^Iz}Zf4IIHp8xvreE#cee7L$$EF`aHED$U
z2a{E>#GKoCms)P|EJr4ZNM05pml$V;np|gwc&U&!>pw!+4&q%@Y}wnKIS5Q}su1ci
zo+Xr-WNMzhbt_#2iCXc|nUFZx0+9z4R!rHYlDf}MuD*BK$e#^3ue%$D^j^Go8uWU<
zG}ERVojvQk9nK@=2m#=rA-oMZ1{NQOXfBnHq4`FJ(d-G*CEK`|<9xULnT{&-a5>j*ryHz%M<-
zPEjZFh8nOpw1W=6+VPRrJgeA*8_p{8EH!&pd#HW0x(hxu@~w6BNrzQw4$y8b9T&Uw
zWU7Z}MuZ`}%#7+{w~19eNveK48x|RYi8yH&OXdD>Cgfl_*UT_G8x%A!8g{G!d)c#(
zEA(I$q-MXL^@~j1cia6FR#cP)d{>88+}<>8ca&tC8!&sLb(*F1WAHhMcjbK%+@`SI
zZr~e$Z78YJB*<@zG6}G;%o)zUtZ?TijD2P4K*1N4)HkoQTf>97U3FqjUL-a=bIzk5n8rBSp5V*5mtbQEH*zuZ<5aK(
z)_^JYuuWCw?S6(^&oE(Yq?yKC1=03?UhSJdXjxpq%b8=}QE#m;=FNqP*pugmFMe0I
z_nIj^Xv>T_km0EBJ6;{kbYJ{K81LT)p;H~R5_vY_n02hPBQncJ1oaBB`#Ut*^U>|t
zan-)jP1LE&g!fI~lje0too``gR#|+UwaQ#qD$JcM9+;CShX>};c#~JV3)5$W1@XjP
z({~oDrYy6~nv=tig573{9~1t1d3@99hT~MBolH1h1$dZXb=uOjHFZvuxee1P!fEUR
zg*gk~6LYfA^TeGj_&jmdS+b>pCriOGTpvl;xpZry1z|eZzH1hzSHO*YOT|d0{G!T%cX`uSfCWOy49-c++&E0z?XIi%``fB@+zX`FF8xrexz}o8Cl&D-y^aYDe!~FJCgWS
zjy`Y8?jr)Qn7_kPN}{+hg
zY*ln0vRK&zsK`l5Z!PpJ#Dnswp!7biu6-coSBLd;rqtc
zqxR4cP90W#PPZ274l#&&bjt#@%{WMDtW7o+m`(pTvM1%NnAbxcRI!Z#Y3fvL5DD2t
zO;&R&<-s=P^%8u_+n^sQE~P|RKOsNIZQ-pTW`aK5IB^Y!o2q?oweZjRYu>}PgTfB*
z%3SLPCUBY25f)ntr~4Z7%Vw6wYt`@gBJc`&vZUA5X^=g{{P-rO(@lxyCs7=t8=y)P
zf;!kXP4LGa
ztOA&9DC9yAjVhoWaJ7p)?}WHVW8AV7U-I2xxe?JT44^oO
z9Z3N}ERPM3Fwb{x4Tcq1Jo?6LQR_7#fI}C)%>V#OCRG~{Ul!IX
zn(U5AsJbd0_2OM$Sf!I9E6cqX)M%ALvy#0{DVV~Tay6=p35)!I0;5Xepu~t)W-g?B
zbdyRc51gwM->IoOWa6qo%uuBEp)24YC2>=wW-H!=+wHGiBj!qxODzSWrtl)GhzFT3
z2h=zSb=@(g`lOBlIK^hdu0};D&PEpe`j1cl2>uBjx+B4_cyf-VYT45USH0sTELD+J
z!_Sy8eSXwg#S6%vf~m^;6F#tY=^TNUm>DmN*f;Ew_gw>WAzNFG7v^n3V?>$pc<9MU
zt4Q~C{@@^yf(VeToo0lh+v9|C-Zceo!!cfg8`jo#u5cd%-M-aHVIQRM(5~RKJX>xO
zv1OprYi-6uTcoN(^_#o^)Lf6uVe?UR6)m?>T^a3$Qp$ye51bCHwgexFwjxLGjfG?~
z$<#7-0bw#2w)=K|!FN2`H^tsa)(w@eQT)oU&a)U({OklH+eJbLcTGiuD0#4>I-PwDeg>Rw^#U*cJbxS(eI^@(c$m2^dS8b;N
zn}n89r@^MI&`cKq?M)>i9sm6rH+Po%7`&H8Dlq_1TSy_n!^@Pn-ajZ{G)Rr=CkN3%YcTLXm
z5r?o|tm~(a__bZ5r8+T!k=mx6Wd=15PbnMEbg*-E=n@zj)We*I;LGq{0oP%@!5uau
zw!BKM5C;LLme-=y0>Lri*u`nBzsc%RGMtV!uR*^Wg}22Jw6Duf2o(J<2KnmP%0vt7
zyJLHz+q%~?@^-^lnA%I=1d1i?t?#Y_79R77IC6P)J|;rt
zg?z2hw8<0M&c1MR1kJUE&pUg?uK^l4fF;ho&Nz6amz;R&Ncq()aGK*-o$~6O)v@m9
z@)n+vWRmf#gk0}N^GX(icV>btREH}mgQFr7<9%EMEXAKnD6N3LcN5apVh17Px$5lsy7=2&|6F{F0B~9OKD^a
z;_p>tRZ7ORGbF&XPFcq1zJ10g)==^eg)Tp5YnIc7Lz&%EnZaxqjx
z5)`GL(1Kk2+WR{=&e_o|d9DAAkkLkp(5I`7-RP+Kfbm#au$YoG+Iq!Z$FOe2UpH&W
z9Xh03&3g4Z_`SU+Ru4AXl0Sq#s0;kG`qLor>u%}DUs0h)jC=N*wSf(y?6Kcf2P+C^vCIvn2V~9H_mwz|2R0$f_&W!KPDJXS6XULca!e_efe|9*J?*VPZt_kVqj&n4#iT>f^!
z*A%;R4yOcp02`W{+0BiRu+>dF)5I+U6mJN-Y-n|vrE63zE;-KS#rG#~-gu))6<%D6
zjHo71@u!IvfnKLYi?c7~W=Bhx0miWV)OqB>6Gww5P67|a
z>jNNL%$ASKOjB)K_#eJnqT?u%muVg%U8=uqwg?9gl0eSIE-;U<<|VRu=^woE&G3r~
z0DBe7$N`DJusD#gi%W$b@ZrJ%^n#h2bQ=Uv?L;s|FlQ+n@Oa~X!@rz5Ngo-3Ll+j{
z(Pi+&pHN+hg<=EXN*=lS#edHy_qmiqi3jR{!d0H6Q>A^5H^
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 148e1caa..df71d930 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5948,7 +5948,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..9729941 100644
+index b191055..4d57db3 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -6302,8 +6302,9 @@ index b191055..9729941 100644
+network_port(swift, tcp,6200-6203,s0)
network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
-network_port(syslogd, udp,514,s0)
-+network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
- network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+-network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
++network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0, tcp,20514,s0, udp,20514,s0)
++network_port(syslog_tls, tcp,6514,s0, udp,6514,s0, tcp,10514,s0, udp,10514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -51833,7 +51834,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..adc5f75 100644
+index 9dc60c6..269ce67 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -53002,11 +53003,12 @@ index 9dc60c6..adc5f75 100644
##############################
#
# Local policy
-@@ -907,53 +1195,142 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1195,143 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
+ allow $1_usertype self:cap_userns { sys_admin sys_chroot };
++ dontaudit $1_usertype self:cap_userns sys_ptrace;
+ allow $1_usertype self:dir { add_name write };
- auth_role($1_r, $1_t)
@@ -53159,7 +53161,7 @@ index 9dc60c6..adc5f75 100644
')
#######################################
-@@ -987,27 +1364,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1365,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -53197,7 +53199,7 @@ index 9dc60c6..adc5f75 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1401,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1402,63 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -53271,7 +53273,7 @@ index 9dc60c6..adc5f75 100644
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1466,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1467,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -53282,7 +53284,7 @@ index 9dc60c6..adc5f75 100644
')
')
-@@ -1079,7 +1504,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1505,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -53293,7 +53295,7 @@ index 9dc60c6..adc5f75 100644
')
##############################
-@@ -1095,6 +1522,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1523,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -53301,7 +53303,7 @@ index 9dc60c6..adc5f75 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1533,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1534,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -53318,7 +53320,7 @@ index 9dc60c6..adc5f75 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1550,8 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1551,8 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -53327,7 +53329,7 @@ index 9dc60c6..adc5f75 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1569,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1570,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -53343,7 +53345,7 @@ index 9dc60c6..adc5f75 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1588,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1589,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -53388,7 +53390,7 @@ index 9dc60c6..adc5f75 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1631,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1632,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -53397,7 +53399,7 @@ index 9dc60c6..adc5f75 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1640,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1641,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -53420,7 +53422,7 @@ index 9dc60c6..adc5f75 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1690,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1691,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -53429,7 +53431,7 @@ index 9dc60c6..adc5f75 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1700,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1701,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -53438,7 +53440,7 @@ index 9dc60c6..adc5f75 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1714,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1715,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -53450,7 +53452,7 @@ index 9dc60c6..adc5f75 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1728,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1729,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -53493,7 +53495,7 @@ index 9dc60c6..adc5f75 100644
')
optional_policy(`
-@@ -1357,14 +1813,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1814,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -53512,7 +53514,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -1397,12 +1856,52 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1857,52 @@ interface(`userdom_user_tmp_file',`
##
#
interface(`userdom_user_tmpfs_file',`
@@ -53566,7 +53568,7 @@ index 9dc60c6..adc5f75 100644
## Allow domain to attach to TUN devices created by administrative users.
##
##
-@@ -1509,11 +2008,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +2009,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -53598,7 +53600,7 @@ index 9dc60c6..adc5f75 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1555,6 +2074,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2075,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -53613,7 +53615,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -1570,9 +2097,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2098,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -53625,7 +53627,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -1613,6 +2142,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2143,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
##
@@ -53650,7 +53652,7 @@ index 9dc60c6..adc5f75 100644
## Relabel to user home directories.
##
##
-@@ -1631,6 +2178,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2179,59 @@ interface(`userdom_relabelto_user_home_dirs',`
########################################
##
@@ -53710,7 +53712,7 @@ index 9dc60c6..adc5f75 100644
## Create directories in the home dir root with
## the user home directory type.
##
-@@ -1704,10 +2304,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2305,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -53725,7 +53727,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -1741,10 +2343,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2344,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -53740,7 +53742,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -1769,7 +2373,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2374,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -53749,7 +53751,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -1777,19 +2381,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2382,17 @@ interface(`userdom_manage_user_home_content_dirs',`
##
##
#
@@ -53773,7 +53775,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -1797,55 +2399,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2400,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
#
@@ -53844,7 +53846,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -1853,18 +2455,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2456,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
##
##
#
@@ -53872,7 +53874,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -1872,13 +2475,163 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,13 +2476,163 @@ interface(`userdom_mmap_user_home_content_files',`
##
##
#
@@ -54043,7 +54045,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -1893,11 +2646,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2647,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -54061,7 +54063,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -1938,7 +2694,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2695,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -54070,7 +54072,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -1946,10 +2702,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2703,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -54083,7 +54085,7 @@ index 9dc60c6..adc5f75 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2713,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2714,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -54092,7 +54094,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -1966,12 +2721,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2722,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -54161,7 +54163,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -2007,8 +2816,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2817,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -54171,7 +54173,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -2024,20 +2832,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2833,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -54196,7 +54198,7 @@ index 9dc60c6..adc5f75 100644
########################################
##
-@@ -2120,7 +2922,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2923,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -54205,7 +54207,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -2128,19 +2930,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2931,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -54229,7 +54231,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -2148,12 +2948,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2949,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -54245,7 +54247,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -2388,18 +3188,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3189,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
##
##
#
@@ -54303,7 +54305,7 @@ index 9dc60c6..adc5f75 100644
## Do not audit attempts to read users
## temporary files.
##
-@@ -2414,7 +3250,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3251,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -54312,7 +54314,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -2455,6 +3291,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3292,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -54338,7 +54340,7 @@ index 9dc60c6..adc5f75 100644
########################################
##
-@@ -2538,7 +3393,27 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3394,27 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
@@ -54367,7 +54369,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -2566,6 +3441,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,6 +3442,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
##
##
#
@@ -54395,7 +54397,7 @@ index 9dc60c6..adc5f75 100644
interface(`userdom_manage_user_tmp_pipes',`
gen_require(`
type user_tmp_t;
-@@ -2661,6 +3557,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3558,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -54417,7 +54419,7 @@ index 9dc60c6..adc5f75 100644
########################################
##
## Read user tmpfs files.
-@@ -2672,18 +3583,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3584,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
##
#
interface(`userdom_read_user_tmpfs_files',`
@@ -54439,7 +54441,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -2692,19 +3598,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3599,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -54462,7 +54464,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -2713,13 +3613,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3614,56 @@ interface(`userdom_rw_user_tmpfs_files',`
##
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -54523,7 +54525,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -2814,6 +3757,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3758,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -54548,7 +54550,7 @@ index 9dc60c6..adc5f75 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3793,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3794,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -54591,7 +54593,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -2856,14 +3829,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3830,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -54629,7 +54631,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -2882,8 +3874,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3875,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -54659,7 +54661,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -2955,6 +3966,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +3967,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -54702,7 +54704,7 @@ index 9dc60c6..adc5f75 100644
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2978,24 +4025,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2978,24 +4026,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -54727,7 +54729,7 @@ index 9dc60c6..adc5f75 100644
########################################
##
## Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4043,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3014,9 +4044,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -54739,7 +54741,7 @@ index 9dc60c6..adc5f75 100644
## memory segments.
##
##
-@@ -3025,17 +4054,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,17 +4055,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -54760,7 +54762,7 @@ index 9dc60c6..adc5f75 100644
## memory segments.
##
##
-@@ -3044,12 +4073,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
+@@ -3044,12 +4074,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
##
##
#
@@ -54775,7 +54777,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -3094,7 +4123,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4124,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -54784,7 +54786,7 @@ index 9dc60c6..adc5f75 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4139,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4140,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -54818,7 +54820,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -3214,7 +4227,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4228,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -54845,7 +54847,7 @@ index 9dc60c6..adc5f75 100644
')
########################################
-@@ -3269,12 +4300,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4301,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -54861,7 +54863,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -3282,54 +4314,56 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,54 +4315,56 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -54933,7 +54935,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -3337,18 +4371,92 @@ interface(`userdom_getattr_all_users',`
+@@ -3337,18 +4372,92 @@ interface(`userdom_getattr_all_users',`
##
##
#
@@ -55030,7 +55032,7 @@ index 9dc60c6..adc5f75 100644
##
##
##
-@@ -3382,6 +4490,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4491,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -55073,7 +55075,7 @@ index 9dc60c6..adc5f75 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4546,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4547,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -55134,7 +55136,7 @@ index 9dc60c6..adc5f75 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4633,1817 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4634,1817 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 924f8626..a8c9dfc3 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -56762,7 +56762,7 @@ index 687af38..5381f1b 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 7584bbe..31069d2 100644
+index 7584bbe..1443a3a 100644
--- a/mysql.te
+++ b/mysql.te
@@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
@@ -56850,11 +56850,13 @@ index 7584bbe..31069d2 100644
logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-@@ -95,50 +100,64 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -95,50 +100,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
-kernel_read_kernel_sysctls(mysqld_t)
++usermanage_read_crack_db(mysqld_t)
++
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+
kernel_read_network_state(mysqld_t)
@@ -56933,7 +56935,7 @@ index 7584bbe..31069d2 100644
')
optional_policy(`
-@@ -146,6 +165,10 @@ optional_policy(`
+@@ -146,6 +167,10 @@ optional_policy(`
')
optional_policy(`
@@ -56944,7 +56946,7 @@ index 7584bbe..31069d2 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -155,21 +178,20 @@ optional_policy(`
+@@ -155,21 +180,20 @@ optional_policy(`
#######################################
#
@@ -56972,7 +56974,7 @@ index 7584bbe..31069d2 100644
list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-@@ -177,9 +199,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +201,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -56983,7 +56985,7 @@ index 7584bbe..31069d2 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +207,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +209,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
@@ -56999,9 +57001,9 @@ index 7584bbe..31069d2 100644
+files_dontaudit_access_check_root(mysqld_safe_t)
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-
-+files_write_root_dirs(mysqld_safe_t)
+
++files_write_root_dirs(mysqld_safe_t)
+
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
logging_send_syslog_msg(mysqld_safe_t)
@@ -57019,7 +57021,7 @@ index 7584bbe..31069d2 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -209,7 +237,7 @@ optional_policy(`
+@@ -209,7 +239,7 @@ optional_policy(`
########################################
#
@@ -57028,7 +57030,7 @@ index 7584bbe..31069d2 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +246,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +248,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -57046,7 +57048,7 @@ index 7584bbe..31069d2 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -230,31 +259,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +261,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -69237,10 +69239,6 @@ index 0000000..80246e6
+ can_exec($1, pcp_pmlogger_exec_t)
+')
+
-diff --git a/pcp.pp b/pcp.pp
-new file mode 100644
-index 0000000..fa4cfaa
-Binary files /dev/null and b/pcp.pp differ
diff --git a/pcp.te b/pcp.te
new file mode 100644
index 0000000..04a0b20
@@ -91064,7 +91062,7 @@ index 0bf13c2..ed393a0 100644
files_list_tmp($1)
admin_pattern($1, gssd_tmp_t)
diff --git a/rpc.te b/rpc.te
-index 2da9fca..6935f5c 100644
+index 2da9fca..a37f579 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@@ -91319,7 +91317,8 @@ index 2da9fca..6935f5c 100644
-# fs_manage_nfsd_fs(nfsd_t)
+fs_manage_nfsd_fs(nfsd_t)
- storage_dontaudit_read_fixed_disk(nfsd_t)
+-storage_dontaudit_read_fixed_disk(nfsd_t)
++storage_raw_read_fixed_disk(nfsd_t)
storage_raw_read_removable_device(nfsd_t)
+allow nfsd_t nfsd_unit_file_t:file manage_file_perms;
@@ -114658,10 +114657,10 @@ index facdee8..2cff369 100644
+ domtrans_pattern($1,container_file_t, $2)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..481f902 100644
+index f03dcf5..8036117 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,451 +1,403 @@
+@@ -1,451 +1,410 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -114744,6 +114743,13 @@ index f03dcf5..481f902 100644
-## can use nfs file systems.
-##
+##
++## Allow sandbox containers to share apache content
++##
++##
++gen_tunable(virt_sandbox_share_apache_content, false)
++
++##
++##
+## Allow sandbox containers manage fuse files
+##
+##
@@ -114828,15 +114834,15 @@ index f03dcf5..481f902 100644
+##
+##
+gen_tunable(virt_sandbox_use_audit, true)
-+
+
+-attribute svirt_lxc_domain;
+##
+##
+## Allow sandbox containers to use netlink system calls
+##
+##
+gen_tunable(virt_sandbox_use_netlink, false)
-
--attribute svirt_lxc_domain;
++
+##
+##
+## Allow sandbox containers to use sys_admin system calls, for example mount
@@ -114885,10 +114891,10 @@ index f03dcf5..481f902 100644
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
++
++type qemu_exec_t, virt_file_type;
-type virt_cache_t alias svirt_cache_t;
-+type qemu_exec_t, virt_file_type;
-+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
@@ -115257,11 +115263,9 @@ index f03dcf5..481f902 100644
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-+allow svirt_t self:process ptrace;
-
+-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
++allow svirt_t self:process ptrace;
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
@@ -115269,7 +115273,9 @@ index f03dcf5..481f902 100644
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
@@ -115375,7 +115381,7 @@ index f03dcf5..481f902 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +407,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +414,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -115422,22 +115428,22 @@ index f03dcf5..481f902 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +442,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +449,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
-can_exec(virtd_t, virt_tmp_t)
+# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
@@ -115456,7 +115462,7 @@ index f03dcf5..481f902 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +467,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +474,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -115484,7 +115490,7 @@ index f03dcf5..481f902 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +487,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +494,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -115515,7 +115521,7 @@ index f03dcf5..481f902 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +539,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +546,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -115535,7 +115541,7 @@ index f03dcf5..481f902 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +561,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +568,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -115572,7 +115578,7 @@ index f03dcf5..481f902 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +589,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +596,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -115581,7 +115587,7 @@ index f03dcf5..481f902 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +614,12 @@ optional_policy(`
+@@ -665,20 +621,12 @@ optional_policy(`
')
optional_policy(`
@@ -115602,7 +115608,7 @@ index f03dcf5..481f902 100644
')
optional_policy(`
-@@ -691,20 +632,26 @@ optional_policy(`
+@@ -691,20 +639,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -115633,7 +115639,7 @@ index f03dcf5..481f902 100644
')
optional_policy(`
-@@ -712,11 +659,18 @@ optional_policy(`
+@@ -712,11 +666,18 @@ optional_policy(`
')
optional_policy(`
@@ -115652,7 +115658,7 @@ index f03dcf5..481f902 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +681,18 @@ optional_policy(`
+@@ -727,10 +688,18 @@ optional_policy(`
')
optional_policy(`
@@ -115671,7 +115677,7 @@ index f03dcf5..481f902 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +708,336 @@ optional_policy(`
+@@ -746,44 +715,336 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -115869,7 +115875,7 @@ index f03dcf5..481f902 100644
+storage_raw_read_removable_device(virt_domain)
+
+sysnet_read_config(virt_domain)
-
++
+term_use_all_inherited_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
@@ -115986,7 +115992,7 @@ index f03dcf5..481f902 100644
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
-+
+
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
@@ -116030,7 +116036,7 @@ index f03dcf5..481f902 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1048,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1055,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -116057,7 +116063,7 @@ index f03dcf5..481f902 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1068,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1075,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -116074,10 +116080,10 @@ index f03dcf5..481f902 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -116091,7 +116097,7 @@ index f03dcf5..481f902 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1105,20 @@ optional_policy(`
+@@ -856,14 +1112,20 @@ optional_policy(`
')
optional_policy(`
@@ -116113,7 +116119,7 @@ index f03dcf5..481f902 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1143,66 @@ optional_policy(`
+@@ -888,49 +1150,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -116198,7 +116204,7 @@ index f03dcf5..481f902 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1214,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1221,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -116218,7 +116224,7 @@ index f03dcf5..481f902 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1235,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1242,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -116242,7 +116248,7 @@ index f03dcf5..481f902 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1260,376 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1267,370 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -116269,12 +116275,12 @@ index f03dcf5..481f902 100644
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ container_exec_lib(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
@@ -116315,7 +116321,89 @@ index f03dcf5..481f902 100644
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
-+
+
+-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
+-allow svirt_lxc_domain virtd_lxc_t:fd use;
+-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+-
+-allow svirt_lxc_domain virsh_t:fd use;
+-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virsh_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
+-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
+-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+-
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
+-kernel_read_kernel_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_read_system_state(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-# files_entrypoint_all_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
+-files_read_usr_files(svirt_lxc_domain)
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
+-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
+-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
+-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+-
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
+-miscfiles_read_localization(svirt_lxc_domain)
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
@@ -116413,96 +116501,12 @@ index f03dcf5..481f902 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-
--allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
--allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
--allow svirt_lxc_domain self:fifo_file manage_file_perms;
--allow svirt_lxc_domain self:sem create_sem_perms;
--allow svirt_lxc_domain self:shm create_shm_perms;
--allow svirt_lxc_domain self:msgq create_msgq_perms;
--allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
--allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
--
--allow svirt_lxc_domain virtd_lxc_t:fd use;
--allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virtd_lxc_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
--
--allow svirt_lxc_domain virsh_t:fd use;
--allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virsh_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
--allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
--
--manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
--allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
--allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
--
--can_exec(svirt_lxc_domain, svirt_lxc_file_t)
--
--kernel_getattr_proc(svirt_lxc_domain)
--kernel_list_all_proc(svirt_lxc_domain)
--kernel_read_kernel_sysctls(svirt_lxc_domain)
--kernel_rw_net_sysctls(svirt_lxc_domain)
--kernel_read_system_state(svirt_lxc_domain)
--kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
--
--corecmd_exec_all_executables(svirt_lxc_domain)
--
--files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
--files_dontaudit_getattr_all_files(svirt_lxc_domain)
--files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
--files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
--files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
--files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
--files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
--# files_entrypoint_all_files(svirt_lxc_domain)
--files_list_var(svirt_lxc_domain)
--files_list_var_lib(svirt_lxc_domain)
--files_search_all(svirt_lxc_domain)
--files_read_config_files(svirt_lxc_domain)
--files_read_usr_files(svirt_lxc_domain)
--files_read_usr_symlinks(svirt_lxc_domain)
--
--fs_getattr_all_fs(svirt_lxc_domain)
--fs_list_inotifyfs(svirt_lxc_domain)
--
--# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
--# fs_rw_inherited_cifs_files(svirt_lxc_domain)
--# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
--
--auth_dontaudit_read_login_records(svirt_lxc_domain)
--auth_dontaudit_write_login_records(svirt_lxc_domain)
--auth_search_pam_console_data(svirt_lxc_domain)
--
--clock_read_adjtime(svirt_lxc_domain)
--
--init_read_utmp(svirt_lxc_domain)
--init_dontaudit_write_utmp(svirt_lxc_domain)
--
--libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
--
--miscfiles_read_localization(svirt_lxc_domain)
--miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
--miscfiles_read_fonts(svirt_lxc_domain)
--
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+optional_policy(`
-+ apache_exec_modules(svirt_sandbox_domain)
-+ apache_read_sys_content(svirt_sandbox_domain)
-+')
+
+optional_policy(`
-+ gear_read_pid_files(svirt_sandbox_domain)
++tunable_policy(`virt_sandbox_share_apache_content',`
++ apache_exec_modules(svirt_sandbox_domain)
++ apache_read_sys_content(svirt_sandbox_domain)
++ ')
+')
+
+optional_policy(`
@@ -116592,15 +116596,11 @@ index f03dcf5..481f902 100644
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+tunable_policy(`virt_sandbox_use_mknod',`
-+ allow container_t self:capability mknod;
-+')
-
+-
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_all_caps',`
-+ allow container_t self:capability all_capability_perms;
-+ allow container_t self:capability2 all_capability2_perms;
++tunable_policy(`virt_sandbox_use_mknod',`
++ allow container_t self:capability mknod;
+')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
@@ -116613,6 +116613,14 @@ index f03dcf5..481f902 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_all_caps',`
++ allow container_t self:capability all_capability_perms;
++ allow container_t self:capability2 all_capability2_perms;
++')
+
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow container_t self:netlink_socket create_socket_perms;
+ allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -116629,32 +116637,30 @@ index f03dcf5..481f902 100644
+ logging_dontaudit_send_audit_msgs(container_t)
+')
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-+allow container_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow container_t virt_lxc_var_run_t:file read_file_perms;
-
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
-+kernel_read_irq_sysctls(container_t)
-+kernel_read_messages(container_t)
++allow container_t virt_lxc_var_run_t:dir list_dir_perms;
++allow container_t virt_lxc_var_run_t:file read_file_perms;
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
-dev_read_rand(svirt_lxc_net_t)
-dev_read_sysfs(svirt_lxc_net_t)
-dev_read_urand(svirt_lxc_net_t)
++kernel_read_irq_sysctls(container_t)
++kernel_read_messages(container_t)
+
+-files_read_kernel_modules(svirt_lxc_net_t)
+dev_read_sysfs(container_t)
+dev_read_mtrr(container_t)
+dev_read_rand(container_t)
+dev_read_urand(container_t)
--files_read_kernel_modules(svirt_lxc_net_t)
-+files_read_kernel_modules(container_t)
-
-fs_mount_cgroup(svirt_lxc_net_t)
-fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
++files_read_kernel_modules(container_t)
+
+-auth_use_nsswitch(svirt_lxc_net_t)
+fs_noxattr_type(container_file_t)
+# Do we actually need these?
+fs_mount_cgroup(container_t)
@@ -116663,19 +116669,14 @@ index f03dcf5..481f902 100644
+# Needed for docker
+fs_unmount_xattr_fs(container_t)
--auth_use_nsswitch(svirt_lxc_net_t)
+-logging_send_audit_msgs(svirt_lxc_net_t)
+term_pty(container_file_t)
--logging_send_audit_msgs(svirt_lxc_net_t)
-+auth_use_nsswitch(container_t)
-
-userdom_use_user_ptys(svirt_lxc_net_t)
-+rpm_read_db(container_t)
++logging_send_syslog_msg(container_t)
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
-+logging_send_syslog_msg(container_t)
-+
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(container_t)
')
@@ -116763,7 +116764,7 @@ index f03dcf5..481f902 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1642,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1643,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -116778,7 +116779,7 @@ index f03dcf5..481f902 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1660,7 @@ optional_policy(`
+@@ -1192,7 +1661,7 @@ optional_policy(`
########################################
#
@@ -116787,7 +116788,7 @@ index f03dcf5..481f902 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1669,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1670,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 88f81d60..85fbc1e8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 233%{?dist}
+Release: 234%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,12 @@ exit 0
%endif
%changelog
+* Tue Jan 17 2017 Lukas Vrabec - 3.13.1-234
+- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017)
+- Tighten security on containe types
+- Make working cracklib_password_check for MariaDB service
+- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505)
+
* Sun Jan 08 2017 Lukas Vrabec - 3.13.1-233
-Allow thumb domain sendto via dgram sockets. BZ(1398813)
- Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)