* Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149

- Add few rules related to new policy for pkcs11proxyd - Added new policy for pkcs11proxyd daemon - We need to require sandbox_web_type attribute in sandbox_x_domain_template(). - Dontaudit abrt_t to rw lvm_lock_t dir. - Allow abrt_d domain to write to kernel msg device. - Add interface lvm_dontaudit_rw_lock_dir() - Merge pull request #35 from lkundrak/lr-libreswan
2015-09-29 18:17:13 +02:00 · 2015-09-29 18:17:13 +02:00 · b03747cd87
commit b03747cd87
parent 23d80687e0
3 changed files with 382 additions and 86 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -1,5 +1,5 @@
 diff --git a/Makefile b/Makefile
-index ec7b5cb..029dcaf 100644
+index ec7b5cb..a027110 100644
 --- a/Makefile
 +++ b/Makefile
@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
@ -19,7 +19,7 @@ index ec7b5cb..029dcaf 100644
 net_contexts := $(builddir)net_contexts
 all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -609,15 +610,17 @@ resetlabels:
+@@ -609,15 +610,16 @@ resetlabels:
 # Clean everything
 #
 bare: clean
@ -32,7 +32,6 @@ index ec7b5cb..029dcaf 100644
 -	rm -f $(booleans)
 -	rm -fR $(htmldir)
 -	rm -f $(tags)
 +	echo "hehe kde jsem asi tak"
 +	pwd
 +	#rm -f $(polxml)
 +	#rm -f $(layerxml)
@ -35357,7 +35356,7 @@ index 0d4c8d3..720ece8 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..dd6638a 100644
+index 312cd04..30cecca 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -35370,7 +35369,17 @@ index 312cd04..dd6638a 100644
 type ipsec_mgmt_lock_t;
 files_lock_file(ipsec_mgmt_lock_t)
-@@ -72,24 +75,32 @@ role system_r types setkey_t;
+@@ -67,29 +70,42 @@ type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
 role system_r types setkey_t;
 +# The NetworkManager helper communicates the password via PTY
 +type ipsec_mgmt_devpts_t;
 +term_pty(ipsec_mgmt_devpts_t)
 +files_type(ipsec_mgmt_devpts_t)
 +
 ########################################
 #
 # ipsec Local policy
 #
@ -35408,7 +35417,7 @@ index 312cd04..dd6638a 100644
 manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
 manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-@@ -110,10 +121,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+@@ -110,10 +126,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
 allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
 allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
@ -35421,7 +35430,7 @@ index 312cd04..dd6638a 100644
 kernel_list_proc(ipsec_t)
 kernel_read_proc_symlinks(ipsec_t)
 # allow pluto to access /proc/net/ipsec_eroute;
-@@ -128,20 +139,22 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +144,22 @@ corecmd_exec_shell(ipsec_t)
 corecmd_exec_bin(ipsec_t)
 # Pluto needs network access
@ -35451,7 +35460,7 @@ index 312cd04..dd6638a 100644
 dev_read_sysfs(ipsec_t)
 dev_read_rand(ipsec_t)
-@@ -157,24 +170,32 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,24 +175,32 @@ files_dontaudit_search_home(ipsec_t)
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
@ -35486,7 +35495,7 @@ index 312cd04..dd6638a 100644
 	seutil_sigchld_newrole(ipsec_t)
 ')
-@@ -187,10 +208,10 @@ optional_policy(`
+@@ -187,14 +213,15 @@ optional_policy(`
 # ipsec_mgmt Local policy
 #
@ -35501,7 +35510,12 @@ index 312cd04..dd6638a 100644
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+ allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 +allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -208,12 +235,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@ -35517,7 +35531,7 @@ index 312cd04..dd6638a 100644
 # _realsetup needs to be able to cat /var/run/pluto.pid,
 # run ps on that pid, and delete the file
-@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +275,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
@ -35534,7 +35548,7 @@ index 312cd04..dd6638a 100644
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +294,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
 corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
@ -35543,7 +35557,7 @@ index 312cd04..dd6638a 100644
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
-@@ -269,6 +304,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +310,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
 files_read_etc_runtime_files(ipsec_mgmt_t)
@ -35551,7 +35565,7 @@ index 312cd04..dd6638a 100644
 files_read_usr_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +320,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
 term_use_console(ipsec_mgmt_t)
@ -35563,7 +35577,7 @@ index 312cd04..dd6638a 100644
 init_read_utmp(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +325,25 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +331,28 @@ init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@ -35585,6 +35599,9 @@ index 312cd04..dd6638a 100644
 +
 +userdom_use_inherited_user_terminals(ipsec_mgmt_t)
 +
 +allow ipsec_mgmt_t ipsec_mgmt_devpts_t:chr_file rw_term_perms;
 +term_create_pty(ipsec_mgmt_t,ipsec_mgmt_devpts_t)
 +
 +optional_policy(`
 +    bind_domtrans(ipsec_mgmt_t)
 +	bind_read_dnssec_keys(ipsec_mgmt_t)
@ -35594,7 +35611,7 @@ index 312cd04..dd6638a 100644
 optional_policy(`
 	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +367,10 @@ optional_policy(`
+@@ -322,6 +376,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -35605,7 +35622,7 @@ index 312cd04..dd6638a 100644
 	modutils_domtrans_insmod(ipsec_mgmt_t)
 ')
-@@ -335,7 +384,7 @@ optional_policy(`
+@@ -335,7 +393,7 @@ optional_policy(`
 #
 allow racoon_t self:capability { net_admin net_bind_service };
@ -35614,7 +35631,7 @@ index 312cd04..dd6638a 100644
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +419,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +428,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
@ -35634,7 +35651,7 @@ index 312cd04..dd6638a 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +449,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +458,10 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
@ -35647,7 +35664,7 @@ index 312cd04..dd6638a 100644
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +486,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +495,8 @@ corenet_setcontext_all_spds(setkey_t)
 locallogin_use_fds(setkey_t)
@ -38136,7 +38153,7 @@ index 6b91740..5c1669a 100644
 +/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
 /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..6293110 100644
+index 58bc27f..8f7b119 100644
 --- a/policy/modules/system/lvm.if
 +++ b/policy/modules/system/lvm.if
@@ -1,5 +1,22 @@
@ -38239,7 +38256,7 @@ index 58bc27f..6293110 100644
 ######################################
 ## <summary>
 ##	Execute a domain transition to run clvmd.
-@@ -123,3 +203,157 @@ interface(`lvm_domtrans_clvmd',`
+@@ -123,3 +203,175 @@ interface(`lvm_domtrans_clvmd',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
 ')
@ -38355,6 +38372,24 @@ index 58bc27f..6293110 100644
 +
 +########################################
 +## <summary>
 +##	Dontaudit read and write to lvm_lock_t dir.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`lvm_dontaudit_rw_lock_dir',`
 +	gen_require(`
 +		type lvm_lock_t;
 +	')
 +
 +	dontaudit $1 lvm_lock_t:dir rw_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Read the process state (/proc/pid) of lvm.
 +## </summary>
 +## <param name="domain">
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -572,7 +572,7 @@ index 058d908..7da78c7 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..f93be3c 100644
+index eb50f07..9bd797b 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -720,7 +720,7 @@ index eb50f07..f93be3c 100644
 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
 logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -125,48 +135,56 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -125,48 +135,57 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@ -781,10 +781,11 @@ index eb50f07..f93be3c 100644
 dev_rw_sysfs(abrt_t)
 -dev_dontaudit_read_raw_memory(abrt_t)
 +dev_read_raw_memory(abrt_t)
 +dev_write_kmsg(abrt_t)
 domain_getattr_all_domains(abrt_t)
 domain_read_all_domains_state(abrt_t)
-@@ -176,29 +194,43 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +195,43 @@ files_getattr_all_files(abrt_t)
 files_read_config_files(abrt_t)
 files_read_etc_runtime_files(abrt_t)
 files_read_var_symlinks(abrt_t)
@ -816,11 +817,11 @@ index eb50f07..f93be3c 100644
 +logging_send_syslog_msg(abrt_t)
 +logging_stream_connect_syslog(abrt_t)
 +logging_read_syslog_pid(abrt_t)
- 
+
 +auth_use_nsswitch(abrt_t)
 +
 +init_read_utmp(abrt_t)
-+
+ 
 +miscfiles_read_generic_certs(abrt_t)
 miscfiles_read_public_files(abrt_t)
 +miscfiles_dontaudit_access_check_cert(abrt_t)
@ -831,7 +832,7 @@ index eb50f07..f93be3c 100644
 tunable_policy(`abrt_anon_write',`
 	miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +238,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +239,11 @@ tunable_policy(`abrt_anon_write',`
 optional_policy(`
 	apache_list_modules(abrt_t)
@ -848,7 +849,7 @@ index eb50f07..f93be3c 100644
 ')
 optional_policy(`
-@@ -222,6 +250,24 @@ optional_policy(`
+@@ -222,6 +251,28 @@ optional_policy(`
 ')
 optional_policy(`
@ -856,6 +857,10 @@ index eb50f07..f93be3c 100644
 +')
 +
 +optional_policy(`
 +	lvm_dontaudit_rw_lock_dir(abrt_t)
 +')
 +
 +optional_policy(`
 +	mcelog_read_log(abrt_t)
 +')
 +
@ -873,7 +878,7 @@ index eb50f07..f93be3c 100644
 	policykit_domtrans_auth(abrt_t)
 	policykit_read_lib(abrt_t)
 	policykit_read_reload(abrt_t)
-@@ -234,6 +280,11 @@ optional_policy(`
+@@ -234,6 +285,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -885,7 +890,7 @@ index eb50f07..f93be3c 100644
 	rpm_exec(abrt_t)
 	rpm_dontaudit_manage_db(abrt_t)
 	rpm_manage_cache(abrt_t)
-@@ -243,6 +294,7 @@ optional_policy(`
+@@ -243,6 +299,7 @@ optional_policy(`
 	rpm_signull(abrt_t)
 ')
@ -893,7 +898,7 @@ index eb50f07..f93be3c 100644
 optional_policy(`
 	sendmail_domtrans(abrt_t)
 ')
-@@ -253,9 +305,21 @@ optional_policy(`
+@@ -253,9 +310,21 @@ optional_policy(`
 	sosreport_delete_tmp_files(abrt_t)
 ')
@ -916,7 +921,7 @@ index eb50f07..f93be3c 100644
 #
 allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +330,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +335,13 @@ tunable_policy(`abrt_handle_event',`
 	can_exec(abrt_t, abrt_handle_event_exec_t)
 ')
@ -931,7 +936,7 @@ index eb50f07..f93be3c 100644
 #
 allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +349,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +354,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@ -939,7 +944,7 @@ index eb50f07..f93be3c 100644
 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
 read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +358,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +363,20 @@ corecmd_read_all_executables(abrt_helper_t)
 domain_read_all_domains_state(abrt_helper_t)
@ -960,7 +965,7 @@ index eb50f07..f93be3c 100644
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +379,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +384,25 @@ ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -987,7 +992,7 @@ index eb50f07..f93be3c 100644
 #
 allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +415,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +420,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
 dev_read_urand(abrt_retrace_coredump_t)
@ -1001,7 +1006,7 @@ index eb50f07..f93be3c 100644
 optional_policy(`
 	rpm_exec(abrt_retrace_coredump_t)
 	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +433,11 @@ optional_policy(`
+@@ -343,10 +438,11 @@ optional_policy(`
 #######################################
 #
@ -1015,7 +1020,7 @@ index eb50f07..f93be3c 100644
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +456,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +461,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 dev_read_urand(abrt_retrace_worker_t)
@ -1084,7 +1089,7 @@ index eb50f07..f93be3c 100644
 #######################################
 #
-@@ -404,25 +521,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +526,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
 #
 allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1147,7 +1152,7 @@ index eb50f07..f93be3c 100644
 ')
 #######################################
-@@ -430,10 +582,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +587,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
 # Global local policy
 #
@ -5273,7 +5278,7 @@ index f6eb485..c55558a 100644
 +	read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
 ')
 diff --git a/apache.te b/apache.te
-index 6649962..7abf562 100644
+index 6649962..1862dfb 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -5991,7 +5996,7 @@ index 6649962..7abf562 100644
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -450,140 +575,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +575,176 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -6047,7 +6052,8 @@ index 6649962..7abf562 100644
 dev_rw_crypto(httpd_t)
 -domain_use_interactive_fds(httpd_t)
-
+files_dontaudit_write_all_mountpoints(httpd_t)
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
 -
@ -6231,7 +6237,7 @@ index 6649962..7abf562 100644
 ')
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
 ')
@ -6291,7 +6297,7 @@ index 6649962..7abf562 100644
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_t)
 ')
@ -6352,17 +6358,17 @@ index 6649962..7abf562 100644
 -	tunable_policy(`httpd_can_network_connect_zabbix',`
 -		zabbix_tcp_connect(httpd_t)
 -	')
 -')
 -
 -optional_policy(`
 -	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
 -		spamassassin_domtrans_client(httpd_t)
 -	')
 +    tunable_policy(`httpd_can_sendmail',`
 +    postfix_rw_spool_maildrop_files(httpd_t)
 +    ')
 ')
 -optional_policy(`
 -	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
 -		spamassassin_domtrans_client(httpd_t)
 -	')
 -')
 -
 -tunable_policy(`httpd_graceful_shutdown',`
 -	corenet_sendrecv_http_client_packets(httpd_t)
 -	corenet_tcp_connect_http_port(httpd_t)
@ -6394,7 +6400,7 @@ index 6649962..7abf562 100644
 ')
 tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',`
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6475,7 +6481,7 @@ index 6649962..7abf562 100644
 ')
 optional_policy(`
-@@ -749,24 +917,32 @@ optional_policy(`
+@@ -749,24 +919,32 @@ optional_policy(`
 ')
 optional_policy(`
@ -6514,7 +6520,7 @@ index 6649962..7abf562 100644
 ')
 optional_policy(`
-@@ -775,6 +951,10 @@ optional_policy(`
+@@ -775,6 +953,10 @@ optional_policy(`
 	tunable_policy(`httpd_dbus_avahi',`
 		avahi_dbus_chat(httpd_t)
 	')
@ -6525,7 +6531,7 @@ index 6649962..7abf562 100644
 ')
 optional_policy(`
-@@ -786,35 +966,60 @@ optional_policy(`
+@@ -786,35 +968,60 @@ optional_policy(`
 ')
 optional_policy(`
@ -6599,7 +6605,7 @@ index 6649962..7abf562 100644
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1027,30 @@ optional_policy(`
+@@ -822,8 +1029,30 @@ optional_policy(`
 ')
 optional_policy(`
@ -6630,7 +6636,7 @@ index 6649962..7abf562 100644
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1059,8 @@ optional_policy(`
+@@ -832,6 +1061,8 @@ optional_policy(`
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -6639,7 +6645,7 @@ index 6649962..7abf562 100644
 ')
 optional_policy(`
-@@ -842,20 +1071,40 @@ optional_policy(`
+@@ -842,20 +1073,44 @@ optional_policy(`
 ')
 optional_policy(`
@ -6661,6 +6667,13 @@ index 6649962..7abf562 100644
 optional_policy(`
 -	postgresql_stream_connect(httpd_t)
 -	postgresql_unpriv_client(httpd_t)
 +        pkcs11proxyd_stream_connect(httpd_t)
 +')
 -	tunable_policy(`httpd_can_network_connect_db',`
 -		postgresql_tcp_connect(httpd_t)
 -	')
 +optional_policy(`
 +	pki_apache_domain_signal(httpd_t)
 +	pki_manage_apache_config_files(httpd_t)
 +	pki_manage_apache_lib(httpd_t)
@ -6668,25 +6681,22 @@ index 6649962..7abf562 100644
 +	pki_manage_apache_run(httpd_t)
 +	pki_read_tomcat_cert(httpd_t)
 +')
- 
+
 -	tunable_policy(`httpd_can_network_connect_db',`
 -		postgresql_tcp_connect(httpd_t)
 -	')
 +optional_policy(`
 +	puppet_read_lib(httpd_t)
 +')
 +
 +optional_policy(`
 +	pwauth_domtrans(httpd_t)
 ')
 optional_policy(`
 -	puppet_read_lib_files(httpd_t)
 +	pwauth_domtrans(httpd_t)
 +')
 +
 +optional_policy(`
 +	rpm_dontaudit_read_db(httpd_t)
 ')
 optional_policy(`
-@@ -863,16 +1112,31 @@ optional_policy(`
+@@ -863,16 +1118,31 @@ optional_policy(`
 ')
 optional_policy(`
@ -6706,21 +6716,21 @@ index 6649962..7abf562 100644
 optional_policy(`
 	smokeping_read_lib_files(httpd_t)
 +    smokeping_read_pid_files(httpd_t)
 +')
 +
 +optional_policy(`
 +	files_dontaudit_rw_usr_dirs(httpd_t)
 +    snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
 ')
 optional_policy(`
 -	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 -	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 +	files_dontaudit_rw_usr_dirs(httpd_t)
 +    snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
 +')
 +
 +optional_policy(`
 +    thin_stream_connect(httpd_t)
 ')
 optional_policy(`
-@@ -883,65 +1147,189 @@ optional_policy(`
+@@ -883,65 +1153,189 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
@ -6932,7 +6942,7 @@ index 6649962..7abf562 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
-@@ -950,123 +1338,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1344,75 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
@ -7086,7 +7096,7 @@ index 6649962..7abf562 100644
 	mysql_read_config(httpd_suexec_t)
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1423,107 @@ optional_policy(`
+@@ -1083,172 +1429,107 @@ optional_policy(`
 	')
 ')
@ -7253,7 +7263,8 @@ index 6649962..7abf562 100644
 -#
 -# System script local policy
 -#
-
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
 -allow httpd_sys_script_t self:tcp_socket { accept listen };
 -
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
@ -7269,8 +7280,7 @@ index 6649962..7abf562 100644
 -kernel_read_kernel_sysctls(httpd_sys_script_t)
 -
 -fs_search_auto_mountpoints(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+-
 -files_read_var_symlinks(httpd_sys_script_t)
 -files_search_var_lib(httpd_sys_script_t)
 -files_search_spool(httpd_sys_script_t)
@ -7324,7 +7334,7 @@ index 6649962..7abf562 100644
 ')
 tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1531,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1537,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 tunable_policy(`httpd_use_cifs',`
@ -7421,7 +7431,7 @@ index 6649962..7abf562 100644
 ########################################
 #
-@@ -1321,8 +1606,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1612,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 optional_policy(`
@ -7438,7 +7448,7 @@ index 6649962..7abf562 100644
 ')
 ########################################
-@@ -1330,49 +1622,38 @@ optional_policy(`
+@@ -1330,49 +1628,38 @@ optional_policy(`
 # User content local policy
 #
@ -7503,7 +7513,7 @@ index 6649962..7abf562 100644
 kernel_read_system_state(httpd_passwd_t)
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1663,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1669,109 @@ dev_read_urand(httpd_passwd_t)
 domain_use_interactive_fds(httpd_passwd_t)
@ -68410,6 +68420,247 @@ index 8eb3f7b..ee837c6 100644
 -miscfiles_read_localization(pkcs_slotd_t)
 +userdom_read_all_users_state(pkcs_slotd_t)
 diff --git a/pkcs11proxyd.fc b/pkcs11proxyd.fc
 new file mode 100644
 index 0000000..ca1160a
 --- /dev/null
 +++ b/pkcs11proxyd.fc
@@ -0,0 +1,7 @@
 +/usr/lib/systemd/system/pkcs11proxyd-softhsm.*  --  gen_context(system_u:object_r:pkcs11proxyd_unit_file_t,s0)
 +
 +/usr/sbin/pkcs11proxyd		--	gen_context(system_u:object_r:pkcs11proxyd_exec_t,s0)
 +
 +/var/lib/pkcs11proxyd(/.*)?		gen_context(system_u:object_r:pkcs11proxyd_var_lib_t,s0)
 +
 +/var/run/pkcs11proxyd\.socket	-s	gen_context(system_u:object_r:pkcs11proxyd_var_run_t,s0)
 diff --git a/pkcs11proxyd.if b/pkcs11proxyd.if
 new file mode 100644
 index 0000000..1fa6db2
 --- /dev/null
 +++ b/pkcs11proxyd.if
@@ -0,0 +1,175 @@
 +
 +## <summary>pkcs11proxyd-softhsm-ctl - manage the isolated PKCS #11 daemon with softhsm</summary>
 +
 +########################################
 +## <summary>
 +##	Execute pkcs11proxyd_exec_t in the pkcs11proxyd domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`pkcs11proxyd_domtrans',`
 +	gen_require(`
 +		type pkcs11proxyd_t, pkcs11proxyd_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, pkcs11proxyd_exec_t, pkcs11proxyd_t)
 +')
 +
 +######################################
 +## <summary>
 +##	Execute pkcs11proxyd in the caller domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`pkcs11proxyd_exec',`
 +	gen_require(`
 +		type pkcs11proxyd_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
 +	can_exec($1, pkcs11proxyd_exec_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Search pkcs11proxyd lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`pkcs11proxyd_search_lib',`
 +	gen_require(`
 +		type pkcs11proxyd_var_lib_t;
 +	')
 +
 +	allow $1 pkcs11proxyd_var_lib_t:dir search_dir_perms;
 +	files_search_var_lib($1)
 +')
 +
 +########################################
 +## <summary>
 +##	Read pkcs11proxyd lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`pkcs11proxyd_read_lib_files',`
 +	gen_require(`
 +		type pkcs11proxyd_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	read_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage pkcs11proxyd lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`pkcs11proxyd_manage_lib_files',`
 +	gen_require(`
 +		type pkcs11proxyd_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage pkcs11proxyd lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`pkcs11proxyd_manage_lib_dirs',`
 +	gen_require(`
 +		type pkcs11proxyd_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	manage_dirs_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
 +')
 +
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
 +##	an pkcs11proxyd environment
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
 +##	Role allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`pkcs11proxyd_admin',`
 +	gen_require(`
 +		type pkcs11proxyd_t;
 +		type pkcs11proxyd_var_lib_t;
 +	')
 +
 +	allow $1 pkcs11proxyd_t:process { signal_perms };
 +	ps_process_pattern($1, pkcs11proxyd_t)
 +
 +    tunable_policy(`deny_ptrace',`',`
 +        allow $1 pkcs11proxyd_t:process ptrace;
 +    ')
 +
 +	files_search_var_lib($1)
 +	admin_pattern($1, pkcs11proxyd_var_lib_t)
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
 +')
 +
 +########################################
 +## <summary>
 +##	Connect to pkcs11proxyd over an unix
 +##	stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`pkcs11proxyd_stream_connect',`
 +	gen_require(`
 +		type pkcs11proxyd_t, pkcs11proxyd_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	stream_connect_pattern($1, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t, pkcs11proxyd_t)
 +')
 diff --git a/pkcs11proxyd.te b/pkcs11proxyd.te
 new file mode 100644
 index 0000000..6b49e41
 --- /dev/null
 +++ b/pkcs11proxyd.te
@@ -0,0 +1,41 @@
 +policy_module(pkcs11proxyd, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +type pkcs11proxyd_t;
 +type pkcs11proxyd_exec_t;
 +init_daemon_domain(pkcs11proxyd_t, pkcs11proxyd_exec_t)
 +
 +type pkcs11proxyd_unit_file_t;
 +systemd_unit_file(pkcs11proxyd_unit_file_t)
 +
 +type pkcs11proxyd_var_lib_t;
 +files_type(pkcs11proxyd_var_lib_t)
 +
 +type pkcs11proxyd_var_run_t;
 +files_pid_file(pkcs11proxyd_var_run_t)
 +
 +########################################
 +#
 +# pkcs11proxyd local policy
 +#
 +allow pkcs11proxyd_t self:capability { kill setuid setgid };
 +allow pkcs11proxyd_t self:process { getpgid setpgid  };
 +
 +manage_dirs_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
 +manage_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
 +manage_lnk_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
 +files_var_lib_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, { dir })
 +
 +manage_sock_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t)
 +files_pid_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_run_t, { sock_file })
 +
 +auth_use_nsswitch(pkcs11proxyd_t)
 +
 +dev_read_urand(pkcs11proxyd_t)
 +
 +logging_send_syslog_msg(pkcs11proxyd_t)
 +
 diff --git a/pki.fc b/pki.fc
 new file mode 100644
 index 0000000..e6592ea
@ -92902,10 +93153,10 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..5b65b7c
+index 0000000..3e89d71
 --- /dev/null
 +++ b/sandboxX.if
-@@ -0,0 +1,395 @@
+@@ -0,0 +1,396 @@
 +
 +## <summary>policy for sandboxX </summary>
 +
@ -92991,6 +93242,7 @@ index 0000000..5b65b7c
 +		attribute sandbox_x_domain;
 +		attribute sandbox_tmpfs_type;
 +		attribute sandbox_type;
 +        attribute sandbox_web_type;
 +	')
 +
 +	type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 148%{?dist}
+Release: 149%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -656,6 +656,15 @@ exit 0
 %endif
 %changelog
 * Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
 - Add few rules related to new policy for pkcs11proxyd
 - Added new policy for pkcs11proxyd daemon
 - We need to require sandbox_web_type attribute in sandbox_x_domain_template().
 - Dontaudit abrt_t to rw lvm_lock_t dir.
 - Allow abrt_d domain to write to kernel msg device.
 - Add interface lvm_dontaudit_rw_lock_dir()
 - Merge pull request #35 from lkundrak/lr-libreswan
 * Tue Sep 22 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-148
 - Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
 - Added support for permissive domains