* Mon May 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-254

- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit - ejabberd small fixes - Update targetd policy to accommodate changes in the service - Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls - Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit - Allow glusterd_t domain start ganesha service - Made few cosmetic changes in sssd SELinux module - Merge pull request #11 from lslebodn/sssd_kcm - Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options. - Allow keepalived_t domain read usermodehelper_t - Allow radius domain stream connec to postgresql - Merge pull request #8 from bowlofeggs/142-rawhide - Add fs_manage_configfs_lnk_files() interface
2017-05-15 22:07:43 +02:00 · 2017-05-15 22:07:43 +02:00 · c1e28f68d8
commit c1e28f68d8
parent 52a7727e8d
4 changed files with 586 additions and 380 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -27883,6 +27883,127 @@ index ef62363..0841716 100644
 +optional_policy(`
 +    procmail_domtrans(dspam_t)
 +')
 diff --git a/ejabberd.fc b/ejabberd.fc
 new file mode 100644
 index 0000000..e797d62
 --- /dev/null
 +++ b/ejabberd.fc
@@ -0,0 +1,7 @@
 +/usr/bin/ejabberdctl    --  gen_context(system_u:object_r:ejabberd_exec_t,s0)
 +
 +/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:ejabberd_unit_t,s0)
 +
 +/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:ejabberd_var_lib_t,s0)
 +
 +/var/log/ejabberd(/.*)? gen_context(system_u:object_r:ejabberd_var_log_t,s0)
 diff --git a/ejabberd.if b/ejabberd.if
 new file mode 100644
 index 0000000..91ef4a4
 --- /dev/null
 +++ b/ejabberd.if
@@ -0,0 +1,34 @@
 +## <summary>ejabberd is a Free and Open Source distributed fault-tolerant: Jabber/XMPP server. </summary>
 +########################################
 +## <summary>
 +##	All of the rules required to
 +##	administrate an ejabberd environment.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
 +##	Role allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`ejabberd_admin',`
 +	gen_require(`
 +		type ejabberd_t, ejabberd_exec_t;
 +		type ejabberd_var_lib_t, ejabberd_var_log_t;
 +	')
 +
 +    admin_process_pattern($1, ejabberd_t)
 +
 +    init_startstop_service($1, $2, ejabberd_t, ejabberd_initrc_exec_t, ejabberd_unit_t)
 +
 +	files_search_var_lib($1)
 +	admin_pattern($1, ejabberd_var_lib_t)
 +
 +	logging_search_logs($1)
 +	admin_pattern($1, ejabberd_var_log_t)
 +')
 diff --git a/ejabberd.te b/ejabberd.te
 new file mode 100644
 index 0000000..4498b11
 --- /dev/null
 +++ b/ejabberd.te
@@ -0,0 +1,62 @@
 +policy_module(ejabberd,0.0)
 +
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +# Private type declarations
 +type ejabberd_t;
 +type ejabberd_exec_t;
 +init_daemon_domain(ejabberd_t, ejabberd_exec_t)
 +
 +type ejabberd_unit_t;
 +systemd_unit_file(ejabberd_unit_t)
 +
 +type ejabberd_var_lib_t;
 +files_type(ejabberd_var_lib_t)
 +
 +type ejabberd_var_log_t;
 +logging_log_file(ejabberd_var_log_t)
 +
 +
 +# What will we allow
 +allow ejabberd_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
 +allow ejabberd_t self:udp_socket { bind connect create getattr getopt read setopt write };
 +allow ejabberd_t self:unix_dgram_socket { connect create getopt setopt write };
 +
 +auth_use_nsswitch(ejabberd_t)
 +
 +corecmd_exec_bin(ejabberd_t)
 +corecmd_exec_shell(ejabberd_t)
 +
 +corenet_tcp_bind_epmd_port(ejabberd_t)
 +corenet_tcp_bind_generic_node(ejabberd_t)
 +corenet_tcp_bind_generic_port(ejabberd_t)
 +corenet_tcp_bind_jabber_client_port(ejabberd_t)
 +corenet_tcp_bind_jabber_interserver_port(ejabberd_t)
 +corenet_tcp_connect_epmd_port(ejabberd_t)
 +corenet_tcp_connect_generic_port(ejabberd_t)
 +corenet_tcp_connect_jabber_interserver_port(ejabberd_t)
 +
 +corenet_udp_bind_generic_node(ejabberd_t)
 +
 +dev_read_rand(ejabberd_t)
 +dev_read_sysfs(ejabberd_t)
 +
 +files_search_var_lib(ejabberd_t, ejabberd_var_lib_t, dir)
 +
 +kernel_dgram_send(ejabberd_t)
 +
 +logging_create_devlog_dev(ejabberd_t)
 +logging_log_filetrans(ejabberd_t, ejabberd_var_log_t, { dir file })
 +
 +manage_dirs_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t)
 +manage_dirs_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t)
 +manage_files_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t)
 +manage_files_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t)
 +
 +miscfiles_read_generic_certs(ejabberd_t)
 +
 +sysnet_read_config(ejabberd_t)
 diff --git a/entropyd.te b/entropyd.te
 index b8b8328..111084c 100644
 --- a/entropyd.te
@ -32826,10 +32947,10 @@ index 0000000..764ae00
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..03db2af
+index 0000000..ce9dd75
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,308 @@
+@@ -0,0 +1,312 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@ -33081,6 +33202,10 @@ index 0000000..03db2af
 +')
 +
 +optional_policy(`
 +    ganesha_systemctl(glusterd_t)
 +')
 +
 +optional_policy(`
 +    hostname_exec(glusterd_t)
 +')
 +
@ -42725,10 +42850,10 @@ index 0000000..bd7e7fa
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..66e747b
+index 0000000..82772f2
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,93 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@ -42768,6 +42893,7 @@ index 0000000..66e747b
 +kernel_read_system_state(keepalived_t)
 +kernel_read_network_state(keepalived_t)
 +kernel_request_load_module(keepalived_t)
 +kernel_read_usermodehelper_state(keepalived_t)
 +
 +auth_use_nsswitch(keepalived_t)
 +
@ -84339,30 +84465,20 @@ index f47c8e8..af09c76 100644
 +    dbus_connect_system_bus(quota_nld_t)
 ')
 diff --git a/rabbitmq.fc b/rabbitmq.fc
-index c5ad6de..af2d46f 100644
+index c5ad6de..44135d4 100644
 --- a/rabbitmq.fc
 +++ b/rabbitmq.fc
-@@ -1,10 +1,18 @@
+@@ -1,7 +1,8 @@
 /etc/rc\.d/init\.d/rabbitmq-server	--	gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0)
 -/usr/lib/erlang/erts.*/bin/beam.*	--	gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
 -/usr/lib/erlang/erts.*/bin/epmd	--	gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
 +/usr/lib/systemd/system/rabbitmq-server.*   --  gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
 +/usr/lib/systemd/system/ejabberd.*          --  gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
 +
 +/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server   --  gen_context(system_u:object_r:rabbitmq_exec_t,s0)
 +
 +/usr/bin/ejabberdctl    --      gen_context(system_u:object_r:rabbitmq_exec_t,s0)
 /var/lib/rabbitmq(/.*)?	gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
 +/var/lib/ejabberd(/.*)?	gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
 +
 +/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0)
 /var/log/rabbitmq(/.*)?	gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
 +/var/log/ejabberd(/.*)?	gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
 /var/run/rabbitmq(/.*)?	gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
 diff --git a/rabbitmq.if b/rabbitmq.if
 index 2c3d338..7d49554 100644
 --- a/rabbitmq.if
@ -84682,7 +84798,7 @@ index 4460582..4c66c25 100644
 +
 ')
 diff --git a/radius.te b/radius.te
-index 403a4fe..b1668fa 100644
+index 403a4fe..c659271 100644
 --- a/radius.te
 +++ b/radius.te
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
@ -84805,10 +84921,11 @@ index 403a4fe..b1668fa 100644
 	logrotate_exec(radiusd_t)
 ')
-@@ -132,6 +159,10 @@ optional_policy(`
+@@ -132,6 +159,11 @@ optional_policy(`
 ')
 optional_policy(`
 +    postgresql_stream_connect(radiusd_t)
 +    postgresql_tcp_connect(radiusd_t)
 +')
 +
@ -84816,7 +84933,7 @@ index 403a4fe..b1668fa 100644
 	samba_domtrans_winbind_helper(radiusd_t)
 ')
-@@ -140,5 +171,10 @@ optional_policy(`
+@@ -140,5 +172,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -105585,10 +105702,10 @@ index 0000000..821e158
 +')
 +
 diff --git a/sssd.fc b/sssd.fc
-index dbb005a..25d119e 100644
+index dbb005a..47b49ea 100644
 --- a/sssd.fc
 +++ b/sssd.fc
-@@ -1,15 +1,28 @@
+@@ -1,15 +1,30 @@
 /etc/rc\.d/init\.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
 -/etc/sssd(/.*)?	gen_context(system_u:object_r:sssd_conf_t,s0)
@ -105599,6 +105716,7 @@ index dbb005a..25d119e 100644
 +/usr/libexec/sssd/sssd_autofs	--	gen_context(system_u:object_r:sssd_exec_t,s0)
 +/usr/libexec/sssd/sssd_ifp	--	gen_context(system_u:object_r:sssd_exec_t,s0)
 +/usr/libexec/sssd/sssd_nss	--	gen_context(system_u:object_r:sssd_exec_t,s0)
 +/usr/libexec/sssd/sssd_kcm	--	gen_context(system_u:object_r:sssd_exec_t,s0)
 +/usr/libexec/sssd/sssd_pac	--	gen_context(system_u:object_r:sssd_exec_t,s0)
 +/usr/libexec/sssd/sssd_pam	--	gen_context(system_u:object_r:sssd_exec_t,s0)
 +/usr/libexec/sssd/sssd_secrets	--	gen_context(system_u:object_r:sssd_exec_t,s0)
@ -105623,8 +105741,9 @@ index dbb005a..25d119e 100644
 -/var/run/sssd\.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/secrets.socket		gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/.heim_org.h5l.kcm-socket	--  	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
-index a240455..277f8f2 100644
+index a240455..aac2584 100644
 --- a/sssd.if
 +++ b/sssd.if
@@ -1,21 +1,21 @@
@ -105753,13 +105872,13 @@ index a240455..277f8f2 100644
 +    gen_require(`
 +        type sssd_conf_t;
 +    ')
- 
+
 -	files_search_etc($1)
 -	write_files_pattern($1, sssd_conf_t, sssd_conf_t)
 +    files_search_etc($1)
 +    write_files_pattern($1, sssd_conf_t, sssd_conf_t)
 +')
-+
+ 
 -	files_search_etc($1)
 -	write_files_pattern($1, sssd_conf_t, sssd_conf_t)
 +#####################################
 +## <summary>
 +##  Write sssd configuration.
@ -105836,10 +105955,11 @@ index a240455..277f8f2 100644
 	sssd_search_lib($1)
 -	manage_files_pattern($1, sssd_public_t, sssd_public_t)
 +	allow $1 sssd_public_t:file unlink;
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 -##	Read sssd pid files.
 +##	Dontaudit read sssd public files.
 +## </summary>
 +## <param name="domain">
@ -105873,11 +105993,10 @@ index a240455..277f8f2 100644
 +
 +    sssd_search_lib($1)
 +    manage_files_pattern($1, sssd_public_t, sssd_public_t)
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Read sssd pid files.
 +##	Read sssd PID files.
 ## </summary>
 ## <param name="domain">
@ -105937,7 +106056,7 @@ index a240455..277f8f2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -317,8 +408,92 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +408,130 @@ interface(`sssd_stream_connect',`
 ########################################
 ## <summary>
@ -105960,6 +106079,44 @@ index a240455..277f8f2 100644
 +	dontaudit $1 sssd_var_lib_t:sock_file { read write };
 +')
 +
 +########################################
 +## <summary>
 +##	Connect to sssd over a unix stream socket in /var/run.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sssd_run_stream_connect',`
 +	gen_require(`
 +		type sssd_t, sssd_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	stream_connect_pattern($1, sssd_var_run_t, sssd_var_run_t, sssd_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Dontaudit attempts to connect to sssd over a unix stream socket in /var/run.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sssd_dontaudit_run_stream_connect',`
 +	gen_require(`
 +		type sssd_t, sssd_var_lib_t;
 +	')
 +
 +	dontaudit $1 sssd_t:unix_stream_socket connectto;
 +	dontaudit $1 sssd_var_run_t:sock_file { read write };
 +')
 +
 +#######################################
 +## <summary>
 +##     Manage keys for all user domains.
@ -106032,7 +106189,7 @@ index a240455..277f8f2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -327,7 +502,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +540,7 @@ interface(`sssd_stream_connect',`
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -106041,7 +106198,7 @@ index a240455..277f8f2 100644
 ##	</summary>
 ## </param>
 ## <rolecap/>
-@@ -335,27 +510,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +548,29 @@ interface(`sssd_stream_connect',`
 interface(`sssd_admin',`
 	gen_require(`
 		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@ -106083,7 +106240,7 @@ index a240455..277f8f2 100644
 -	admin_pattern($1, sssd_log_t)
 ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..d4fee07 100644
+index 2d8db1f..f0f3862 100644
 --- a/sssd.te
 +++ b/sssd.te
@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t)
@ -106122,7 +106279,7 @@ index 2d8db1f..d4fee07 100644
 manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
 manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
-@@ -51,9 +63,11 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+@@ -51,28 +63,28 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
@ -106137,7 +106294,9 @@ index 2d8db1f..d4fee07 100644
 logging_log_filetrans(sssd_t, sssd_var_log_t, file)
 manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-@@ -62,17 +76,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+ manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
 +manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
 files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
 kernel_read_network_state(sssd_t)
 kernel_read_system_state(sssd_t)
@ -106160,7 +106319,7 @@ index 2d8db1f..d4fee07 100644
 corecmd_exec_bin(sssd_t)
-@@ -83,28 +94,36 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +95,36 @@ domain_read_all_domains_state(sssd_t)
 domain_obj_id_change_exemption(sssd_t)
 files_list_tmp(sssd_t)
@ -106201,7 +106360,7 @@ index 2d8db1f..d4fee07 100644
 init_read_utmp(sssd_t)
-@@ -112,18 +131,67 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +132,67 @@ logging_send_syslog_msg(sssd_t)
 logging_send_audit_msgs(sssd_t)
 miscfiles_read_generic_certs(sssd_t)
@ -107573,10 +107732,10 @@ index 0000000..a6e216c
 +
 diff --git a/targetd.te b/targetd.te
 new file mode 100644
-index 0000000..e187320
+index 0000000..0315421
 --- /dev/null
 +++ b/targetd.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,81 @@
 +policy_module(targetd, 1.0.0)
 +
 +########################################
@ -107599,21 +107758,33 @@ index 0000000..e187320
 +# targetd local policy
 +#
 +
-+allow targetd_t self:capability { sys_admin };
+allow targetd_t self:capability { ipc_lock sys_admin sys_nice };
 +allow targetd_t self:fifo_file rw_fifo_file_perms;
 +allow targetd_t self:unix_stream_socket create_stream_socket_perms;
 +allow targetd_t self:unix_dgram_socket create_socket_perms;
 +allow targetd_t self:tcp_socket listen;
 +allow targetd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow targetd_t self:process setfscreate;
+allow targetd_t self:process { setfscreate setsched };
 +
 +manage_dirs_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
 +manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
 +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
 +
 +fs_getattr_xattr_fs(targetd_t)
 +fs_manage_configfs_files(targetd_t)
 +fs_manage_configfs_lnk_files(targetd_t)
 +fs_manage_configfs_dirs(targetd_t)
 +fs_read_nfsd_files(targetd_t)
 +
 +kernel_rw_rpc_sysctls(targetd_t)
 +kernel_get_sysvipc_info(targetd_t)
 +kernel_read_system_state(targetd_t)
 +kernel_read_network_state(targetd_t)
 +
 +rpc_read_exports(targetd_t)
 +
 +storage_raw_rw_fixed_disk(targetd_t)
 +
 +auth_use_nsswitch(targetd_t)
 +
 +corecmd_exec_shell(targetd_t)
@ -107622,7 +107793,7 @@ index 0000000..e187320
 +corenet_tcp_bind_generic_node(targetd_t)
 +corenet_tcp_bind_lsm_plugin_port(targetd_t)
 +
-+dev_read_sysfs(targetd_t)
+dev_rw_sysfs(targetd_t)
 +dev_read_urand(targetd_t)
 +dev_rw_lvm_control(targetd_t)
 +dev_getattr_loop_control(targetd_t)
@ -107636,8 +107807,9 @@ index 0000000..e187320
 +
 +optional_policy(`
 +   lvm_read_config(targetd_t)
-+   lvm_read_metadata(targetd_t)
+   lvm_write_metadata(targetd_t)
 +   lvm_manage_lock(targetd_t)
 +   lvm_rw_pipes(targetd_t)
 +   lvm_stream_connect(targetd_t)
 +')
 +
@ -110850,10 +111022,10 @@ index 0000000..e5cec8f
 +')
 diff --git a/tomcat.te b/tomcat.te
 new file mode 100644
-index 0000000..71e14ac
+index 0000000..cc0c5fe
 --- /dev/null
 +++ b/tomcat.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,89 @@
 +policy_module(tomcat, 1.0.0)
 +
 +########################################
@ -110912,6 +111084,7 @@ index 0000000..71e14ac
 +can_exec(tomcat_domain, tomcat_exec_t)
 +
 +kernel_read_network_state(tomcat_domain)
 +kernel_read_net_sysctls(tomcat_domain)
 +
 +corecmd_exec_bin(tomcat_domain)
 +corecmd_exec_shell(tomcat_domain)
@ -110925,6 +111098,8 @@ index 0000000..71e14ac
 +corenet_tcp_connect_ldap_port(tomcat_domain)
 +corenet_tcp_connect_mxi_port(tomcat_domain)
 +corenet_tcp_connect_http_cache_port(tomcat_domain)
 +corenet_tcp_connect_postgresql_port(tomcat_domain)
 +corenet_tcp_connect_amqp_port(tomcat_domain)
 +
 +dev_read_rand(tomcat_domain)
 +dev_read_urand(tomcat_domain)
@ -113341,7 +113516,7 @@ index a4f20bc..9777de2 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..487857a 100644
+index facdee8..b5a815a 100644
 --- a/virt.if
 +++ b/virt.if
@@ -1,120 +1,111 @@
@ -113775,7 +113950,7 @@ index facdee8..487857a 100644
 -	allow svirt_lxc_domain $1:fd use;
 -	allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms;
 -	allow svirt_lxc_domain $1:process sigchld;
-+	allow $1 svirt_t:unix_stream_socket { read write };
+	allow $1 svirt_t:unix_stream_socket { setopt getopt read write };
 ')
 -#######################################
@ -115541,10 +115716,10 @@ index facdee8..487857a 100644
 +	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..fee0027 100644
+index f03dcf5..6e0d11b 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -1,451 +1,413 @@
+@@ -1,451 +1,415 @@
 -policy_module(virt, 1.7.4)
 +policy_module(virt, 1.5.0)
@ -116182,6 +116357,8 @@ index f03dcf5..fee0027 100644
 +
 +virt_dontaudit_read_state(svirt_t)
 +
 +storage_raw_read_fixed_disk(svirt_t)
 +
 +#######################################
 +#
 +# svirt_prot_exec local policy
@ -116268,7 +116445,7 @@ index f03dcf5..fee0027 100644
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +417,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +419,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -116315,27 +116492,27 @@ index f03dcf5..fee0027 100644
 logging_log_filetrans(virtd_t, virt_log_t, { file dir })
 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +452,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +454,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 -
 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
-can_exec(virtd_t, virt_tmp_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 +# libvirtd is permitted to talk to virtlogd
 +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
 +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
 -can_exec(virtd_t, virt_tmp_t)
 -
 -kernel_read_crypto_sysctls(virtd_t)
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
@ -116349,7 +116526,7 @@ index f03dcf5..fee0027 100644
 corecmd_exec_bin(virtd_t)
 corecmd_exec_shell(virtd_t)
-@@ -527,24 +477,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +479,16 @@ corecmd_exec_shell(virtd_t)
 corenet_all_recvfrom_netlabel(virtd_t)
 corenet_tcp_sendrecv_generic_if(virtd_t)
 corenet_tcp_sendrecv_generic_node(virtd_t)
@ -116377,7 +116554,7 @@ index f03dcf5..fee0027 100644
 dev_rw_sysfs(virtd_t)
 dev_read_urand(virtd_t)
 dev_read_rand(virtd_t)
-@@ -555,20 +497,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +499,26 @@ dev_rw_vhost(virtd_t)
 dev_setattr_generic_usb_dev(virtd_t)
 dev_relabel_generic_usb_dev(virtd_t)
@ -116408,7 +116585,7 @@ index f03dcf5..fee0027 100644
 fs_list_auto_mountpoints(virtd_t)
 fs_getattr_all_fs(virtd_t)
 fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +549,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +551,18 @@ term_use_ptmx(virtd_t)
 auth_use_nsswitch(virtd_t)
@ -116428,7 +116605,7 @@ index f03dcf5..fee0027 100644
 selinux_validate_context(virtd_t)
-@@ -620,18 +571,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +573,26 @@ seutil_read_file_contexts(virtd_t)
 sysnet_signull_ifconfig(virtd_t)
 sysnet_signal_ifconfig(virtd_t)
 sysnet_domtrans_ifconfig(virtd_t)
@ -116465,7 +116642,7 @@ index f03dcf5..fee0027 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +599,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +601,7 @@ tunable_policy(`virt_use_nfs',`
 ')
 tunable_policy(`virt_use_samba',`
@ -116474,7 +116651,7 @@ index f03dcf5..fee0027 100644
 	fs_manage_cifs_files(virtd_t)
 	fs_read_cifs_symlinks(virtd_t)
 ')
-@@ -665,20 +624,12 @@ optional_policy(`
+@@ -665,20 +626,12 @@ optional_policy(`
 	')
 	optional_policy(`
@ -116496,7 +116673,7 @@ index f03dcf5..fee0027 100644
 ')
 optional_policy(`
-@@ -691,20 +642,26 @@ optional_policy(`
+@@ -691,20 +644,26 @@ optional_policy(`
 	dnsmasq_kill(virtd_t)
 	dnsmasq_signull(virtd_t)
 	dnsmasq_create_pid_dirs(virtd_t)
@ -116527,7 +116704,7 @@ index f03dcf5..fee0027 100644
 ')
 optional_policy(`
-@@ -712,11 +669,18 @@ optional_policy(`
+@@ -712,11 +671,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -116546,7 +116723,7 @@ index f03dcf5..fee0027 100644
 	policykit_domtrans_auth(virtd_t)
 	policykit_domtrans_resolve(virtd_t)
 	policykit_read_lib(virtd_t)
-@@ -727,10 +691,18 @@ optional_policy(`
+@@ -727,10 +693,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -116565,7 +116742,7 @@ index f03dcf5..fee0027 100644
 	kernel_read_xen_state(virtd_t)
 	kernel_write_xen_state(virtd_t)
-@@ -746,44 +718,344 @@ optional_policy(`
+@@ -746,44 +720,344 @@ optional_policy(`
 	udev_read_pid_files(virtd_t)
 ')
@ -116678,7 +116855,7 @@ index f03dcf5..fee0027 100644
 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
 +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
+ 
 +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +files_var_filetrans(virt_domain, virt_cache_t, { file dir })
@ -116839,7 +117016,7 @@ index f03dcf5..fee0027 100644
 +	fs_read_nfs_symlinks(virt_domain)
 +	fs_getattr_nfs(virt_domain)
 +')
- 
+
 +tunable_policy(`virt_use_samba',`
 +	fs_manage_cifs_dirs(virt_domain)
 +	fs_manage_cifs_files(virt_domain)
@ -116932,7 +117109,7 @@ index f03dcf5..fee0027 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1066,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1068,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -116959,7 +117136,7 @@ index f03dcf5..fee0027 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1086,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1088,25 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -116993,7 +117170,7 @@ index f03dcf5..fee0027 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1123,20 @@ optional_policy(`
+@@ -856,14 +1125,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -117015,7 +117192,7 @@ index f03dcf5..fee0027 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -888,49 +1161,66 @@ optional_policy(`
+@@ -888,49 +1163,66 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -117100,7 +117277,7 @@ index f03dcf5..fee0027 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1232,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1234,16 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -117120,7 +117297,7 @@ index f03dcf5..fee0027 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1253,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1255,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -117144,7 +117321,7 @@ index f03dcf5..fee0027 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1278,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1280,296 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -117588,7 +117765,7 @@ index f03dcf5..fee0027 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1580,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1582,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -117603,7 +117780,7 @@ index f03dcf5..fee0027 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,7 +1598,7 @@ optional_policy(`
+@@ -1192,7 +1600,7 @@ optional_policy(`
 ########################################
 #
@ -117612,7 +117789,7 @@ index f03dcf5..fee0027 100644
 #
 allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1607,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1609,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 253%{?dist}
+Release: 254%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -689,6 +689,21 @@ exit 0
 %endif
 %changelog
 * Mon May 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-254
 - Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
 - ejabberd small fixes
 - Update targetd policy to accommodate changes in the service
 - Allow tomcat_domain connect to    * postgresql_port_t    * amqp_port_t Allow tomcat_domain read network sysctls
 - Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
 - Allow glusterd_t domain start ganesha service
 - Made few cosmetic changes in sssd SELinux module
 - Merge pull request #11 from lslebodn/sssd_kcm
 - Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options.
 - Allow keepalived_t domain read usermodehelper_t
 - Allow radius domain stream connec to postgresql
 - Merge pull request #8 from bowlofeggs/142-rawhide
 - Add fs_manage_configfs_lnk_files() interface
 * Fri May 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-253
 - auth_use_nsswitch can call only domain not attribute
 - Dontaudit net_admin cap for winbind_t