- Added iotop policy. Thanks William Brown

- Allow spamc to read .pyzor located in /var/spool/spampd - Allow spamc to create home content with correct labeling - Allow logwatch_mail_t to create dead.letter with correct labelign - Add labeling for min-cloud-agent - Allow geoclue to read unix in proc. - Add support for /usr/local/Brother labeling. We removed /usr/local equiv. - add support for min-cloud-agent - Allow ulogd to request the kernel to load a module - remove unconfined_domain for openwsman_t - Add openwsman_tmp_t rules - Allow openwsman to execute chkpwd and make this domain as unconfined for F20. - Allow nova-scheduler to read passwd file - Allow neutron execute arping in neutron_t - Dontaudit logrotate executing systemctl command attempting to net_admin - Allow mozilla plugins to use /dev/sr0 - svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift file - Any app that executes systemctl will attempt a net_admin - Fix path to mmap_min_addr
2014-05-13 08:13:43 +02:00 · 2014-05-13 08:13:43 +02:00 · dbf4ab85b0
commit dbf4ab85b0
parent e929b7e20b
3 changed files with 470 additions and 267 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -12652,14 +12652,15 @@ index 4a5b3d1..cd146bd 100644
 ')
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 0000000..d0501e3
+index 0000000..53f5265
 --- /dev/null
 +++ b/cloudform.fc
-@@ -0,0 +1,19 @@
+@@ -0,0 +1,21 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +
 +/usr/bin/cloud-init     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
 +/usr/libexec/min-metadata-service     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
 +/usr/libexec/min-cloud-agent    --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
 +/usr/bin/deltacloudd    --	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
 +/usr/bin/iwhd           --      gen_context(system_u:object_r:iwhd_exec_t,s0)
 +
@ -12668,6 +12669,7 @@ index 0000000..d0501e3
 +/usr/lib/systemd/system/cloud-init.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
 +
 +/var/lib/cloud(/.*)?            gen_context(system_u:object_r:cloud_var_lib_t,s0)
 +/var/lib/min-cloud-agent(/.*)?            gen_context(system_u:object_r:cloud_var_lib_t,s0)
 +/var/log/cloud-init\.log.*  --  gen_context(system_u:object_r:cloud_log_t,s0)
 +/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
 +
@ -18437,10 +18439,10 @@ index 001b502..3ceae52 100644
 optional_policy(`
 diff --git a/cups.fc b/cups.fc
-index 949011e..afe482b 100644
+index 949011e..9437dbe 100644
 --- a/cups.fc
 +++ b/cups.fc
-@@ -1,77 +1,87 @@
+@@ -1,77 +1,91 @@
 -/etc/alchemist/namespace/printconf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 -/etc/cups(/.*)?	gen_context(system_u:object_r:cupsd_etc_t,s0)
@ -18538,23 +18540,23 @@ index 949011e..afe482b 100644
 /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/lib/bjlib(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-+
+ 
 -/var/lib/hp(/.*)?	gen_context(system_u:object_r:hplip_var_lib_t,s0)
 +/var/lib/hp(/.*)?		gen_context(system_u:object_r:cupsd_var_lib_t,s0)
 +/var/lib/iscan(/.*)?		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 -/var/lib/hp(/.*)?	gen_context(system_u:object_r:hplip_var_lib_t,s0)
 +/var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
 +/var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 -/var/log/cups(/.*)?	gen_context(system_u:object_r:cupsd_log_t,s0)
 -/var/log/turboprint.*	gen_context(system_u:object_r:cupsd_log_t,s0)
-+/var/log/hp(/.*)?       gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
 +/var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 -/var/ccpd(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
 -/var/ekpd(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
 -/var/run/cups(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
 -/var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
 -/var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
 +/var/log/hp(/.*)?       gen_context(system_u:object_r:cupsd_log_t,s0)
 +
 +/var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
 +/var/ekpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
 +/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
@ -18568,10 +18570,14 @@ index 949011e..afe482b 100644
 +/var/run/udev-configure-printer(/.*)? 	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
 +/var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
 +
 +/etc/opt/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 +/usr/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/etc/opt/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/local/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 +/usr/local/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +
@ -28271,10 +28277,10 @@ index 0000000..04e159f
 +')
 diff --git a/gear.te b/gear.te
 new file mode 100644
-index 0000000..75d7bc3
+index 0000000..781c76d
 --- /dev/null
 +++ b/gear.te
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,122 @@
 +policy_module(gear, 1.0.0)
 +
 +########################################
@ -28393,6 +28399,7 @@ index 0000000..75d7bc3
 +')
 +
 +optional_policy(`
 +	openshift_manage_lib_dirs(gear_t)
 +	openshift_manage_lib_files(gear_t)
 +	openshift_relabelfrom_lib(gear_t)
 +')
@ -28572,10 +28579,10 @@ index 0000000..9e17d3e
 +')
 diff --git a/geoclue.te b/geoclue.te
 new file mode 100644
-index 0000000..7106428
+index 0000000..351f145
 --- /dev/null
 +++ b/geoclue.te
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,53 @@
 +policy_module(geoclue, 1.0.0)
 +
 +########################################
@ -28608,6 +28615,8 @@ index 0000000..7106428
 +manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
 +files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
 +
 +kernel_read_network_state(geoclue_t)
 +
 +auth_read_passwd(geoclue_t)
 +
 +corenet_tcp_connect_http_port(geoclue_t)
@ -34333,6 +34342,108 @@ index d443fee..6cbbf7d 100644
 logging_send_syslog_msg(iodined_t)
 diff --git a/iotop.fc b/iotop.fc
 new file mode 100644
 index 0000000..c8d2dea
 --- /dev/null
 +++ b/iotop.fc
@@ -0,0 +1 @@
 +/usr/sbin/iotop		--	gen_context(system_u:object_r:iotop_exec_t,s0)
 diff --git a/iotop.if b/iotop.if
 new file mode 100644
 index 0000000..7fc3464
 --- /dev/null
 +++ b/iotop.if
@@ -0,0 +1,46 @@
 +## <summary>Simple top-like I/O monitor</summary>
 +
 +########################################
 +## <summary>
 +##	Allow execution of iotop in the iotop domain from the target domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition to iotop.
 +## </summary>
 +## </param>
 +#
 +interface(`iotop_domtrans',`
 +	gen_require(`
 +		type iotop_t, iotop_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, iotop_exec_t, iotop_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Execute iotop in the iotop domain, and
 +##	allow the specified role to access the iotop domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed to transition
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
 +##	The role to be allowed into the iotop domain.
 +##	</summary>
 +## </param>
 +#
 +interface(`iotop_run',`
 +	gen_require(`
 +		type iotop_t;
 +		attribute_role iotop_roles;
 +	')
 +
 +	iotop_domtrans($1)
 +	roleattribute $2 iotop_roles;
 +')
 diff --git a/iotop.te b/iotop.te
 new file mode 100644
 index 0000000..51d7e34
 --- /dev/null
 +++ b/iotop.te
@@ -0,0 +1,37 @@
 +policy_module(iotop, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +attribute_role iotop_roles;
 +roleattribute system_r iotop_roles;
 +
 +type iotop_t;
 +type iotop_exec_t;
 +application_domain(iotop_t, iotop_exec_t)
 +
 +role iotop_roles types iotop_t;
 +
 +########################################
 +#
 +# iotop local policy
 +#
 +
 +allow iotop_t self:capability net_admin;
 +allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
 +
 +kernel_read_system_state(iotop_t)
 +
 +auth_use_nsswitch(iotop_t)
 +
 +dev_read_urand(iotop_t)
 +
 +domain_getsched_all_domains(iotop_t)
 +domain_read_all_domains_state(iotop_t)
 +
 +corecmd_exec_bin(iotop_t)
 +
 +miscfiles_read_localization(iotop_t)
 +
 +userdom_use_user_terminals(iotop_t)
 diff --git a/ipa.fc b/ipa.fc
 new file mode 100644
 index 0000000..48d7322
@ -40137,7 +40248,7 @@ index dd8e01a..9cd6b0b 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..1859690 100644
+index be0ab84..9321951 100644
 --- a/logrotate.te
 +++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@ -40183,7 +40294,7 @@ index be0ab84..1859690 100644
 -allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
 +# Change ownership on log files.
 +allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
-+dontaudit logrotate_t self:capability sys_resource;
+dontaudit logrotate_t self:capability { sys_resource net_admin };
 +
 +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 +
@ -40418,7 +40529,7 @@ index be0ab84..1859690 100644
 logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index ab65034..c76dbda 100644
+index ab65034..28f63b5 100644
 --- a/logwatch.te
 +++ b/logwatch.te
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
@ -40503,11 +40614,13 @@ index ab65034..c76dbda 100644
 	rpc_search_nfs_state_data(logwatch_t)
 ')
-@@ -187,6 +192,17 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -187,6 +192,19 @@ dev_read_sysfs(logwatch_mail_t)
 logging_read_all_logs(logwatch_mail_t)
 +mta_read_home(logwatch_mail_t)
 +mta_filetrans_home_content(logwatch_mail_t)
 +mta_filetrans_admin_home_content(logwatch_mail_t)
 +
 optional_policy(`
 	cron_use_system_job_fds(logwatch_mail_t)
@ -45601,7 +45714,7 @@ index 6194b80..cafb2b0 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..7bb38c6 100644
+index 11ac8e4..633063d 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@ -46039,7 +46152,7 @@ index 11ac8e4..7bb38c6 100644
 ')
 optional_policy(`
-@@ -300,259 +324,248 @@ optional_policy(`
+@@ -300,259 +324,252 @@ optional_policy(`
 ########################################
 #
@ -46272,14 +46385,17 @@ index 11ac8e4..7bb38c6 100644
 fs_getattr_all_fs(mozilla_plugin_t)
 -# fs_read_hugetlbfs_files(mozilla_plugin_t)
 -fs_search_auto_mountpoints(mozilla_plugin_t)
 -
 -term_getattr_all_ttys(mozilla_plugin_t)
 -term_getattr_all_ptys(mozilla_plugin_t)
 +fs_list_dos(mozilla_plugin_t)
 +fs_read_noxattr_fs_files(mozilla_plugin_t)
 +fs_read_hugetlbfs_files(mozilla_plugin_t)
 +fs_exec_hugetlbfs_files(mozilla_plugin_t)
 -term_getattr_all_ttys(mozilla_plugin_t)
 -term_getattr_all_ptys(mozilla_plugin_t)
 +storage_raw_read_removable_device(mozilla_plugin_t)
 +fs_read_removable_files(mozilla_plugin_t)
 +fs_read_removable_symlinks(mozilla_plugin_t)
 application_exec(mozilla_plugin_t)
 +application_dontaudit_signull(mozilla_plugin_t)
@ -46435,7 +46551,7 @@ index 11ac8e4..7bb38c6 100644
 ')
 optional_policy(`
-@@ -560,7 +573,11 @@ optional_policy(`
+@@ -560,7 +577,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -46448,7 +46564,7 @@ index 11ac8e4..7bb38c6 100644
 ')
 optional_policy(`
-@@ -568,108 +585,131 @@ optional_policy(`
+@@ -568,108 +589,131 @@ optional_policy(`
 ')
 optional_policy(`
@ -53019,10 +53135,10 @@ index 0000000..28936b4
 +')
 diff --git a/nova.te b/nova.te
 new file mode 100644
-index 0000000..f429163
+index 0000000..f691a30
 --- /dev/null
 +++ b/nova.te
-@@ -0,0 +1,311 @@
+@@ -0,0 +1,310 @@
 +policy_module(nova, 1.0.0)
 +
 +########################################
@ -53302,7 +53418,6 @@ index 0000000..f429163
 +# nova vncproxy local policy
 +#
 +
 +
 +#######################################
 +#
 +# nova volume local policy
@ -59264,10 +59379,10 @@ index 0000000..42ed4ba
 +')
 diff --git a/openwsman.te b/openwsman.te
 new file mode 100644
-index 0000000..49dc5ef
+index 0000000..a0161d5
 --- /dev/null
 +++ b/openwsman.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,56 @@
 +policy_module(openwsman, 1.0.0)
 +
 +########################################
@ -59279,6 +59394,9 @@ index 0000000..49dc5ef
 +type openwsman_exec_t;
 +init_daemon_domain(openwsman_t, openwsman_exec_t)
 +
 +type openwsman_tmp_t;
 +files_tmp_file(openwsman_tmp_t)
 +
 +type openwsman_log_t;
 +logging_log_file(openwsman_log_t)
 +
@ -59292,10 +59410,17 @@ index 0000000..49dc5ef
 +#
 +# openwsman local policy
 +#
 +
 +allow openwsman_t self:capability setuid;
 +
 +allow openwsman_t self:process { fork };
 +allow openwsman_t self:fifo_file rw_fifo_file_perms;
 +allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
-+allow openwsman_t self:tcp_socket { create_socket_perms listen };
+allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
 +
 +manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
 +manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
 +files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
 +
 +manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
 +logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
@ -59304,12 +59429,15 @@ index 0000000..49dc5ef
 +files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
 +
 +auth_use_nsswitch(openwsman_t)
 +auth_domtrans_chkpwd(openwsman_t)
 +
 +corenet_tcp_connect_pegasus_https_port(openwsman_t)
 +corenet_tcp_bind_vnc_port(openwsman_t)
 +
 +dev_read_urand(openwsman_t)
 +
 +logging_send_syslog_msg(openwsman_t)
 +logging_send_audit_msgs(openwsman_t)
 +
 diff --git a/oracleasm.fc b/oracleasm.fc
 new file mode 100644
@ -73504,10 +73632,10 @@ index afc0068..3105104 100644
 +	')
 ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..d76fab5 100644
+index 8644d8b..9494e23 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -5,92 +5,132 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,136 @@ policy_module(quantum, 1.1.0)
 # Declarations
 #
@ -73554,7 +73682,7 @@ index 8644d8b..d76fab5 100644
 -allow quantum_t self:unix_stream_socket { accept listen };
 +allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
 +allow neutron_t self:capability2 block_suspend;
-+allow neutron_t self:process { setsched setrlimit signal_perms };
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
 +
 +allow neutron_t self:fifo_file rw_fifo_file_perms;
 +allow neutron_t self:key manage_key_perms;
@ -73562,46 +73690,45 @@ index 8644d8b..d76fab5 100644
 +allow neutron_t self:unix_stream_socket { accept listen };
 +allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow neutron_t self:rawip_socket create_socket_perms;
 +allow neutron_t self:packet_socket create_socket_perms;
 +
 +manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +logging_log_filetrans(neutron_t, neutron_log_t, dir)
 +
 +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
 -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -logging_log_filetrans(quantum_t, quantum_log_t, dir)
 +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
 -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
 -files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
 +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
 -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
 -files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
 +can_exec(neutron_t, neutron_tmp_t)
 -manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
 -manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
 -files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
 +can_exec(neutron_t, neutron_tmp_t)
 -can_exec(quantum_t, quantum_tmp_t)
 +kernel_rw_kernel_sysctl(neutron_t)
 +kernel_rw_net_sysctls(neutron_t)
 +kernel_read_system_state(neutron_t)
 +kernel_read_network_state(neutron_t)
 +kernel_request_load_module(neutron_t)
-kernel_read_kernel_sysctls(quantum_t)
+-can_exec(quantum_t, quantum_tmp_t)
 -kernel_read_system_state(quantum_t)
 +corecmd_exec_shell(neutron_t)
 +corecmd_exec_bin(neutron_t)
-corecmd_exec_shell(quantum_t)
+-kernel_read_kernel_sysctls(quantum_t)
-corecmd_exec_bin(quantum_t)
+-kernel_read_system_state(quantum_t)
 +corenet_all_recvfrom_unlabeled(neutron_t)
 +corenet_all_recvfrom_netlabel(neutron_t)
 +corenet_tcp_sendrecv_generic_if(neutron_t)
@ -73609,83 +73736,88 @@ index 8644d8b..d76fab5 100644
 +corenet_tcp_sendrecv_all_ports(neutron_t)
 +corenet_tcp_bind_generic_node(neutron_t)
-corenet_all_recvfrom_unlabeled(quantum_t)
+-corecmd_exec_shell(quantum_t)
-corenet_all_recvfrom_netlabel(quantum_t)
+-corecmd_exec_bin(quantum_t)
 -corenet_tcp_sendrecv_generic_if(quantum_t)
 -corenet_tcp_sendrecv_generic_node(quantum_t)
 -corenet_tcp_sendrecv_all_ports(quantum_t)
 -corenet_tcp_bind_generic_node(quantum_t)
 +corenet_tcp_bind_neutron_port(neutron_t)
 +corenet_tcp_connect_keystone_port(neutron_t)
 +corenet_tcp_connect_amqp_port(neutron_t)
 +corenet_tcp_connect_mysqld_port(neutron_t)
 +corenet_tcp_connect_osapi_compute_port(neutron_t)
-dev_list_sysfs(quantum_t)
+-corenet_all_recvfrom_unlabeled(quantum_t)
-dev_read_urand(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
 -corenet_tcp_sendrecv_generic_if(quantum_t)
 -corenet_tcp_sendrecv_generic_node(quantum_t)
 -corenet_tcp_sendrecv_all_ports(quantum_t)
 -corenet_tcp_bind_generic_node(quantum_t)
 +domain_read_all_domains_state(neutron_t)
 +domain_named_filetrans(neutron_t)
-files_read_usr_files(quantum_t)
+-dev_list_sysfs(quantum_t)
 -dev_read_urand(quantum_t)
 +dev_read_sysfs(neutron_t)
 +dev_read_urand(neutron_t)
 +dev_mounton_sysfs(neutron_t)
 +dev_mount_sysfs_fs(neutron_t)
 +dev_unmount_sysfs_fs(neutron_t)
-auth_use_nsswitch(quantum_t)
+-files_read_usr_files(quantum_t)
 +files_mounton_non_security(neutron_t)
-libs_exec_ldconfig(quantum_t)
+-auth_use_nsswitch(quantum_t)
 +auth_use_nsswitch(neutron_t)
 -libs_exec_ldconfig(quantum_t)
 +libs_exec_ldconfig(neutron_t)
 -logging_send_audit_msgs(quantum_t)
 -logging_send_syslog_msg(quantum_t)
 +libs_exec_ldconfig(neutron_t)
 -miscfiles_read_localization(quantum_t)
 +logging_send_audit_msgs(neutron_t)
 +logging_send_syslog_msg(neutron_t)
 -miscfiles_read_localization(quantum_t)
 +netutils_exec(neutron_t)
 -sysnet_domtrans_ifconfig(quantum_t)
 +# need to stay in neutron
 +sysnet_exec_ifconfig(neutron_t)
 +sysnet_manage_ifconfig_run(neutron_t)
 +sysnet_filetrans_named_content_ifconfig(neutron_t)
 +
 +optional_policy(`
 +	brctl_domtrans(neutron_t)
 +')
 optional_policy(`
 -	brctl_domtrans(quantum_t)
-+    dnsmasq_domtrans(neutron_t)
+	brctl_domtrans(neutron_t)
 +    dnsmasq_signal(neutron_t)
 +    dnsmasq_read_state(neutron_t)
 ')
 optional_policy(`
 -	mysql_stream_connect(quantum_t)
 -	mysql_read_config(quantum_t)
-+    iptables_domtrans(neutron_t)
+    dnsmasq_domtrans(neutron_t)
 +    dnsmasq_signal(neutron_t)
 +    dnsmasq_read_state(neutron_t)
 +')
 -	mysql_tcp_connect(quantum_t)
 +optional_policy(`
-+	mysql_stream_connect(neutron_t)
+    iptables_domtrans(neutron_t)
 +    mysql_read_db_lnk_files(neutron_t)
 +	mysql_read_config(neutron_t)
 +	mysql_tcp_connect(neutron_t)
 ')
 optional_policy(`
 -	postgresql_stream_connect(quantum_t)
 -	postgresql_unpriv_client(quantum_t)
 +	mysql_stream_connect(neutron_t)
 +    mysql_read_db_lnk_files(neutron_t)
 +	mysql_read_config(neutron_t)
 +	mysql_tcp_connect(neutron_t)
 +')
 -	postgresql_tcp_connect(quantum_t)
 +optional_policy(`
 +	postgresql_stream_connect(neutron_t)
 +	postgresql_unpriv_client(neutron_t)
 +	postgresql_tcp_connect(neutron_t)
 +')
- 
+
 -	postgresql_tcp_connect(quantum_t)
 +optional_policy(`
 +    openvswitch_domtrans(neutron_t)
 +    openvswitch_stream_connect(neutron_t)
@ -91614,7 +91746,7 @@ index 1499b0b..6950cab 100644
 -	spamassassin_role($2, $1)
 ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..4f35a1b 100644
+index cc58e35..de9c4d9 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@ -91918,7 +92050,7 @@ index cc58e35..4f35a1b 100644
 ')
 ########################################
-@@ -167,72 +248,85 @@ optional_policy(`
+@@ -167,72 +248,90 @@ optional_policy(`
 # Client local policy
 #
@ -91958,6 +92090,8 @@ index cc58e35..4f35a1b 100644
 +manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 +userdom_append_user_home_content_files(spamc_t)
 +spamassassin_filetrans_home_content(spamc_t)
 +spamassassin_filetrans_admin_home_content(spamc_t)
 +# for /root/.pyzor
 +allow spamc_t self:capability dac_override;
@ -91965,6 +92099,9 @@ index cc58e35..4f35a1b 100644
 read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 -stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
 +read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
 +list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
 +
 +# Allow connecting to a local spamd
 +allow spamc_t spamd_t:unix_stream_socket connectto;
 +allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
@ -92035,7 +92172,7 @@ index cc58e35..4f35a1b 100644
 optional_policy(`
 	abrt_stream_connect(spamc_t)
-@@ -243,6 +337,7 @@ optional_policy(`
+@@ -243,6 +342,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -92043,7 +92180,7 @@ index cc58e35..4f35a1b 100644
 	evolution_stream_connect(spamc_t)
 ')
-@@ -251,10 +346,16 @@ optional_policy(`
+@@ -251,10 +351,16 @@ optional_policy(`
 ')
 optional_policy(`
@ -92061,7 +92198,7 @@ index cc58e35..4f35a1b 100644
 	sendmail_stub(spamc_t)
 ')
-@@ -267,36 +368,38 @@ optional_policy(`
+@@ -267,36 +373,38 @@ optional_policy(`
 ########################################
 #
@ -92088,17 +92225,17 @@ index cc58e35..4f35a1b 100644
 allow spamd_t self:unix_dgram_socket sendto;
 -allow spamd_t self:unix_stream_socket { accept connectto listen };
 -allow spamd_t self:tcp_socket { accept listen };
-+allow spamd_t self:unix_stream_socket connectto;
+-
 +allow spamd_t self:tcp_socket create_stream_socket_perms;
 +allow spamd_t self:udp_socket create_socket_perms;
 -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
-
+allow spamd_t self:unix_stream_socket connectto;
 +allow spamd_t self:tcp_socket create_stream_socket_perms;
 +allow spamd_t self:udp_socket create_socket_perms;
 -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@ -92117,7 +92254,7 @@ index cc58e35..4f35a1b 100644
 logging_log_filetrans(spamd_t, spamd_log_t, file)
 manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +411,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +416,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
 manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
 files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@ -92127,7 +92264,7 @@ index cc58e35..4f35a1b 100644
 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +421,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +426,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@ -92143,7 +92280,7 @@ index cc58e35..4f35a1b 100644
 corenet_all_recvfrom_netlabel(spamd_t)
 corenet_tcp_sendrecv_generic_if(spamd_t)
 corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +436,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +441,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
 corenet_tcp_sendrecv_all_ports(spamd_t)
 corenet_udp_sendrecv_all_ports(spamd_t)
 corenet_tcp_bind_generic_node(spamd_t)
@ -92247,7 +92384,7 @@ index cc58e35..4f35a1b 100644
 ')
 optional_policy(`
-@@ -421,21 +507,13 @@ optional_policy(`
+@@ -421,21 +512,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -92271,7 +92408,7 @@ index cc58e35..4f35a1b 100644
 ')
 optional_policy(`
-@@ -443,8 +521,8 @@ optional_policy(`
+@@ -443,8 +526,8 @@ optional_policy(`
 ')
 optional_policy(`
@ -92281,7 +92418,7 @@ index cc58e35..4f35a1b 100644
 ')
 optional_policy(`
-@@ -455,7 +533,17 @@ optional_policy(`
+@@ -455,7 +538,17 @@ optional_policy(`
 optional_policy(`
 	razor_domtrans(spamd_t)
 	razor_read_lib_files(spamd_t)
@ -92300,7 +92437,7 @@ index cc58e35..4f35a1b 100644
 ')
 optional_policy(`
-@@ -463,9 +551,9 @@ optional_policy(`
+@@ -463,9 +556,9 @@ optional_policy(`
 ')
 optional_policy(`
@ -92311,7 +92448,7 @@ index cc58e35..4f35a1b 100644
 ')
 optional_policy(`
-@@ -474,32 +562,32 @@ optional_policy(`
+@@ -474,32 +567,32 @@ optional_policy(`
 ########################################
 #
@ -92354,7 +92491,7 @@ index cc58e35..4f35a1b 100644
 corecmd_exec_bin(spamd_update_t)
 corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +596,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +601,21 @@ dev_read_urand(spamd_update_t)
 domain_use_interactive_fds(spamd_update_t)
@ -97873,7 +98010,7 @@ index 9b95c3e..a892845 100644
 	init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/ulogd.te b/ulogd.te
-index de35e5f..436d24c 100644
+index de35e5f..51f2763 100644
 --- a/ulogd.te
 +++ b/ulogd.te
@@ -29,8 +29,10 @@ logging_log_file(ulogd_var_log_t)
@ -97894,8 +98031,9 @@ index de35e5f..436d24c 100644
 -files_read_etc_files(ulogd_t)
 -files_read_usr_files(ulogd_t)
- 
+-
 -miscfiles_read_localization(ulogd_t)
 +kernel_request_load_module(ulogd_t)
 sysnet_dns_name_resolve(ulogd_t)
@ -101214,7 +101352,7 @@ index facdee8..88dcafb 100644
 +	virt_stream_connect($1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..a26950d 100644
+index f03dcf5..0b4a6fa 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,212 @@
@ -102678,7 +102816,7 @@ index f03dcf5..a26950d 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1133,299 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1133,303 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -102912,21 +103050,25 @@ index f03dcf5..a26950d 100644
 +')
 +
 +optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+	gear_read_pid_files(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
-+	ssh_use_ptys(svirt_sandbox_domain)
+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 +')
 optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
-+	udev_read_pid_files(svirt_sandbox_domain)
+	ssh_use_ptys(svirt_sandbox_domain)
 ')
 optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
 +	udev_read_pid_files(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
 +')
 +
@ -102991,12 +103133,12 @@ index f03dcf5..a26950d 100644
 +', `
 +	logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
 +')
 +
 +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
 +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
 -corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
 -corenet_tcp_connect_all_ports(svirt_lxc_net_t)
 +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
 +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
 +
 +kernel_read_irq_sysctls(svirt_lxc_net_t)
 +dev_read_sysfs(svirt_lxc_net_t)
@ -103073,7 +103215,8 @@ index f03dcf5..a26950d 100644
 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
 +
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
-+
+ 
 -allow svirt_prot_exec_t self:process { execmem execstack };
 +dev_read_sysfs(svirt_qemu_net_t)
 +dev_getattr_mtrr_dev(svirt_qemu_net_t)
 +dev_read_rand(svirt_qemu_net_t)
@ -103085,8 +103228,7 @@ index f03dcf5..a26950d 100644
 +fs_mount_cgroup(svirt_qemu_net_t)
 +fs_manage_cgroup_dirs(svirt_qemu_net_t)
 +fs_manage_cgroup_files(svirt_qemu_net_t)
- 
+
 -allow svirt_prot_exec_t self:process { execmem execstack };
 +term_pty(svirt_sandbox_file_t)
 +
 +auth_use_nsswitch(svirt_qemu_net_t)
@ -103115,7 +103257,7 @@ index f03dcf5..a26950d 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1438,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1442,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -103130,7 +103272,7 @@ index f03dcf5..a26950d 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,9 +1456,8 @@ optional_policy(`
+@@ -1192,9 +1460,8 @@ optional_policy(`
 ########################################
 #
@ -103141,7 +103283,7 @@ index f03dcf5..a26950d 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1470,218 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1474,216 @@ kernel_read_network_state(virt_bridgehelper_t)
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@ -103360,8 +103502,6 @@ index f03dcf5..a26950d 100644
 +optional_policy(`
 +	systemd_dbus_chat_logind(sandbox_net_domain)
 +')
 +
 +
 diff --git a/vlock.te b/vlock.te
 index 6b72968..de409cc 100644
 --- a/vlock.te
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -590,6 +590,25 @@ SELinux Reference policy mls base module.
 %changelog
 * Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-52
 - More rules for gears and openshift
 - Added iotop policy. Thanks William Brown
 - Allow spamc to read .pyzor located in /var/spool/spampd
 - Allow spamc to create home content with correct labeling
 - Allow logwatch_mail_t to create dead.letter with correct labelign
 - Add labeling for min-cloud-agent
 - Allow geoclue to read unix in proc.
 - Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
 - add support for min-cloud-agent
 - Allow ulogd to request the kernel to load a module
 - remove unconfined_domain for openwsman_t
 - Add openwsman_tmp_t rules
 - Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
 - Allow nova-scheduler to read passwd file
 - Allow neutron execute arping in neutron_t
 - Dontaudit logrotate executing systemctl command attempting to net_admin
 - Allow mozilla plugins to use /dev/sr0
 - svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files
 - Any app that executes systemctl will attempt a net_admin
 - Fix path to mmap_min_addr
 * Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-51
 - Add gear fixes from dwalsh