rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

* Wed Feb 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-169

Browse Source 
- Allow openvswitch domain capability sys_rawio.
- Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)"
- Allow openvswitch to manage hugetlfs files and dirs.
- Allow NetworkManager create dhcpc pid files. BZ(1229755)
- Allow apcupsd to read kernel network state. BZ(1282003)
- Label /sys/kernel/debug/tracing filesystem
- Add fs_manage_hugetlbfs_files() interface.
- Add sysnet_filetrans_dhcpc_pid() interface.
This commit is contained in:
Lukas Vrabec 2016-02-03 10:57:06 +01:00
parent 4c488a69fa
commit edb36e0557
4 changed files with 318 additions and 215 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
docker-selinux.tgz
View File

Binary file not shown.

253
policy-rawhide-base.patch
View File

@ -15451,7 +15451,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <<none>>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..843f849 100644
index 8416beb..1a164a7 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -16373,11 +16373,16 @@ index 8416beb..843f849 100644
## Get the attributes of an hugetlbfs
## filesystem.
## </summary>
@@ -2062,7 +2579,43 @@ interface(`fs_list_hugetlbfs',`
@@ -2057,12 +2574,66 @@ interface(`fs_list_hugetlbfs',`
type hugetlbfs_t;
')
########################################
## <summary>
-## Manage hugetlbfs dirs.
- allow $1 hugetlbfs_t:dir list_dir_perms;
+ allow $1 hugetlbfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage hugetlbfs dirs.
+## </summary>
+## <param name="domain">
@ -16415,21 +16420,40 @@ index 8416beb..843f849 100644
+########################################
+## <summary>
+## Read and write hugetlbfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_hugetlbfs_files',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
')
########################################
## <summary>
-## Manage hugetlbfs dirs.
+## Manage hugetlbfs files.
## </summary>
## <param name="domain">
## <summary>
@@ -2070,17 +2623,17 @@ interface(`fs_list_hugetlbfs',`
@@ -2070,17 +2641,17 @@ interface(`fs_list_hugetlbfs',`
## </summary>
## </param>
#
-interface(`fs_manage_hugetlbfs_dirs',`
+interface(`fs_rw_hugetlbfs_files',`
+interface(`fs_manage_hugetlbfs_files',`
gen_require(`
type hugetlbfs_t;
')
- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
')
########################################
@ -16439,7 +16463,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2088,12 +2641,13 @@ interface(`fs_manage_hugetlbfs_dirs',`
@@ -2088,12 +2659,13 @@ interface(`fs_manage_hugetlbfs_dirs',`
## </summary>
## </param>
#
@ -16455,7 +16479,7 @@ index 8416beb..843f849 100644
')
########################################
@@ -2148,11 +2702,12 @@ interface(`fs_list_inotifyfs',`
@@ -2148,11 +2720,12 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@ -16469,7 +16493,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2297,14 +2852,332 @@ interface(`fs_getattr_iso9660_files',`
@@ -2297,14 +2870,332 @@ interface(`fs_getattr_iso9660_files',`
type iso9660_t;
')
@ -16806,7 +16830,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2312,16 +3185,15 @@ interface(`fs_getattr_iso9660_files',`
@@ -2312,16 +3203,15 @@ interface(`fs_getattr_iso9660_files',`
## </summary>
## </param>
#
@ -16827,7 +16851,7 @@ index 8416beb..843f849 100644
########################################
## <summary>
## Mount a NFS filesystem.
@@ -2398,6 +3270,24 @@ interface(`fs_getattr_nfs',`
@@ -2398,6 +3288,24 @@ interface(`fs_getattr_nfs',`
########################################
## <summary>
@ -16852,7 +16876,7 @@ index 8416beb..843f849 100644
## Search directories on a NFS filesystem.
## </summary>
## <param name="domain">
@@ -2485,6 +3375,7 @@ interface(`fs_read_nfs_files',`
@@ -2485,6 +3393,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@ -16860,7 +16884,7 @@ index 8416beb..843f849 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
@@ -2523,6 +3414,7 @@ interface(`fs_write_nfs_files',`
@@ -2523,6 +3432,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@ -16868,7 +16892,7 @@ index 8416beb..843f849 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
@@ -2549,6 +3441,44 @@ interface(`fs_exec_nfs_files',`
@@ -2549,6 +3459,44 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@ -16913,7 +16937,7 @@ index 8416beb..843f849 100644
## Append files
## on a NFS filesystem.
## </summary>
@@ -2569,7 +3499,7 @@ interface(`fs_append_nfs_files',`
@@ -2569,7 +3517,7 @@ interface(`fs_append_nfs_files',`
########################################
## <summary>
@ -16922,7 +16946,7 @@ index 8416beb..843f849 100644
## on a NFS filesystem.
## </summary>
## <param name="domain">
@@ -2589,6 +3519,42 @@ interface(`fs_dontaudit_append_nfs_files',`
@@ -2589,6 +3537,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@ -16965,7 +16989,7 @@ index 8416beb..843f849 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
@@ -2603,7 +3569,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
@@ -2603,7 +3587,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@ -16974,7 +16998,7 @@ index 8416beb..843f849 100644
')
########################################
@@ -2627,7 +3593,7 @@ interface(`fs_read_nfs_symlinks',`
@@ -2627,7 +3611,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
@ -16983,7 +17007,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2719,6 +3685,65 @@ interface(`fs_search_rpc',`
@@ -2719,6 +3703,65 @@ interface(`fs_search_rpc',`
########################################
## <summary>
@ -17049,7 +17073,7 @@ index 8416beb..843f849 100644
## Search removable storage directories.
## </summary>
## <param name="domain">
@@ -2741,7 +3766,7 @@ interface(`fs_search_removable',`
@@ -2741,7 +3784,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@ -17058,7 +17082,7 @@ index 8416beb..843f849 100644
## </summary>
## </param>
#
@@ -2777,7 +3802,7 @@ interface(`fs_read_removable_files',`
@@ -2777,7 +3820,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@ -17067,7 +17091,7 @@ index 8416beb..843f849 100644
## </summary>
## </param>
#
@@ -2970,6 +3995,7 @@ interface(`fs_manage_nfs_dirs',`
@@ -2970,6 +4013,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@ -17075,7 +17099,7 @@ index 8416beb..843f849 100644
allow $1 nfs_t:dir manage_dir_perms;
')
@@ -3010,6 +4036,7 @@ interface(`fs_manage_nfs_files',`
@@ -3010,6 +4054,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@ -17083,7 +17107,7 @@ index 8416beb..843f849 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
@@ -3050,6 +4077,7 @@ interface(`fs_manage_nfs_symlinks',`
@@ -3050,6 +4095,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@ -17091,7 +17115,7 @@ index 8416beb..843f849 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -3137,6 +4165,24 @@ interface(`fs_nfs_domtrans',`
@@ -3137,6 +4183,24 @@ interface(`fs_nfs_domtrans',`
########################################
## <summary>
@ -17116,7 +17140,7 @@ index 8416beb..843f849 100644
## Mount a NFS server pseudo filesystem.
## </summary>
## <param name="domain">
@@ -3263,7 +4309,25 @@ interface(`fs_getattr_nfsd_files',`
@@ -3263,7 +4327,25 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@ -17143,7 +17167,7 @@ index 8416beb..843f849 100644
## <summary>
## Read and write NFS server files.
## </summary>
@@ -3281,6 +4345,42 @@ interface(`fs_rw_nfsd_fs',`
@@ -3281,6 +4363,42 @@ interface(`fs_rw_nfsd_fs',`
rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@ -17186,7 +17210,7 @@ index 8416beb..843f849 100644
########################################
## <summary>
## Allow the type to associate to ramfs filesystems.
@@ -3392,7 +4492,7 @@ interface(`fs_search_ramfs',`
@@ -3392,7 +4510,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@ -17195,7 +17219,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3429,7 +4529,7 @@ interface(`fs_manage_ramfs_dirs',`
@@ -3429,7 +4547,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@ -17204,7 +17228,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3447,7 +4547,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
@@ -3447,7 +4565,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@ -17213,7 +17237,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3779,6 +4879,24 @@ interface(`fs_mount_tmpfs',`
@@ -3779,6 +4897,24 @@ interface(`fs_mount_tmpfs',`
########################################
## <summary>
@ -17238,7 +17262,7 @@ index 8416beb..843f849 100644
## Remount a tmpfs filesystem.
## </summary>
## <param name="domain">
@@ -3815,6 +4933,24 @@ interface(`fs_unmount_tmpfs',`
@@ -3815,6 +4951,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
@ -17263,7 +17287,7 @@ index 8416beb..843f849 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
@@ -3839,39 +4975,76 @@ interface(`fs_getattr_tmpfs',`
@@ -3839,39 +4993,76 @@ interface(`fs_getattr_tmpfs',`
## </summary>
## <param name="type">
## <summary>
@ -17349,7 +17373,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3879,36 +5052,35 @@ interface(`fs_relabelfrom_tmpfs',`
@@ -3879,36 +5070,35 @@ interface(`fs_relabelfrom_tmpfs',`
## </summary>
## </param>
#
@ -17393,7 +17417,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3916,35 +5088,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
@@ -3916,35 +5106,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
## </summary>
## </param>
#
@ -17437,7 +17461,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3952,17 +5125,17 @@ interface(`fs_setattr_tmpfs_dirs',`
@@ -3952,17 +5143,17 @@ interface(`fs_setattr_tmpfs_dirs',`
## </summary>
## </param>
#
@ -17458,7 +17482,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3970,31 +5143,30 @@ interface(`fs_search_tmpfs',`
@@ -3970,31 +5161,30 @@ interface(`fs_search_tmpfs',`
## </summary>
## </param>
#
@ -17496,7 +17520,7 @@ index 8416beb..843f849 100644
')
########################################
@@ -4105,7 +5277,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
@@ -4105,7 +5295,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@ -17505,7 +17529,7 @@ index 8416beb..843f849 100644
')
########################################
@@ -4165,6 +5337,24 @@ interface(`fs_rw_tmpfs_files',`
@@ -4165,6 +5355,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@ -17530,7 +17554,7 @@ index 8416beb..843f849 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
@@ -4202,7 +5392,7 @@ interface(`fs_rw_tmpfs_chr_files',`
@@ -4202,7 +5410,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@ -17539,7 +17563,7 @@ index 8416beb..843f849 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4221,6 +5411,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
@@ -4221,6 +5429,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@ -17600,7 +17624,7 @@ index 8416beb..843f849 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
@@ -4278,6 +5522,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
@@ -4278,6 +5540,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@ -17645,7 +17669,7 @@ index 8416beb..843f849 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
@@ -4297,6 +5579,25 @@ interface(`fs_manage_tmpfs_files',`
@@ -4297,6 +5597,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@ -17671,7 +17695,7 @@ index 8416beb..843f849 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
@@ -4407,6 +5708,25 @@ interface(`fs_search_xenfs',`
@@ -4407,6 +5726,25 @@ interface(`fs_search_xenfs',`
allow $1 xenfs_t:dir search_dir_perms;
')
@ -17697,7 +17721,7 @@ index 8416beb..843f849 100644
########################################
## <summary>
## Create, read, write, and delete directories
@@ -4503,6 +5823,8 @@ interface(`fs_mount_all_fs',`
@@ -4503,6 +5841,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@ -17706,7 +17730,7 @@ index 8416beb..843f849 100644
')
########################################
@@ -4549,7 +5871,7 @@ interface(`fs_unmount_all_fs',`
@@ -4549,7 +5889,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@ -17715,7 +17739,7 @@ index 8416beb..843f849 100644
## Example attributes:
## </p>
## <ul>
@@ -4596,6 +5918,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
@@ -4596,6 +5936,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
## <summary>
@ -17742,7 +17766,7 @@ index 8416beb..843f849 100644
## Get the quotas of all filesystems.
## </summary>
## <param name="domain">
@@ -4671,6 +6013,25 @@ interface(`fs_getattr_all_dirs',`
@@ -4671,6 +6031,25 @@ interface(`fs_getattr_all_dirs',`
########################################
## <summary>
@ -17768,7 +17792,7 @@ index 8416beb..843f849 100644
## Search all directories with a filesystem type.
## </summary>
## <param name="domain">
@@ -4912,3 +6273,63 @@ interface(`fs_unconfined',`
@@ -4912,3 +6291,63 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@ -17833,7 +17857,7 @@ index 8416beb..843f849 100644
+ read_files_pattern($1, efivarfs_t, efivarfs_t)
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index e7d1738..235b730 100644
index e7d1738..b00be59 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@ -17937,7 +17961,7 @@ index e7d1738..235b730 100644
fs_type(pstore_t)
files_mountpoint(pstore_t)
dev_associate_sysfs(pstore_t)
@@ -150,11 +179,6 @@ fs_type(spufs_t)
@@ -150,17 +179,16 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@ -17949,7 +17973,17 @@ index e7d1738..235b730 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
@@ -172,6 +196,8 @@ type vxfs_t;
genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
+type tracefs_t;
+fs_type(tracefs_t)
+genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0)
+
type vmblock_t;
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
@@ -172,6 +200,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@ -17958,7 +17992,7 @@ index e7d1738..235b730 100644
#
# tmpfs_t is the type for tmpfs filesystems
@@ -182,6 +208,8 @@ fs_type(tmpfs_t)
@@ -182,6 +212,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@ -17967,7 +18001,7 @@ index e7d1738..235b730 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
@@ -261,6 +289,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
@@ -261,6 +293,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@ -17976,7 +18010,7 @@ index e7d1738..235b730 100644
files_mountpoint(removable_t)
#
@@ -280,6 +310,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -280,6 +314,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@ -17984,7 +18018,7 @@ index e7d1738..235b730 100644
########################################
#
@@ -301,9 +332,10 @@ fs_associate_noxattr(noxattrfs)
@@ -301,9 +336,10 @@ fs_associate_noxattr(noxattrfs)
# Unconfined access to this module
#
@ -28137,7 +28171,7 @@ index 6bf0ecc..7d0c3c3 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b40377..69be4cf 100644
index 8b40377..23560f0 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -28496,7 +28530,7 @@ index 8b40377..69be4cf 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
@@ -300,64 +420,103 @@ optional_policy(`
@@ -300,64 +420,104 @@ optional_policy(`
# XDM Local policy
#
@ -28596,6 +28630,7 @@ index 8b40377..69be4cf 100644
-allow xdm_t xserver_t:process signal;
+allow xdm_t xserver_t:process { signal signull };
allow xdm_t xserver_t:unix_stream_socket connectto;
+allow xdm_t xserver_t:unix_dgram_socket sendto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
@ -28613,7 +28648,7 @@ index 8b40377..69be4cf 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -366,20 +525,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@ -28646,7 +28681,7 @@ index 8b40377..69be4cf 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
@@ -389,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@ -28700,7 +28735,7 @@ index 8b40377..69be4cf 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
@@ -431,9 +611,29 @@ files_list_mnt(xdm_t)
@@ -431,9 +612,29 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@ -28730,7 +28765,7 @@ index 8b40377..69be4cf 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
@@ -442,28 +642,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
@@ -442,28 +643,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@ -28779,7 +28814,7 @@ index 8b40377..69be4cf 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -472,24 +688,163 @@ userdom_read_user_home_content_files(xdm_t)
@@ -472,24 +689,163 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -28949,7 +28984,7 @@ index 8b40377..69be4cf 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
@@ -502,12 +857,31 @@ tunable_policy(`xdm_sysadm_login',`
@@ -502,12 +858,31 @@ tunable_policy(`xdm_sysadm_login',`
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
@ -28981,7 +29016,7 @@ index 8b40377..69be4cf 100644
')
optional_policy(`
@@ -518,8 +892,36 @@ optional_policy(`
@@ -518,8 +893,36 @@ optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@ -29019,7 +29054,7 @@ index 8b40377..69be4cf 100644
')
')
@@ -530,6 +932,20 @@ optional_policy(`
@@ -530,6 +933,20 @@ optional_policy(`
')
optional_policy(`
@ -29040,7 +29075,7 @@ index 8b40377..69be4cf 100644
hostname_exec(xdm_t)
')
@@ -547,28 +963,78 @@ optional_policy(`
@@ -547,28 +964,78 @@ optional_policy(`
')
optional_policy(`
@ -29128,7 +29163,7 @@ index 8b40377..69be4cf 100644
')
optional_policy(`
@@ -580,6 +1046,14 @@ optional_policy(`
@@ -580,6 +1047,14 @@ optional_policy(`
')
optional_policy(`
@ -29143,7 +29178,7 @@ index 8b40377..69be4cf 100644
xfs_stream_connect(xdm_t)
')
@@ -594,7 +1068,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
@@ -594,7 +1069,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -29152,7 +29187,7 @@ index 8b40377..69be4cf 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
@@ -604,8 +1078,11 @@ allow xserver_t input_xevent_t:x_event send;
@@ -604,8 +1079,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -29165,7 +29200,7 @@ index 8b40377..69be4cf 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
@@ -618,8 +1095,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -618,8 +1096,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -29181,7 +29216,7 @@ index 8b40377..69be4cf 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -627,6 +1111,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
@@ -627,6 +1112,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -29192,7 +29227,7 @@ index 8b40377..69be4cf 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -638,25 +1126,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -638,25 +1127,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -29229,7 +29264,7 @@ index 8b40377..69be4cf 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
@@ -677,23 +1172,28 @@ dev_rw_apm_bios(xserver_t)
@@ -677,23 +1173,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@ -29261,7 +29296,7 @@ index 8b40377..69be4cf 100644
# brought on by rhgb
files_search_mnt(xserver_t)
@@ -705,6 +1205,14 @@ fs_search_nfs(xserver_t)
@@ -705,6 +1206,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -29276,7 +29311,7 @@ index 8b40377..69be4cf 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
@@ -718,20 +1226,18 @@ init_getpgid(xserver_t)
@@ -718,20 +1227,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@ -29300,7 +29335,7 @@ index 8b40377..69be4cf 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
@@ -739,8 +1245,6 @@ userdom_setattr_user_ttys(xserver_t)
@@ -739,8 +1246,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@ -29309,7 +29344,7 @@ index 8b40377..69be4cf 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
@@ -785,17 +1289,54 @@ optional_policy(`
@@ -785,17 +1290,54 @@ optional_policy(`
')
optional_policy(`
@ -29366,7 +29401,7 @@ index 8b40377..69be4cf 100644
')
optional_policy(`
@@ -803,6 +1344,10 @@ optional_policy(`
@@ -803,6 +1345,10 @@ optional_policy(`
')
optional_policy(`
@ -29377,7 +29412,7 @@ index 8b40377..69be4cf 100644
xfs_stream_connect(xserver_t)
')
@@ -818,18 +1363,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
@@ -818,18 +1364,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@ -29402,7 +29437,7 @@ index 8b40377..69be4cf 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
@@ -842,26 +1386,21 @@ init_use_fds(xserver_t)
@@ -842,26 +1387,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -29437,7 +29472,7 @@ index 8b40377..69be4cf 100644
')
optional_policy(`
@@ -912,7 +1451,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
@@ -912,7 +1452,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -29446,7 +29481,7 @@ index 8b40377..69be4cf 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@@ -966,11 +1505,31 @@ allow x_domain self:x_resource { read write };
@@ -966,11 +1506,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -29478,7 +29513,7 @@ index 8b40377..69be4cf 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
@@ -992,18 +1551,148 @@ tunable_policy(`! xserver_object_manager',`
@@ -992,18 +1552,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@ -42386,7 +42421,7 @@ index 40edc18..95f4458 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 2cea692..57c9025 100644
index 2cea692..bf86a31 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -42631,7 +42666,7 @@ index 2cea692..57c9025 100644
')
')
@@ -501,11 +669,31 @@ interface(`sysnet_delete_dhcpc_pid',`
@@ -501,11 +669,55 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@ -42658,12 +42693,36 @@ index 2cea692..57c9025 100644
+ manage_files_pattern($1, dhcpc_var_run_t, dhcpc_var_run_t)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## pid directories with the dhcpc pid file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`sysnet_filetrans_dhcpc_pid',`
+ gen_require(`
+ type dhcpc_var_run_t;
+ ')
+
+ files_pid_filetrans($1, dhcpc_var_run_t, file, $2)
+')
+
+#######################################
+## <summary>
## Execute ifconfig in the ifconfig domain.
## </summary>
## <param name="domain">
@@ -610,6 +798,25 @@ interface(`sysnet_signull_ifconfig',`
@@ -610,6 +822,25 @@ interface(`sysnet_signull_ifconfig',`
########################################
## <summary>
@ -42689,7 +42748,7 @@ index 2cea692..57c9025 100644
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
@@ -626,6 +833,7 @@ interface(`sysnet_read_dhcp_config',`
@@ -626,6 +857,7 @@ interface(`sysnet_read_dhcp_config',`
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@ -42697,7 +42756,7 @@ index 2cea692..57c9025 100644
')
########################################
@@ -647,6 +855,26 @@ interface(`sysnet_search_dhcp_state',`
@@ -647,6 +879,26 @@ interface(`sysnet_search_dhcp_state',`
allow $1 dhcp_state_t:dir search_dir_perms;
')
@ -42724,7 +42783,7 @@ index 2cea692..57c9025 100644
########################################
## <summary>
## Create DHCP state data.
@@ -711,8 +939,6 @@ interface(`sysnet_dns_name_resolve',`
@@ -711,8 +963,6 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
@ -42733,7 +42792,7 @@ index 2cea692..57c9025 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -720,8 +946,13 @@ interface(`sysnet_dns_name_resolve',`
@@ -720,8 +970,13 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_sendrecv_dns_port($1)
corenet_udp_sendrecv_dns_port($1)
corenet_tcp_connect_dns_port($1)
@ -42747,7 +42806,7 @@ index 2cea692..57c9025 100644
sysnet_read_config($1)
optional_policy(`
@@ -750,8 +981,6 @@ interface(`sysnet_use_ldap',`
@@ -750,8 +1005,6 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
@ -42756,7 +42815,7 @@ index 2cea692..57c9025 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
@@ -760,9 +989,14 @@ interface(`sysnet_use_ldap',`
@@ -760,9 +1013,14 @@ interface(`sysnet_use_ldap',`
# Support for LDAPS
dev_read_rand($1)
@ -42771,7 +42830,7 @@ index 2cea692..57c9025 100644
')
########################################
@@ -784,7 +1018,6 @@ interface(`sysnet_use_portmap',`
@@ -784,7 +1042,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@ -42779,7 +42838,7 @@ index 2cea692..57c9025 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -796,3 +1029,125 @@ interface(`sysnet_use_portmap',`
@@ -796,3 +1053,125 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')

268
policy-rawhide-contrib.patch
View File

@ -3799,7 +3799,7 @@ index 7caefc3..b25689b 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
index f6eb485..f1f976b 100644
index f6eb485..438bc20 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@ -4255,10 +4255,12 @@ index f6eb485..f1f976b 100644
- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
')
########################################
## <summary>
-## Do not audit attempts to read and
-## write httpd unix domain stream sockets.
+## Allow attempts to read and write Apache
+## unix domain stream sockets.
+## </summary>
@ -4274,12 +4276,10 @@ index f6eb485..f1f976b 100644
+ ')
+
+ allow $1 httpd_t:unix_stream_socket { getattr read write };
')
########################################
## <summary>
-## Do not audit attempts to read and
-## write httpd unix domain stream sockets.
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
+## unix domain stream sockets.
## </summary>
@ -4752,12 +4752,32 @@ index f6eb485..f1f976b 100644
')
-########################################
+######################################
+## <summary>
+## Allow the specified domain to read
+## apache system content rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_files',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
## <summary>
-## Create, read, write, and delete
-## httpd system rw content.
+## Allow the specified domain to read
+## apache system content rw files.
+## apache system content rw dirs.
## </summary>
## <param name="domain">
## <summary>
@ -4767,32 +4787,12 @@ index f6eb485..f1f976b 100644
+## <rolecap/>
#
-interface(`apache_manage_sys_rw_content',`
+interface(`apache_read_sys_content_rw_files',`
+interface(`apache_read_sys_content_rw_dirs',`
gen_require(`
type httpd_sys_rw_content_t;
')
- apache_search_sys_content($1)
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to read
+## apache system content rw dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_dirs',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
@ -5146,7 +5146,7 @@ index f6eb485..f1f976b 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
@@ -1224,9 +1500,160 @@ interface(`apache_admin',`
@@ -1224,9 +1500,182 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@ -5282,7 +5282,9 @@ index f6eb485..f1f976b 100644
+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
+ type httpd_user_content_ra_t;
+ ')
+
- apache_run_all_scripts($1, $2)
- apache_run_helper($1, $2)
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
@ -5305,11 +5307,31 @@ index f6eb485..f1f976b 100644
+ gen_require(`
+ type httpd_var_run_t;
+ ')
- apache_run_all_scripts($1, $2)
- apache_run_helper($1, $2)
+
+ files_search_pids($1)
+ read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## httpd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_dbus_chat',`
+ gen_require(`
+ type httpd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 httpd_t:dbus send_msg;
+ allow httpd_t $1:dbus send_msg;
+ ps_process_pattern(httpd_t, $1)
')
diff --git a/apache.te b/apache.te
index 6649962..1862dfb 100644
@ -7819,7 +7841,7 @@ index f3c0aba..f6e25ed 100644
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
index 080bc4d..5b4d973 100644
index 080bc4d..f46078f 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
@ -7849,7 +7871,12 @@ index 080bc4d..5b4d973 100644
logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t)
@@ -50,11 +57,11 @@ manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
kernel_read_system_state(apcupsd_t)
+kernel_read_network_state(apcupsd_t)
corecmd_exec_bin(apcupsd_t)
corecmd_exec_shell(apcupsd_t)
@ -7857,7 +7884,7 @@ index 080bc4d..5b4d973 100644
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,26 +73,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
@@ -67,26 +74,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
@ -7904,7 +7931,7 @@ index 080bc4d..5b4d973 100644
optional_policy(`
hostname_exec(apcupsd_t)
@@ -101,6 +122,11 @@ optional_policy(`
@@ -101,6 +123,11 @@ optional_policy(`
shutdown_domtrans(apcupsd_t)
')
@ -7916,7 +7943,7 @@ index 080bc4d..5b4d973 100644
########################################
#
# CGI local policy
@@ -108,20 +134,20 @@ optional_policy(`
@@ -108,20 +135,20 @@ optional_policy(`
optional_policy(`
apache_content_template(apcupsd_cgi)
@ -29909,10 +29936,10 @@ index 0000000..c4d2c2d
+')
diff --git a/fwupd.te b/fwupd.te
new file mode 100644
index 0000000..8937282
index 0000000..53ba6cd
--- /dev/null
+++ b/fwupd.te
@@ -0,0 +1,48 @@
@@ -0,0 +1,50 @@
+policy_module(fwupd, 1.0.0)
+
+########################################
@ -29956,6 +29983,8 @@ index 0000000..8937282
+dev_rw_sysfs(fwupd_t)
+dev_rw_generic_usb_dev(fwupd_t)
+
+fs_getattr_all_fs(fwupd_t)
+
+udev_read_pid_files(fwupd_t)
+
+optional_policy(`
@ -54538,7 +54567,7 @@ index b708708..f4c0e61 100644
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
index 06f8666..c2c13aa 100644
index 06f8666..4599ab5 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -1,27 +1,46 @@
@ -54581,7 +54610,8 @@ index 06f8666..c2c13aa 100644
+/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mysqld(-max|-debug)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
-/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
@ -54591,7 +54621,7 @@ index 06f8666..c2c13aa 100644
+#
+# /var
+#
+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql(-files)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
@ -62609,7 +62639,7 @@ index c87bd2a..4c17c99 100644
+ ')
')
diff --git a/oddjob.te b/oddjob.te
index e403097..033911e 100644
index e403097..45d387d 100644
--- a/oddjob.te
+++ b/oddjob.te
@@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
@ -62666,14 +62696,14 @@ index e403097..033911e 100644
locallogin_dontaudit_use_fds(oddjob_t)
@@ -65,28 +65,24 @@ optional_policy(`
dbus_connect_system_bus(oddjob_t)
@@ -66,27 +66,27 @@ optional_policy(`
')
-optional_policy(`
optional_policy(`
- unconfined_domtrans(oddjob_t)
-')
-
+ apache_dbus_chat(oddjob_t)
')
########################################
#
-# Mkhomedir local policy
@ -62699,7 +62729,7 @@ index e403097..033911e 100644
selinux_get_fs_mount(oddjob_mkhomedir_t)
selinux_validate_context(oddjob_mkhomedir_t)
selinux_compute_access_vector(oddjob_mkhomedir_t)
@@ -98,8 +94,11 @@ seutil_read_config(oddjob_mkhomedir_t)
@@ -98,8 +98,11 @@ seutil_read_config(oddjob_mkhomedir_t)
seutil_read_file_contexts(oddjob_mkhomedir_t)
seutil_read_default_contexts(oddjob_mkhomedir_t)
@ -65525,7 +65555,7 @@ index 9b15730..cb00f20 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
index 44dbc99..fce33b0 100644
index 44dbc99..ede6e1c 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
@ -65557,7 +65587,7 @@ index 44dbc99..fce33b0 100644
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
-allow openvswitch_t self:process { setrlimit setsched signal };
+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };
+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource };
+allow openvswitch_t self:capability2 block_suspend;
+allow openvswitch_t self:process { fork setsched setrlimit signal };
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
@ -65591,7 +65621,7 @@ index 44dbc99..fce33b0 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
@@ -65,33 +69,48 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
@@ -65,33 +69,49 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@ -65627,7 +65657,8 @@ index 44dbc99..fce33b0 100644
fs_getattr_all_fs(openvswitch_t)
fs_search_cgroup_dirs(openvswitch_t)
+fs_rw_hugetlbfs_files(openvswitch_t)
+fs_manage_hugetlbfs_files(openvswitch_t)
+fs_manage_hugetlbfs_dirs(openvswitch_t)
+
+auth_use_nsswitch(openvswitch_t)
@ -108851,7 +108882,7 @@ index a4f20bc..58f9c69 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
index facdee8..19b6ffb 100644
index facdee8..65b5a0d 100644
--- a/virt.if
+++ b/virt.if
@@ -1,318 +1,226 @@
@ -110497,7 +110528,7 @@ index facdee8..19b6ffb 100644
## </summary>
## <param name="domain">
## <summary>
@@ -935,117 +1266,133 @@ interface(`virt_read_log',`
@@ -935,117 +1266,134 @@ interface(`virt_read_log',`
## </summary>
## </param>
#
@ -110549,6 +110580,7 @@ index facdee8..19b6ffb 100644
+ logging_send_syslog_msg($1_t)
+
+ kernel_read_system_state($1_t)
+ kernel_read_all_proc($1_t)
')
########################################
@ -110683,7 +110715,7 @@ index facdee8..19b6ffb 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1053,15 +1400,17 @@ interface(`virt_rw_all_image_chr_files',`
@@ -1053,15 +1401,17 @@ interface(`virt_rw_all_image_chr_files',`
## </summary>
## </param>
#
@ -110706,7 +110738,7 @@ index facdee8..19b6ffb 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1069,21 +1418,17 @@ interface(`virt_manage_svirt_cache',`
@@ -1069,21 +1419,17 @@ interface(`virt_manage_svirt_cache',`
## </summary>
## </param>
#
@ -110732,7 +110764,7 @@ index facdee8..19b6ffb 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1091,36 +1436,36 @@ interface(`virt_manage_virt_cache',`
@@ -1091,36 +1437,36 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@ -110789,7 +110821,7 @@ index facdee8..19b6ffb 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1136,50 +1481,76 @@ interface(`virt_manage_images',`
@@ -1136,50 +1482,76 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@ -110899,7 +110931,7 @@ index facdee8..19b6ffb 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
index f03dcf5..7056171 100644
index f03dcf5..f347621 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,248 @@
@ -111221,7 +111253,7 @@ index f03dcf5..7056171 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
@@ -153,299 +251,135 @@ ifdef(`enable_mls',`
@@ -153,299 +251,137 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@ -111486,24 +111518,25 @@ index f03dcf5..7056171 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
+allow svirt_t self:process ptrace;
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
corenet_udp_bind_generic_node(svirt_t)
-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_tcp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_tcp_sendrecv_all_ports(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
corenet_udp_bind_generic_node(svirt_t)
-
-corenet_sendrecv_all_server_packets(svirt_t)
corenet_udp_bind_all_ports(svirt_t)
@ -111599,7 +111632,7 @@ index f03dcf5..7056171 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -455,42 +389,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
@@ -455,42 +391,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -111646,7 +111679,7 @@ index f03dcf5..7056171 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
@@ -503,23 +424,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
@@ -503,23 +426,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@ -111677,7 +111710,7 @@ index f03dcf5..7056171 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
@@ -527,24 +445,16 @@ corecmd_exec_shell(virtd_t)
@@ -527,24 +447,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@ -111705,7 +111738,7 @@ index f03dcf5..7056171 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
@@ -555,20 +465,26 @@ dev_rw_vhost(virtd_t)
@@ -555,20 +467,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@ -111736,7 +111769,7 @@ index f03dcf5..7056171 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
@@ -601,15 +517,18 @@ term_use_ptmx(virtd_t)
@@ -601,15 +519,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@ -111756,7 +111789,7 @@ index f03dcf5..7056171 100644
selinux_validate_context(virtd_t)
@@ -620,18 +539,26 @@ seutil_read_file_contexts(virtd_t)
@@ -620,18 +541,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@ -111793,7 +111826,7 @@ index f03dcf5..7056171 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
@@ -640,7 +567,7 @@ tunable_policy(`virt_use_nfs',`
@@ -640,7 +569,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@ -111802,7 +111835,7 @@ index f03dcf5..7056171 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
@@ -665,20 +592,12 @@ optional_policy(`
@@ -665,20 +594,12 @@ optional_policy(`
')
optional_policy(`
@ -111823,7 +111856,7 @@ index f03dcf5..7056171 100644
')
optional_policy(`
@@ -691,20 +610,26 @@ optional_policy(`
@@ -691,20 +612,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@ -111834,11 +111867,12 @@ index f03dcf5..7056171 100644
')
optional_policy(`
- iptables_domtrans(virtd_t)
+ firewalld_dbus_chat(virtd_t)
+')
+
+optional_policy(`
iptables_domtrans(virtd_t)
+ iptables_domtrans(virtd_t)
iptables_initrc_domtrans(virtd_t)
+ iptables_systemctl(virtd_t)
+
@ -111854,7 +111888,7 @@ index f03dcf5..7056171 100644
')
optional_policy(`
@@ -712,11 +637,18 @@ optional_policy(`
@@ -712,11 +639,18 @@ optional_policy(`
')
optional_policy(`
@ -111873,7 +111907,7 @@ index f03dcf5..7056171 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
@@ -727,10 +659,18 @@ optional_policy(`
@@ -727,10 +661,18 @@ optional_policy(`
')
optional_policy(`
@ -111892,7 +111926,7 @@ index f03dcf5..7056171 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -746,44 +686,278 @@ optional_policy(`
@@ -746,44 +688,278 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@ -111930,13 +111964,7 @@ index f03dcf5..7056171 100644
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+kernel_read_net_sysctls(virt_domain)
+kernel_read_network_state(virt_domain)
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
@ -111946,15 +111974,17 @@ index f03dcf5..7056171 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@ -111987,14 +112017,18 @@ index f03dcf5..7056171 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-allow virsh_t svirt_lxc_domain:process transition;
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+dontaudit virt_domain virt_tmpfs_type:file { read write };
-can_exec(virsh_t, virsh_exec_t)
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
-allow virsh_t svirt_lxc_domain:process transition;
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
-can_exec(virsh_t, virsh_exec_t)
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@ -112074,7 +112108,7 @@ index f03dcf5..7056171 100644
+ sssd_dontaudit_read_lib(virt_domain)
+ sssd_dontaudit_read_public_files(virt_domain)
+')
+
+optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
@ -112139,7 +112173,7 @@ index f03dcf5..7056171 100644
+ xserver_stream_connect(virt_domain)
+ ')
+')
+
+########################################
+#
+# xm local policy
@ -112193,7 +112227,7 @@ index f03dcf5..7056171 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
@@ -794,25 +968,18 @@ kernel_write_xen_state(virsh_t)
@@ -794,25 +970,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@ -112220,7 +112254,7 @@ index f03dcf5..7056171 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
@@ -821,23 +988,25 @@ fs_search_auto_mountpoints(virsh_t)
@@ -821,23 +990,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@ -112254,7 +112288,7 @@ index f03dcf5..7056171 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
@@ -856,14 +1025,20 @@ optional_policy(`
@@ -856,14 +1027,20 @@ optional_policy(`
')
optional_policy(`
@ -112276,7 +112310,7 @@ index f03dcf5..7056171 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
@@ -888,49 +1063,65 @@ optional_policy(`
@@ -888,49 +1065,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@ -112360,7 +112394,7 @@ index f03dcf5..7056171 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
@@ -942,17 +1133,16 @@ dev_read_urand(virtd_lxc_t)
@@ -942,17 +1135,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@ -112380,7 +112414,7 @@ index f03dcf5..7056171 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -964,8 +1154,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
@@ -964,8 +1156,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -112404,7 +112438,7 @@ index f03dcf5..7056171 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1179,343 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -974,194 +1181,343 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -112889,7 +112923,7 @@ index f03dcf5..7056171 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1528,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1530,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -112904,7 +112938,7 @@ index f03dcf5..7056171 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,7 +1546,7 @@ optional_policy(`
@@ -1192,7 +1548,7 @@ optional_policy(`
########################################
#
@ -112913,7 +112947,7 @@ index f03dcf5..7056171 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
@@ -1201,11 +1555,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1201,11 +1557,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;

12
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 168%{?dist}
Release: 169%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -664,6 +664,16 @@ exit 0
%endif
%changelog
* Wed Feb 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-169
- Allow openvswitch domain capability sys_rawio.
- Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)"
- Allow openvswitch to manage hugetlfs files and dirs.
- Allow NetworkManager create dhcpc pid files. BZ(1229755)
- Allow apcupsd to read kernel network state. BZ(1282003)
- Label /sys/kernel/debug/tracing filesystem
- Add fs_manage_hugetlbfs_files() interface.
- Add sysnet_filetrans_dhcpc_pid() interface.
* Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
- Label virtlogd binary as virtd_exec_t. BZ(1291940)
- Allow iptables to read nsfs files. BZ(1296826)