From f2424e7390b96a45a46065bcec5d1ca8873d31f0 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec ?Iq0icrQ^#2)8V~olip<{%WRX_m4%t4ZlzR5;4|3{F`O^e
zN9p&!ssH>};*G=&{-|lZ;4xbWC>5L0Pd~Q}4
zp9%>n$<3k4REDoueK(*j6jRS5yfyLeqA?+7^Ho#I%ttm=p=K6Sp6rUT^U3x0e~N@+
z&ab+R@&dtidDi(d)@K)K@5ZSLg)p0}){w7$7SJWPWW0Y*G-J_VW2Rc5QvUXsSMl~5
zpCib=vgtgnz7C5`O)t9C(Br@{O7XV#8iokXDHH^d)P*`J4|{?PIpJDm-#Kuf_y+=F
zw9~Z6xWX4pgT}_`UY6bey%z7(tVW&YKdfiHO=i`lPI0
+## Allow confined virtual guests to use smartcards +##
+##+## Allow sandbox containers to send audit messages -+ + +-attribute_role virt_domain_roles; +-roleattribute system_r virt_domain_roles; +##
+##+## Allow sandbox containers to use netlink system calls +##
+##+## Allow sandbox containers to use sys_admin system calls, for example mount
@@ -117455,27 +117465,21 @@ index f03dcf567..844aa6e9e 100644
+##
+##+## Allow sandbox containers to use all capabilities +##
+##+## Allow qemu-ga to read qemu-ga date. +##
+##
+## Allow qemu-ga to manage qemu-ga date.
@@ -117490,10 +117494,10 @@ index f03dcf567..844aa6e9e 100644
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
++
++type qemu_exec_t, virt_file_type;
-type virt_cache_t alias svirt_cache_t;
-+type qemu_exec_t, virt_file_type;
-+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
@@ -117862,10 +117866,10 @@ index f03dcf567..844aa6e9e 100644
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
--
--filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+allow svirt_t self:process ptrace;
+-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
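Review bot: `allow svirt_t self:process ptrace;` carries no comment explaining why a confined guest domain needs to ptrace its own processes, while the netlink_route_socket rule two lines below is justified with `# it was a part of auth_use_nsswitch`; the same applies to `allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };` in the -118041 hunk. The leading-space column of this patch-of-a-patch is lost in the listing, so I cannot tell whether these rules are introduced here or only carried as context while the `-filetrans_pattern` removal is moved below them. Either way a one-line rationale such as `# ptrace on self needed for: <reason or bug reference placeholder>` would let a later audit decide whether the rule is still required. The svirt_t rule block continues outside this hunk.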
@@ -118041,20 +118045,20 @@ index f03dcf567..844aa6e9e 100644
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
--can_exec(virtd_t, virt_tmp_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
+allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
+-can_exec(virtd_t, virt_tmp_t)
+-
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -118214,7 +118218,7 @@ index f03dcf567..844aa6e9e 100644
')
optional_policy(`
-@@ -691,99 +653,441 @@ optional_policy(`
+@@ -691,99 +653,445 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -118540,6 +118544,10 @@ index f03dcf567..844aa6e9e 100644
+')
+
+optional_policy(`
++ unconfined_dontaudit_read_state(virt_domain)
++')
++
++optional_policy(`
+ xserver_rw_shm(virt_domain)
+')
+
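Review bot: The new `unconfined_dontaudit_read_state(virt_domain)` block silences an AVC denial rather than granting access, and nothing in the hunk records which denial it quiets; an unexplained dontaudit is hard to retire later and removes the log trace of a guest domain reading unconfined process state. A comment above the call, e.g. `# dontaudit: guest domains read unconfined process state, harmless noise (<bug id placeholder>)`, would fix that. The inner hunk header in the -118214 hunk grows from 441 to 445 lines, which matches the four lines added here. The enclosing virt_domain optional_policy block starts and ends outside this hunk.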
@@ -118707,7 +118715,7 @@ index f03dcf567..844aa6e9e 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1098,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1102,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -118734,7 +118742,7 @@ index f03dcf567..844aa6e9e 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1118,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1122,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -118768,7 +118776,7 @@ index f03dcf567..844aa6e9e 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1155,20 @@ optional_policy(`
+@@ -856,14 +1159,20 @@ optional_policy(`
')
optional_policy(`
@@ -118790,7 +118798,7 @@ index f03dcf567..844aa6e9e 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1193,66 @@ optional_policy(`
+@@ -888,49 +1197,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -118875,7 +118883,7 @@ index f03dcf567..844aa6e9e 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1264,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1268,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -118895,7 +118903,7 @@ index f03dcf567..844aa6e9e 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,15 +1285,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,15 +1289,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -118914,7 +118922,7 @@ index f03dcf567..844aa6e9e 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -982,186 +1299,307 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -982,186 +1303,307 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -119351,7 +119359,7 @@ index f03dcf567..844aa6e9e 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1612,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1616,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -119366,7 +119374,7 @@ index f03dcf567..844aa6e9e 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1630,7 @@ optional_policy(`
+@@ -1192,7 +1634,7 @@ optional_policy(`
########################################
#
@@ -119375,7 +119383,7 @@ index f03dcf567..844aa6e9e 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1639,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1643,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0c792e1e..0090d850 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 293%{?dist}
+Release: 294%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -678,6 +678,15 @@ exit 0
%endif
%changelog
+* Mon Oct 09 2017 Lukas Vrabec