* Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-258

- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files. - Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide - Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use - Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t. - Allow httpd_t to read realmd_var_lib_t files - Allow unconfined_t user all user namespace capabilties. - Add interface systemd_tmpfiles_exec() - Add interface libs_dontaudit_setattr_lib_files() - Dontaudit xdm_t domain to setattr on lib_t dirs - Allow sysadm_r role to jump into dirsrv_t
2017-06-19 10:01:33 +02:00 · 2017-06-19 10:01:33 +02:00 · fa95f253bf
parent 7ac1cbb003
commit fa95f253bf
4 changed files with 250 additions and 157 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -24358,10 +24358,10 @@ index ff92430..36740ea 100644
 ## <summary>
 ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..020ae3f 100644
+index 2522ca6..e5d8ff8 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,101 @@ policy_module(sysadm, 2.6.1)
+@@ -5,39 +5,102 @@ policy_module(sysadm, 2.6.1)
 # Declarations
 #
@ -24464,6 +24464,7 @@ index 2522ca6..020ae3f 100644
 +    dirsrv_manage_var_lib(sysadm_t)
 +    dirsrv_manage_var_run(sysadm_t)
 +    dirsrv_manage_config(sysadm_t)
 +    dirsrv_run(sysadm_t, sysadm_r)
 +')
 +
 +optional_policy(`
@ -24473,7 +24474,7 @@ index 2522ca6..020ae3f 100644
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
-@@ -55,13 +117,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +118,7 @@ ifdef(`distro_gentoo',`
 	init_exec_rc(sysadm_t)
 ')
@ -24488,7 +24489,7 @@ index 2522ca6..020ae3f 100644
 	domain_ptrace_all_domains(sysadm_t)
 ')
-@@ -71,9 +127,9 @@ optional_policy(`
+@@ -71,9 +128,9 @@ optional_policy(`
 optional_policy(`
 	apache_run_helper(sysadm_t, sysadm_r)
@ -24499,7 +24500,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -87,6 +143,7 @@ optional_policy(`
+@@ -87,6 +144,7 @@ optional_policy(`
 optional_policy(`
 	asterisk_stream_connect(sysadm_t)
@ -24507,7 +24508,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -110,11 +167,17 @@ optional_policy(`
+@@ -110,11 +168,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -24525,7 +24526,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -122,11 +185,27 @@ optional_policy(`
+@@ -122,11 +186,27 @@ optional_policy(`
 ')
 optional_policy(`
@ -24555,7 +24556,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -140,6 +219,10 @@ optional_policy(`
+@@ -140,6 +220,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -24566,7 +24567,7 @@ index 2522ca6..020ae3f 100644
 	dmesg_exec(sysadm_t)
 ')
-@@ -156,6 +239,10 @@ optional_policy(`
+@@ -156,6 +240,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -24577,7 +24578,7 @@ index 2522ca6..020ae3f 100644
 	fstools_run(sysadm_t, sysadm_r)
 ')
-@@ -164,6 +251,11 @@ optional_policy(`
+@@ -164,6 +252,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -24589,7 +24590,7 @@ index 2522ca6..020ae3f 100644
 	hadoop_role(sysadm_r, sysadm_t)
 ')
-@@ -172,13 +264,31 @@ optional_policy(`
+@@ -172,13 +265,31 @@ optional_policy(`
 	# at things (e.g., ipsec auto --status)
 	# probably should create an ipsec_admin role for this kind of thing
 	ipsec_exec_mgmt(sysadm_t)
@ -24621,7 +24622,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -190,11 +300,12 @@ optional_policy(`
+@@ -190,11 +301,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -24636,7 +24637,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -210,22 +321,21 @@ optional_policy(`
+@@ -210,22 +322,21 @@ optional_policy(`
 	modutils_run_depmod(sysadm_t, sysadm_r)
 	modutils_run_insmod(sysadm_t, sysadm_r)
 	modutils_run_update_mods(sysadm_t, sysadm_r)
@ -24666,7 +24667,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -237,14 +347,32 @@ optional_policy(`
+@@ -237,14 +348,32 @@ optional_policy(`
 ')
 optional_policy(`
@ -24699,7 +24700,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -252,10 +380,20 @@ optional_policy(`
+@@ -252,10 +381,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -24720,7 +24721,7 @@ index 2522ca6..020ae3f 100644
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_fetch(sysadm_t, sysadm_r)
 	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +404,46 @@ optional_policy(`
+@@ -266,35 +405,46 @@ optional_policy(`
 ')
 optional_policy(`
@ -24774,7 +24775,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -308,6 +457,7 @@ optional_policy(`
+@@ -308,6 +458,7 @@ optional_policy(`
 optional_policy(`
 	screen_role_template(sysadm, sysadm_r, sysadm_t)
@ -24782,7 +24783,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -315,12 +465,20 @@ optional_policy(`
+@@ -315,12 +466,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -24804,7 +24805,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -345,30 +503,38 @@ optional_policy(`
+@@ -345,30 +504,38 @@ optional_policy(`
 ')
 optional_policy(`
@ -24852,7 +24853,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -380,10 +546,6 @@ optional_policy(`
+@@ -380,10 +547,6 @@ optional_policy(`
 ')
 optional_policy(`
@ -24863,7 +24864,7 @@ index 2522ca6..020ae3f 100644
 	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
 	usermanage_run_groupadd(sysadm_t, sysadm_r)
 	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +553,9 @@ optional_policy(`
+@@ -391,6 +554,9 @@ optional_policy(`
 optional_policy(`
 	virt_stream_connect(sysadm_t)
@ -24873,7 +24874,7 @@ index 2522ca6..020ae3f 100644
 ')
 optional_policy(`
-@@ -398,31 +563,34 @@ optional_policy(`
+@@ -398,31 +564,34 @@ optional_policy(`
 ')
 optional_policy(`
@ -24914,7 +24915,7 @@ index 2522ca6..020ae3f 100644
 		auth_role(sysadm_r, sysadm_t)
 	')
-@@ -435,10 +603,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +604,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -24925,7 +24926,7 @@ index 2522ca6..020ae3f 100644
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 		optional_policy(`
-@@ -459,15 +623,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +624,79 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -25820,10 +25821,10 @@ index 0000000..f730286
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..89f4076
+index 0000000..883d9ea
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,360 @@
+@@ -0,0 +1,362 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -25888,6 +25889,8 @@ index 0000000..89f4076
 +
 +allow unconfined_t file_type:system module_load;
 +
 +allow unconfined_t self:cap_userns all_cap_userns_perms;
 +
 +kernel_rw_unlabeled_socket(unconfined_t)
 +kernel_rw_unlabeled_rawip_socket(unconfined_t)
 +
@ -30392,7 +30395,7 @@ index 6bf0ecc..e6be63a 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..4758042 100644
+index 8b40377..950a3dd 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -30993,7 +30996,7 @@ index 8b40377..4758042 100644
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +650,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +650,47 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -31025,6 +31028,7 @@ index 8b40377..4758042 100644
 libs_exec_lib_files(xdm_t)
 +libs_exec_ldconfig(xdm_t)
 +libs_dontaudit_setattr_lib_files(xdm_t)
 logging_read_generic_logs(xdm_t)
@ -31044,7 +31048,7 @@ index 8b40377..4758042 100644
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +698,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +699,163 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -31214,7 +31218,7 @@ index 8b40377..4758042 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -502,12 +867,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +868,31 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
@ -31246,7 +31250,7 @@ index 8b40377..4758042 100644
 ')
 optional_policy(`
-@@ -518,8 +902,36 @@ optional_policy(`
+@@ -518,8 +903,36 @@ optional_policy(`
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
@ -31284,7 +31288,7 @@ index 8b40377..4758042 100644
 	')
 ')
-@@ -530,6 +942,20 @@ optional_policy(`
+@@ -530,6 +943,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -31305,7 +31309,7 @@ index 8b40377..4758042 100644
 	hostname_exec(xdm_t)
 ')
-@@ -547,28 +973,78 @@ optional_policy(`
+@@ -547,28 +974,78 @@ optional_policy(`
 ')
 optional_policy(`
@ -31393,7 +31397,7 @@ index 8b40377..4758042 100644
 ')
 optional_policy(`
-@@ -580,6 +1056,14 @@ optional_policy(`
+@@ -580,6 +1057,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -31408,7 +31412,7 @@ index 8b40377..4758042 100644
 	xfs_stream_connect(xdm_t)
 ')
-@@ -594,7 +1078,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1079,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -31417,7 +31421,7 @@ index 8b40377..4758042 100644
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1088,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1089,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -31430,7 +31434,7 @@ index 8b40377..4758042 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1105,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1106,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -31446,7 +31450,7 @@ index 8b40377..4758042 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1121,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1122,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -31457,7 +31461,7 @@ index 8b40377..4758042 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1136,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1137,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -31499,7 +31503,7 @@ index 8b40377..4758042 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1187,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1188,28 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -31531,7 +31535,7 @@ index 8b40377..4758042 100644
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -705,6 +1220,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1221,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -31546,7 +31550,7 @@ index 8b40377..4758042 100644
 mls_xwin_read_to_clearance(xserver_t)
 selinux_validate_context(xserver_t)
-@@ -718,20 +1241,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1242,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
@ -31570,7 +31574,7 @@ index 8b40377..4758042 100644
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1260,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1261,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
@ -31579,7 +31583,7 @@ index 8b40377..4758042 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1304,54 @@ optional_policy(`
+@@ -785,17 +1305,54 @@ optional_policy(`
 ')
 optional_policy(`
@ -31636,7 +31640,7 @@ index 8b40377..4758042 100644
 ')
 optional_policy(`
-@@ -803,6 +1359,10 @@ optional_policy(`
+@@ -803,6 +1360,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -31647,7 +31651,7 @@ index 8b40377..4758042 100644
 	xfs_stream_connect(xserver_t)
 ')
-@@ -818,18 +1378,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1379,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -31672,7 +31676,7 @@ index 8b40377..4758042 100644
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
-@@ -842,26 +1401,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1402,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -31707,7 +31711,7 @@ index 8b40377..4758042 100644
 ')
 optional_policy(`
-@@ -912,7 +1466,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1467,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -31716,7 +31720,7 @@ index 8b40377..4758042 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1520,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1521,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -31748,7 +31752,7 @@ index 8b40377..4758042 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1566,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1567,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
@ -38980,7 +38984,7 @@ index 73bb3c0..a70bee5 100644
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..57a68da 100644
+index 808ba93..baca326 100644
 --- a/policy/modules/system/libraries.if
 +++ b/policy/modules/system/libraries.if
@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
@ -39017,65 +39021,113 @@ index 808ba93..57a68da 100644
 	manage_files_pattern($1, lib_t, ld_so_t)
 ')
-@@ -205,8 +225,26 @@ interface(`libs_search_lib',`
+@@ -205,68 +225,87 @@ interface(`libs_search_lib',`
 		type lib_t;
 	')
 +	read_lnk_files_pattern($1, lib_t, lib_t)
 	allow $1 lib_t:dir search_dir_perms;
 ')
-+########################################
+-
 +## <summary>
 +##	dontaudit attempts to setattr on library files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`libs_dontaudit_setattr_lib_files',`
 +	gen_require(`
 +		type lib_t;
 +	')
 +
 +	dontaudit $1 lib_t:file setattr;
 +')
 ########################################
 ## <summary>
-@@ -248,29 +286,12 @@ interface(`libs_manage_lib_dirs',`
+-##	Do not audit attempts to write to library directories.
 +##	dontaudit attempts to setattr on library files
 ## </summary>
 -## <desc>
 -##	<p>
 -##	Do not audit attempts to write to library directories.
 -##	Typically this is used to quiet attempts to recompile
 -##	python byte code.
 -##	</p>
 -## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 -interface(`libs_dontaudit_write_lib_dirs',`
 +interface(`libs_dontaudit_setattr_lib_files',`
 	gen_require(`
 		type lib_t;
 	')
-+	read_lnk_files_pattern($1, lib_t, lib_t)
+-	dontaudit $1 lib_t:dir write;
- 	allow $1 lib_t:dir manage_dir_perms;
+	dontaudit $1 lib_t:file setattr;
 ')
 ########################################
 ## <summary>
 -##	Create, read, write, and delete library directories.
 +##	dontaudit attempts to setattr on library dirs
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 -##	Domain allowed access.
 +##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 -interface(`libs_manage_lib_dirs',`
 +interface(`libs_dontaudit_setattr_lib_dirs',`
 	gen_require(`
 		type lib_t;
 	')
 -	allow $1 lib_t:dir manage_dir_perms;
 +	dontaudit $1 lib_t:dir setattr;
 ')
 ########################################
 ## <summary>
 -##	dontaudit attempts to setattr on library files
-## </summary>
+##	Do not audit attempts to write to library directories.
 -## <param name="domain">
 -##	<summary>
 -##	Domain to not audit.
 -##	</summary>
 -## </param>
 -#
 -interface(`libs_dontaudit_setattr_lib_files',`
 -	gen_require(`
 -		type lib_t;
 -	')
 -
 -	dontaudit $1 lib_t:file setattr;
 -')
 -
 -########################################
 -## <summary>
 ##	Read files in the library directories, such
 ##	as static libraries.
 ## </summary>
-@@ -345,6 +366,7 @@ interface(`libs_manage_lib_files',`
+## <desc>
 +##	<p>
 +##	Do not audit attempts to write to library directories.
 +##	Typically this is used to quiet attempts to recompile
 +##	python byte code.
 +##	</p>
 +## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 -interface(`libs_dontaudit_setattr_lib_files',`
 +interface(`libs_dontaudit_write_lib_dirs',`
 	gen_require(`
 		type lib_t;
 	')
 -	dontaudit $1 lib_t:file setattr;
 +	dontaudit $1 lib_t:dir write;
 +')
 +
 +########################################
 +## <summary>
 +##	Create, read, write, and delete library directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`libs_manage_lib_dirs',`
 +	gen_require(`
 +		type lib_t;
 +	')
 +
 +	read_lnk_files_pattern($1, lib_t, lib_t)
 +	allow $1 lib_t:dir manage_dir_perms;
 ')
 ########################################
@@ -345,6 +384,7 @@ interface(`libs_manage_lib_files',`
 		type lib_t;
 	')
@ -39083,7 +39135,7 @@ index 808ba93..57a68da 100644
 	manage_files_pattern($1, lib_t, lib_t)
 ')
-@@ -421,7 +443,8 @@ interface(`libs_manage_shared_libs',`
+@@ -421,7 +461,8 @@ interface(`libs_manage_shared_libs',`
 		type lib_t, textrel_shlib_t;
 	')
@ -39093,7 +39145,7 @@ index 808ba93..57a68da 100644
 ')
 ########################################
-@@ -440,9 +463,10 @@ interface(`libs_use_shared_libs',`
+@@ -440,9 +481,10 @@ interface(`libs_use_shared_libs',`
 	')
 	files_search_usr($1)
@ -39107,7 +39159,7 @@ index 808ba93..57a68da 100644
 	allow $1 textrel_shlib_t:file execmod;
 ')
-@@ -483,7 +507,7 @@ interface(`libs_relabel_shared_libs',`
+@@ -483,7 +525,7 @@ interface(`libs_relabel_shared_libs',`
 		type lib_t, textrel_shlib_t;
 	')
@ -39116,7 +39168,7 @@ index 808ba93..57a68da 100644
 ')
 ########################################
-@@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',`
+@@ -534,3 +576,28 @@ interface(`lib_filetrans_shared_lib',`
 interface(`files_lib_filetrans_shared_lib',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
@ -46101,10 +46153,10 @@ index 0000000..121b422
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..3303edd
+index 0000000..d1356af
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1823 @@
+@@ -0,0 +1,1842 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -46615,6 +46667,25 @@ index 0000000..3303edd
 +
 +#######################################
 +## <summary>
 +##  Allow a domain to execute systemd-sysctl in the caller domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##  Domain allowed access.
 +## </summary>
 +## </param>
 +#
 +interface(`systemd_tmpfiles_exec',`
 +    gen_require(`
 +        type systemd_tmpfiles_exec_t;
 +    ')
 +
 +    can_exec($1,systemd_tmpfiles_exec_t)
 +
 +')
 +
 +#######################################
 +## <summary>
 +##  Execute a domain transition to run systemd-tmpfiles.
 +## </summary>
 +## <param name="domain">
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -5537,7 +5537,7 @@ index f6eb485..fe461a3 100644
 +		ps_process_pattern(httpd_t, $1)
 ')
 diff --git a/apache.te b/apache.te
-index 6649962..24e7705 100644
+index 6649962..516985d 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -6908,7 +6908,7 @@ index 6649962..24e7705 100644
 ')
 optional_policy(`
-@@ -842,20 +1072,44 @@ optional_policy(`
+@@ -842,20 +1072,48 @@ optional_policy(`
 ')
 optional_policy(`
@ -6943,23 +6943,27 @@ index 6649962..24e7705 100644
 +	pki_manage_apache_log_files(httpd_t)
 +	pki_manage_apache_run(httpd_t)
 +	pki_read_tomcat_cert(httpd_t)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	puppet_read_lib_files(httpd_t)
 +	puppet_read_lib(httpd_t)
 +')
 +
 +optional_policy(`
 +	pwauth_domtrans(httpd_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
-	puppet_read_lib_files(httpd_t)
+    realmd_read_var_lib(httpd_t)
 +')
 +
 +optional_policy(`
 +	rpm_dontaudit_read_db(httpd_t)
 ')
 optional_policy(`
-@@ -863,16 +1117,31 @@ optional_policy(`
+@@ -863,16 +1121,31 @@ optional_policy(`
 ')
 optional_policy(`
@ -6979,21 +6983,21 @@ index 6649962..24e7705 100644
 optional_policy(`
 	smokeping_read_lib_files(httpd_t)
 +    smokeping_read_pid_files(httpd_t)
 +')
 +
 +optional_policy(`
 +	files_dontaudit_rw_usr_dirs(httpd_t)
 +    snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
 ')
 optional_policy(`
 -	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 -	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 +	files_dontaudit_rw_usr_dirs(httpd_t)
 +    snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
 +')
 +
 +optional_policy(`
 +    thin_stream_connect(httpd_t)
 ')
 optional_policy(`
-@@ -883,65 +1152,189 @@ optional_policy(`
+@@ -883,65 +1156,189 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
@ -7205,7 +7209,7 @@ index 6649962..24e7705 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
-@@ -950,123 +1343,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1347,75 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
@ -7359,7 +7363,7 @@ index 6649962..24e7705 100644
 	mysql_read_config(httpd_suexec_t)
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1428,107 @@ optional_policy(`
+@@ -1083,172 +1432,107 @@ optional_policy(`
 	')
 ')
@ -7381,14 +7385,14 @@ index 6649962..24e7705 100644
 -allow httpd_script_domains self:unix_stream_socket connectto;
 -
 -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-+allow httpd_sys_script_t self:process getsched;
+-
 -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
 -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
 -
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
+allow httpd_sys_script_t self:process getsched;
 -corenet_all_recvfrom_unlabeled(httpd_script_domains)
 -corenet_all_recvfrom_netlabel(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_if(httpd_script_domains)
@ -7532,8 +7536,7 @@ index 6649962..24e7705 100644
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 -
 -dontaudit httpd_sys_script_t httpd_config_t:dir search;
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+-
 -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 -
 -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@ -7541,7 +7544,8 @@ index 6649962..24e7705 100644
 -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
 -
 -kernel_read_kernel_sysctls(httpd_sys_script_t)
-
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
 -fs_search_auto_mountpoints(httpd_sys_script_t)
 -
 -files_read_var_symlinks(httpd_sys_script_t)
@ -7597,7 +7601,7 @@ index 6649962..24e7705 100644
 ')
 tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1536,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1540,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 tunable_policy(`httpd_use_cifs',`
@ -7694,7 +7698,7 @@ index 6649962..24e7705 100644
 ########################################
 #
-@@ -1321,8 +1611,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1615,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 optional_policy(`
@ -7711,7 +7715,7 @@ index 6649962..24e7705 100644
 ')
 ########################################
-@@ -1330,49 +1627,41 @@ optional_policy(`
+@@ -1330,49 +1631,41 @@ optional_policy(`
 # User content local policy
 #
@ -7778,7 +7782,7 @@ index 6649962..24e7705 100644
 kernel_read_system_state(httpd_passwd_t)
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1671,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1675,109 @@ dev_read_urand(httpd_passwd_t)
 domain_use_interactive_fds(httpd_passwd_t)
@ -22324,7 +22328,7 @@ index dda905b..5587295 100644
 /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index 62d22cb..1287d08 100644
+index 62d22cb..01f6380 100644
 --- a/dbus.if
 +++ b/dbus.if
@@ -1,4 +1,4 @@
@ -23169,8 +23173,7 @@ index 62d22cb..1287d08 100644
 -interface(`dbus_use_system_bus_fds',`
 +interface(`dbus_dontaudit_stream_connect_system_dbusd',`
 	gen_require(`
-		type system_dbusd_t;
+ 		type system_dbusd_t;
 +		attribute system_dbusd_t;
 	')
 -	allow $1 system_dbusd_t:fd use;
@ -92762,7 +92765,7 @@ index 3b5e9ee..ff1163f 100644
 +	admin_pattern($1, rpcbind_var_run_t)
 ')
 diff --git a/rpcbind.te b/rpcbind.te
-index 54de77c..4ce4fb9 100644
+index 54de77c..8891c9d 100644
 --- a/rpcbind.te
 +++ b/rpcbind.te
@@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t)
@ -92808,7 +92811,7 @@ index 54de77c..4ce4fb9 100644
 corenet_all_recvfrom_netlabel(rpcbind_t)
 corenet_tcp_sendrecv_generic_if(rpcbind_t)
 corenet_udp_sendrecv_generic_if(rpcbind_t)
-@@ -68,7 +77,11 @@ auth_use_nsswitch(rpcbind_t)
+@@ -68,7 +77,15 @@ auth_use_nsswitch(rpcbind_t)
 logging_send_syslog_msg(rpcbind_t)
@ -92817,6 +92820,10 @@ index 54de77c..4ce4fb9 100644
 +
 +optional_policy(`
 +	nis_use_ypbind(rpcbind_t)
 +')
 +
 +optional_policy(`
 +    systemd_tmpfiles_exec(rpcbind_t)
 +')
 ifdef(`distro_debian',`
@ -115949,7 +115956,7 @@ index facdee8..b5a815a 100644
 +	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..ac277da 100644
+index f03dcf5..49d4083 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,451 +1,422 @@
@ -116986,7 +116993,7 @@ index f03dcf5..ac277da 100644
 	kernel_read_xen_state(virtd_t)
 	kernel_write_xen_state(virtd_t)
-@@ -746,44 +727,353 @@ optional_policy(`
+@@ -746,44 +727,356 @@ optional_policy(`
 	udev_read_pid_files(virtd_t)
 ')
@ -117051,7 +117058,7 @@ index f03dcf5..ac277da 100644
 +allow virtlogd_t virtlogd_exec_t:file execute_no_trans;
 +
 +dev_read_sysfs(virtlogd_t)
-+
+ 
 +logging_send_syslog_msg(virtlogd_t)
 +
 +auth_use_nsswitch(virtlogd_t)
@ -117187,7 +117194,7 @@ index f03dcf5..ac277da 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
- 
+
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +miscfiles_read_generic_certs(virt_domain)
@ -117228,7 +117235,10 @@ index f03dcf5..ac277da 100644
 +optional_policy(`
 +	sssd_dontaudit_stream_connect(virt_domain)
 +	sssd_dontaudit_read_lib(virt_domain)
-+	sssd_dontaudit_read_public_files(virt_domain)
+')
 +
 +optional_policy(`
 +	sssd_read_public_files(virt_domain)
 +')
 +
 +optional_policy(`
@ -117362,7 +117372,7 @@ index f03dcf5..ac277da 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1084,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1087,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -117389,7 +117399,7 @@ index f03dcf5..ac277da 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1104,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1107,25 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -117406,10 +117416,10 @@ index f03dcf5..ac277da 100644
 -logging_send_syslog_msg(virsh_t)
 +systemd_exec_systemctl(virsh_t)
 +
 +auth_read_passwd(virsh_t)
 -miscfiles_read_localization(virsh_t)
 +auth_read_passwd(virsh_t)
 +
 +logging_send_syslog_msg(virsh_t)
 sysnet_dns_name_resolve(virsh_t)
@ -117423,7 +117433,7 @@ index f03dcf5..ac277da 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1141,20 @@ optional_policy(`
+@@ -856,14 +1144,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -117445,7 +117455,7 @@ index f03dcf5..ac277da 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -888,49 +1179,66 @@ optional_policy(`
+@@ -888,49 +1182,66 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -117530,7 +117540,7 @@ index f03dcf5..ac277da 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1250,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1253,16 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -117550,7 +117560,7 @@ index f03dcf5..ac277da 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1271,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1274,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -117574,7 +117584,7 @@ index f03dcf5..ac277da 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1296,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1299,296 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -117748,10 +117758,6 @@ index f03dcf5..ac277da 100644
 +optional_policy(`
 +	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
 +	ssh_use_ptys(svirt_sandbox_domain)
 +')
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@ -117836,11 +117842,15 @@ index f03dcf5..ac277da 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
-+	udev_read_pid_files(svirt_sandbox_domain)
+	ssh_use_ptys(svirt_sandbox_domain)
 +')
 optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
 +	udev_read_pid_files(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
 +')
 +
@ -117990,10 +118000,10 @@ index f03dcf5..ac277da 100644
 +fs_manage_cgroup_files(svirt_qemu_net_t)
 +
 +term_pty(container_file_t)
 +
 +auth_use_nsswitch(svirt_qemu_net_t)
 -allow svirt_prot_exec_t self:process { execmem execstack };
 +auth_use_nsswitch(svirt_qemu_net_t)
 +
 +rpm_read_db(svirt_qemu_net_t)
 +
 +logging_send_syslog_msg(svirt_qemu_net_t)
@ -118018,7 +118028,7 @@ index f03dcf5..ac277da 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1601,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -118033,7 +118043,7 @@ index f03dcf5..ac277da 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,7 +1616,7 @@ optional_policy(`
+@@ -1192,7 +1619,7 @@ optional_policy(`
 ########################################
 #
@ -118042,7 +118052,7 @@ index f03dcf5..ac277da 100644
 #
 allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1625,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1628,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 258%{?dist}
+Release: 259%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -689,6 +689,18 @@ exit 0
 %endif
 %changelog
 * Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-258
 - Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files.
 - Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
 - Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use
 - Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t.
 - Allow httpd_t to read realmd_var_lib_t files
 - Allow unconfined_t user all user namespace capabilties.
 - Add interface systemd_tmpfiles_exec()
 - Add interface libs_dontaudit_setattr_lib_files()
 - Dontaudit xdm_t domain to setattr on lib_t dirs
 - Allow sysadm_r role to jump into dirsrv_t
 * Thu Jun 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-257
 - Merge pull request #10 from mscherer/fix_tor_dac
 - Merge pull request #9 from rhatdan/rawhide