* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-287

- Allow init noatsecure httpd_t - Allow mysqld_t domain to mmap mysqld db files. BZ(1483331) - Allow unconfined_t domain to create new users with proper SELinux lables - Allow init noatsecure httpd_t - Label tcp port 3269 as ldap_port_t
2017-09-22 10:26:38 +02:00 · 2017-09-22 10:26:38 +02:00 · fc41f8a9df
parent 7c73871fb5
commit fc41f8a9df
4 changed files with 145 additions and 109 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -6162,7 +6162,7 @@ index 8e0f9cd14..2fe34db47 100644
 +create_ibendport_type_interfaces($*)
 +')
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055f9..15ec98f76 100644
+index b191055f9..12aecdf4e 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -6386,7 +6386,7 @@ index b191055f9..15ec98f76 100644
 network_port(ktalkd, udp,517,s0, udp,518,s0)
 -network_port(l2tp, tcp,1701,s0, udp,1701,s0)
 -network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
-+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0)
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp,3269,s0, tcp, 7389,s0)
 network_port(lirc, tcp,8765,s0)
 -network_port(lmtp, tcp,24,s0, udp,24,s0)
 +network_port(luci, tcp,8084,s0)
@ -27377,10 +27377,10 @@ index 000000000..f73028658
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 000000000..883d9eaa3
+index 000000000..bdfe41b61
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,362 @@
+@@ -0,0 +1,363 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -27418,6 +27418,7 @@ index 000000000..883d9eaa3
 +userdom_manage_tmp_role(unconfined_r, unconfined_t)
 +userdom_unpriv_type(unconfined_t)
 +userdom_login_userdomain(unconfined_t)
 +userdom_home_filetrans_user_home_dir(unconfined_t)
 +
 +type unconfined_exec_t;
 +application_domain(unconfined_t, unconfined_exec_t)
@ -37845,7 +37846,7 @@ index 79a45f62e..6ed0c399a 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda2480..6c22a0a1f 100644
+index 17eda2480..7d76c87ce 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -38167,7 +38168,7 @@ index 17eda2480..6c22a0a1f 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +347,292 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +347,293 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -38208,6 +38209,7 @@ index 17eda2480..6c22a0a1f 100644
 +
 +optional_policy(`
 +    apache_delete_tmp(init_t)
 +    apache_noatsecure(init_t)
 +')
 +
 +optional_policy(`
@ -38469,7 +38471,7 @@ index 17eda2480..6c22a0a1f 100644
 ')
 optional_policy(`
-@@ -216,7 +640,30 @@ optional_policy(`
+@@ -216,7 +641,30 @@ optional_policy(`
 ')
 optional_policy(`
@ -38501,7 +38503,7 @@ index 17eda2480..6c22a0a1f 100644
 ')
 ########################################
-@@ -225,9 +672,9 @@ optional_policy(`
+@@ -225,9 +673,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38513,7 +38515,7 @@ index 17eda2480..6c22a0a1f 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -258,12 +705,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +706,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38530,7 +38532,7 @@ index 17eda2480..6c22a0a1f 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +730,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +731,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -38573,7 +38575,7 @@ index 17eda2480..6c22a0a1f 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +767,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +768,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -38585,7 +38587,7 @@ index 17eda2480..6c22a0a1f 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +779,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +780,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -38596,7 +38598,7 @@ index 17eda2480..6c22a0a1f 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +790,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +791,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -38606,7 +38608,7 @@ index 17eda2480..6c22a0a1f 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +799,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +800,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -38614,7 +38616,7 @@ index 17eda2480..6c22a0a1f 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +806,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +807,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38622,7 +38624,7 @@ index 17eda2480..6c22a0a1f 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +814,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +815,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -38640,7 +38642,7 @@ index 17eda2480..6c22a0a1f 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +832,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +833,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -38654,7 +38656,7 @@ index 17eda2480..6c22a0a1f 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +847,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +848,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -38668,7 +38670,7 @@ index 17eda2480..6c22a0a1f 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +860,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +861,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -38679,7 +38681,7 @@ index 17eda2480..6c22a0a1f 100644
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +873,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +874,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -38687,7 +38689,7 @@ index 17eda2480..6c22a0a1f 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +892,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +893,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -38711,7 +38713,7 @@ index 17eda2480..6c22a0a1f 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +925,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +926,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -38719,7 +38721,7 @@ index 17eda2480..6c22a0a1f 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +959,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +960,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -38730,7 +38732,7 @@ index 17eda2480..6c22a0a1f 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -506,7 +983,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +984,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -38739,7 +38741,7 @@ index 17eda2480..6c22a0a1f 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -521,6 +998,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +999,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -38747,7 +38749,7 @@ index 17eda2480..6c22a0a1f 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +1019,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +1020,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -38755,7 +38757,7 @@ index 17eda2480..6c22a0a1f 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1029,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1030,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -38800,7 +38802,7 @@ index 17eda2480..6c22a0a1f 100644
 	')
 	optional_policy(`
-@@ -559,14 +1074,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1075,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -38832,7 +38834,7 @@ index 17eda2480..6c22a0a1f 100644
 	')
 ')
-@@ -577,6 +1109,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1110,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -38872,7 +38874,7 @@ index 17eda2480..6c22a0a1f 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1154,8 @@ optional_policy(`
+@@ -589,6 +1155,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -38881,7 +38883,7 @@ index 17eda2480..6c22a0a1f 100644
 ')
 optional_policy(`
-@@ -610,6 +1177,7 @@ optional_policy(`
+@@ -610,6 +1178,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -38889,7 +38891,7 @@ index 17eda2480..6c22a0a1f 100644
 ')
 optional_policy(`
-@@ -626,6 +1194,17 @@ optional_policy(`
+@@ -626,6 +1195,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -38907,7 +38909,7 @@ index 17eda2480..6c22a0a1f 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -642,9 +1221,13 @@ optional_policy(`
+@@ -642,9 +1222,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -38921,7 +38923,7 @@ index 17eda2480..6c22a0a1f 100644
 	')
 	optional_policy(`
-@@ -657,15 +1240,11 @@ optional_policy(`
+@@ -657,15 +1241,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -38939,7 +38941,7 @@ index 17eda2480..6c22a0a1f 100644
 ')
 optional_policy(`
-@@ -686,6 +1265,15 @@ optional_policy(`
+@@ -686,6 +1266,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -38955,7 +38957,7 @@ index 17eda2480..6c22a0a1f 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -726,6 +1314,7 @@ optional_policy(`
+@@ -726,6 +1315,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -38963,7 +38965,7 @@ index 17eda2480..6c22a0a1f 100644
 ')
 optional_policy(`
-@@ -743,7 +1332,13 @@ optional_policy(`
+@@ -743,7 +1333,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -38978,7 +38980,7 @@ index 17eda2480..6c22a0a1f 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -766,6 +1361,10 @@ optional_policy(`
+@@ -766,6 +1362,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -38989,7 +38991,7 @@ index 17eda2480..6c22a0a1f 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1374,20 @@ optional_policy(`
+@@ -775,10 +1375,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -39010,7 +39012,7 @@ index 17eda2480..6c22a0a1f 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -787,6 +1396,10 @@ optional_policy(`
+@@ -787,6 +1397,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39021,7 +39023,7 @@ index 17eda2480..6c22a0a1f 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -808,8 +1421,6 @@ optional_policy(`
+@@ -808,8 +1422,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -39030,7 +39032,7 @@ index 17eda2480..6c22a0a1f 100644
 ')
 optional_policy(`
-@@ -818,6 +1429,10 @@ optional_policy(`
+@@ -818,6 +1430,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39041,7 +39043,7 @@ index 17eda2480..6c22a0a1f 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1442,12 @@ optional_policy(`
+@@ -827,10 +1443,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -39054,7 +39056,7 @@ index 17eda2480..6c22a0a1f 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1474,62 @@ optional_policy(`
+@@ -857,21 +1475,62 @@ optional_policy(`
 ')
 optional_policy(`
@ -39118,7 +39120,7 @@ index 17eda2480..6c22a0a1f 100644
 ')
 optional_policy(`
-@@ -887,6 +1545,10 @@ optional_policy(`
+@@ -887,6 +1546,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39129,7 +39131,7 @@ index 17eda2480..6c22a0a1f 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1559,218 @@ optional_policy(`
+@@ -897,3 +1560,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -3925,7 +3925,7 @@ index 7caefc353..966c2f3e6 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index f6eb4851f..422f408d4 100644
+index f6eb4851f..3628a384f 100644
 --- a/apache.if
 +++ b/apache.if
@@ -1,9 +1,9 @@
@ -4218,11 +4218,11 @@ index f6eb4851f..422f408d4 100644
 -	')
 +		# privileged users run the script:
 +		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
 +
 +		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
 -	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 -		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
 +		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
 +
 +		# apache runs the script:
 +		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
 +		allow httpd_t $1_script_t:unix_dgram_socket sendto;
@ -4499,12 +4499,10 @@ index f6eb4851f..422f408d4 100644
 -	dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
 +	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Do not audit attempts to read and
 -##	write httpd unix domain stream sockets.
 +##	Allow attempts to read and write Apache
 +##	unix domain stream sockets.
 +## </summary>
@ -4520,10 +4518,12 @@ index f6eb4851f..422f408d4 100644
 +	')
 +
 +	allow $1 httpd_t:unix_stream_socket { getattr read write };
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 -##	Do not audit attempts to read and
 -##	write httpd unix domain stream sockets.
 +##	Do not audit attempts to read and write Apache
 +##	unix domain stream sockets.
 ## </summary>
@ -4996,32 +4996,12 @@ index f6eb4851f..422f408d4 100644
 ')
 -########################################
 +######################################
 +## <summary>
 +##	Allow the specified domain to read
 +##	apache system content rw files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`apache_read_sys_content_rw_files',`
 +	gen_require(`
 +		type httpd_sys_rw_content_t;
 +	')
 +
 +	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
 +######################################
 ## <summary>
 -##	Create, read, write, and delete
 -##	httpd system rw content.
 +##	Allow the specified domain to read
-+##	apache system content rw dirs.
+##	apache system content rw files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -5031,12 +5011,32 @@ index f6eb4851f..422f408d4 100644
 +## <rolecap/>
 #
 -interface(`apache_manage_sys_rw_content',`
-+interface(`apache_read_sys_content_rw_dirs',`
+interface(`apache_read_sys_content_rw_files',`
 	gen_require(`
 		type httpd_sys_rw_content_t;
 	')
 -	apache_search_sys_content($1)
 +	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
 +######################################
 +## <summary>
 +##	Allow the specified domain to read
 +##	apache system content rw dirs.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`apache_read_sys_content_rw_dirs',`
 +	gen_require(`
 +		type httpd_sys_rw_content_t;
 +	')
 +
 +	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
@ -5390,7 +5390,7 @@ index f6eb4851f..422f408d4 100644
 	admin_pattern($1, httpd_log_t)
 	admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1625,201 @@ interface(`apache_admin',`
+@@ -1224,9 +1625,219 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
@ -5591,10 +5591,28 @@ index f6eb4851f..422f408d4 100644
 +	gen_require(`
 +		type httpd_tmp_t;
 +	')
 +
 +	allow $1 httpd_tmp_t:file unlink;
 +')
 +
 +########################################
 +## <summary>
 +##	Allow httpd noatsecure
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`apache_noatsecure',`
 +	gen_require(`
 +		type httpd_t;
 +	')
 -	apache_run_all_scripts($1, $2)
 -	apache_run_helper($1, $2)
-+	allow $1 httpd_tmp_t:file unlink;
+    allow $1 httpd_t:process { noatsecure };
 ')
 diff --git a/apache.te b/apache.te
 index 6649962b6..1a0189a44 100644
@ -58089,7 +58107,7 @@ index 687af38bb..5381f1b39 100644
 +	mysql_stream_connect($1)
 ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe7c..a89f6d665 100644
+index 7584bbe7c..9c33fb9ac 100644
 --- a/mysql.te
 +++ b/mysql.te
@@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
@ -58140,7 +58158,7 @@ index 7584bbe7c..a89f6d665 100644
 type mysqld_initrc_exec_t;
 init_script_file(mysqld_initrc_exec_t)
-@@ -62,28 +66,29 @@ files_pid_file(mysqlmanagerd_var_run_t)
+@@ -62,28 +66,30 @@ files_pid_file(mysqlmanagerd_var_run_t)
 # Local policy
 #
@ -58161,6 +58179,7 @@ index 7584bbe7c..a89f6d665 100644
 +manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 +allow mysqld_t mysqld_db_t:file map;
 -filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
 -
@ -58177,7 +58196,7 @@ index 7584bbe7c..a89f6d665 100644
 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-@@ -95,50 +100,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -95,50 +101,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
 manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
 files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
@ -58262,7 +58281,7 @@ index 7584bbe7c..a89f6d665 100644
 ')
 optional_policy(`
-@@ -146,6 +167,10 @@ optional_policy(`
+@@ -146,6 +168,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -58273,7 +58292,7 @@ index 7584bbe7c..a89f6d665 100644
 	seutil_sigchld_newrole(mysqld_t)
 ')
-@@ -155,21 +180,20 @@ optional_policy(`
+@@ -155,21 +181,20 @@ optional_policy(`
 #######################################
 #
@ -58301,7 +58320,7 @@ index 7584bbe7c..a89f6d665 100644
 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-@@ -177,9 +201,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +202,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@ -58312,7 +58331,7 @@ index 7584bbe7c..a89f6d665 100644
 kernel_read_system_state(mysqld_safe_t)
 kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +209,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +210,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
 corecmd_exec_bin(mysqld_safe_t)
 corecmd_exec_shell(mysqld_safe_t)
@ -58348,7 +58367,7 @@ index 7584bbe7c..a89f6d665 100644
 optional_policy(`
 	hostname_exec(mysqld_safe_t)
-@@ -209,20 +239,21 @@ optional_policy(`
+@@ -209,20 +240,21 @@ optional_policy(`
 ########################################
 #
@ -58377,7 +58396,7 @@ index 7584bbe7c..a89f6d665 100644
 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -230,31 +261,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +262,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
 manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
 filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@ -112229,10 +112248,10 @@ index 000000000..e5cec8fda
 +')
 diff --git a/tomcat.te b/tomcat.te
 new file mode 100644
-index 000000000..9c3b00220
+index 000000000..31baf3bb8
 --- /dev/null
 +++ b/tomcat.te
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,124 @@
 +policy_module(tomcat, 1.0.0)
 +
 +########################################
@ -112292,8 +112311,7 @@ index 000000000..9c3b00220
 +
 +allow tomcat_t self:capability { dac_override setuid kill };
 +
-+allow tomcat_t self:process execmem;
+allow tomcat_t self:process { execmem setcap setsched signal signull };
 +allow tomcat_t self:process { setcap signal signull };
 +
 +allow tomcat_t self:tcp_socket { accept listen };
 +allow tomcat_domain self:fifo_file rw_fifo_file_perms;
@ -112333,6 +112351,8 @@ index 000000000..9c3b00220
 +
 +domain_use_interactive_fds(tomcat_domain)
 +
 +libs_exec_ldconfig(tomcat_domain)
 +
 +fs_getattr_all_fs(tomcat_domain)
 +fs_read_hugetlbfs_files(tomcat_domain)
 +
@ -112343,6 +112363,12 @@ index 000000000..9c3b00220
 +')
 +
 +optional_policy(`
 +	# needed by FreeIPA
 +	ldap_stream_connect(tomcat_domain)
 +	ldap_read_certs(tomcat_domain)
 +')
 +
 +optional_policy(`
 +	tomcat_search_lib(tomcat_domain)
 +')
 +
@ -117037,7 +117063,7 @@ index facdee8b3..2a619ba9e 100644
 +	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf567..529ae6612 100644
+index f03dcf567..cf9950e36 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,451 +1,424 @@
@ -118002,7 +118028,7 @@ index f03dcf567..529ae6612 100644
 ')
 optional_policy(`
-@@ -691,99 +653,432 @@ optional_policy(`
+@@ -691,99 +653,433 @@ optional_policy(`
 	dnsmasq_kill(virtd_t)
 	dnsmasq_signull(virtd_t)
 	dnsmasq_create_pid_dirs(virtd_t)
@ -118247,6 +118273,7 @@ index f03dcf567..529ae6612 100644
 +dev_rw_inherited_vhost(virt_domain)
 +dev_rw_infiniband_dev(virt_domain)
 +dev_rw_dri(virt_domain)
 +dev_rw_tpm(virt_domain)
 +
 +domain_use_interactive_fds(virt_domain)
 +
@ -118484,7 +118511,7 @@ index f03dcf567..529ae6612 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1089,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1090,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -118511,7 +118538,7 @@ index f03dcf567..529ae6612 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1109,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1110,25 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -118545,7 +118572,7 @@ index f03dcf567..529ae6612 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1146,20 @@ optional_policy(`
+@@ -856,14 +1147,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -118567,7 +118594,7 @@ index f03dcf567..529ae6612 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -888,49 +1184,66 @@ optional_policy(`
+@@ -888,49 +1185,66 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -118652,7 +118679,7 @@ index f03dcf567..529ae6612 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1255,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1256,16 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -118672,7 +118699,7 @@ index f03dcf567..529ae6612 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1276,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1277,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -118696,7 +118723,7 @@ index f03dcf567..529ae6612 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1301,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1302,296 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -119140,7 +119167,7 @@ index f03dcf567..529ae6612 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1603,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1604,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -119155,7 +119182,7 @@ index f03dcf567..529ae6612 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,7 +1621,7 @@ optional_policy(`
+@@ -1192,7 +1622,7 @@ optional_policy(`
 ########################################
 #
@ -119164,7 +119191,7 @@ index f03dcf567..529ae6612 100644
 #
 allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1630,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1631,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 286%{?dist}
+Release: 287%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -682,6 +682,13 @@ exit 0
 %endif
 %changelog
 * Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-287
 - Allow init noatsecure httpd_t
 - Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)
 - Allow unconfined_t domain to create new users with proper SELinux lables
 -  Allow init noatsecure httpd_t
 - Label tcp port 3269 as ldap_port_t
 * Mon Sep 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-286
 - Add new boolean tomcat_read_rpm_db()
 - Allow tomcat to connect on mysqld tcp ports