From ff3605a07823d4ca17f200a75ec0411b9018e724 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Thu, 10 Aug 2017 11:25:41 +0200
Subject: [PATCH] * Thu Aug 10 2017 Lukas Vrabec -
3.13.1-269 - Allow osad to make executable an anonymous mapping or private file
mapping that is writable BZ(1425524) - After fix in kernel where LSM hooks
for dac_override and dac_search_read capability were swapped we need to fix it
also in policy - refpolicy: Define and allow map permission - init: Add
NoNewPerms support for systemd. - Add nnp_nosuid_transition policycap and
related class/perm definitions.
---
container-selinux.tgz | Bin 6903 -> 6904 bytes
policy-rawhide-base.patch | 524 ++++++++++++++++++++++++-----------
policy-rawhide-contrib.patch | 4 +-
selinux-policy.spec | 9 +-
4 files changed, 370 insertions(+), 167 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz
index 6d087c8d6b40c937b3f99b6a28c85a641db5d0d0..b3dd705f507d4cd6b91127c8107a15126141629b 100644
GIT binary patch
delta 6893
zcmVyO+vlF!%aze2DBcqXvt<;0O5Nq_L+d;ER%
zhaWE0-|+MP!~3hNZ?4{7egFRQ`u*kAhi@+7k3anIO>p^K6;gi=O&iuh@J)7Chnpm_
z(v7|UC;eHyejWVS9P&J@AOG~XeG-&aQoL)*LmeeSSXEgXg>70EK_muBkQ6)keg5Nx
zU|Ru*-%qbJ_~YbXAClSUJ`>pJ=Ukk&xEIyq?{E2RaJr+sU9n1BS)N(#LXMbB17DVZsWk*h^za(Ky@~!F;2VVdy6^Osw4yV{cGst6*TZ9c&
zT~qaDjp_=t7Hi{(_BvLif2D3zzJAcks2ZCR&DGhy&Pk0ALtgKGH*@-D2Av=bzi
zAAEadqWK8z3^+dgb6q8M-T>n^&5}kG%&BRRFT5JOG*QzW{ePT-w&)DWw}iUri<`Rk
ziwl~R1GbQ=GfUjoF?vGa?6p~SNUYBw^JX8`$xD(tRmflNjNC)&S=zKXwrxV^K!!&?
zT{h006}Phy{5yQm-G8Q8k4th>B~iLfp@UdQqPda`R34QXvjKtpN7_rzs0WW5C>G5&
zL*xdb|3_GaJAZv4c^Pvor>Z@hZsYLBXg7f|HesGsOAdPQMfIL{&oTMQe)H%Z&S7}u
z-!m?ZWqai%8E0HLxWvrw8pi_l`K0>N%w9!j`AT=X%5q5lSvAd1U>)EVdGmLWcZ2?k
zQ0WRNrPm#g$a0^y`yd3uLkkja(sv+}Qtg#jb
ze01hgQ_3w_9ZV=_s6-^CDMc~fb(DooV=0Q>4a?djytsHudHDZVL0O^v!|ac*+WKH?
zB9dywZj!Xvc@=A(B4R!FcJLY}h|3$ROoDH(;lKCr-}lSzMSl7BpI^v2OBQ>T#?x%1
z`cPOD4u3#36E=SYWPG@|i=#>EyG4#L7V>jjd`yo`o8(cOP4(63?+!)UlK8uhV%Ra?
zREUCDZ>30HCs~ObQ;<{&yX|4({vJw3*D499FI`KYyw3K}Pv3Z?B;zBn|XK9x!Yn`w7z2
zg&72zH2c%CY9FUA;em#46=yKjU~3;qJ>p#G3suYzO|)@xSG8pK;!6}1{x-;0
z5PppI%+N&{LoJpOGX5~vNaqY;tFIz#{8v)6Q$&qF!;%~#Cx%I4?-pt-KVI`%VlVi2
zgMYI8TPUQz1mEcsBrA6gR%I=;Q0&V*(Z>K^6#1en4hk(xBa*xgUdeao!1wBGHcnhd
zxAQ?7;9d`Egiq(7fvKHU@y}!w4u-t
z6$sfw)GJ;Le^(W_v1_TqOq_urCL@
z&;ek$)Uax=!#Gb1wie-`r)~PM#Y!NZ%NKxlr0b_F3gO?7Mh7-N2m>(mAA+U@lYbLZUv5F5uN_
z%OiUS_9enQSRbHP0dF6ORby?(-HZ9N7T~yCwy){P#SA-dxu)(LBX$~1Ej8-Qzp{SVqWW$A^
z9A8-H#27#KNNW5jWe)(>8OSZHdC9-?V&}~_I0?tOm2ooeofCdGR0{(qn}2Zlud6ak
zqemLy!YRnTfFaC)Rs%`F07D|(k
z3`bXx29J-6(J^<_v7yS(q}PQMyu0J5=wt=q*mG8cvCZWCa%~=J{dBW?I18%m04mno
z81gcLbxhxP(Gbs1g84umEA5n=sZ6=$76s4W~)!SZ#y
z*$Jy)SUeiw`I^CG0VXFbX!T=NLUWm=nl{Vci&^;UN>|;v*D745AERT3cwI@XH7ur1NZ*@R6R^%qbfU%%zDs*`Q{
zV36l8^n!}PUhB~8@_&SZU*Q>qDo)0?7O#x*>~0O}eCk>W%DQiOND@&75S=2?nS6wv
zVN`!P?dsNTSnrZn(BxUO2EDQ4&S>pr)Zo}h#|#t}i^sS`@gR|P&HDsj(dzJ}FH--L
z{>UCZZY%NP{fsec>|Z-eXe>#Ot2vz4YV
zSePgCt^{>iw&m?qQ+f3|_&EWbni31ZnzJHR7AH-_Lu@J@T$5mk3REY!-zT64Yc-rC
zB=cDKiOHLrWx?Nm`X#8!x|K0F71xst9UIdgig2U0Rc_6|Tz?yE!>mcpv?}o$F{_>*
zBdVT$C_U$a-+#NhJXFCccT1gdE$vYYZj>>At{%3X3^X?laiJlr0(79$@a|I!W1J%L
z;xNfUJu{_!YADHd!I`W2=CJwu8Vt8+k1D-W`X)HZgzDUrLpn4})w9>mwYIHPLqc7|
zxZPk{Y&f+pYPJdQicfe!C2@dE<^nxLKG^%6>ik1o;kxf5cP9<3p8RiWy3y@#Jlg1EisKH3
zn28{zQ=Q9%HmD#!BGDsnPBkXS?9Z!#2Ea$MXW$PFvB&B}#skv|bXb&fjL|QpcTgtIBjm$VBf=0~#Ax=hyAV$n
zuGv1G4q1j^JYu7dC8H3T5b_ebjNB`y14e_OVO1T7m!93M&<|ZCE&Y9}v*22qZsTNo
z`ddP4-Wtq%+={&B5#hK1#K$Z{u-Cf`-UYa8V1Lrzr@K9@ytD!Dmz=SE|6&E>HbyOT
zvL)16G@w7iEMWE+ykb5w)56~*+4f@;R^cYi()KZU3Zi{^Uj(-)7(iS27v8XJk~WQl
z{I)3L0K0|`@aSKgw2<-l^q>yGrb*f@K;nY8#^5VT|Mcl*tQKI!hy(jN$-q9&@W6hA
zNq_8-{{e+YhZ=@XJI>QLI7g_rF@`0LlcAH5WE>2xns!c%`5lvRFaevH|Pyo}Uj8dq)$Bd%J9ns<=SV85aOY|A2
zuPiNY*SGwF;vu=i@PH#~CJ><`;xyc8P~z<@NLQ`o5{d(WG&F1ylRAyopuml0)|q6%
zfjf}};FG*-Gq15b!-Kg^bz)7PS~fiMRU|(!MQ}3M
z`;(uhBZQA)3bQN+ux_=0X;yrn*cQ4U;5JfCWB4tvyMEp6-QSzCIER<7Tn%_Ky6lEN
zfKS6{ir2xPyH+_x;k<-R;*F)tkd&S7~5a|!l?2>>|5
zbGZAI{Q|-pPlnFlAv_?RNXQg0Iz%)R0>kYzHkS7b{R=ibV#f6Cx$CSi=1u2`*psKX
zFMi)w={4CkXv?HOQs5)kP=AgVx-b4Qg7!8gbCxmL;GR;3&nluZk>RW?
zA2;qpELZ7U)#W~Qny|L1X2rbb$jkwq!)(SZb0ub+J6Jq0Cl3w}%%$-r&vqB4PY-kA
ziH48wD3(=O#!@n0yL}ey?hfvA!e1|sZ@M@BJVhvXzMroEyr#W+-G9+^CG~Q3EN63#
zrKX!R@jWpoD?Lx#$%@Ytce*pm6L_)~9K-d|guT?=6E}gTj1m4-UeJIY%XKz)^m<`V
zH6lHM=M6It;90}Wh1-uS@E!&n(liWY+i5`f4C7&zCvEKBOFhFc(!%)07%BbnCmwCU
zk1F~>2gbH^kqE?y(SP)~HEuDY-mIT*LFh@wqrF*}6$O2p$yMqiY0*95OHMaUADgJn
zEL9Q2_lWF83Sw)beG>Z>j_2JLA#{<_Yl?>tqc**R`4n5q=kzhYJH(Vuj~Bw;G%lft
zSiN)??Xw=2lYVODW>jg%hv8_I^k~#Bz)ytry>ZSJMm75=Uw^Rk@Pf`Egbt>SIeO%*
zPu1*`Ec2lAb1WTkYS=r^6Kv^r2Gh*4v|yoykM{O$TX_~CSfVn|t1Nj~)0iCR?VWD=
zO3=vUcg8#WBz4A7^4Q5JTkdG8b9Kie$Sw2=dDI1CI*B_S*V7JoU2QVgXkq*$(~p?n
z@C|MASZVB`!GB9>IUfJ}K(cHPUd=lcJZ6akFP-tWNzo9+AzhmgSfZZZo(}C1FN^I>nu?o9(3r_$c1Pq7j
z&}vIeUX=U$IBY}5JR;j$Ogei7UI#;JN6$I-0*qHCK~}uaE2b~xX9F#hD><|&w_W38
z8y>Qj`F~j+Y$8!P*zmJKKQ_3;#N2KIT
zw>me^*lQ-5jf27tU@3JAlfTTGk-o7orxmjh=W*lLUhkM%^a^jH_+}Wd*+ayx!s6{M
z|4`+BJW+%(vlTqzi`Ae?;LXEmjqcMrjT8EVMSnGW;ZQ71(afpBwZdz!f^XRKQvhoV
z#ahc>IAZX3wM*kbY%T{WuYBVSK?TV8!hr2+he38Kih5&>)Fq{zy$@`Ca!
z5-SHLMeTF}2$`i#8dEgZ=oX!CRgPd7-JuUSeD>f2CV3_|iA$cijrkiG&v*e`cOkV8
zT><}599?Sm+M96u?X~qc=Na3_tDXthc0chT^OZo;zdi37Qab5~D+E+_!y|88ZGVv)
zt@Q)jc={2OlVuS<3@usv15C$k|Z%*{kjlOFFBqJ4s1ewfTdCL`WWxtdb`};RhHc6!YRxpaB_$)Cu+jH?+WDr`~N8
zq3;@aXy2~WJ!a;)q5&hXFWX!J9e+#RuH|3iQ%_EwcymDOBSdp?m)aIhc|XEuuPSNT
z*zmkdA-JSvhYy^GSRDuJxUL|Ftc*+|6m}|)UEL|k6_lyU7%8_(XfrNXJVS|e7Tl%K
zspLo9vP;yRDupMGI%tHB25OWn%*W{s);QdH;zTZCg>7P;C<~aAh*t2i=6`g?Jk`x%
z%D-_5yb1G7sEIsEy+ui+Ufn~K)1*!;<6T!
z9knsiyIU$)X!tM=C!rW=9;76|@k*QBe2Aft>$xqPo{-rg_nF2tNMmVdV(tvndqeOk
zyPCp|-)^)r`$1JEKqdDNoqyoB%J-x67D$J%Pjd}P80~D^rWcXH`jnX>b|&0nbzEXC
zXPZ1Tm&Jt}R&=~U9ppTO6_g_6#=Q<&O50VPDFgquIv6bMw9NBxA6oJ0dt8?KvNTA-
zFmMqui=#XCLQBQ6tT~g+`&l6-`W!@?7B=@8OQdKjd7IYBJ=@EC=``jbsuvvqAPo333(iq9i
zU%7drZ=H^wEtm|WuC%C2UntC?8OaV*wtl2h=&%I!!hBoA(4>FSFjHl9^k#I}poS0rpn&B2W
zC4fPuQoB*J!+%)q3h{Z4k^3Cu-xzVd8@<}G5WMp;#zJMd?qwWXg!_ty5Bm5u4a>(~
zM%4bXUwm3$Hs#b8cL?_7{r*jpm3PHbUI{FfACoD1E_Ti8#$`
zjG5&+=;sd%Zu(Oyt$#O6Dd8mQdHl)GuN_@U!Vz1e_lzcrzR_>>7-C~sFh4pjN_H@+
z<&0)tJAWPlE0Y)Uv)P_YR8SfRF%NrX*MFo_Lywqn1U5M0I$ZG_ntHNcg=h`8l30WK
zA-lsYj)ttiLK35{a`f?apAOZ_9~w83{>DWuf*}=Z)1@m@)FU^s$=}<+M*o(1ev{l3
zoi{8oR$?!2_yCqc%Ay&mE_lP#HhH32HTJ4T_kZtTjrgOXTTR)tJcFO}V?lRNw*N2llJN_;7p9Zal)-V@hnE
z=YLxXkdz6%mE@eR9231AfH+DUE;$}qB|MRa;?il<1@VamI|ux5jap^A_tC`m&A8p|
z;&J?AIiBtadQoNiVZAXbO*=@pD*0zP7WX|4pKuI5di?Ei?Cp2l?JE*KPhG~3Pip2d
z-YJ=)$FL^otv7Fj-@4Czt8vw~+kC!qBY$R++V~AYZ%kNeK^--omgwM;&N$D=1tAZE
zc1odsSAx7mL%Q2jE=23q7*6?Sm@|QPO!C$k+cPOPa{n8g9o^S2?ESy|kv)IDeYS7g
zxxfE+b@~1E5Bm52u0DMI{@-W$xj_5z;@5NbMIZV)C=Q9_q2-^jTOU61MXCPSsecKc
z!o0Zz{c>?=>WeJh;F^8Ga4ycjJ9+oc8%=D?`B!xi)db3ZEdvb}b%(bUVD=EbL%1c|
z4wx4URuSGs%Ty52B-MZY&&7X#$4(BG?VWe%^KRP3YRpmjcZZgSEy}wxJLJi`>7r0R
z;@3epB;-0Rml{>ifmcRpycAxe0)H+ui~8DQ@h(zISZ)$@(0pskf6r4{%4g>|deRD|
zdJ4+r>|aj2u_EzJ1`gY7qVWyI=7O0{%i|-y#?X7P(*jk^L)8Xk_o4LielBxY=
z?*5~cuv1fU%x6$o0@
n2B1%8sX)7VI6{+rX{XHBpRYe(f4=^FhM)ff?7a6)0LTCU)N+PN
delta 6892
zcmVyO+vlF!%aze2DBcqXvthU7srNJL3|N4+bhkrIv(9qF6|d9sG`2t1P)!FJqRA^m=Ez}#I+KV&2Y0p+zz=B=Lk(DmpX>VAs`FHKfq^>=&b*)xF
zU1o^^{x9%Yf`?I*G|d<)B1K_!F*I+Cn^s3DWaD1(SJGHqOc%J=PWyNLj5HPW0G%GmpJ$WSgAn#<#ss57MejGgWMu)
zsOp-kH)~W^ptV>VN3_?mBK<3Mqawd7-2^dIGiu8^O_~XV_jv@##~D=1N04`6jij9*
zsr=yED-+E}XlKCj;h*a&sq+RHw`rC%qF_!%$N-bn08B7fZJ3(3ovV>wmr*>oF+KSsL=jIjyxtXgu=gD`)Dv*J6#e
zFyNyzmzq*;$?9N2K|>`XDNQMg@vfsRY#K{Z^ln(zCgH`!Q_92tzY59<*RHt2CZw
zBh`n(qJMAzs+q9)BOv3$#a$dtQr|6dgt3sH+u~z-Y}zD`+H9(?PJeeO(w4;Ebri#n
z`KCe?#Cj`5@;b>%+?ax-QW#J4Cg4AUnRn~9WZ)GjmiriM!f*_}7o{d2@mC;6hV;IS
zaPbNSd;#Ns3hvM7qNHgY7IAQ2r>4zhp5(A{eSi5$eGf9qXL)-KJt1kJAM$`<3)xSQ
zrY_7N(4^U)mR0*WbqNnNe5*KviN_U(1_oRENa_*iLSLw2hG?RVle?-VyBA-gpzyar
zzJl;$v}cAc${1>~jF9n%xkfr?2wQy>VdKA&qMagY{27+y5IHeS5_`8$WBKu#*Ajcd
zzkeH)<=;Xf{U!KLpCDPebFeCFp@m{!=7~NA_@c-cU2#xoSsIb#ZSYFII|sg3XR~qQ
zGP<1)(g62*P$PUg2MtVp73W=)rO>_ekyzUnsL3qZFpM&qCt0lq4ab1tw*z~bhM^6G
zhNwWu9-?0HV)(nNz>Qr?6=vcL1Th)G(0`pXG2UgM?izJudD{O5r*${_x9RRYDejg;
z-Iq<kD>0G`5v?E+joOCEhy)bhPsl0!dl*FTX+Khh!PU@VRQkn
zR$Cs~JFqVi-og3+wF-Fq$c;ieD}RN8VeKX#Z$HfSF0IQVpR{Rtp6;T09_y{KI^IQ(
zy4^d&T?^Rh<`+BTb7szXx&cJU+Y@ZkYmi3Jq`M-_*n|x}-Ar@HKw-2xnF&S3+$S3@
z1m*a`Iw!{XxkpmtM=5&%u+BhkVa-eaofkWAzQIX2&aI4-aqpb)v!PlTIDgrM!+%|s
zSsFdk2p3L4?gb2C2DBpB;7oZx;xv4-w6k{|9@;$*^c;A6>E#Oxh^6{Y30o(Ip0-e$
zd}KJff;4!1T#SynqmB(#ekQ#xq~P5hM@1(q2*;kY8jNiw=a*~qQ0u3g-NRW>Wd~5P
z-o}uZ5v*hSzMDQ_485rzRDY3!aZ?_OxSV>6GIk&=;g1OG@2WWK3_@+;kP4Qs
zaEY-AG_Fl}wS68~~&b?OQGW{4GJH+csV!feM
zi#gr;G29)Pcr3%%hn&XnSfx7JYX_1sep0K8ACfVgutU;cOC&dxjDPYmBH>#{m4=}Z
ziq$yqlIpPx7P0qZ0W_h@myTNXPq1x9tC?3lXj53lV^^uewZrDmaiN&E-mbm*@wYMT
zSBaoB#bxoO*Jy0J&s`#N8;sl@BAP|w$r@U*8ahX2PK0fVM$RT|(x|_H3iJ8)!$XpYGJxn5iO%FB
z^bDi=%V}4)Zo_()w1OtjnlK00Qguvk3CC5i`$tZUvU_=;ACFMW~v
zpY%ue=y{twR~hd6|3Cb2`QiQG{{Q>0_y0f35A(FF^D+j-c7G~I!`tBc{QBzr@@%E)
z3l`?dyemOnmTh@E)l^=+4t`Dmr>4XLu;#2tmBmRD@erGe2iGJRq5{kL&wInha%jlZIxRyFxTG(+c0aAGp$OzM$D?`
z$B3$@A4<=8;D7h7E)P|3%H2|DTuXb@f*WNFpsR;%Cj-q*LtJRcssJ76G`#!N!WgHB
zyf{p9P|r+hpBhSXU2x{AzBz3Ez6QfB+M`PEl)ed0GNC&6W`Q78_2ji<)i1`yyt~2EC#>4Ttnz{o-`Xohj{79Dfx3IFZxd+u<0K?(BXQl`toM
zR|3Ul_JSKjl=^TYY)Kp-les_-kq`EMr#k--SGex`$lXZ;t0(`Pnr?La8;>^nnBusD
zA!Z^-=~U-3p$#g?k4W^$n^TR+G5hmspaJla>>2n&L+r6Sk@3KEfXxn)B|7|R$KN)#
zQAGo8IDe|lqttvpqM_=}u|D|FRc9?jCmj~09AorL=^d1b^9cFy)QB*I7crWB>@LKU
zg=@Btr$d$@7?0TKW63B)CWO3%E+hBK>44E7XjoMT;-zOdEA&GbNlSm9>MXdHrrS8#
zp8l55nzsh?9=9T|c|=-@jPFxQ$WE
zoNNho77gf+FbkMH2CtZp%(U<~Nw)nMg;lsov$TB-o`Ps!-WS1b3I@;?{)IOzo1{(S
zAipijIKZx<13dcICM{(AJw2#HuxXNZ3y`?rtugqD(m#E=8LI_YG2+0!PBO5MGd!>#
zVSf^PQ+(~k4>4bBnjZH!?_<7DV$q*+j+K`=_q&lWLuS~+NBhnL>W%C%8X
z-n`k-aVh-vMKi&+x0EKpm<2`Fg)Ohnh8Ych&T;*8kBfD3({39xrE{XAPo(h#H3E6H7IbSnRO;v
zaNtg40r^j5p^*v0xlW=x7Sx5??D3k-;i0N|(o2C&pqCqdH_J-fVrgD^GY{AAn}1Bd
z)<0rdFtc#@yue57VY#4M?1SYn>=190X{pm(zP+;--%c%p@?v1>f
z*JQRsH^t4(X|5ej^AUKpRiHg#TYo7^Klmi?+RSV0&hTJvQ=M3or#kpSd-wOIEY9KOD^~-aj4r#O
z58%@{ReDW!4cap4j}-XGHGh<&h3<=gjNtv-z#S9MS%|oG{+wk@Hn^vh;j@ZpOk_AK
z%g2rT5X)8iR&}{gohGbps#!6wIWluV=P;Ww%Up>W=MEMR%*lhp19NG-$+O*s>C?lU
zc%tFsJBnphma&w~*KVH$ySsz?obcDn0IzAUUVnEqT}i!M9n0BV
zW2x!pOngtw$x6=?ce3L1#GUSp@&ul&1;=oGG+{4w_ry)0DPx3xl@~N%$8w#`9lc(d
zQ;kSZ;CaK$19;XjbK&;m3cQB_hcpcX*>)NbKErsJ$92)5j)i
zGfPzj@jW7Yk%HKoXrIJ>h2wd*MF?G_^qS(~!>CQ~U_Ql`@;QBs?+!7g)8mD(H;qdu
zB33WmMf%V~!p<
z>r*xRB+ESL{2WV1oErAd^8{PEoxwD-EG<}Q;iJ8M+g6@M2$rbK^D0Xo)-)!^d3&du
zz7jMt`JM63K1rQ%lstAa%9cBt>RjEi2yzR(LLPO&m`>tO$Mv)WURRsUHCh-y$@C-U
zH+)0eJXRWeXn*ihT8_v6K9DTigIDto1^Hn#zqPHq(1paLPtoPhHgZbl_Zg|YhcKFc
zPdG}wUzY_-4$D);nA_5{WsN2r#xRije!w8Uw7Ip=)6qRHVnx&3r){)1)A95O`tX5`
zXrhk+t0wZA@9lh#Oh2VszR_D#m
zLfs<<8wpRYfZDeCPMb)X1{B(u{%>dx@b4J9E?~C^*K{DYjuKn@O{~JM-NF+<2m!;P
zI<(pnlNaUwJ`UT^F^|ah7L(3if!D#1+R<~4y#V8tNstxq^NQ&U`Po3rQ#5m`aINs#tKb{<{1m|2
zLb2BJ7mgVGUG3615Sz{
z6(@J<9>n5_Qiwosc-U@pa{(oFJ1n-A*?%HQ4jwew9j&=-T{^0UpG3e~IVrNTth}K7
zip0u+Nl`mp077PIlg1Q{HM<Ta_aiMtA4~4xc^vfJvUoP2!R#Ze#ui#xq_3*Ih{M
zLs!6m6i1huz4j*DetT{G&3VT5@v3LSwcSrV$b2Qx^l#6*hLlb^;tBzk-SEg8SASdN
zMr-}RHlBXOrPUVR&D;^AQ6%WB&+0!Q1}5x3B|lP6lg$3A$5ZNzzr=h*r|6L
zMd-T*9@@9-bdQ;Nu4ur>>&rG*K!3+lw`=*A_|%h=C*B;;`Uufn+@-cfQ{Ip8*{e!g
zHa0x(QV1?-+2I4{Ay&u1I<70oAuA)32!)->V^?=das_3oGDga+655Q*70*y2odtI(
zbSn8#x9k#ir%K_8qYfIOqk$SF3-fV$gEbDfo;Z<9SYex3C&~imB%&33tbaM3F;8`K
znDTF20&l{66KW!lQg2ZbsaN+9gs-C?9*IB5=J}Qw&_J=us&s`h@AriIOY#u6!-O5Ub*at|{m9)E4<8>>)pJ3q_&
ze~|lp+ku9Sv54?UrofX|Yu=Qz)oYcoyP`FzD4GhRr%Q~?adg9Gl!w)5q7+kctZX@D
zT?;c&i}*%gdSUYQ7-$e$xL#B8(Ci`N0Ntkp);;ZF_8E)3XEImwh&Gq3GB%1gQ>Zni
z+P0xW44_v+Jc{Da^*6K#?
zG)rH9k={HTQ|01IU7hl_=`~SLT}e9P)@P;DRui1D?}LnFIpe7`XC&NGIVYxACE_qq%##>
zt82U0!A~sTVfM(fUZm^;JFsYjIgQHr96v-D7;IOW#DBl5-x<$)!BTRn#j+=CaX{OX
ztg{>a@`RS)lcmuoKttN(-aR9J*TU;g(wrL?uKmSgK%+S#hm8>TK1>S+FG^o9SRzjI
z8e?X;4*K~6gPZ=8O6%VZQ%X3AdLDoB^J_;}l5oV<=slx}qHpwDJ%-pA7R-;1i;^9T
zYB{5s*ME*jz{=!>{A{-85*3ujLCnKm+4Udk)X*a)9DxmvxDHo5ho+vaS0P%%tt8f<
ze#q`Hi=!dyuaLy3s~mlN-KRtK@`uKaq`z@di(p8F+H~p46!pkWZ1VRuu+hI|p5G)l
zMduAmjFs5S8$N(#kg{k-stevQwN0L=R*k)?(SQ9rm}BjDBv;#y3^RnXwSJcw`LuCe
z+Mtta-y2}9|Gl8rKTl*kAwOh0;Wm@0wj*@T%VMp6{zubPotYu_xb(Ec6w6ZzH3kDu
z3b&n~Cw4}D*kkj;E|(8>sqp8a`Vx7%RW&B^byMzcFco+J_<{YZFh1O#vm1|a_Lvfz
z=YRQD0wiTZZzVaWE5}4{2Oy5phD(k|RtZm}p}2G!bwPY$!Oj6cT%%SQ?|n3}eKT%%
zyLcS`SdOPVf?iaaepqjeO4AO~txEnGj>UbC!zUbrj~;(}9DDm6cl(Nj&r_H2It0T2M!grzJYLq%+PlazV($
zpq)~v-<2RQ(U9);lnc>%HHK5Z8Rkr&9h1B@#`a8#jokkRXGiz-3w!@Be`L>}Z=dbk
zcJA;0U0r^E{bBI^zss-R|NAUI7id3T{Cdv5=tExz#UYVAwEPox>%&LBDAgZ3HGjcV
zm^YW8UoH+!eUYUbT(d72&c*q6C-2^Qqlt|<|Edn6nn2mFWuU>L?(miZ%pRh52)AV0
z0rO(PD#E*HnF=DBr24P_x%ltz*vY}Nz4H!z-c7q$jX5g+?$FY(MR`|dhdg;VT@=bk
z{5t4{gj}cPQlsiQ@X9ESm%?jQz<*_CQD1v3-bG3Y%T0m~nr}_{?|CXq`Rp7=Pg)ur2d+>P#{=Tmj`-oR$=;9sL*)OL$zBmXR$YU2qpbGPS?V
z-G7u4c4{h)`3wq6Ae;5p(Q3;Kzo_=I7qN^I6Zi}3G6B1|O4ERk*KA-K&9qax&?Z?=
z1d{}Frm_K#RqogGDvc+ZWJM!z=;{T$W*NM9{Fco!BIK(VvvZrNpo7RWMUMfnVzW)q
m0QBiB6=*jPM`)5S?UecY^Y!QJ&)1*N@biC*X8l$G$N&H&imN*S
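Review bot: the container-selinux.tgz bump (6903 -> 6904 bytes, binary delta above) is not mentioned anywhere in the commit message, and a binary delta cannot be reviewed for what it actually changes in the shipped container policy; add a changelog line naming the container-selinux version or upstream commit being pulled in, or split the tarball update into its own commit so the policy change here stays reviewable on its own.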
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index ce8d03c1..dcd7c995 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -896,10 +896,26 @@ index 3a45f23..ee7d7b3 100644
constrain socket_class_set { create relabelto relabelfrom }
(
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index a94b169..7c61322 100644
+index a94b169..536babe 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
-@@ -121,6 +121,60 @@ common x_device
+@@ -20,6 +20,7 @@ common file
+ relabelfrom
+ relabelto
+ append
++ map
+ unlink
+ link
+ rename
+@@ -47,6 +48,7 @@ common socket
+ relabelfrom
+ relabelto
+ append
++ map
+ # socket-specific
+ bind
+ connect
+@@ -121,6 +123,60 @@ common x_device
}
#
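Review bot: `map` is added as a `common file` and `common socket` permission (the two `++ map` lines), but nothing in this region updates the permission-set macros that policy actually uses to grant file access (the `*_file_perms` sets in obj_perm_sets.spt), so a domain that only gets e.g. `mmap_file_perms` still has no `map`. Unless that lives in a hunk outside this excerpt, expect `map` denials on every mmap() once a kernel enforcing the permission is booted with this policy; older kernels are unaffected, since a permission the policy defines but the kernel lacks is simply never checked.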
@@ -960,7 +976,19 @@ index a94b169..7c61322 100644
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
-@@ -379,6 +433,7 @@ class security
+@@ -331,6 +387,11 @@ class process
+ setsockcreate
+ }
+
++class process2
++{
++ nnp_transition
++ nosuid_transition
++}
+
+ #
+ # Define the access vector interpretation for ipc-related objects
+@@ -379,6 +440,7 @@ class security
setsecparam
setcheckreqprot
read_policy
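Review bot: the new `class process2 { nnp_transition nosuid_transition }` only has an effect when the `nnp_nosuid_transition` policy capability is declared in policy/policy_capabilities, and no hunk in this excerpt touches that file even though the commit message says the policycap was added. Without the policycap the kernel keeps the legacy behaviour for NoNewPrivileges and nosuid callers (a transition is permitted only when the new type is bounded by the old one) and the `process2` rules added later in init.if are never consulted; please point at the policy_capabilities hunk or add it.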
@@ -968,7 +996,7 @@ index a94b169..7c61322 100644
}
-@@ -393,62 +448,32 @@ class system
+@@ -393,62 +455,32 @@ class system
syslog_mod
syslog_console
module_request
@@ -1048,7 +1076,7 @@ index a94b169..7c61322 100644
#
# Define the access vector interpretation for controlling
# changes to passwd information.
-@@ -690,6 +715,8 @@ class nscd
+@@ -690,6 +722,8 @@ class nscd
shmemhost
getserv
shmemserv
@@ -1057,7 +1085,7 @@ index a94b169..7c61322 100644
}
# Define the access vector interpretation for controlling
-@@ -831,6 +858,38 @@ inherits socket
+@@ -831,6 +865,38 @@ inherits socket
attach_queue
}
@@ -1096,7 +1124,7 @@ index a94b169..7c61322 100644
class x_pointer
inherits x_device
-@@ -865,3 +924,28 @@ inherits database
+@@ -865,3 +931,28 @@ inherits database
implement
execute
}
@@ -1126,7 +1154,7 @@ index a94b169..7c61322 100644
+class cap2_userns
+inherits cap2
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
-index 14a4799..6e16f5e 100644
+index 14a4799..3bd5d69 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -121,6 +121,18 @@ class kernel_service
@@ -1148,7 +1176,7 @@ index 14a4799..6e16f5e 100644
# Still More SE-X Windows stuff
class x_pointer # userspace
class x_keyboard # userspace
-@@ -131,4 +143,15 @@ class db_view # userspace
+@@ -131,4 +143,17 @@ class db_view # userspace
class db_sequence # userspace
class db_language # userspace
@@ -1162,6 +1190,8 @@ index 14a4799..6e16f5e 100644
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
++
++class process2
+
# FLASK
diff --git a/policy/global_booleans b/policy/global_booleans
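Review bot: `class process2` is appended directly under the `# Capability checks when on a non-init user namespace` comment, so it reads as a third user-namespace capability class; add a one-line comment above it in the style of the surrounding entries (e.g. `# process permissions that did not fit in the process class`). Appending it at the end of security_classes is the right place, since the file's convention is never to reorder existing classes.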
@@ -6700,7 +6730,7 @@ index b31c054..3ad1127 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..519431d 100644
+index 76f285e..732931f 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7143,10 +7173,15 @@ index 76f285e..519431d 100644
#######################################
##
## Set the attributes of the dlm control devices.
-@@ -1883,6 +2105,25 @@ interface(`dev_rw_dri',`
+@@ -1879,6 +2101,26 @@ interface(`dev_rw_dri',`
+ ')
- ########################################
- ##
+ rw_chr_files_pattern($1, device_t, dri_device_t)
++ allow $1 dri_device_t:chr_file map;
++')
++
++########################################
++##
+## Read and write the dri devices.
+##
+##
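Review bot: `allow $1 dri_device_t:chr_file map;` is added to dev_rw_dri, but the interface summary `## Read and write the dri devices.` that this same hunk relocates is left unchanged; since every existing caller of dev_rw_dri silently gains the ability to memory-map the GPU device nodes, state that in the summary so callers that only need read/write/ioctl can be told apart later.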
@@ -7162,14 +7197,10 @@ index 76f285e..519431d 100644
+
+ allow $1 device_t:dir search_dir_perms;
+ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Dontaudit read and write on the dri devices.
- ##
- ##
-@@ -2017,7 +2258,7 @@ interface(`dev_rw_input_dev',`
+ ')
+
+ ########################################
+@@ -2017,7 +2259,7 @@ interface(`dev_rw_input_dev',`
########################################
##
@@ -7178,7 +7209,7 @@ index 76f285e..519431d 100644
##
##
##
-@@ -2025,17 +2266,18 @@ interface(`dev_rw_input_dev',`
+@@ -2025,17 +2267,18 @@ interface(`dev_rw_input_dev',`
##
##
#
@@ -7201,7 +7232,7 @@ index 76f285e..519431d 100644
##
##
##
-@@ -2043,7 +2285,180 @@ interface(`dev_getattr_framebuffer_dev',`
+@@ -2043,7 +2286,180 @@ interface(`dev_getattr_framebuffer_dev',`
##
##
#
@@ -7383,7 +7414,7 @@ index 76f285e..519431d 100644
gen_require(`
type device_t, framebuf_device_t;
')
-@@ -2402,7 +2817,97 @@ interface(`dev_filetrans_lirc',`
+@@ -2402,7 +2818,97 @@ interface(`dev_filetrans_lirc',`
########################################
##
@@ -7482,7 +7513,7 @@ index 76f285e..519431d 100644
##
##
##
-@@ -2532,6 +3037,24 @@ interface(`dev_read_raw_memory',`
+@@ -2532,6 +3038,24 @@ interface(`dev_read_raw_memory',`
########################################
##
@@ -7507,7 +7538,7 @@ index 76f285e..519431d 100644
## Do not audit attempts to read raw memory devices
## (e.g. /dev/mem).
##
-@@ -2573,6 +3096,24 @@ interface(`dev_write_raw_memory',`
+@@ -2573,6 +3097,24 @@ interface(`dev_write_raw_memory',`
########################################
##
@@ -7532,7 +7563,25 @@ index 76f285e..519431d 100644
## Read and execute raw memory devices (e.g. /dev/mem).
##
##
-@@ -2725,7 +3266,7 @@ interface(`dev_write_misc',`
+@@ -2587,7 +3129,7 @@ interface(`dev_rx_raw_memory',`
+ ')
+
+ dev_read_raw_memory($1)
+- allow $1 memory_device_t:chr_file execute;
++ allow $1 memory_device_t:chr_file { map execute };
+ ')
+
+ ########################################
+@@ -2606,7 +3148,7 @@ interface(`dev_wx_raw_memory',`
+ ')
+
+ dev_write_raw_memory($1)
+- allow $1 memory_device_t:chr_file execute;
++ allow $1 memory_device_t:chr_file { map execute };
+ ')
+
+ ########################################
+@@ -2725,7 +3267,7 @@ interface(`dev_write_misc',`
##
##
##
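Review bot: only the execute variants gain `map` here (`dev_rx_raw_memory` and `dev_wx_raw_memory` go from `execute` to `{ map execute }` on memory_device_t); a caller of `dev_read_raw_memory` or `dev_write_raw_memory` that reaches /dev/mem through mmap() without PROT_EXEC, which is the usual way firmware tables are read, will still be denied `map`. Either add `map` to the read/write interfaces as well, or say in the commit message that such callers are expected to move to the rx/wx interfaces. `{ map execute }` on memory_device_t is about as powerful a grant as the policy has, so the current callers of these two interfaces deserve a re-audit while this is being touched.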
@@ -7541,7 +7590,7 @@ index 76f285e..519431d 100644
##
##
#
-@@ -2811,7 +3352,7 @@ interface(`dev_rw_modem',`
+@@ -2811,7 +3353,7 @@ interface(`dev_rw_modem',`
########################################
##
@@ -7550,7 +7599,7 @@ index 76f285e..519431d 100644
##
##
##
-@@ -2819,17 +3360,17 @@ interface(`dev_rw_modem',`
+@@ -2819,17 +3361,17 @@ interface(`dev_rw_modem',`
##
##
#
@@ -7572,7 +7621,7 @@ index 76f285e..519431d 100644
##
##
##
-@@ -2837,17 +3378,17 @@ interface(`dev_getattr_mouse_dev',`
+@@ -2837,17 +3379,17 @@ interface(`dev_getattr_mouse_dev',`
##
##
#
@@ -7594,7 +7643,7 @@ index 76f285e..519431d 100644
##
##
##
-@@ -2855,12 +3396,84 @@ interface(`dev_setattr_mouse_dev',`
+@@ -2855,12 +3397,84 @@ interface(`dev_setattr_mouse_dev',`
##
##
#
@@ -7682,7 +7731,7 @@ index 76f285e..519431d 100644
')
########################################
-@@ -2903,20 +3516,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3517,20 @@ interface(`dev_getattr_mtrr_dev',`
########################################
##
@@ -7707,7 +7756,7 @@ index 76f285e..519431d 100644
##
##
##
-@@ -2925,43 +3538,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3539,34 @@ interface(`dev_getattr_mtrr_dev',`
##
##
#
@@ -7763,7 +7812,7 @@ index 76f285e..519431d 100644
## range registers (MTRR).
##
##
-@@ -2970,13 +3574,32 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3575,32 @@ interface(`dev_write_mtrr',`
##
##
#
@@ -7799,7 +7848,7 @@ index 76f285e..519431d 100644
')
########################################
-@@ -3144,6 +3767,80 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3768,80 @@ interface(`dev_create_null_dev',`
########################################
##
@@ -7880,7 +7929,7 @@ index 76f285e..519431d 100644
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
##
-@@ -3163,6 +3860,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3861,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
########################################
##
@@ -7905,7 +7954,7 @@ index 76f285e..519431d 100644
## Read and write BIOS non-volatile RAM.
##
##
-@@ -3254,7 +3969,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3970,25 @@ interface(`dev_rw_printer',`
########################################
##
@@ -7932,7 +7981,7 @@ index 76f285e..519431d 100644
##
##
##
-@@ -3262,12 +3995,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3996,13 @@ interface(`dev_rw_printer',`
##
##
#
@@ -7949,7 +7998,7 @@ index 76f285e..519431d 100644
')
########################################
-@@ -3399,7 +4133,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +4134,7 @@ interface(`dev_dontaudit_read_rand',`
########################################
##
@@ -7958,7 +8007,7 @@ index 76f285e..519431d 100644
## number generator devices (e.g., /dev/random)
##
##
-@@ -3413,7 +4147,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +4148,7 @@ interface(`dev_dontaudit_append_rand',`
type random_device_t;
')
@@ -7967,7 +8016,15 @@ index 76f285e..519431d 100644
')
########################################
-@@ -3855,7 +4589,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3669,6 +4404,7 @@ interface(`dev_read_sound_mixer',`
+ ')
+
+ read_chr_files_pattern($1, device_t, sound_device_t)
++ allow $1 sound_device_t:chr_file map;
+ ')
+
+ ########################################
+@@ -3855,7 +4591,7 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
##
@@ -7976,7 +8033,7 @@ index 76f285e..519431d 100644
##
##
##
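Review bot: the `allow $1 sound_device_t:chr_file map;` lands in dev_read_sound_mixer, whose name and `read_chr_files_pattern` imply read-only mixer access; mixer/control devices are normally driven by ioctl, while mmap is a PCM-device operation, so confirm this is the interface the reported denial actually hit and record the source (bug or audit message) in a comment so the rule is not later dropped as unused. Because the kernel still checks `read`, `write` and `execute` separately on the mapping, `map` alone does not widen this beyond read-only mappings.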
-@@ -3863,91 +4597,89 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,91 +4599,89 @@ interface(`dev_getattr_sysfs_dirs',`
##
##
#
@@ -8087,7 +8144,7 @@ index 76f285e..519431d 100644
##
##
##
-@@ -3955,60 +4687,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,60 +4689,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
##
##
#
@@ -8324,7 +8381,7 @@ index 76f285e..519431d 100644
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
list_dirs_pattern($1, sysfs_t, sysfs_t)
-@@ -4016,6 +4903,81 @@ interface(`dev_rw_sysfs',`
+@@ -4016,6 +4905,81 @@ interface(`dev_rw_sysfs',`
########################################
##
@@ -8406,7 +8463,7 @@ index 76f285e..519431d 100644
## Read and write the TPM device.
##
##
-@@ -4113,6 +5075,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +5077,25 @@ interface(`dev_write_urand',`
########################################
##
@@ -8432,7 +8489,7 @@ index 76f285e..519431d 100644
## Getattr generic the USB devices.
##
##
-@@ -4123,7 +5104,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +5106,7 @@ interface(`dev_write_urand',`
#
interface(`dev_getattr_generic_usb_dev',`
gen_require(`
@@ -8441,7 +8498,7 @@ index 76f285e..519431d 100644
')
getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5390,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +5392,9 @@ interface(`dev_rw_usbfs',`
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')
@@ -8453,7 +8510,7 @@ index 76f285e..519431d 100644
##
##
##
-@@ -4419,17 +5400,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5402,17 @@ interface(`dev_rw_usbfs',`
##
##
#
@@ -8476,7 +8533,7 @@ index 76f285e..519431d 100644
##
##
##
-@@ -4437,12 +5418,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5420,12 @@ interface(`dev_getattr_video_dev',`
##
##
#
@@ -8492,7 +8549,7 @@ index 76f285e..519431d 100644
')
########################################
-@@ -4539,6 +5520,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5522,134 @@ interface(`dev_write_video_dev',`
########################################
##
@@ -8627,7 +8684,7 @@ index 76f285e..519431d 100644
## Allow read/write the vhost net device
##
##
-@@ -4557,6 +5666,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5668,24 @@ interface(`dev_rw_vhost',`
########################################
##
@@ -8652,7 +8709,16 @@ index 76f285e..519431d 100644
## Read and write VMWare devices.
##
##
-@@ -4630,6 +5757,24 @@ interface(`dev_write_watchdog',`
+@@ -4589,7 +5718,7 @@ interface(`dev_rwx_vmware',`
+ ')
+
+ dev_rw_vmware($1)
+- allow $1 vmware_device_t:chr_file execute;
++ allow $1 vmware_device_t:chr_file { map execute };
+ ')
+
+ ########################################
+@@ -4630,6 +5759,24 @@ interface(`dev_write_watchdog',`
########################################
##
@@ -8677,7 +8743,7 @@ index 76f285e..519431d 100644
## Read and write the the wireless device.
##
##
-@@ -4762,6 +5907,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5909,44 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -8722,7 +8788,16 @@ index 76f285e..519431d 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +6034,1042 @@ interface(`dev_unconfined',`
+@@ -4794,7 +5979,7 @@ interface(`dev_rwx_zero',`
+ ')
+
+ dev_rw_zero($1)
+- allow $1 zero_device_t:chr_file execute;
++ allow $1 zero_device_t:chr_file { map execute };
+ ')
+
+ ########################################
+@@ -4851,3 +6036,1042 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
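Review bot: with `{ map execute }` on zero_device_t, dev_rwx_zero now grants read, write, execute and map on /dev/zero, which is enough for a caller to build a shared writable-and-executable mapping backed by /dev/zero, the same outcome execmem/execmod exist to gate. That is the existing intent of an `rwx` interface rather than a regression introduced here, but add a comment to the interface saying so, so that reviewers of its callers treat them as execmem-equivalent.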
@@ -34399,7 +34474,7 @@ index bc0ffc8..37b8ea5 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..054b9f7 100644
+index 79a45f6..6ed0c39 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -34424,16 +34499,19 @@ index 79a45f6..054b9f7 100644
########################################
##
## Create a file type used for init scripts.
-@@ -106,6 +122,8 @@ interface(`init_domain',`
+@@ -106,7 +122,11 @@ interface(`init_domain',`
role system_r types $1;
domtrans_pattern(init_t, $2, $1)
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
++ allow init_t $1:process2 { nnp_transition nosuid_transition };
++
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -192,50 +210,43 @@ interface(`init_ranged_domain',`
+ # fds open from the initrd
+@@ -192,50 +212,43 @@ interface(`init_ranged_domain',`
interface(`init_daemon_domain',`
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
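Review bot: `allow init_t $1:process2 { nnp_transition nosuid_transition };` in init_domain lets systemd transition into each init-domain type even when the unit sets NoNewPrivileges=yes or the binary sits on a nosuid mount, which is the stated goal, but the line has no comment; add one naming NoNewPrivileges and the `nnp_nosuid_transition` policycap so the rule is not mistaken for a stray grant. Granting it per `$1` rather than to a broad attribute is the right shape. Also confirm that init_daemon_domain and init_system_domain (whose hunks follow) reach this rule through init_domain; otherwise only direct init_domain callers get NNP support and daemon units with NoNewPrivileges=yes would still fail to transition.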
@@ -34506,7 +34584,7 @@ index 79a45f6..054b9f7 100644
')
########################################
-@@ -283,17 +294,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +296,20 @@ interface(`init_daemon_domain',`
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
@@ -34528,7 +34606,7 @@ index 79a45f6..054b9f7 100644
')
')
-@@ -336,23 +350,19 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,23 +352,19 @@ interface(`init_ranged_daemon_domain',`
#
interface(`init_system_domain',`
gen_require(`
@@ -34559,7 +34637,7 @@ index 79a45f6..054b9f7 100644
')
########################################
-@@ -401,20 +411,41 @@ interface(`init_system_domain',`
+@@ -401,20 +413,41 @@ interface(`init_system_domain',`
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
@@ -34601,7 +34679,7 @@ index 79a45f6..054b9f7 100644
########################################
##
## Mark the file type as a daemon run dir, allowing initrc_t
-@@ -460,6 +491,25 @@ interface(`init_domtrans',`
+@@ -460,6 +493,25 @@ interface(`init_domtrans',`
domtrans_pattern($1, init_exec_t, init_t)
')
@@ -34627,7 +34705,7 @@ index 79a45f6..054b9f7 100644
########################################
##
## Execute the init program in the caller domain.
-@@ -469,7 +519,6 @@ interface(`init_domtrans',`
+@@ -469,7 +521,6 @@ interface(`init_domtrans',`
## Domain allowed access.
##
##
@@ -34635,7 +34713,7 @@ index 79a45f6..054b9f7 100644
#
interface(`init_exec',`
gen_require(`
-@@ -478,6 +527,48 @@ interface(`init_exec',`
+@@ -478,6 +529,48 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -34684,7 +34762,7 @@ index 79a45f6..054b9f7 100644
')
########################################
-@@ -566,6 +657,58 @@ interface(`init_sigchld',`
+@@ -566,6 +659,58 @@ interface(`init_sigchld',`
########################################
##
@@ -34743,7 +34821,7 @@ index 79a45f6..054b9f7 100644
## Connect to init with a unix socket.
##
##
-@@ -576,12 +719,87 @@ interface(`init_sigchld',`
+@@ -576,12 +721,87 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -34831,7 +34909,7 @@ index 79a45f6..054b9f7 100644
########################################
##
## Inherit and use file descriptors from init.
-@@ -743,22 +961,24 @@ interface(`init_write_initctl',`
+@@ -743,22 +963,24 @@ interface(`init_write_initctl',`
interface(`init_telinit',`
gen_require(`
type initctl_t;
@@ -34865,7 +34943,7 @@ index 79a45f6..054b9f7 100644
')
########################################
-@@ -787,7 +1007,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +1009,7 @@ interface(`init_rw_initctl',`
##
##
##
@@ -34874,7 +34952,7 @@ index 79a45f6..054b9f7 100644
##
##
#
-@@ -830,11 +1050,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +1052,12 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -34889,7 +34967,7 @@ index 79a45f6..054b9f7 100644
ifdef(`distro_gentoo',`
gen_require(`
-@@ -845,11 +1066,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1068,11 @@ interface(`init_spec_domtrans_script',`
')
ifdef(`enable_mcs',`
@@ -34903,7 +34981,7 @@ index 79a45f6..054b9f7 100644
')
')
-@@ -865,19 +1086,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +1088,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -34949,7 +35027,7 @@ index 79a45f6..054b9f7 100644
')
########################################
-@@ -933,9 +1176,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1178,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -34964,7 +35042,7 @@ index 79a45f6..054b9f7 100644
files_search_etc($1)
')
-@@ -992,7 +1240,7 @@ interface(`init_run_daemon',`
+@@ -992,7 +1242,7 @@ interface(`init_run_daemon',`
########################################
##
@@ -34973,7 +35051,7 @@ index 79a45f6..054b9f7 100644
##
##
##
-@@ -1000,38 +1248,37 @@ interface(`init_run_daemon',`
+@@ -1000,38 +1250,37 @@ interface(`init_run_daemon',`
##
##
#
@@ -35021,7 +35099,7 @@ index 79a45f6..054b9f7 100644
##
##
##
-@@ -1039,17 +1286,19 @@ interface(`init_ptrace',`
+@@ -1039,17 +1288,19 @@ interface(`init_ptrace',`
##
##
#
@@ -35045,7 +35123,7 @@ index 79a45f6..054b9f7 100644
##
##
##
-@@ -1057,18 +1306,17 @@ interface(`init_write_script_pipes',`
+@@ -1057,18 +1308,17 @@ interface(`init_write_script_pipes',`
##
##
#
@@ -35068,7 +35146,7 @@ index 79a45f6..054b9f7 100644
##
##
##
-@@ -1076,37 +1324,38 @@ interface(`init_getattr_script_files',`
+@@ -1076,37 +1326,38 @@ interface(`init_getattr_script_files',`
##
##
#
@@ -35117,7 +35195,7 @@ index 79a45f6..054b9f7 100644
##
##
##
-@@ -1114,7 +1363,82 @@ interface(`init_exec_script_files',`
+@@ -1114,7 +1365,82 @@ interface(`init_exec_script_files',`
##
##
#
@@ -35201,7 +35279,7 @@ index 79a45f6..054b9f7 100644
gen_require(`
attribute init_script_file_type;
')
-@@ -1125,6 +1449,63 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1451,63 @@ interface(`init_getattr_all_script_files',`
########################################
##
@@ -35265,7 +35343,7 @@ index 79a45f6..054b9f7 100644
## Read all init script files.
##
##
-@@ -1144,6 +1525,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1527,24 @@ interface(`init_read_all_script_files',`
#######################################
##
@@ -35290,7 +35368,7 @@ index 79a45f6..054b9f7 100644
## Dontaudit read all init script files.
##
##
-@@ -1195,12 +1594,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1596,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -35304,7 +35382,7 @@ index 79a45f6..054b9f7 100644
')
########################################
-@@ -1314,6 +1708,24 @@ interface(`init_signal_script',`
+@@ -1314,6 +1710,24 @@ interface(`init_signal_script',`
########################################
##
@@ -35329,7 +35407,7 @@ index 79a45f6..054b9f7 100644
## Send null signals to init scripts.
##
##
-@@ -1440,6 +1852,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1854,27 @@ interface(`init_dbus_send_script',`
########################################
##
## Send and receive messages from
@@ -35357,7 +35435,7 @@ index 79a45f6..054b9f7 100644
## init scripts over dbus.
##
##
-@@ -1547,6 +1980,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1547,6 +1982,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -35383,7 +35461,7 @@ index 79a45f6..054b9f7 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1605,6 +2057,42 @@ interface(`init_rw_script_tmp_files',`
+@@ -1605,6 +2059,42 @@ interface(`init_rw_script_tmp_files',`
########################################
##
@@ -35426,7 +35504,7 @@ index 79a45f6..054b9f7 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1677,6 +2165,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2167,43 @@ interface(`init_read_utmp',`
########################################
##
@@ -35470,7 +35548,7 @@ index 79a45f6..054b9f7 100644
## Do not audit attempts to write utmp.
##
##
-@@ -1765,7 +2290,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2292,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -35479,7 +35557,7 @@ index 79a45f6..054b9f7 100644
')
########################################
-@@ -1806,27 +2331,154 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,27 +2333,154 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -35646,7 +35724,7 @@ index 79a45f6..054b9f7 100644
##
##
##
-@@ -1840,3 +2492,583 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2494,583 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -39065,7 +39143,7 @@ index 73bb3c0..a70bee5 100644
+
+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..baca326 100644
+index 808ba93..b717d97 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
@@ -39094,6 +39172,15 @@ index 808ba93..baca326 100644
## Use the dynamic link/loader for automatic loading
## of shared libraries.
##
+@@ -86,7 +105,7 @@ interface(`libs_use_ld_so',`
+ read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
+ mmap_files_pattern($1, lib_t, ld_so_t)
+
+- allow $1 ld_so_cache_t:file read_file_perms;
++ allow $1 ld_so_cache_t:file { map read_file_perms };
+ ')
+
+ ########################################
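Review bot: `read_file_perms` is defined without `map` in obj_perm_sets.spt, so the new `allow $1 ld_so_cache_t:file { map read_file_perms };` in `libs_use_ld_so` is required for every domain that uses the dynamic loader once the kernel enforces the map check; the `mmap_files_pattern($1, lib_t, ld_so_t)` two lines above only covers lib_t and ld_so_t, not the cache file. The combined `{ map read_file_perms }` form used here is also the tidier shape for the bare `allow ... :file map;` statements added next to read patterns elsewhere in this change.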
@@ -147,6 +166,7 @@ interface(`libs_manage_ld_so',`
type lib_t, ld_so_t;
')
@@ -39787,7 +39874,7 @@ index b50c5fe..9eacd9b 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..0690edf 100644
+index 4e94884..e82be7a 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -39883,11 +39970,18 @@ index 4e94884..0690edf 100644
gen_require(`
- type syslogd_t, devlog_t;
+ attribute syslog_client_type;
-+ ')
-+
+ ')
+
+- allow $1 devlog_t:lnk_file read_lnk_file_perms;
+- allow $1 devlog_t:sock_file write_sock_file_perms;
+ typeattribute $1 syslog_client_type;
+')
-+
+
+- # the type of socket depends on the syslog daemon
+- allow $1 syslogd_t:unix_dgram_socket sendto;
+- allow $1 syslogd_t:unix_stream_socket connectto;
+- allow $1 self:unix_dgram_socket create_socket_perms;
+- allow $1 self:unix_stream_socket create_socket_perms;
+########################################
+##
+## Connect to the syslog control unix stream socket.
@@ -39902,7 +39996,11 @@ index 4e94884..0690edf 100644
+ gen_require(`
+ type devlog_t;
+ ')
-+
+
+- # If syslog is down, the glibc syslog() function
+- # will write to the console.
+- term_write_console($1)
+- term_dontaudit_read_console($1)
+ allow $1 devlog_t:lnk_file manage_lnk_file_perms;
+ allow $1 devlog_t:sock_file manage_sock_file_perms;
+ dev_filetrans($1, devlog_t, lnk_file, "log")
@@ -39923,19 +40021,12 @@ index 4e94884..0690edf 100644
+interface(`logging_relabel_devlog_dev',`
+ gen_require(`
+ type devlog_t;
- ')
-
-- allow $1 devlog_t:lnk_file read_lnk_file_perms;
-- allow $1 devlog_t:sock_file write_sock_file_perms;
++ ')
++
+ allow $1 devlog_t:sock_file relabel_sock_file_perms;
+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
+')
-
-- # the type of socket depends on the syslog daemon
-- allow $1 syslogd_t:unix_dgram_socket sendto;
-- allow $1 syslogd_t:unix_stream_socket connectto;
-- allow $1 self:unix_dgram_socket create_socket_perms;
-- allow $1 self:unix_stream_socket create_socket_perms;
++
+########################################
+##
+## Allow domain to read the syslog pid files.
@@ -39950,11 +40041,7 @@ index 4e94884..0690edf 100644
+ gen_require(`
+ type syslogd_var_run_t;
+ ')
-
-- # If syslog is down, the glibc syslog() function
-- # will write to the console.
-- term_write_console($1)
-- term_dontaudit_read_console($1)
++
+ read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+ list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+')
@@ -40111,7 +40198,7 @@ index 4e94884..0690edf 100644
')
########################################
-@@ -885,6 +1107,44 @@ interface(`logging_read_generic_logs',`
+@@ -885,6 +1107,63 @@ interface(`logging_read_generic_logs',`
########################################
##
@@ -40152,11 +40239,30 @@ index 4e94884..0690edf 100644
+')
+
+########################################
++##
++## Map generic log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`logging_mmap_generic_logs',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ allow $1 var_log_t:file map;
++')
++
++########################################
+##
## Write generic log files.
##
##
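Review bot: `logging_mmap_generic_logs` grants only `var_log_t:file map` and no read permission, so a caller still needs `logging_read_generic_logs` for the open and read that precede an mmap; either state that dependency in the interface summary ("Map generic log files") or grant `{ map read_file_perms }` in one statement as `libs_use_ld_so` does in this same change, so the interface is usable on its own.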
-@@ -905,6 +1165,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1184,24 @@ interface(`logging_write_generic_logs',`
########################################
##
@@ -40181,7 +40287,7 @@ index 4e94884..0690edf 100644
## Dontaudit Write generic log files.
##
##
-@@ -984,11 +1262,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1281,16 @@ interface(`logging_admin_audit',`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
type auditd_initrc_exec_t;
@@ -40199,7 +40305,7 @@ index 4e94884..0690edf 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-@@ -1004,6 +1287,55 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1306,55 @@ interface(`logging_admin_audit',`
domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r;
@@ -40255,7 +40361,7 @@ index 4e94884..0690edf 100644
')
########################################
-@@ -1032,10 +1364,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1383,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@@ -40273,7 +40379,7 @@ index 4e94884..0690edf 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1394,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1413,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -40282,7 +40388,7 @@ index 4e94884..0690edf 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1085,3 +1424,90 @@ interface(`logging_admin',`
+@@ -1085,3 +1443,107 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
@@ -40373,8 +40479,26 @@ index 4e94884..0690edf 100644
+ files_search_pids($1)
+ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
+')
++
++#######################################
++##
++## Map files in /run/log/journal/ directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_mmap_journal',`
++ gen_require(`
++ type syslogd_var_run_t;
++ ')
++
++ allow $1 syslogd_var_run_t:file map;
+\ No newline at end of file
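Review bot: the added `logging_mmap_journal` interface is never closed: the hunk ends at `allow $1 syslogd_var_run_t:file map;` followed by `\ No newline at end of file` with no `')`, so the m4 `interface(` macro is left open and logging.if will not process. Add the closing `')` plus a trailing newline and bump the inner header count (`+1443,107` currently matches exactly the 17 lines added, so the fix needs one more). Also, the summary says "/run/log/journal/ directory" while the rule is on syslogd_var_run_t as a whole, which is broader than the journal directory; the summary should say what the rule actually grants.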
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..0114ad2 100644
+index 59b04c1..2ad89c5 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@@ -40636,7 +40760,7 @@ index 59b04c1..0114ad2 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,11 +431,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,15 +431,20 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -40653,7 +40777,12 @@ index 59b04c1..0114ad2 100644
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
-@@ -389,30 +455,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ manage_files_pattern(syslogd_t, var_log_t, var_log_t)
++allow syslogd_t var_log_t:file map;
+ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+ files_search_spool(syslogd_t)
+
+@@ -389,30 +456,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -40704,7 +40833,7 @@ index 59b04c1..0114ad2 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +505,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +506,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -40713,7 +40842,7 @@ index 59b04c1..0114ad2 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +517,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +518,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -40747,7 +40876,7 @@ index 59b04c1..0114ad2 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -448,13 +556,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +557,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@@ -40765,7 +40894,7 @@ index 59b04c1..0114ad2 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +578,12 @@ init_use_fds(syslogd_t)
+@@ -466,11 +579,12 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -40781,7 +40910,7 @@ index 59b04c1..0114ad2 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -497,6 +610,7 @@ optional_policy(`
+@@ -497,6 +611,7 @@ optional_policy(`
optional_policy(`
cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -40789,7 +40918,7 @@ index 59b04c1..0114ad2 100644
')
optional_policy(`
-@@ -507,15 +621,44 @@ optional_policy(`
+@@ -507,15 +622,44 @@ optional_policy(`
')
optional_policy(`
@@ -40834,7 +40963,7 @@ index 59b04c1..0114ad2 100644
')
optional_policy(`
-@@ -526,3 +669,29 @@ optional_policy(`
+@@ -526,3 +670,29 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -41670,7 +41799,7 @@ index 9fe8e01..c62c761 100644
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
')
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..3be6892 100644
+index fc28bc3..e4b9a3b 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
@@ -41762,7 +41891,23 @@ index fc28bc3..3be6892 100644
## Manage SSL certificates.
##
##
-@@ -434,6 +493,7 @@ interface(`miscfiles_rw_localization',`
+@@ -191,6 +250,7 @@ interface(`miscfiles_read_fonts',`
+
+ allow $1 fonts_t:dir list_dir_perms;
+ read_files_pattern($1, fonts_t, fonts_t)
++ allow $1 fonts_t:file map;
+ read_lnk_files_pattern($1, fonts_t, fonts_t)
+
+ allow $1 fonts_cache_t:dir list_dir_perms;
+@@ -414,6 +474,7 @@ interface(`miscfiles_read_localization',`
+ allow $1 locale_t:dir list_dir_perms;
+ read_files_pattern($1, locale_t, locale_t)
+ read_lnk_files_pattern($1, locale_t, locale_t)
++ allow $1 locale_t:file map;
+ ')
+
+ ########################################
+@@ -434,6 +495,7 @@ interface(`miscfiles_rw_localization',`
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
rw_files_pattern($1, locale_t, locale_t)
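Review bot: `miscfiles_read_fonts` gains `allow $1 fonts_t:file map;` but the fonts_cache_t block immediately below it is left untouched; confirm whether fonts_cache_t files need `map` too, since a fontconfig cache is typically mmapped, otherwise callers will trade a denial on the font file for a denial on the cache. The new `allow $1 locale_t:file map;` in `miscfiles_read_localization` and the equivalent line in `miscfiles_rw_localization` could be folded into the preceding pattern as `{ map read_file_perms }` rather than a second statement per type.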
@@ -41770,7 +41915,7 @@ index fc28bc3..3be6892 100644
')
########################################
-@@ -453,6 +513,7 @@ interface(`miscfiles_relabel_localization',`
+@@ -453,6 +515,7 @@ interface(`miscfiles_relabel_localization',`
files_search_usr($1)
relabel_files_pattern($1, locale_t, locale_t)
@@ -41778,7 +41923,7 @@ index fc28bc3..3be6892 100644
')
########################################
-@@ -470,7 +531,6 @@ interface(`miscfiles_legacy_read_localization',`
+@@ -470,7 +533,6 @@ interface(`miscfiles_legacy_read_localization',`
type locale_t;
')
@@ -41786,7 +41931,7 @@ index fc28bc3..3be6892 100644
allow $1 locale_t:file execute;
')
-@@ -531,6 +591,10 @@ interface(`miscfiles_read_man_pages',`
+@@ -531,6 +593,10 @@ interface(`miscfiles_read_man_pages',`
allow $1 { man_cache_t man_t }:dir list_dir_perms;
read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@@ -41797,7 +41942,7 @@ index fc28bc3..3be6892 100644
')
########################################
-@@ -554,6 +618,29 @@ interface(`miscfiles_delete_man_pages',`
+@@ -554,6 +620,29 @@ interface(`miscfiles_delete_man_pages',`
delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@@ -41827,7 +41972,7 @@ index fc28bc3..3be6892 100644
')
########################################
-@@ -622,6 +709,30 @@ interface(`miscfiles_manage_man_cache',`
+@@ -622,6 +711,30 @@ interface(`miscfiles_manage_man_cache',`
########################################
##
@@ -41858,7 +42003,7 @@ index fc28bc3..3be6892 100644
## Read public files used for file
## transfer services.
##
-@@ -784,8 +895,11 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -784,8 +897,11 @@ interface(`miscfiles_etc_filetrans_localization',`
type locale_t;
')
@@ -41872,7 +42017,7 @@ index fc28bc3..3be6892 100644
')
########################################
-@@ -809,3 +923,61 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +925,61 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')
@@ -43422,7 +43567,7 @@ index d43f3b1..c5053db 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..d358162 100644
+index 3822072..0395f48 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -43903,25 +44048,51 @@ index 3822072..d358162 100644
########################################
##
## Create, read, write, and delete the default_contexts files.
-@@ -784,7 +1146,9 @@ interface(`seutil_read_file_contexts',`
+@@ -784,7 +1146,10 @@ interface(`seutil_read_file_contexts',`
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ list_dirs_pattern($1, file_context_t, file_context_t)
read_files_pattern($1, file_context_t, file_context_t)
+ read_lnk_files_pattern($1, file_context_t, file_context_t)
++ allow $1 file_context_t:file map;
')
########################################
-@@ -846,6 +1210,7 @@ interface(`seutil_manage_file_contexts',`
+@@ -805,6 +1170,7 @@ interface(`seutil_dontaudit_read_file_contexts',`
+
+ dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms;
+ dontaudit $1 file_context_t:file read_file_perms;
++ dontaudit $1 file_context_t:file map;
+ ')
+
+ ########################################
+@@ -825,6 +1191,7 @@ interface(`seutil_rw_file_contexts',`
+ files_search_etc($1)
+ allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ rw_files_pattern($1, file_context_t, file_context_t)
++ allow $1 file_context_t:file map;
+ ')
+
+ ########################################
+@@ -846,6 +1213,8 @@ interface(`seutil_manage_file_contexts',`
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
manage_files_pattern($1, file_context_t, file_context_t)
+ manage_dirs_pattern($1, file_context_t, file_context_t)
++ allow $1 file_context_t:file map;
')
########################################
-@@ -999,6 +1364,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -866,6 +1235,7 @@ interface(`seutil_read_bin_policy',`
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ read_files_pattern($1, policy_config_t, policy_config_t)
++ allow $1 policy_config_t:file map;
+ ')
+
+ ########################################
+@@ -999,6 +1369,26 @@ interface(`seutil_domtrans_semanage',`
########################################
##
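Review bot: `dontaudit $1 file_context_t:file map;` in `seutil_dontaudit_read_file_contexts` and the matching `allow $1 file_context_t:file map;` lines in the read, rw and manage interfaces could each be merged into the preceding statement (for example `dontaudit $1 file_context_t:file { map read_file_perms };`) instead of adding a second rule per type; behaviour is identical, but a single statement per type is the form `libs_use_ld_so` uses in this change. The `allow $1 policy_config_t:file map;` in `seutil_read_bin_policy` is the one that matters functionally, since `read_files_pattern` no longer implies `map` and load_policy_t needs it (see the matching rule added to selinuxutil.te in this change).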
@@ -43948,7 +44119,7 @@ index 3822072..d358162 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1017,11 +1402,105 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1407,105 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
@@ -44056,7 +44227,7 @@ index 3822072..d358162 100644
')
########################################
-@@ -1041,9 +1520,15 @@ interface(`seutil_manage_module_store',`
+@@ -1041,9 +1525,15 @@ interface(`seutil_manage_module_store',`
')
files_search_etc($1)
@@ -44072,7 +44243,7 @@ index 3822072..d358162 100644
')
#######################################
-@@ -1067,6 +1552,24 @@ interface(`seutil_get_semanage_read_lock',`
+@@ -1067,6 +1557,24 @@ interface(`seutil_get_semanage_read_lock',`
#######################################
##
@@ -44097,7 +44268,7 @@ index 3822072..d358162 100644
## Get trans lock on module store
##
##
-@@ -1137,3 +1640,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1645,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -44220,7 +44391,7 @@ index 3822072..d358162 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..1a0d4fb 100644
+index dc46420..27d8d49 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -44386,7 +44557,7 @@ index dc46420..1a0d4fb 100644
userdom_use_all_users_fds(checkpolicy_t)
ifdef(`distro_ubuntu',`
-@@ -165,7 +188,7 @@ ifdef(`distro_ubuntu',`
+@@ -165,10 +188,11 @@ ifdef(`distro_ubuntu',`
# Load_policy local policy
#
@@ -44395,7 +44566,11 @@ index dc46420..1a0d4fb 100644
# only allow read of policy config files
read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
-@@ -188,13 +211,13 @@ term_list_ptys(load_policy_t)
++allow load_policy_t policy_config_t:file map;
+
+ domain_use_interactive_fds(load_policy_t)
+
+@@ -188,13 +212,13 @@ term_list_ptys(load_policy_t)
init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
@@ -44412,7 +44587,7 @@ index dc46420..1a0d4fb 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -205,6 +228,7 @@ ifdef(`distro_ubuntu',`
+@@ -205,6 +229,7 @@ ifdef(`distro_ubuntu',`
ifdef(`hide_broken_symptoms',`
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
@@ -44420,7 +44595,7 @@ index dc46420..1a0d4fb 100644
optional_policy(`
unconfined_dontaudit_read_pipes(load_policy_t)
-@@ -215,12 +239,21 @@ optional_policy(`
+@@ -215,12 +240,21 @@ optional_policy(`
portage_dontaudit_use_fds(load_policy_t)
')
@@ -44443,7 +44618,7 @@ index dc46420..1a0d4fb 100644
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
-@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -232,7 +266,7 @@ allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -44452,7 +44627,7 @@ index dc46420..1a0d4fb 100644
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -249,6 +283,7 @@ domain_use_interactive_fds(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_interactive_fds(newrole_t)
@@ -44460,7 +44635,7 @@ index dc46420..1a0d4fb 100644
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
-@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t)
+@@ -276,25 +311,34 @@ term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@@ -44502,7 +44677,7 @@ index dc46420..1a0d4fb 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
-@@ -309,7 +352,7 @@ if(secure_mode) {
+@@ -309,7 +353,7 @@ if(secure_mode) {
userdom_spec_domtrans_all_users(newrole_t)
}
@@ -44511,7 +44686,7 @@ index dc46420..1a0d4fb 100644
files_polyinstantiate_all(newrole_t)
')
-@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t)
+@@ -328,9 +372,13 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -44526,7 +44701,7 @@ index dc46420..1a0d4fb 100644
fs_list_inotifyfs(restorecond_t)
selinux_validate_context(restorecond_t)
-@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t)
+@@ -341,16 +389,17 @@ selinux_compute_user_contexts(restorecond_t)
files_relabel_non_auth_files(restorecond_t )
files_read_non_auth_files(restorecond_t)
@@ -44546,7 +44721,7 @@ index dc46420..1a0d4fb 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -366,21 +414,24 @@ optional_policy(`
+@@ -366,21 +415,24 @@ optional_policy(`
# Run_init local policy
#
@@ -44573,7 +44748,7 @@ index dc46420..1a0d4fb 100644
dev_dontaudit_list_all_dev_nodes(run_init_t)
domain_use_interactive_fds(run_init_t)
-@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t)
+@@ -398,23 +450,30 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@@ -44609,7 +44784,7 @@ index dc46420..1a0d4fb 100644
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
-@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',`
+@@ -425,6 +484,19 @@ ifndef(`direct_sysadm_daemon',`
')
')
@@ -44629,7 +44804,7 @@ index dc46420..1a0d4fb 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -440,81 +511,85 @@ optional_policy(`
+@@ -440,81 +512,85 @@ optional_policy(`
# semodule local policy
#
@@ -44771,7 +44946,7 @@ index dc46420..1a0d4fb 100644
')
########################################
-@@ -522,111 +597,203 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +598,204 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -44842,6 +45017,7 @@ index dc46420..1a0d4fb 100644
+
+# needs to be able to read symlinks to make restorecon on symlink working
+files_read_all_symlinks(setfiles_t)
++allow setfiles_t file_context_t:file map;
logging_send_audit_msgs(setfiles_t)
logging_send_syslog_msg(setfiles_t)
@@ -56191,6 +56367,24 @@ index f4ac38d..1589d60 100644
+ ssh_delete_tmp(confined_admindomain)
+ ssh_signal(confined_admindomain)
+')
+diff --git a/policy/policy_capabilities b/policy/policy_capabilities
+index db3cbca..e677b81 100644
+--- a/policy/policy_capabilities
++++ b/policy/policy_capabilities
+@@ -31,3 +31,12 @@ policycap network_peer_controls;
+ # blk_file: open
+ #
+ policycap open_perms;
++
++
++# Enable NoNewPrivileges support. Requires libsepol 2.7+
++# and kernel 4.14 (estimated).
++#
++# Checks enabled;
++# process2: nnp_transition, nosuid_transition
++#
++#policycap nnp_nosuid_transition;
+\ No newline at end of file
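Review bot: the new `policycap nnp_nosuid_transition;` line is committed commented out, so nothing in the built policy changes here; either enable it behind the libsepol 2.7+ and kernel 4.14 requirement the comment states, or make the changelog say this is groundwork rather than an enabled capability. Style: `Checks enabled;` should read `Checks enabled:`, the two added blank lines should be one, and the file now ends without a trailing newline (`\ No newline at end of file`).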
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index e79d545..101086d 100644
--- a/policy/support/misc_patterns.spt
@@ -56223,7 +56417,7 @@ index e79d545..101086d 100644
')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..b80ffcb 100644
+index 6e91317..dc1c884 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -56250,13 +56444,15 @@ index 6e91317..b80ffcb 100644
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr open read lock ioctl }')
-+define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
-+define(`read_file_perms',`{ open read_inherited_file_perms }')
- define(`mmap_file_perms',`{ getattr open read execute ioctl }')
- define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
+-define(`mmap_file_perms',`{ getattr open read execute ioctl }')
+-define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
-define(`append_file_perms',`{ getattr open append lock ioctl }')
-define(`write_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
++define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
++define(`read_file_perms',`{ open read_inherited_file_perms }')
++define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
++define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
+define(`append_inherited_file_perms',`{ getattr append }')
+define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }')
+define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
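Review bot: adding `map` to `mmap_file_perms` and `exec_file_perms` while leaving it out of `read_file_perms`, `rw_file_perms` and the new `*_inherited_file_perms` sets means any domain that mmaps a file on which it only holds read or rw permission will start seeing `map` denials once the kernel enforces the check. That is consistent with the explicit `allow ... :file map;` rules added throughout this change (ld.so.cache, fonts, locale, file contexts, logs, binary policy), but it should be called out in the changelog so policy authors know to audit for `map` denials after upgrading rather than discovering them one service at a time.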
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 9b20fd09..c14c291d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -69486,7 +69486,7 @@ index 0000000..05648bd
+')
diff --git a/osad.te b/osad.te
new file mode 100644
-index 0000000..6c2f264
+index 0000000..b372f68
--- /dev/null
+++ b/osad.te
@@ -0,0 +1,56 @@
@@ -69515,7 +69515,7 @@ index 0000000..6c2f264
+# osad local policy
+#
+
-+allow osad_t self:process setpgid;
++allow osad_t self:process { execmem setpgid };
+
+manage_files_pattern(osad_t, osad_log_t, osad_log_t)
+logging_log_filetrans(osad_t, osad_log_t, file)
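Review bot: `execmem` on osad_t is a broad grant (writable and executable anonymous memory, removing W^X for the whole process) and the hunk carries no explanation; add a comment above the rule citing BZ 1425524 and what in osad triggers the denial, and if the need comes from a specific interpreter or library rather than osad itself, consider gating it with a boolean instead of allowing it unconditionally. The combined `{ execmem setpgid }` form is fine.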
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 91ad49e1..0410f4b2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 268%{?dist}
+Release: 269%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -683,6 +683,13 @@ exit 0
%endif
%changelog
+* Thu Aug 10 2017 Lukas Vrabec - 3.13.1-269
+- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)
+- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
+- refpolicy: Define and allow map permission
+- init: Add NoNewPerms support for systemd.
+- Add nnp_nosuid_transition policycap and related class/perm definitions.
+
* Mon Aug 07 2017 Petr Lautrbach - 3.13.1-268
- Update for SELinux userspace release 20170804 / 2.7
- Omit precompiled regular expressions from file_contexts.bin files
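Review bot: typos in the new changelog entry: `swaped` should be `swapped`, `NoNewPerms` should be `NoNewPrivileges` (the name used in the policy_capabilities comment in this same change), and the capability is `dac_read_search`, not `dac_search_read`; the first bullet also needs "to" ("Allow osad to make executable an anonymous mapping ..."). The last bullet says the nnp_nosuid_transition policycap is added, but the `policycap` line in this change is commented out, so the entry should say it is defined but not yet enabled.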