[selinux-policy/f18] Add sandboxX policy
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Aug 31 06:19:26 UTC 2012
commit 94e637523837c1fdfb4ce2cf41404976e4d55b32
Author: rhatdan <dwalsh at redhat.com>
Date: Fri Aug 31 02:18:29 2012 -0400
Add sandboxX policy
modules-targeted.conf | 9 +-
policy-rawhide.patch | 520 ++++++++++++++++++++++----------------
policy_contrib-rawhide.patch | 572 ++++++++++++++----------------------------
selinux-policy.spec | 10 +-
4 files changed, 507 insertions(+), 604 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 07d1d3c..446b627 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1556,10 +1556,17 @@ sambagui = module
# Layer: apps
# Module: sandbox
#
-# Experimental policy for running apps within a sandbox
+# Policy for running apps within a sandbox
#
sandbox = module
+# Layer: apps
+# Module: sandbox
+#
+# Policy for running apps within a X sandbox
+#
+sandboxX = module
+
# Layer: services
# Module: sanlock
#
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 5efd02f..cc65062 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -68262,7 +68262,7 @@ index 6a1e4d1..eee8419 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..e43701b 100644
+index cf04cb5..b5b32d3 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.11.0)
@@ -68287,7 +68287,7 @@ index cf04cb5..e43701b 100644
## <desc>
## <p>
-@@ -86,23 +101,39 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +101,41 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
@@ -68318,6 +68318,8 @@ index cf04cb5..e43701b 100644
+# allow all domains to search through default_t directory, since users sometimes
+# place labels within these directories. (samba_share_t) for example.
+files_search_default(domain)
++files_read_inherited_tmp_files(domain)
++files_append_inherited_tmp_files(domain)
+
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
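Review bot: The added `files_append_inherited_tmp_files(domain)` is redundant next to `files_read_inherited_tmp_files(domain)`, because the read interface as defined later in this patch already grants `{ append read_inherited_file_perms }`. Both calls attach to the `domain` attribute, so every domain on the system gains read/append on inherited descriptors of any `tmpfile` type; the perm sets presumably carry no `open` permission (confirm against the perm-set definition), which limits this to fds handed over exec, but nothing in the hunk says so. Suggest dropping the append line, or keeping it and trimming the read interface to read-only, and putting above them `# inherited fds only (no open): children keep using a parent's already-open tmp file after exec`. The surrounding domain.te section continues outside the hunk.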
@@ -68328,7 +68330,7 @@ index cf04cb5..e43701b 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +152,13 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +154,13 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -68342,7 +68344,7 @@ index cf04cb5..e43701b 100644
')
optional_policy(`
-@@ -133,6 +169,8 @@ optional_policy(`
+@@ -133,6 +171,8 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -68351,7 +68353,7 @@ index cf04cb5..e43701b 100644
')
########################################
-@@ -151,8 +189,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+@@ -151,8 +191,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@@ -68366,7 +68368,7 @@ index cf04cb5..e43701b 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +209,259 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +211,259 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -68627,7 +68629,7 @@ index cf04cb5..e43701b 100644
+
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 8796ca3..38dcaf6 100644
+index 8796ca3..6bd523f 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -68638,6 +68640,31 @@ index 8796ca3..38dcaf6 100644
')
ifdef(`distro_suse',`
+@@ -27,7 +28,7 @@ ifdef(`distro_suse',`
+ #
+ # /boot
+ #
+-/boot -d gen_context(system_u:object_r:boot_t,s0)
++/boot gen_context(system_u:object_r:boot_t,s0)
+ /boot/.* gen_context(system_u:object_r:boot_t,s0)
+ /boot/\.journal <<none>>
+ /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
+@@ -38,13 +39,13 @@ ifdef(`distro_suse',`
+ #
+ # /emul
+ #
+-/emul -d gen_context(system_u:object_r:usr_t,s0)
++/emul gen_context(system_u:object_r:usr_t,s0)
+ /emul/.* gen_context(system_u:object_r:usr_t,s0)
+
+ #
+ # /etc
+ #
+-/etc -d gen_context(system_u:object_r:etc_t,s0)
++/etc gen_context(system_u:object_r:etc_t,s0)
+ /etc/.* gen_context(system_u:object_r:etc_t,s0)
+ /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -53,12 +54,16 @@ ifdef(`distro_suse',`
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
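Review bot: The `-d` type specifier is dropped from the `/boot`, `/emul` and `/etc` entries, and likewise from `/opt`, `/srv`, `/tmp`, `/usr` and `/var` in the later hunks of this file section, without a comment giving the reason. Because these regexes are anchored the change only affects the top-level path itself, presumably so it still receives its context when it is a symlink or other non-directory rather than a real directory; if that is the intent, a one-line comment above the first such entry would spare the next reader the guess, e.g. `# no -d here: label the top-level path even when it is not a directory (e.g. a symlink)`. The removal of the `/etc/rhgb` block in the following hunk needs no such note.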
@@ -68671,7 +68698,18 @@ index 8796ca3..38dcaf6 100644
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -104,7 +112,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -78,10 +86,6 @@ ifdef(`distro_gentoo', `
+ /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ ')
+
+-ifdef(`distro_redhat',`
+-/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
+-')
+-
+ ifdef(`distro_suse',`
+ /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -104,7 +108,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/initrd -d gen_context(system_u:object_r:root_t,s0)
#
@@ -68680,7 +68718,7 @@ index 8796ca3..38dcaf6 100644
#
/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-@@ -129,6 +137,8 @@ ifdef(`distro_debian',`
+@@ -129,6 +133,8 @@ ifdef(`distro_debian',`
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/media/[^/]*/.* <<none>>
/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
@@ -68689,8 +68727,12 @@ index 8796ca3..38dcaf6 100644
#
# /misc
-@@ -153,7 +163,7 @@ ifdef(`distro_debian',`
- /opt -d gen_context(system_u:object_r:usr_t,s0)
+@@ -150,10 +156,10 @@ ifdef(`distro_debian',`
+ #
+ # /opt
+ #
+-/opt -d gen_context(system_u:object_r:usr_t,s0)
++/opt gen_context(system_u:object_r:usr_t,s0)
/opt/.* gen_context(system_u:object_r:usr_t,s0)
-/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
@@ -68698,7 +68740,7 @@ index 8796ca3..38dcaf6 100644
#
# /proc
-@@ -161,6 +171,12 @@ ifdef(`distro_debian',`
+@@ -161,6 +167,12 @@ ifdef(`distro_debian',`
/proc -d <<none>>
/proc/.* <<none>>
@@ -68711,15 +68753,35 @@ index 8796ca3..38dcaf6 100644
#
# /run
#
-@@ -197,6 +213,7 @@ ifdef(`distro_debian',`
- /usr -d gen_context(system_u:object_r:usr_t,s0)
+@@ -178,13 +190,13 @@ ifdef(`distro_debian',`
+ #
+ # /srv
+ #
+-/srv -d gen_context(system_u:object_r:var_t,s0)
++/srv gen_context(system_u:object_r:var_t,s0)
+ /srv/.* gen_context(system_u:object_r:var_t,s0)
+
+ #
+ # /tmp
+ #
+-/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /tmp/.* <<none>>
+ /tmp/\.journal <<none>>
+
+@@ -194,9 +206,10 @@ ifdef(`distro_debian',`
+ #
+ # /usr
+ #
+-/usr -d gen_context(system_u:object_r:usr_t,s0)
++/usr gen_context(system_u:object_r:usr_t,s0)
/usr/.* gen_context(system_u:object_r:usr_t,s0)
/usr/\.journal <<none>>
+/export(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -204,15 +221,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +217,9 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
@@ -68736,7 +68798,7 @@ index 8796ca3..38dcaf6 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-@@ -220,8 +231,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +227,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
@@ -68745,7 +68807,16 @@ index 8796ca3..38dcaf6 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -237,11 +246,14 @@ ifndef(`distro_redhat',`
+@@ -229,7 +234,7 @@ ifndef(`distro_redhat',`
+ #
+ # /var
+ #
+-/var -d gen_context(system_u:object_r:var_t,s0)
++/var gen_context(system_u:object_r:var_t,s0)
+ /var/.* gen_context(system_u:object_r:var_t,s0)
+ /var/\.journal <<none>>
+
+@@ -237,11 +242,14 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -68760,14 +68831,14 @@ index 8796ca3..38dcaf6 100644
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>>
-@@ -264,3 +276,5 @@ ifndef(`distro_redhat',`
+@@ -264,3 +272,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..dc3148a 100644
+index e1e814d..833ba31 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -69017,7 +69088,15 @@ index e1e814d..dc3148a 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2652,7 +2829,7 @@ interface(`files_read_etc_files',`
+@@ -2644,6 +2821,7 @@ interface(`files_read_etc_files',`
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, etc_t)
+ read_lnk_files_pattern($1, etc_t, etc_t)
++ files_read_etc_runtime_files($1)
+ ')
+
+ ########################################
+@@ -2652,7 +2830,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
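Review bot: `files_read_etc_files` now also calls `files_read_etc_runtime_files($1)`, which silently widens every existing caller of the interface from `etc_t` to `etc_runtime_t` as well. That is a privilege change for a large number of domains, and the interface's `<summary>` (above the hunk, not shown here) still describes reading generic /etc files only. Either update the summary to say runtime files are included, or annotate the new line with something like `# etc_runtime_t files (e.g. mtab) are created under /etc at boot and practically every reader of etc_t needs them too`. The interface body itself is complete within the hunk.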
@@ -69026,7 +69105,7 @@ index e1e814d..dc3148a 100644
## </summary>
## </param>
#
-@@ -2708,6 +2885,25 @@ interface(`files_manage_etc_files',`
+@@ -2708,6 +2886,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@@ -69052,7 +69131,7 @@ index e1e814d..dc3148a 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
-@@ -2726,6 +2922,24 @@ interface(`files_delete_etc_files',`
+@@ -2726,6 +2923,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -69077,7 +69156,7 @@ index e1e814d..dc3148a 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2891,24 +3105,6 @@ interface(`files_delete_boot_flag',`
+@@ -2891,24 +3106,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -69102,7 +69181,7 @@ index e1e814d..dc3148a 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -2949,6 +3145,42 @@ interface(`files_read_etc_runtime_files',`
+@@ -2949,6 +3146,42 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -69145,7 +69224,7 @@ index e1e814d..dc3148a 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -2986,6 +3218,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2986,6 +3219,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -69153,7 +69232,7 @@ index e1e814d..dc3148a 100644
')
########################################
-@@ -3007,6 +3240,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3007,6 +3241,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -69161,7 +69240,7 @@ index e1e814d..dc3148a 100644
')
########################################
-@@ -3382,6 +3616,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3382,6 +3617,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
## <summary>
@@ -69187,7 +69266,7 @@ index e1e814d..dc3148a 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3723,20 +3976,38 @@ interface(`files_list_mnt',`
+@@ -3723,20 +3977,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -69231,7 +69310,7 @@ index e1e814d..dc3148a 100644
')
########################################
-@@ -4126,10 +4397,131 @@ interface(`files_read_world_readable_sockets',`
+@@ -4126,10 +4398,131 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -69366,7 +69445,7 @@ index e1e814d..dc3148a 100644
## temporary directory (/tmp).
## </summary>
## <param name="file_type">
-@@ -4148,6 +4540,26 @@ interface(`files_associate_tmp',`
+@@ -4148,6 +4541,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@@ -69393,7 +69472,7 @@ index e1e814d..dc3148a 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4161,6 +4573,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4161,6 +4574,7 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -69401,7 +69480,7 @@ index e1e814d..dc3148a 100644
allow $1 tmp_t:dir getattr;
')
-@@ -4171,7 +4584,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4171,7 +4585,7 @@ interface(`files_getattr_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -69410,7 +69489,7 @@ index e1e814d..dc3148a 100644
## </summary>
## </param>
#
-@@ -4198,6 +4611,7 @@ interface(`files_search_tmp',`
+@@ -4198,6 +4612,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -69418,7 +69497,7 @@ index e1e814d..dc3148a 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4234,6 +4648,7 @@ interface(`files_list_tmp',`
+@@ -4234,6 +4649,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -69426,7 +69505,7 @@ index e1e814d..dc3148a 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4243,7 +4658,7 @@ interface(`files_list_tmp',`
+@@ -4243,7 +4659,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -69435,7 +69514,7 @@ index e1e814d..dc3148a 100644
## </summary>
## </param>
#
-@@ -4255,6 +4670,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4255,6 +4671,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -69461,7 +69540,7 @@ index e1e814d..dc3148a 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4270,6 +4704,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4270,6 +4705,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -69469,7 +69548,7 @@ index e1e814d..dc3148a 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4311,6 +4746,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4311,6 +4747,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -69502,7 +69581,7 @@ index e1e814d..dc3148a 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4365,6 +4826,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4365,6 +4827,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -69545,7 +69624,50 @@ index e1e814d..dc3148a 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4428,7 +4925,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4383,6 +4881,42 @@ interface(`files_setattr_all_tmp_dirs',`
+
+ ########################################
+ ## <summary>
++## Allow caller to read inherited tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file { append read_inherited_file_perms };
++')
++
++########################################
++## <summary>
++## Allow caller to append inherited tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_append_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file append_inherited_file_perms };
++')
++
++########################################
++## <summary>
+ ## List all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -4428,7 +4962,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
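Review bot: The allow rule in the new `files_append_inherited_tmp_files` interface has an unbalanced brace, `allow $1 tmpfile:file append_inherited_file_perms };`, which will fail policy compilation as soon as the interface is used (domain.te calls it earlier in this patch); it should read `allow $1 tmpfile:file append_inherited_file_perms;`. Separately, `files_read_inherited_tmp_files` grants `{ append read_inherited_file_perms }`, so an interface named "read" also confers append and makes the append interface redundant; consider `allow $1 tmpfile:file read_inherited_file_perms;` there so the two interfaces match their names and summaries. Both interfaces are complete within the hunk.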
@@ -69554,7 +69676,7 @@ index e1e814d..dc3148a 100644
## </summary>
## </param>
#
-@@ -4488,7 +4985,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4488,7 +5022,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -69563,7 +69685,7 @@ index e1e814d..dc3148a 100644
## </summary>
## </param>
#
-@@ -4573,6 +5070,16 @@ interface(`files_purge_tmp',`
+@@ -4573,6 +5107,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -69580,7 +69702,7 @@ index e1e814d..dc3148a 100644
')
########################################
-@@ -5150,6 +5657,24 @@ interface(`files_list_var',`
+@@ -5150,6 +5694,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -69605,7 +69727,7 @@ index e1e814d..dc3148a 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5505,6 +6030,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5505,6 +6067,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -69631,7 +69753,7 @@ index e1e814d..dc3148a 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5550,7 +6094,7 @@ interface(`files_manage_mounttab',`
+@@ -5550,7 +6131,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -69640,7 +69762,7 @@ index e1e814d..dc3148a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5558,12 +6102,13 @@ interface(`files_manage_mounttab',`
+@@ -5558,12 +6139,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -69656,7 +69778,7 @@ index e1e814d..dc3148a 100644
')
########################################
-@@ -5581,6 +6126,7 @@ interface(`files_search_locks',`
+@@ -5581,6 +6163,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -69664,7 +69786,7 @@ index e1e814d..dc3148a 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5607,7 +6153,7 @@ interface(`files_dontaudit_search_locks',`
+@@ -5607,7 +6190,7 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -69673,7 +69795,7 @@ index e1e814d..dc3148a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5615,13 +6161,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5615,13 +6198,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -69690,7 +69812,7 @@ index e1e814d..dc3148a 100644
')
########################################
-@@ -5640,7 +6185,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5640,7 +6222,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -69699,7 +69821,7 @@ index e1e814d..dc3148a 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5673,7 +6218,6 @@ interface(`files_create_lock_dirs',`
+@@ -5673,7 +6255,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -69707,7 +69829,7 @@ index e1e814d..dc3148a 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5701,8 +6245,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5701,8 +6282,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -69717,7 +69839,7 @@ index e1e814d..dc3148a 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5718,13 +6261,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5718,13 +6298,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -69735,7 +69857,7 @@ index e1e814d..dc3148a 100644
')
########################################
-@@ -5743,8 +6285,7 @@ interface(`files_manage_generic_locks',`
+@@ -5743,8 +6322,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -69745,7 +69867,7 @@ index e1e814d..dc3148a 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5786,8 +6327,7 @@ interface(`files_read_all_locks',`
+@@ -5786,8 +6364,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -69755,7 +69877,7 @@ index e1e814d..dc3148a 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6349,7 @@ interface(`files_manage_all_locks',`
+@@ -5809,8 +6386,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -69765,7 +69887,7 @@ index e1e814d..dc3148a 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5847,8 +6386,7 @@ interface(`files_lock_filetrans',`
+@@ -5847,8 +6423,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -69775,7 +69897,7 @@ index e1e814d..dc3148a 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5911,6 +6449,43 @@ interface(`files_search_pids',`
+@@ -5911,6 +6486,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -69819,123 +69941,76 @@ index e1e814d..dc3148a 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5933,6 +6508,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5933,28 +6545,47 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
+-## List the contents of the runtime process
+-## ID directories (/var/run).
+## Do not audit attempts to search
+## the all /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_search_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ## List the contents of the runtime process
- ## ID directories (/var/run).
- ## </summary>
-@@ -6048,7 +6642,6 @@ interface(`files_pid_filetrans',`
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- filetrans_pattern($1, var_run_t, $2, $3, $4)
- ')
-
-@@ -6157,30 +6750,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
-
- ########################################
- ## <summary>
--## Read all process ID files.
-+## Relable all pid directories
## </summary>
## <param name="domain">
## <summary>
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain to not audit.
## </summary>
## </param>
--## <rolecap/>
#
--interface(`files_read_all_pids',`
-+interface(`files_relabel_all_pid_dirs',`
+-interface(`files_list_pids',`
++interface(`files_dontaudit_search_all_pids',`
gen_require(`
- attribute pidfile;
- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
-+ relabel_dirs_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ## <summary>
--## Mount filesystems on all polyinstantiation
--## member directories.
-+## Delete all pid sockets
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6188,43 +6776,213 @@ interface(`files_read_all_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_mounton_all_poly_members',`
-+interface(`files_delete_all_pid_sockets',`
- gen_require(`
-- attribute polymember;
+ attribute pidfile;
')
-- allow $1 polymember:dir mounton;
-+ allow $1 pidfile:sock_file delete_sock_file_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
++ dontaudit $1 pidfile:dir search_dir_perms;
')
########################################
## <summary>
--## Delete all process IDs.
-+## Create all pid sockets
- ## </summary>
+-## Read generic process ID files.
+-## </summary>
++## List the contents of the runtime process
++## ID directories (/var/run).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_list_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ list_dirs_pattern($1, var_t, var_run_t)
++')
++
++########################################
++## <summary>
++## Read generic process ID files.
++## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_delete_all_pids',`
-+interface(`files_create_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
+@@ -6048,7 +6679,6 @@ interface(`files_pid_filetrans',`
')
-- allow $1 var_t:dir search_dir_perms;
+ allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+ allow $1 pidfile:sock_file create_sock_file_perms;
+ filetrans_pattern($1, var_run_t, $2, $3, $4)
')
+@@ -6157,6 +6787,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+
########################################
## <summary>
--## Delete all process ID directories.
-+## Create all pid named pipes
++## Relable all pid directories
+## </summary>
+## <param name="domain">
+## <summary>
@@ -69943,17 +70018,17 @@ index e1e814d..dc3148a 100644
+## </summary>
+## </param>
+#
-+interface(`files_create_all_pid_pipes',`
++interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ allow $1 pidfile:fifo_file create_fifo_file_perms;
++ relabel_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
-+## Delete all pid named pipes
++## Delete all pid sockets
+## </summary>
+## <param name="domain">
+## <summary>
@@ -69961,18 +70036,17 @@ index e1e814d..dc3148a 100644
+## </summary>
+## </param>
+#
-+interface(`files_delete_all_pid_pipes',`
++interface(`files_delete_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
++ allow $1 pidfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
-+## manage all pidfile directories
-+## in the /var/run directory.
++## Create all pid sockets
+## </summary>
+## <param name="domain">
+## <summary>
@@ -69980,40 +70054,35 @@ index e1e814d..dc3148a 100644
+## </summary>
+## </param>
+#
-+interface(`files_manage_all_pid_dirs',`
++interface(`files_create_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ manage_dirs_pattern($1,pidfile,pidfile)
++ allow $1 pidfile:sock_file create_sock_file_perms;
+')
+
-+
+########################################
+## <summary>
-+## Read all process ID files.
++## Create all pid named pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`files_read_all_pids',`
++interface(`files_create_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
-+ type var_t;
+ ')
+
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
-+ read_lnk_files_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+## <summary>
-+## Relable all pid files
++## Delete all pid named pipes
+## </summary>
+## <param name="domain">
+## <summary>
@@ -70021,17 +70090,18 @@ index e1e814d..dc3148a 100644
+## </summary>
+## </param>
+#
-+interface(`files_relabel_all_pid_files',`
++interface(`files_delete_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ relabel_files_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+## <summary>
-+## Execute generic programs in /var/run in the caller domain.
++## manage all pidfile directories
++## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -70039,18 +70109,37 @@ index e1e814d..dc3148a 100644
+## </summary>
+## </param>
+#
-+interface(`files_exec_generic_pid_files',`
++interface(`files_manage_all_pid_dirs',`
+ gen_require(`
-+ type var_run_t;
++ attribute pidfile;
+ ')
+
-+ exec_files_pattern($1, var_run_t, var_run_t)
++ manage_dirs_pattern($1,pidfile,pidfile)
+')
+
++
+########################################
+## <summary>
-+## manage all pidfiles
-+## in the /var/run directory.
+ ## Read all process ID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -6169,12 +6909,67 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ interface(`files_read_all_pids',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
++ type var_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++## Relable all pid files
+## </summary>
+## <param name="domain">
+## <summary>
@@ -70058,18 +70147,17 @@ index e1e814d..dc3148a 100644
+## </summary>
+## </param>
+#
-+interface(`files_manage_all_pids',`
++interface(`files_relabel_all_pid_files',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ manage_files_pattern($1,pidfile,pidfile)
++ relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
-+## Mount filesystems on all polyinstantiation
-+## member directories.
++## Execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -70077,47 +70165,35 @@ index e1e814d..dc3148a 100644
+## </summary>
+## </param>
+#
-+interface(`files_mounton_all_poly_members',`
++interface(`files_exec_generic_pid_files',`
+ gen_require(`
-+ attribute polymember;
++ type var_run_t;
+ ')
+
-+ allow $1 polymember:dir mounton;
++ exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
-+## Delete all process IDs.
++## manage all pidfiles
++## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`files_delete_all_pids',`
++interface(`files_manage_all_pids',`
+ gen_require(`
+ attribute pidfile;
-+ type var_t, var_run_t;
+ ')
+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+## <summary>
-+## Delete all process ID directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6245,6 +7003,90 @@ interface(`files_delete_all_pid_dirs',`
++ manage_files_pattern($1,pidfile,pidfile)
+ ')
+
+ ########################################
+@@ -6245,6 +7040,90 @@ interface(`files_delete_all_pid_dirs',`
########################################
## <summary>
@@ -70208,7 +70284,7 @@ index e1e814d..dc3148a 100644
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -6467,3 +7309,345 @@ interface(`files_unconfined',`
+@@ -6467,3 +7346,345 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -74213,7 +74289,7 @@ index 234a940..d340f20 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index e5aee97..681001d 100644
+index e5aee97..33b7a7f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,64 @@ policy_module(staff, 2.3.0)
@@ -74381,7 +74457,7 @@ index e5aee97..681001d 100644
')
optional_policy(`
-@@ -35,15 +174,27 @@ optional_policy(`
+@@ -35,15 +174,31 @@ optional_policy(`
')
optional_policy(`
@@ -74407,11 +74483,15 @@ index e5aee97..681001d 100644
optional_policy(`
- sudo_role_template(staff, staff_r, staff_t)
++ sandbox_x_transition(staff_t, staff_r)
++')
++
++optional_policy(`
+ screen_role_template(staff, staff_r, staff_t)
')
optional_policy(`
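Review bot: Only the X variant is wired here with `sandbox_x_transition(staff_t, staff_r)`, while nothing in this commit grants staff_r (nor user_r or unconfined_r in the sibling hunks) `sandbox_transition` for the plain `sandbox_domain` that the split moves into sandbox.te. That may be deliberate given the spec now ships `sandbox.disabled` by default, but a reader cannot tell from this hunk how a non-X sandbox reaches `sandbox_t` once the module is enabled. Either the matching `optional_policy(\` sandbox_transition(staff_t, staff_r) ')` block or a comment such as `# plain sandbox_t entry is granted elsewhere once the sandbox module is enabled` would settle it.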
-@@ -52,10 +203,59 @@ optional_policy(`
+@@ -52,10 +207,59 @@ optional_policy(`
')
optional_policy(`
@@ -74471,7 +74551,7 @@ index e5aee97..681001d 100644
xserver_role(staff_r, staff_t)
')
-@@ -65,10 +265,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +269,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -74482,7 +74562,7 @@ index e5aee97..681001d 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -93,18 +289,10 @@ ifndef(`distro_redhat',`
+@@ -93,18 +293,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -74501,7 +74581,7 @@ index e5aee97..681001d 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +313,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +317,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -74512,7 +74592,7 @@ index e5aee97..681001d 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +325,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +329,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -74523,7 +74603,7 @@ index e5aee97..681001d 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +356,15 @@ ifndef(`distro_redhat',`
+@@ -176,3 +360,15 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -75772,10 +75852,10 @@ index 0000000..bac0dc0
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..f4b7823
+index 0000000..20bc285
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,380 @@
+@@ -0,0 +1,384 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -75953,6 +76033,10 @@ index 0000000..f4b7823
+ ')
+
+ optional_policy(`
++ sandbox_x_transition(unconfined_t, unconfined_r)
++ ')
++
++ optional_policy(`
+ shutdown_run(unconfined_t, unconfined_r)
+ ')
+
@@ -76167,7 +76251,7 @@ index 3835596..fbca2be 100644
########################################
## <summary>
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 9f6d4c3..7852ae3 100644
+index 9f6d4c3..3473a92 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
@@ -76183,7 +76267,7 @@ index 9f6d4c3..7852ae3 100644
# this module should be named user, but that is
# a compile error since user is a keyword.
-@@ -12,12 +19,90 @@ role user_r;
+@@ -12,12 +19,94 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -76267,6 +76351,10 @@ index 9f6d4c3..7852ae3 100644
+')
+
+optional_policy(`
++ sandbox_x_transition(user_t, user_r)
++')
++
++optional_policy(`
+ ssh_role_template(user, user_r, user_t)
+')
+
@@ -76275,7 +76363,7 @@ index 9f6d4c3..7852ae3 100644
')
optional_policy(`
-@@ -25,6 +110,18 @@ optional_policy(`
+@@ -25,6 +114,18 @@ optional_policy(`
')
optional_policy(`
@@ -76294,7 +76382,7 @@ index 9f6d4c3..7852ae3 100644
vlock_run(user_t, user_r)
')
-@@ -66,10 +163,6 @@ ifndef(`distro_redhat',`
+@@ -66,10 +167,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -76305,7 +76393,7 @@ index 9f6d4c3..7852ae3 100644
gpg_role(user_r, user_t)
')
-@@ -102,10 +195,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +199,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -76316,7 +76404,7 @@ index 9f6d4c3..7852ae3 100644
postgresql_role(user_r, user_t)
')
-@@ -128,7 +217,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +221,6 @@ ifndef(`distro_redhat',`
optional_policy(`
ssh_role_template(user, user_r, user_t)
')
@@ -76324,7 +76412,7 @@ index 9f6d4c3..7852ae3 100644
optional_policy(`
su_role_template(user, user_r, user_t)
')
-@@ -161,3 +249,10 @@ ifndef(`distro_redhat',`
+@@ -161,3 +253,10 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 0869c84..82c358b 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -39812,20 +39812,10 @@ index ceafba6..dbf1b71 100644
+ udev_read_db(pcscd_t)
+')
diff --git a/pegasus.te b/pegasus.te
-index 3185114..35dbccb 100644
+index 3185114..e196595 100644
--- a/pegasus.te
+++ b/pegasus.te
-@@ -9,6 +9,9 @@ type pegasus_t;
- type pegasus_exec_t;
- init_daemon_domain(pegasus_t, pegasus_exec_t)
-
-+type pegasus_cache_t;
-+files_type(pegasus_cache_t)
-+
- type pegasus_data_t;
- files_type(pegasus_data_t)
-
-@@ -16,7 +19,7 @@ type pegasus_tmp_t;
+@@ -16,7 +16,7 @@ type pegasus_tmp_t;
files_tmp_file(pegasus_tmp_t)
type pegasus_conf_t;
@@ -39834,7 +39824,7 @@ index 3185114..35dbccb 100644
type pegasus_mof_t;
files_type(pegasus_mof_t)
-@@ -29,7 +32,7 @@ files_pid_file(pegasus_var_run_t)
+@@ -29,7 +29,7 @@ files_pid_file(pegasus_var_run_t)
# Local policy
#
@@ -39843,7 +39833,7 @@ index 3185114..35dbccb 100644
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
-@@ -38,9 +41,14 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
+@@ -38,7 +38,7 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
allow pegasus_t self:tcp_socket create_stream_socket_perms;
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
@@ -39851,15 +39841,8 @@ index 3185114..35dbccb 100644
+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
-+manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-+manage_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-+manage_lnk_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-+files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
-+
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
- manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
- manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
-@@ -56,17 +64,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+@@ -56,17 +56,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
@@ -39883,7 +39866,7 @@ index 3185114..35dbccb 100644
corenet_all_recvfrom_netlabel(pegasus_t)
corenet_tcp_sendrecv_generic_if(pegasus_t)
corenet_tcp_sendrecv_generic_node(pegasus_t)
-@@ -95,11 +106,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -95,11 +98,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -39896,7 +39879,7 @@ index 3185114..35dbccb 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
-@@ -121,10 +132,30 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+@@ -121,10 +124,30 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
@@ -39927,7 +39910,7 @@ index 3185114..35dbccb 100644
seutil_sigchld_newrole(pegasus_t)
seutil_dontaudit_read_config(pegasus_t)
')
-@@ -136,3 +167,14 @@ optional_policy(`
+@@ -136,3 +159,14 @@ optional_policy(`
optional_policy(`
unconfined_signull(pegasus_t)
')
@@ -40769,254 +40752,6 @@ index 0000000..f29bf1d
+miscfiles_read_localization(piranha_domain)
+
+sysnet_read_config(piranha_domain)
-diff --git a/pkcsslotd.fc b/pkcsslotd.fc
-new file mode 100644
-index 0000000..dd1b8f2
---- /dev/null
-+++ b/pkcsslotd.fc
-@@ -0,0 +1,5 @@
-+/usr/lib/systemd/system/pkcsslotd.service -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
-+
-+/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
-+
-+/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
-diff --git a/pkcsslotd.if b/pkcsslotd.if
-new file mode 100644
-index 0000000..db15de4
---- /dev/null
-+++ b/pkcsslotd.if
-@@ -0,0 +1,162 @@
-+
-+## <summary>policy for pkcsslotd</summary>
-+
-+########################################
-+## <summary>
-+## Transition to pkcsslotd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`pkcsslotd_domtrans',`
-+ gen_require(`
-+ type pkcsslotd_t, pkcsslotd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, pkcsslotd_exec_t, pkcsslotd_t)
-+')
-+
-+########################################
-+## <summary>
-+## Search pkcsslotd lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`pkcsslotd_search_lib',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ allow $1 pkcsslotd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+## Read pkcsslotd lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`pkcsslotd_read_lib_files',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage pkcsslotd lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`pkcsslotd_manage_lib_files',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage pkcsslotd lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`pkcsslotd_manage_lib_dirs',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Execute pkcsslotd server in the pkcsslotd domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`pkcsslotd_systemctl',`
-+ gen_require(`
-+ type pkcsslotd_t;
-+ type pkcsslotd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
-+ allow $1 pkcsslotd_unit_file_t:file read_file_perms;
-+ allow $1 pkcsslotd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, pkcsslotd_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an pkcsslotd environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`pkcsslotd_admin',`
-+ gen_require(`
-+ type pkcsslotd_t;
-+ type pkcsslotd_var_lib_t;
-+ type pkcsslotd_unit_file_t;
-+ ')
-+
-+ allow $1 pkcsslotd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, pkcsslotd_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, pkcsslotd_var_lib_t)
-+
-+ pkcsslotd_systemctl($1)
-+ admin_pattern($1, pkcsslotd_unit_file_t)
-+ allow $1 pkcsslotd_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/pkcsslotd.te b/pkcsslotd.te
-new file mode 100644
-index 0000000..25e0365
---- /dev/null
-+++ b/pkcsslotd.te
-@@ -0,0 +1,63 @@
-+policy_module(pkcsslotd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type pkcsslotd_t;
-+type pkcsslotd_exec_t;
-+init_daemon_domain(pkcsslotd_t, pkcsslotd_exec_t)
-+
-+type pkcsslotd_var_lib_t;
-+files_type(pkcsslotd_var_lib_t)
-+
-+type pkcsslotd_unit_file_t;
-+systemd_unit_file(pkcsslotd_unit_file_t)
-+
-+type pkcsslotd_tmp_t;
-+files_tmp_file(pkcsslotd_tmp_t)
-+
-+type pkcsslotd_tmpfs_t;
-+files_tmpfs_file(pkcsslotd_tmpfs_t)
-+
-+type pkcsslotd_var_run_t;
-+files_pid_file(pkcsslotd_var_run_t)
-+
-+########################################
-+#
-+# pkcsslotd local policy
-+#
-+
-+allow pkcsslotd_t self:capability { kill };
-+allow pkcsslotd_t self:process { fork };
-+
-+allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
-+allow pkcsslotd_t self:sem create_sem_perms;
-+allow pkcsslotd_t self:shm create_shm_perms;
-+allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
-+files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir })
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
-+fs_tmpfs_filetrans(pkcsslotd_t, pkcsslotd_tmpfs_t, { dir file })
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+manage_lnk_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+files_var_lib_filetrans(pkcsslotd_t, pkcsslotd_var_lib_t, { dir file lnk_file })
-+
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t, pkcsslotd_var_run_t)
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
-+files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { file dir })
-+
-+domain_use_interactive_fds(pkcsslotd_t)
-+
-+files_read_etc_files(pkcsslotd_t)
-+
-+logging_send_syslog_msg(pkcsslotd_t)
-+
-+miscfiles_read_localization(pkcsslotd_t)
diff --git a/plymouthd.fc b/plymouthd.fc
index 5702ca4..498d856 100644
--- a/plymouthd.fc
@@ -48390,10 +48125,10 @@ index 0000000..48ea717
+')
diff --git a/realmd.te b/realmd.te
new file mode 100644
-index 0000000..5b97fd2
+index 0000000..3f5f701
--- /dev/null
+++ b/realmd.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,45 @@
+policy_module(realmd, 1.0.0)
+
+########################################
@@ -48421,8 +48156,6 @@ index 0000000..5b97fd2
+
+miscfiles_read_localization(realmd_t)
+
-+sysnet_read_config(realmd_t)
-+
+optional_policy(`
+ dbus_system_domain(realmd_t, realmd_exec_t)
+')
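Review bot: `sysnet_read_config(realmd_t)` is removed here, which is exactly the 3.11.1-14 entry "Allow realmd to read resolv.conf", yet the 3.11.1-15 changelog says nothing about reverting or relocating it. If upstream contrib now carries the rule this is fine; otherwise realmd loses read access to resolv.conf again and the earlier fix regresses. Whichever applies, a changelog line like `- realmd: sysnet_read_config now carried upstream` would make the intent auditable.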
@@ -48561,24 +48294,19 @@ index d457736..eabdd78 100644
+ stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
')
diff --git a/rgmanager.fc b/rgmanager.fc
-index 3c97ef0..9c7d1e3 100644
+index 3c97ef0..d3de440 100644
--- a/rgmanager.fc
+++ b/rgmanager.fc
-@@ -1,7 +1,13 @@
-+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+@@ -1,6 +1,8 @@
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+
-+/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
-+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
-+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
- /var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
index 7dc38d1..808f9c6 100644
--- a/rgmanager.if
@@ -53015,18 +52743,17 @@ index acd1700..778d18b 100644
#
diff --git a/sandbox.fc b/sandbox.fc
new file mode 100644
-index 0000000..6caef63
+index 0000000..b7db254
--- /dev/null
+++ b/sandbox.fc
-@@ -0,0 +1,2 @@
-+
-+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
+@@ -0,0 +1 @@
++# Empty
diff --git a/sandbox.if b/sandbox.if
new file mode 100644
-index 0000000..7a474f6
+index 0000000..ad91dbe
--- /dev/null
+++ b/sandbox.if
-@@ -0,0 +1,363 @@
+@@ -0,0 +1,56 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -53048,11 +52775,7 @@ index 0000000..7a474f6
+#
+interface(`sandbox_transition',`
+ gen_require(`
-+ type sandbox_xserver_t;
-+ type sandbox_file_t;
+ attribute sandbox_domain;
-+ attribute sandbox_x_domain;
-+ attribute sandbox_tmpfs_type;
+ ')
+
+ allow $1 sandbox_domain:process transition;
@@ -53060,12 +52783,149 @@ index 0000000..7a474f6
+ role $2 types sandbox_domain;
+ allow sandbox_domain $1:process { sigchld signull };
+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit sandbox_domain $1:process signal;
++')
++
++########################################
++## <summary>
++## Creates types and rules for a basic
++## sandbox process domain.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for the domain.
++## </summary>
++## </param>
++#
++template(`sandbox_domain_template',`
++
++ gen_require(`
++ attribute sandbox_domain;
++ attribute sandbox_type;
++ ')
++ type $1_t, sandbox_domain, sandbox_type;
++
++ application_type($1_t)
++
++ mls_rangetrans_target($1_t)
++ mcs_untrusted_proc($1_t)
++')
+diff --git a/sandbox.te b/sandbox.te
+new file mode 100644
+index 0000000..8c8db69
+--- /dev/null
++++ b/sandbox.te
+@@ -0,0 +1,65 @@
++policy_module(sandbox,1.0.0)
++
++attribute sandbox_domain;
++
++########################################
++#
++# Declarations
++#
++sandbox_domain_template(sandbox)
++
++########################################
++#
++# sandbox local policy
++#
++allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
++tunable_policy(`deny_execmem',`',`
++ allow sandbox_domain self:process execmem;
++')
++
++allow sandbox_domain self:fifo_file manage_file_perms;
++allow sandbox_domain self:sem create_sem_perms;
++allow sandbox_domain self:shm create_shm_perms;
++allow sandbox_domain self:msgq create_msgq_perms;
++allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
++allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
++dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
++dev_rw_all_inherited_chr_files(sandbox_domain)
++dev_rw_all_inherited_blk_files(sandbox_domain)
++
++can_exec(sandbox_domain, sandbox_file_t)
++allow sandbox_domain sandbox_file_t:filesystem getattr;
++manage_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_dirs_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++dontaudit sandbox_domain sandbox_file_t:dir mounton;
++
++gen_require(`
++ type usr_t, lib_t, locale_t, device_t;
++ type var_t, var_run_t, rpm_log_t, locale_t;
++ attribute exec_type, configfile;
++')
++
++kernel_dontaudit_read_system_state(sandbox_domain)
++
++corecmd_exec_all_executables(sandbox_domain)
++
++files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
++files_entrypoint_all_files(sandbox_domain)
++
++files_read_config_files(sandbox_domain)
++files_read_usr_files(sandbox_domain)
++files_read_var_files(sandbox_domain)
++files_dontaudit_search_all_dirs(sandbox_domain)
++
++miscfiles_read_localization(sandbox_domain)
++
++userdom_dontaudit_use_user_terminals(sandbox_domain)
++
++mta_dontaudit_read_spool_symlinks(sandbox_domain)
++
++sandbox_manage_tmpfs_files(sandbox_domain)
++sandbox_manage_content(sandbox_domain)
+diff --git a/sandboxX.fc b/sandboxX.fc
+new file mode 100644
+index 0000000..6caef63
+--- /dev/null
++++ b/sandboxX.fc
+@@ -0,0 +1,2 @@
++
++/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
+diff --git a/sandboxX.if b/sandboxX.if
+new file mode 100644
+index 0000000..7ff4d37
+--- /dev/null
++++ b/sandboxX.if
+@@ -0,0 +1,353 @@
++
++## <summary>policy for sandboxX </summary>
++
++########################################
++## <summary>
++## Execute sandbox in the sandbox domain, and
++## allow the specified role the sandbox domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the sandbox domain.
++## </summary>
++## </param>
++#
++interface(`sandbox_x_transition',`
++ gen_require(`
++ type sandbox_xserver_t;
++ type sandbox_file_t;
++ attribute sandbox_x_domain;
++ attribute sandbox_tmpfs_type;
++ ')
+
+ allow $1 sandbox_x_domain:process { signal_perms transition };
+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+ allow sandbox_x_domain $1:process { sigchld signull };
+ allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
-+ dontaudit sandbox_domain $1:process signal;
+ role $2 types sandbox_x_domain;
+ role $2 types sandbox_xserver_t;
+ allow $1 sandbox_xserver_t:process signal_perms;
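Review bot: The new sandbox.te grants the base `sandbox_domain` read/write on every inherited file, character-device and block-device descriptor (`dev_rw_all_inherited_chr_files`, `dev_rw_all_inherited_blk_files`, `files_rw_all_inherited_files`), so confinement of open descriptors rests entirely on the launcher closing what the sandboxed process must not see, and nothing in the file records that assumption or why the exclusion list is what it is. Suggest a comment above those lines: `# Inherited fds are reachable only if the launcher leaks them; policy does not close them.` and `# The exclusions keep inherited executables, config, /usr, /lib, locale, /var, /var/run, /dev nodes and rpm logs out of the write grant.` The file also relies on `sandbox_type`, `sandbox_file_t`, `sandbox_manage_tmpfs_files` and `sandbox_manage_content`, none of which it declares, so the base module appears to depend on `sandboxX` rather than the reverse, which deserves a one-line note at the top since `sandbox` is the module the spec disables by default. Minor: `locale_t` is listed twice in the top-level `gen_require`.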
@@ -53109,37 +52969,12 @@ index 0000000..7a474f6
+## </summary>
+## </param>
+#
-+template(`sandbox_domain_template',`
-+
-+ gen_require(`
-+ attribute sandbox_domain;
-+ attribute sandbox_type;
-+ ')
-+ type $1_t, sandbox_domain, sandbox_type;
-+
-+ application_type($1_t)
-+
-+ mls_rangetrans_target($1_t)
-+ mcs_untrusted_proc($1_t)
-+')
-+
-+########################################
-+## <summary>
-+## Creates types and rules for a basic
-+## sandbox process domain.
-+## </summary>
-+## <param name="prefix">
-+## <summary>
-+## Prefix for the domain.
-+## </summary>
-+## </param>
-+#
+template(`sandbox_x_domain_template',`
+ gen_require(`
+ type xserver_exec_t, sandbox_devpts_t;
+ type sandbox_xserver_t;
+ type sandbox_exec_t;
-+ attribute sandbox_domain, sandbox_x_domain;
++ attribute sandbox_x_domain;
+ attribute sandbox_tmpfs_type;
+ attribute sandbox_type;
+ ')
@@ -53266,6 +53101,29 @@ index 0000000..7a474f6
+
+########################################
+## <summary>
++## Manage sandbox content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`sandbox_manage_content',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ allow $1 sandbox_file_t:filesystem getattr;
++ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
++')
++
++########################################
++## <summary>
+## Delete sandbox symbolic links
+## </summary>
+## <param name="domain">
@@ -53390,16 +53248,15 @@ index 0000000..7a474f6
+
+ allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
+')
-diff --git a/sandbox.te b/sandbox.te
+diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..964fd55
+index 0000000..d091645
--- /dev/null
-+++ b/sandbox.te
-@@ -0,0 +1,506 @@
-+policy_module(sandbox,1.0.0)
++++ b/sandboxX.te
+@@ -0,0 +1,449 @@
++policy_module(sandboxX,1.0.0)
+
+dbus_stub()
-+attribute sandbox_domain;
+attribute sandbox_x_domain;
+attribute sandbox_web_type;
+attribute sandbox_file_type;
@@ -53417,8 +53274,6 @@ index 0000000..964fd55
+#
+# Declarations
+#
-+
-+sandbox_domain_template(sandbox)
+sandbox_x_domain_template(sandbox_min)
+sandbox_x_domain_template(sandbox_x)
+sandbox_x_domain_template(sandbox_web)
@@ -53520,60 +53375,6 @@ index 0000000..964fd55
+
+########################################
+#
-+# sandbox local policy
-+#
-+
-+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
-+tunable_policy(`deny_execmem',`',`
-+ allow sandbox_domain self:process execmem;
-+')
-+
-+allow sandbox_domain self:fifo_file manage_file_perms;
-+allow sandbox_domain self:sem create_sem_perms;
-+allow sandbox_domain self:shm create_shm_perms;
-+allow sandbox_domain self:msgq create_msgq_perms;
-+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
-+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
-+dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+
-+dev_rw_all_inherited_chr_files(sandbox_domain)
-+dev_rw_all_inherited_blk_files(sandbox_domain)
-+
-+can_exec(sandbox_domain, sandbox_file_t)
-+allow sandbox_domain sandbox_file_t:filesystem getattr;
-+manage_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
-+manage_dirs_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
-+manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
-+manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
-+manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
-+dontaudit sandbox_domain sandbox_file_t:dir mounton;
-+
-+gen_require(`
-+ type usr_t, lib_t, locale_t;
-+ type var_t, var_run_t, rpm_log_t, locale_t;
-+ attribute exec_type, configfile;
-+')
-+
-+kernel_dontaudit_read_system_state(sandbox_domain)
-+
-+corecmd_exec_all_executables(sandbox_domain)
-+
-+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
-+files_entrypoint_all_files(sandbox_domain)
-+
-+files_read_config_files(sandbox_domain)
-+files_read_usr_files(sandbox_domain)
-+files_read_var_files(sandbox_domain)
-+files_dontaudit_search_all_dirs(sandbox_domain)
-+
-+miscfiles_read_localization(sandbox_domain)
-+
-+userdom_dontaudit_use_user_terminals(sandbox_domain)
-+
-+mta_dontaudit_read_spool_symlinks(sandbox_domain)
-+
-+########################################
-+#
+# sandbox_x_domain local policy
+#
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
@@ -61898,7 +61699,7 @@ index 32a3c13..759f08c 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index 2124b6a..1b23633 100644
+index 2124b6a..b52dc56 100644
--- a/virt.fc
+++ b/virt.fc
@@ -1,6 +1,14 @@
@@ -61918,7 +61719,7 @@ index 2124b6a..1b23633 100644
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +20,53 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +20,52 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@@ -61930,7 +61731,6 @@ index 2124b6a..1b23633 100644
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
-+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
-/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7f1e0e4..bb6c498 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 14%{?dist}
+Release: 15%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -139,6 +139,7 @@ bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp > %{buildroot}/%{_syscon
rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.disabled \
/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
@@ -239,6 +240,8 @@ if [ -e /etc/selinux/%2/.rebuild ]; then \
fi \
rm -f /etc/selinux/%2/modules/active/modules/qemu.pp /etc/selinux/%2/modules/active/modules/nsplugin.pp /etc/selinux/%2/modules/active/modules/razor.pp /etc/selinux/%2/modules/active/modules/pyzord.pp \
/usr/sbin/semodule -B -n -s %2; \
+else \
+ touch /etc/selinux/%2/modules/active/modules/sandbox.disabled
fi; \
[ "${SELINUXTYPE}" == "%2" ] && selinuxenabled && load_policy; \
if [ %1 -eq 1 ]; then \
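Review bot: The added `touch /etc/selinux/%2/modules/active/modules/sandbox.disabled` line carries no trailing `\`, while every other line of this macro body continues with one, so the macro definition ends at that line and `fi; \` plus the rest of the scriptlet fall outside it, unless the archive stripped the backslash. It should read `touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \`. This `else` branch also runs whenever no `.rebuild` marker exists, which appears to include ordinary upgrades, so the marker would be re-created on every update rather than only on fresh installs as the changelog states, silently undoing an administrator's `semodule -e sandbox`; if that is not intended, move the `touch` under the `[ %1 -eq 1 ]` check that follows a few lines below.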
@@ -491,6 +494,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Aug 31 2012 Dan Walsh <dwalsh at redhat.com> 3.11.1-15
+- Separate sandbox policy into sandbox and sandboxX, and disable sandbox by default on fresh installs
+- Allow domains that can read etc_t to read etc_runtime_t
+- Allow all domains to use inherited tmpfiles
+
* Wed Aug 29 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-14
- Allow realmd to read resolv.conf
- Add pegasus_cache_t type