[selinux-policy/f18] - Allow svirt to use netlink_route_socket which was a part of auth_use_ns - Add additional labeling
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Dec 14 23:46:58 UTC 2012
commit 617c9c8df8be84f9bfee73a38702ec5567b1b85f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Sat Dec 15 00:45:23 2012 +0100
- Allow svirt to use netlink_route_socket, which was a part of auth_use_nsswitch
- Add additional labeling for /var/www/openshift/broker
- Fix rhev policy
- Allow openshift_initrc domain to dbus chat with systemd_logind
- Allow httpd to getattr passenger log file if run_stickshift
- Allow consolehelper-gtk to connect to xserver
- Add labeling for the tmp-inst directory defined in pam_namespace.conf
- Add lvm_metadata_t labeling for /etc/multipath
policy-rawhide.patch | 40 +++--
policy_contrib-rawhide.patch | 378 ++++++++++++++++++++++++++++++------------
selinux-policy.spec | 12 ++-
3 files changed, 314 insertions(+), 116 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 336e460..0706dc0 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -117450,7 +117450,7 @@ index cf04cb5..09a61e6 100644
+ ')
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 8796ca3..c2055b3 100644
+index 8796ca3..cb02728 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -117583,7 +117583,7 @@ index 8796ca3..c2055b3 100644
#
# /selinux
#
-@@ -178,13 +190,13 @@ ifdef(`distro_debian',`
+@@ -178,13 +190,14 @@ ifdef(`distro_debian',`
#
# /srv
#
@@ -117596,10 +117596,11 @@ index 8796ca3..c2055b3 100644
#
-/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/tmp/.* <<none>>
/tmp/\.journal <<none>>
-@@ -194,9 +206,10 @@ ifdef(`distro_debian',`
+@@ -194,9 +207,10 @@ ifdef(`distro_debian',`
#
# /usr
#
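Review bot: The new `/tmp-inst` entry in this hunk carries no file-type flag, whereas the `/var/tmp-inst` entry added later in this file (hunk at -117668) is written `-d`; for a pam_namespace instance parent that should only ever be a directory, `/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)` keeps the two consistent. The existing `/tmp/.* <<none>>` line leaves the contents of /tmp to their runtime labels, but there is no matching `/tmp-inst/.*` (or `/var/tmp-inst/.*`) entry, so a recursive relabel would presumably touch the per-user instance directories that pam_namespace creates below them — worth confirming whether a `<<none>>` entry is wanted there as well.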
@@ -117611,7 +117612,7 @@ index 8796ca3..c2055b3 100644
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -204,15 +217,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +218,9 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
@@ -117628,7 +117629,7 @@ index 8796ca3..c2055b3 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-@@ -220,8 +227,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +228,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
@@ -117637,7 +117638,7 @@ index 8796ca3..c2055b3 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -229,7 +234,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +235,7 @@ ifndef(`distro_redhat',`
#
# /var
#
@@ -117646,7 +117647,7 @@ index 8796ca3..c2055b3 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
-@@ -237,11 +242,21 @@ ifndef(`distro_redhat',`
+@@ -237,11 +243,21 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -117668,7 +117669,15 @@ index 8796ca3..c2055b3 100644
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>>
-@@ -264,3 +279,5 @@ ifndef(`distro_redhat',`
+@@ -256,6 +272,7 @@ ifndef(`distro_redhat',`
+
+ /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
++/var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /var/tmp/.* <<none>>
+ /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /var/tmp/lost\+found/.* <<none>>
+@@ -264,3 +281,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
@@ -137342,10 +137351,17 @@ index 0034021..c62bd95 100644
+ kernel_dgram_send(syslog_client_type)
+')
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..0b3cc40 100644
+index 879bb1e..c11d48b 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
-@@ -28,23 +28,27 @@ ifdef(`distro_gentoo',`
+@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',`
+ /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+ /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+
++/etc/multipath(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
++
+ #
+ # /lib
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
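Review bot: `/etc/multipath(/.*)?` matches the directory and everything under it but not `/etc/multipath.conf`, because the optional group only extends with a slash; if the changelog's intent (lvm_metadata_t for /etc/multipath) includes the top-level config file it needs its own entry, `/etc/multipath\.conf -- gen_context(system_u:object_r:lvm_metadata_t,s0)`, and if it is deliberately left as etc_t a comment saying so would stop the next person from adding it. Moving configuration under /etc from etc_t to the type this file already uses for /etc/lvmtab and /var/cache/multipathd makes it writable by whichever domains manage lvm_metadata_t, which is presumably the point but deserves a one-line comment above the entry.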
@@ -137374,7 +137390,7 @@ index 879bb1e..0b3cc40 100644
/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +92,69 @@ ifdef(`distro_gentoo',`
+@@ -88,8 +94,69 @@ ifdef(`distro_gentoo',`
#
# /usr
#
@@ -137446,7 +137462,7 @@ index 879bb1e..0b3cc40 100644
#
# /var
-@@ -97,5 +162,7 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +164,7 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 69f8e07..efe0c0b 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -2132,7 +2132,7 @@ index 0000000..feabdf3
+ files_getattr_all_sockets(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index fd9fa07..12398f6 100644
+index fd9fa07..cca43af 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,20 +1,37 @@
@@ -2289,7 +2289,7 @@ index fd9fa07..12398f6 100644
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +155,26 @@ ifdef(`distro_debian', `
+@@ -109,3 +155,34 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -2307,6 +2307,14 @@ index fd9fa07..12398f6 100644
+
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
++/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
++/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++
++/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++
+/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
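Review bot: The broker tree gets only `httpd/logs` and `httpd/run` entries while the console tree also gets `console/tmp` (httpd_tmp_t) and `console/log` (httpd_log_t); the commit message promises additional labeling for `/var/www/openshift/broker`, so either `/var/www/openshift/broker/tmp(/.*)?` and `/var/www/openshift/broker/log(/.*)?` entries are missing or the asymmetry deserves a comment saying the broker has no such directories. Whether those directories exist cannot be told from the hunk.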
@@ -3139,7 +3147,7 @@ index 6480167..7b2ad39 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 0833afb..3d0cc42 100644
+index 0833afb..2864927 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3956,7 +3964,7 @@ index 0833afb..3d0cc42 100644
########################################
#
# Apache helper local policy
-@@ -633,7 +1033,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1033,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -3980,6 +3988,7 @@ index 0833afb..3d0cc42 100644
+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ passenger_manage_lib_files(httpd_t)
++ passenger_getattr_log_files(httpd_t)
+ ',`
+ passenger_domtrans(httpd_t)
+ passenger_read_lib_files(httpd_t)
@@ -4000,7 +4009,7 @@ index 0833afb..3d0cc42 100644
########################################
#
-@@ -671,28 +1106,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1107,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -4044,7 +4053,7 @@ index 0833afb..3d0cc42 100644
')
########################################
-@@ -702,6 +1139,7 @@ optional_policy(`
+@@ -702,6 +1140,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -4052,7 +4061,7 @@ index 0833afb..3d0cc42 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1154,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1155,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -4081,7 +4090,7 @@ index 0833afb..3d0cc42 100644
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -738,15 +1184,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1185,14 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -4099,7 +4108,7 @@ index 0833afb..3d0cc42 100644
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1202,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1203,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -4132,7 +4141,7 @@ index 0833afb..3d0cc42 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1249,25 @@ optional_policy(`
+@@ -786,6 +1250,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -4158,7 +4167,7 @@ index 0833afb..3d0cc42 100644
########################################
#
# Apache system script local policy
-@@ -806,12 +1288,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1289,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -4176,7 +4185,7 @@ index 0833afb..3d0cc42 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -820,18 +1307,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1308,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -4235,7 +4244,7 @@ index 0833afb..3d0cc42 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1358,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1359,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -4276,7 +4285,7 @@ index 0833afb..3d0cc42 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,15 +1398,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+@@ -854,15 +1399,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
optional_policy(`
clamav_domtrans_clamscan(httpd_sys_script_t)
@@ -4303,7 +4312,7 @@ index 0833afb..3d0cc42 100644
')
########################################
-@@ -878,11 +1433,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1434,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -4315,7 +4324,7 @@ index 0833afb..3d0cc42 100644
########################################
#
-@@ -908,11 +1461,138 @@ optional_policy(`
+@@ -908,11 +1462,138 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -19019,7 +19028,7 @@ index e1d7dc5..66d42bb 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/dovecot.te b/dovecot.te
-index 2df7766..0022b87 100644
+index 2df7766..d4e008b 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -4,12 +4,12 @@ policy_module(dovecot, 1.14.0)
@@ -19068,7 +19077,7 @@ index 2df7766..0022b87 100644
type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)
-@@ -51,17 +53,36 @@ logging_log_file(dovecot_var_log_t)
+@@ -51,17 +53,37 @@ logging_log_file(dovecot_var_log_t)
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
@@ -19085,6 +19094,7 @@ index 2df7766..0022b87 100644
+kernel_read_all_sysctls(dovecot_domain)
+
+corecmd_exec_bin(dovecot_domain)
++corecmd_exec_shell(dovecot_domain)
+
+dev_read_sysfs(dovecot_domain)
+dev_read_rand(dovecot_domain)
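Review bot: `corecmd_exec_shell(dovecot_domain)` grants shell execution to every domain carrying the dovecot_domain attribute, which presumably includes dovecot_t, dovecot_auth_t and dovecot_deliver_t, whose local-policy blocks appear later in this file section; the change is not among the commit message's bullets. If only one of those domains runs a shell, the rule should sit in that domain's local policy block rather than on the shared attribute; if all of them do, a comment naming the operation (`# [which program] invokes a shell — TODO confirm`) would justify the broad grant.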
@@ -19109,7 +19119,7 @@ index 2df7766..0022b87 100644
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-@@ -72,7 +93,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+@@ -72,7 +94,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
@@ -19120,7 +19130,7 @@ index 2df7766..0022b87 100644
files_search_etc(dovecot_t)
can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,15 +117,13 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -94,15 +118,13 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -19139,7 +19149,7 @@ index 2df7766..0022b87 100644
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_generic_if(dovecot_t)
corenet_tcp_sendrecv_generic_node(dovecot_t)
-@@ -110,41 +131,36 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+@@ -110,41 +132,36 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
@@ -19187,7 +19197,7 @@ index 2df7766..0022b87 100644
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
-@@ -153,10 +169,23 @@ userdom_manage_user_home_content_pipes(dovecot_t)
+@@ -153,10 +170,23 @@ userdom_manage_user_home_content_pipes(dovecot_t)
userdom_manage_user_home_content_sockets(dovecot_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
@@ -19213,7 +19223,7 @@ index 2df7766..0022b87 100644
')
optional_policy(`
-@@ -164,6 +193,11 @@ optional_policy(`
+@@ -164,6 +194,11 @@ optional_policy(`
')
optional_policy(`
@@ -19225,7 +19235,7 @@ index 2df7766..0022b87 100644
seutil_sigchld_newrole(dovecot_t)
')
-@@ -180,16 +214,17 @@ optional_policy(`
+@@ -180,16 +215,17 @@ optional_policy(`
# dovecot auth local policy
#
@@ -19247,7 +19257,7 @@ index 2df7766..0022b87 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -198,31 +233,24 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+@@ -198,31 +234,24 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
dovecot_stream_connect_auth(dovecot_auth_t)
@@ -19284,7 +19294,7 @@ index 2df7766..0022b87 100644
optional_policy(`
kerberos_use(dovecot_auth_t)
-@@ -236,6 +264,8 @@ optional_policy(`
+@@ -236,6 +265,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -19293,7 +19303,7 @@ index 2df7766..0022b87 100644
')
optional_policy(`
-@@ -243,6 +273,8 @@ optional_policy(`
+@@ -243,6 +274,8 @@ optional_policy(`
')
optional_policy(`
@@ -19302,7 +19312,7 @@ index 2df7766..0022b87 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,25 +282,32 @@ optional_policy(`
+@@ -250,25 +283,32 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -19345,7 +19355,7 @@ index 2df7766..0022b87 100644
dovecot_stream_connect_auth(dovecot_deliver_t)
-@@ -283,24 +322,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +323,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@@ -21595,7 +21605,7 @@ index ebad8c4..640293e 100644
')
-
diff --git a/fprintd.te b/fprintd.te
-index 7df52c7..523df56 100644
+index 7df52c7..46499bd 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -7,7 +7,7 @@ policy_module(fprintd, 1.1.0)
@@ -21635,7 +21645,7 @@ index 7df52c7..523df56 100644
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
-@@ -50,8 +49,13 @@ optional_policy(`
+@@ -50,8 +49,17 @@ optional_policy(`
')
optional_policy(`
@@ -21648,6 +21658,10 @@ index 7df52c7..523df56 100644
policykit_dbus_chat(fprintd_t)
policykit_domtrans_auth(fprintd_t)
+ policykit_dbus_chat_auth(fprintd_t)
++')
++
++optional_policy(`
++ xserver_read_state_xdm(fprintd_t)
')
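Review bot: `xserver_read_state_xdm(fprintd_t)` is added without a comment and is not among the commit message's bullets; the same grant appears for realmd_t in the realmd.te hunk (at -54355). fprintd's surrounding block deals with policykit and realmd's with sssd, so the connection to the display manager's process state is not obvious from the hunks, and a why-comment above each new block, e.g. `# reads xdm process state to [reason — TODO confirm]`, would record which denial motivated it.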
diff --git a/ftp.fc b/ftp.fc
index 69dcd2a..4d97da7 100644
@@ -34524,7 +34538,7 @@ index b397fde..c7c031d 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..22603ee 100644
+index d4fcb75..72efe21 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -34971,7 +34985,7 @@ index d4fcb75..22603ee 100644
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
-+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_config_t)
++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
+
+dev_search_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
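Review bot: The corrected `ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)` still lacks the space after the comma that every other pattern call in this patch uses (e.g. `manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)`); `ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)` matches the file's style. The fix itself — the old line granted the config domain ps access only to itself — is not mentioned in the commit message.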
@@ -36849,7 +36863,7 @@ index c358d8f..1cc176c 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index f17583b..4188970 100644
+index f17583b..dd96224 100644
--- a/munin.te
+++ b/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -36940,7 +36954,13 @@ index f17583b..4188970 100644
mta_read_queue(munin_t)
')
-@@ -159,6 +170,7 @@ optional_policy(`
+@@ -155,10 +166,13 @@ optional_policy(`
+
+ optional_policy(`
+ netutils_domtrans_ping(munin_t)
++ netutils_signal_ping(munin_t)
++ netutils_kill_ping(munin_t)
+ ')
optional_policy(`
postfix_list_spool(munin_t)
@@ -36948,7 +36968,7 @@ index f17583b..4188970 100644
')
optional_policy(`
-@@ -182,6 +194,7 @@ optional_policy(`
+@@ -182,6 +196,7 @@ optional_policy(`
# local policy for disk plugins
#
@@ -36956,7 +36976,7 @@ index f17583b..4188970 100644
allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -190,15 +203,15 @@ corecmd_exec_shell(disk_munin_plugin_t)
+@@ -190,15 +205,15 @@ corecmd_exec_shell(disk_munin_plugin_t)
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
@@ -36976,7 +36996,7 @@ index f17583b..4188970 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -221,30 +234,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -221,30 +236,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
dev_read_urand(mail_munin_plugin_t)
@@ -37030,7 +37050,7 @@ index f17583b..4188970 100644
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
allow services_munin_plugin_t self:udp_socket create_socket_perms;
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +285,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +287,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
dev_read_urand(services_munin_plugin_t)
dev_read_rand(services_munin_plugin_t)
@@ -37045,7 +37065,7 @@ index f17583b..4188970 100644
cups_stream_connect(services_munin_plugin_t)
')
-@@ -279,6 +306,10 @@ optional_policy(`
+@@ -279,6 +308,10 @@ optional_policy(`
')
optional_policy(`
@@ -37056,7 +37076,7 @@ index f17583b..4188970 100644
postgresql_stream_connect(services_munin_plugin_t)
')
-@@ -286,6 +317,18 @@ optional_policy(`
+@@ -286,6 +319,18 @@ optional_policy(`
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
')
@@ -37075,7 +37095,7 @@ index f17583b..4188970 100644
##################################
#
# local policy for system plugins
-@@ -295,12 +338,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,12 +340,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -37091,7 +37111,7 @@ index f17583b..4188970 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +354,45 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +356,47 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -37116,6 +37136,8 @@ index f17583b..4188970 100644
+# local policy for munin plugin domains
+#
+
++allow munin_plugin_domain self:process signal;
++
+allow munin_plugin_domain munin_exec_t:file read_file_perms;
+allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
+
@@ -42863,10 +42885,10 @@ index 0000000..6e20e72
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..a33452e
+index 0000000..d97b009
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,379 @@
+@@ -0,0 +1,383 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -42938,6 +42960,7 @@ index 0000000..a33452e
+#
+# Template to create openshift_t and openshift_app_t
+#
++
+openshift_service_domain_template(openshift)
+
+########################################
@@ -42947,6 +42970,8 @@ index 0000000..a33452e
+unconfined_domain_noaudit(openshift_initrc_t)
+mcs_process_set_categories(openshift_initrc_t)
+
++systemd_dbus_chat_logind(openshift_initrc_t)
++
+manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
@@ -43044,6 +43069,7 @@ index 0000000..a33452e
+
+dev_read_sysfs(openshift_domain)
+dev_read_rand(openshift_domain)
++dev_read_urand(openshift_domain)
+dev_dontaudit_append_rand(openshift_domain)
+dev_dontaudit_write_urand(openshift_domain)
+dev_dontaudit_getattr_all_blk_files(openshift_domain)
@@ -44194,10 +44220,10 @@ index 545518d..677ac68 100644
/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/passenger.if b/passenger.if
-index f68b573..8fb9cd3 100644
+index f68b573..c050b37 100644
--- a/passenger.if
+++ b/passenger.if
-@@ -18,6 +18,24 @@ interface(`passenger_domtrans',`
+@@ -18,6 +18,42 @@ interface(`passenger_domtrans',`
domtrans_pattern($1, passenger_exec_t, passenger_t)
')
@@ -44219,10 +44245,28 @@ index f68b573..8fb9cd3 100644
+ can_exec($1, passenger_exec_t)
+')
+
++#######################################
++## <summary>
++## Getattr passenger log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`passenger_getattr_log_files',`
++ gen_require(`
++ type passenger_log_t;
++ ')
++
++ getattr_files_pattern($1, passenger_log_t, passenger_log_t)
++')
++
########################################
## <summary>
## Read passenger lib files
-@@ -37,3 +55,84 @@ interface(`passenger_read_lib_files',`
+@@ -37,3 +73,84 @@ interface(`passenger_read_lib_files',`
read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
files_search_var_lib($1)
')
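Review bot: `passenger_getattr_log_files` grants getattr on passenger_log_t files but nothing on the directories leading to them, whereas the neighbouring `passenger_read_lib_files` ends with `files_search_var_lib($1)`; if passenger_log_t lives under /var/log, callers such as httpd_t in the apache.te hunk will still be stopped at the parent directory without a `logging_search_logs($1)` line before the pattern call (the log location is not visible here — confirm against passenger.fc). The rule of `#` above the new block also appears one character shorter than the `########################################` the next interface uses.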
@@ -54252,10 +54296,10 @@ index 0000000..e38693b
+')
diff --git a/realmd.te b/realmd.te
new file mode 100644
-index 0000000..9015745
+index 0000000..c994751
--- /dev/null
+++ b/realmd.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,103 @@
+policy_module(realmd, 1.0.0)
+
+########################################
@@ -54355,6 +54399,10 @@ index 0000000..9015745
+ sssd_read_pid_files(realmd_t)
+ sssd_systemctl(realmd_t)
+')
++
++optional_policy(`
++ xserver_read_state_xdm(realmd_t)
++')
diff --git a/remotelogin.te b/remotelogin.te
index 0a76027..18f59a7 100644
--- a/remotelogin.te
@@ -55403,19 +55451,23 @@ index 93c896a..8aa7362 100644
+')
diff --git a/rhev.fc b/rhev.fc
new file mode 100644
-index 0000000..3edbd2e
+index 0000000..4b66adf
--- /dev/null
+++ b/rhev.fc
-@@ -0,0 +1,9 @@
+@@ -0,0 +1,13 @@
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
++/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
++/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
++
+/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
+
+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
+/var/run/ovirt-guest-agent\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
+
+/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
++/var/log/ovirt-guest-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
diff --git a/rhev.if b/rhev.if
new file mode 100644
index 0000000..bf11e25
@@ -55500,10 +55552,10 @@ index 0000000..bf11e25
+')
diff --git a/rhev.te b/rhev.te
new file mode 100644
-index 0000000..e6c2344
+index 0000000..51b00c0
--- /dev/null
+++ b/rhev.te
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,117 @@
+policy_module(rhev,1.0)
+
+########################################
@@ -55532,7 +55584,7 @@ index 0000000..e6c2344
+# rhev_agentd_t local policy
+#
+
-+allow rhev_agentd_t self:capability sys_nice;
++allow rhev_agentd_t self:capability { setuid setgid sys_nice };
+allow rhev_agentd_t self:process setsched;
+
+allow rhev_agentd_t self:fifo_file rw_fifo_file_perms;
@@ -55544,6 +55596,8 @@ index 0000000..e6c2344
+files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
+
+manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
++manage_dirs_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
++logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, { dir file })
+
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
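Review bot: `allow rhev_agentd_t self:capability { setuid setgid sys_nice };` widens the daemon from a scheduling capability to credential switching, and the only changelog entry covering it is "Fix rhev policy". A comment on the line naming the operation that needs it (`# setuid/setgid: [operation — TODO confirm]`) would let a later reviewer judge whether the grant can be dropped; if the credential switch exists so the session-lock helper runs as the console user, saying so here ties it to the LockActiveSession labeling added in rhev.fc. The new `manage_dirs_pattern` plus `logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, { dir file })` is consistent with the `/var/log/ovirt-guest-agent(/.*)?` entry added in rhev.fc.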
@@ -55585,10 +55639,12 @@ index 0000000..e6c2344
+optional_policy(`
+ dbus_system_bus_client(rhev_agentd_t)
+ dbus_connect_system_bus(rhev_agentd_t)
++ dbus_session_bus_client(rhev_agentd_t)
+')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(rhev_agentd_t)
++ xserver_stream_connect(rhev_agentd_t)
+')
+
+######################################
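Review bot: rhev_agentd_t itself now gains `dbus_session_bus_client` and `xserver_stream_connect`, while the next hunk also extends rhev_agentd_consolehelper_t for session-bus and X server access; a system daemon holding both session-bus and X socket access alongside a helper domain created for that purpose looks broader than needed. If the session interaction is meant to go through the consolehelper domain, the two daemon-side grants may be droppable; if the daemon needs them directly, a comment such as `# [which call] talks to the user session directly — TODO confirm` would document it.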
@@ -55599,13 +55655,16 @@ index 0000000..e6c2344
+optional_policy(`
+ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
+
-+ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file append;
++ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file rw_inherited_file_perms;
++ allow rhev_agentd_consolehelper_t rhev_agentd_tmp_t:file rw_inherited_file_perms;
+
+ can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
+ kernel_read_system_state(rhev_agentd_consolehelper_t)
+
+ term_use_virtio_console(rhev_agentd_consolehelper_t)
+
++ corenet_tcp_connect_xserver_port(rhev_agentd_consolehelper_t)
++
+ optional_policy(`
+ dbus_session_bus_client(rhev_agentd_consolehelper_t)
+ ')
@@ -69944,7 +70003,7 @@ index 2124b6a..e55e393 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 6f0736b..fd143c4 100644
+index 6f0736b..d91242a 100644
--- a/virt.if
+++ b/virt.if
@@ -13,67 +13,30 @@
@@ -70495,14 +70554,14 @@ index 6f0736b..fd143c4 100644
+#
+interface(`virt_transition_svirt',`
+ gen_require(`
-+ type svirt_t;
++ attribute virt_domain;
+ type virt_bridgehelper_t;
+ type svirt_image_t;
+ type svirt_socket_t;
+ ')
+
-+ allow $1 svirt_t:process transition;
-+ role $2 types svirt_t;
++ allow $1 virt_domain:process transition;
++ role $2 types virt_domain;
+ role $2 types virt_bridgehelper_t;
+ role $2 types svirt_socket_t;
+
@@ -70514,7 +70573,7 @@ index 6f0736b..fd143c4 100644
+ virt_signal_svirt($1)
+
+ optional_policy(`
-+ ptchown_run(svirt_t, $2)
++ ptchown_run(virt_domain, $2)
+ ')
+')
+
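Review bot: The gen_require and the allow/role lines now cover the whole virt_domain attribute, but the interface keeps its svirt-specific name and its `<summary>`, which starts before this hunk, presumably still describes transitioning to svirt_t; the summary should say that $1 may transition to, and $2 may run, every type carrying virt_domain. The unchanged `virt_signal_svirt($1)` in the same block still targets whatever that interface covers — if that is still svirt_t only, $1 can transition to other virt_domain types it cannot then signal, so either widen that interface too or note the asymmetry in a comment. `ptchown_run(virt_domain, $2)` passes an attribute as the source domain, which should be accepted in the underlying domtrans rules but is unusual for a `_run` interface, so a short comment such as `# attribute as source: every virt_domain type may domtrans to ptchown_t` would help readers.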
@@ -70770,7 +70829,7 @@ index 6f0736b..fd143c4 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..9154fef 100644
+index 947bbc6..ce27313 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
@@ -70947,7 +71006,7 @@ index 947bbc6..9154fef 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -100,29 +167,50 @@ ifdef(`enable_mls',`
+@@ -100,28 +167,53 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -70981,40 +71040,41 @@ index 947bbc6..9154fef 100644
+attribute svirt_lxc_domain;
-allow svirt_t self:udp_socket create_socket_perms;
--
--manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
--manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
--files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
--
--read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
+type virtd_lxc_t;
+type virtd_lxc_exec_t;
+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
--allow svirt_t svirt_image_t:dir search_dir_perms;
--manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
--manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
--fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
+-manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+-manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+-files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
+type virt_lxc_var_run_t;
+files_pid_file(virt_lxc_var_run_t)
+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
--list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
--read_files_pattern(svirt_t, virt_content_t, virt_content_t)
--dontaudit svirt_t virt_content_t:file write_file_perms;
--dontaudit svirt_t virt_content_t:dir write;
+-read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
+# virt lxc container files
+type svirt_lxc_file_t;
+files_mountpoint(svirt_lxc_file_t)
+-allow svirt_t svirt_image_t:dir search_dir_perms;
+-manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
+-manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+-fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
+########################################
+#
+# svirt local policy
+#
+
+-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+-dontaudit svirt_t virt_content_t:file write_file_perms;
+-dontaudit svirt_t virt_content_t:dir write;
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
- corenet_udp_sendrecv_all_ports(svirt_t)
-@@ -131,67 +219,65 @@ corenet_udp_bind_all_ports(svirt_t)
+@@ -131,67 +223,65 @@ corenet_udp_bind_all_ports(svirt_t)
corenet_tcp_bind_all_ports(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
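Review bot: The new comment `# it was a part of auth_use_nsswitch` records where the rule came from but not why svirt_t still needs a netlink route socket after that change; a comment naming the operation would age better, e.g. `# [operation — TODO confirm] needs route lookups; formerly granted via auth_use_nsswitch`. The rule is added for svirt_t alone, while the virt.if hunk in this same commit (at -70495) moves the role transition from svirt_t to the whole virt_domain attribute; if the other virt_domain members take the same nsswitch path they are left without this rule, so consider `allow virt_domain self:netlink_route_socket r_netlink_socket_perms;` or a comment saying why only svirt_t needs it.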
@@ -71123,7 +71183,7 @@ index 947bbc6..9154fef 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +288,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +292,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -71158,7 +71218,7 @@ index 947bbc6..9154fef 100644
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +320,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +324,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -71182,7 +71242,7 @@ index 947bbc6..9154fef 100644
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +348,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +352,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -71216,7 +71276,7 @@ index 947bbc6..9154fef 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +380,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +384,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -71235,7 +71295,7 @@ index 947bbc6..9154fef 100644
mcs_process_set_categories(virtd_t)
-@@ -284,7 +406,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +410,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -71245,7 +71305,7 @@ index 947bbc6..9154fef 100644
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +416,33 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +420,33 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -71279,7 +71339,7 @@ index 947bbc6..9154fef 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +461,10 @@ optional_policy(`
+@@ -322,6 +465,10 @@ optional_policy(`
')
optional_policy(`
@@ -71290,7 +71350,7 @@ index 947bbc6..9154fef 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -335,19 +478,34 @@ optional_policy(`
+@@ -335,19 +482,34 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -71326,7 +71386,7 @@ index 947bbc6..9154fef 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -362,6 +520,12 @@ optional_policy(`
+@@ -362,6 +524,12 @@ optional_policy(`
')
optional_policy(`
@@ -71339,7 +71399,7 @@ index 947bbc6..9154fef 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +533,11 @@ optional_policy(`
+@@ -369,11 +537,11 @@ optional_policy(`
')
optional_policy(`
@@ -71356,7 +71416,7 @@ index 947bbc6..9154fef 100644
')
optional_policy(`
-@@ -384,6 +548,7 @@ optional_policy(`
+@@ -384,6 +552,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -71364,7 +71424,7 @@ index 947bbc6..9154fef 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -402,35 +567,85 @@ optional_policy(`
+@@ -402,35 +571,85 @@ optional_policy(`
#
# virtual domains common policy
#
@@ -71459,7 +71519,7 @@ index 947bbc6..9154fef 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,34 +653,599 @@ dev_write_sound(virt_domain)
+@@ -438,34 +657,601 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -71481,12 +71541,14 @@ index 947bbc6..9154fef 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
+
++sysnet_read_config(virt_domain)
+
+-term_use_all_terms(virt_domain)
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
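Review bot: `sysnet_read_config(virt_domain)` is added with no comment, whereas the netlink_route_socket rule this patch adds for svirt_t is explained with `# it was a part of auth_use_nsswitch`; if this call is the other half of that replacement, the same note belongs here, e.g. `# previously granted through auth_use_nsswitch — TODO confirm`. The rule is attached to the virt_domain attribute, so every domain carrying it gains read access to sysnet configuration, not only the svirt_t domain named in the commit message; if that widening is intended the comment should say so, otherwise the call should be scoped to svirt_t alongside the netlink rule. The surrounding virt_domain block begins before this hunk.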
@@ -71525,7 +71587,7 @@ index 947bbc6..9154fef 100644
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(virt_domain)
+ dev_rw_printer(virt_domain)
-+')
+ ')
+
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virt_domain)
@@ -71670,7 +71732,7 @@ index 947bbc6..9154fef 100644
+ fs_manage_nfs_dirs(virsh_t)
+ fs_manage_nfs_files(virsh_t)
+ fs_read_nfs_symlinks(virsh_t)
- ')
++')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(virsh_t)
@@ -72897,22 +72959,132 @@ index fc0adf8..cf479f3 100644
# Manual transition from userhelper
optional_policy(`
diff --git a/wm.if b/wm.if
-index b3efef7..efa6002 100644
+index b3efef7..c1be6ab 100644
--- a/wm.if
+++ b/wm.if
-@@ -75,7 +75,11 @@ template(`wm_role_template',`
- application_signull($1_wm_t)
+@@ -31,17 +31,14 @@ template(`wm_role_template',`
+ gen_require(`
+ type wm_exec_t;
+ class dbus send_msg;
++ attribute wm_domain;
+ ')
- miscfiles_read_fonts($1_wm_t)
-- miscfiles_read_localization($1_wm_t)
-+
+- type $1_wm_t;
++ type $1_wm_t, wm_domain;
+ domain_type($1_wm_t)
+ domain_entry_file($1_wm_t, wm_exec_t)
+ role $2 types $1_wm_t;
+
+- allow $1_wm_t self:fifo_file rw_fifo_file_perms;
+- allow $1_wm_t self:process getsched;
+- allow $1_wm_t self:shm create_shm_perms;
+-
+ allow $1_wm_t $3:unix_stream_socket connectto;
+ allow $3 $1_wm_t:unix_stream_socket connectto;
+ allow $3 $1_wm_t:process { signal sigchld signull };
+@@ -50,42 +47,18 @@ template(`wm_role_template',`
+ allow $1_wm_t $3:dbus send_msg;
+ allow $3 $1_wm_t:dbus send_msg;
+
+- domtrans_pattern($3, wm_exec_t, $1_wm_t)
+ userdom_manage_home_role($2, $1_wm_t)
+ userdom_manage_tmpfs_role($2, $1_wm_t)
+ userdom_manage_tmp_role($2, $1_wm_t)
+ userdom_exec_user_tmp_files($1_wm_t)
+- kernel_read_system_state($1_wm_t)
++ domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
+ corecmd_bin_domtrans($1_wm_t, $3)
+ corecmd_shell_domtrans($1_wm_t, $3)
+
+- dev_read_urand($1_wm_t)
+-
+- files_read_etc_files($1_wm_t)
+- files_read_usr_files($1_wm_t)
+-
+- fs_getattr_tmpfs($1_wm_t)
+-
+- mls_file_read_all_levels($1_wm_t)
+- mls_file_write_all_levels($1_wm_t)
+- mls_xwin_read_all_levels($1_wm_t)
+- mls_xwin_write_all_levels($1_wm_t)
+- mls_fd_use_all_levels($1_wm_t)
+-
+ auth_use_nsswitch($1_wm_t)
+
+- application_signull($1_wm_t)
+-
+- miscfiles_read_fonts($1_wm_t)
+- miscfiles_read_localization($1_wm_t)
+-
+- optional_policy(`
+- dbus_system_bus_client($1_wm_t)
+- dbus_session_bus_client($1_wm_t)
+- ')
+-
+- optional_policy(`
+- pulseaudio_stream_connect($1_wm_t)
+- ')
+-
optional_policy(`
- dbus_system_bus_client($1_wm_t)
+ xserver_role($2, $1_wm_t)
+ xserver_manage_core_devices($1_wm_t)
+diff --git a/wm.te b/wm.te
+index 19d447e..9c0a1c2 100644
+--- a/wm.te
++++ b/wm.te
+@@ -1,5 +1,7 @@
+ policy_module(wm, 1.2.0)
+
++attribute wm_domain;
++
+ ########################################
+ #
+ # Declarations
+@@ -7,3 +9,42 @@ policy_module(wm, 1.2.0)
+
+ type wm_exec_t;
+ corecmd_executable_file(wm_exec_t)
++
++allow wm_domain self:fifo_file rw_fifo_file_perms;
++allow wm_domain self:process getsched;
++allow wm_domain self:shm create_shm_perms;
++allow wm_domain self:unix_dgram_socket create_socket_perms;
++
++kernel_read_system_state(wm_domain)
++
++dev_read_urand(wm_domain)
++
++files_read_etc_files(wm_domain)
++files_read_usr_files(wm_domain)
++
++fs_getattr_tmpfs(wm_domain)
++
++mls_file_read_all_levels(wm_domain)
++mls_file_write_all_levels(wm_domain)
++mls_xwin_read_all_levels(wm_domain)
++mls_xwin_write_all_levels(wm_domain)
++mls_fd_use_all_levels(wm_domain)
++
++application_signull(wm_domain)
++
++miscfiles_read_fonts(wm_domain)
++
++optional_policy(`
++ dbus_system_bus_client(wm_domain)
++ dbus_session_bus_client(wm_domain)
++')
++
++optional_policy(`
++ pulseaudio_stream_connect(wm_domain)
++')
++
++optional_policy(`
++ xserver_manage_core_devices(wm_domain)
++')
++
++
diff --git a/xen.fc b/xen.fc
index 1a1b374..574794d 100644
--- a/xen.fc
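Review bot: `allow wm_domain self:unix_dgram_socket create_socket_perms;` in the new wm.te is a new grant: none of the self rules removed from wm_role_template (fifo_file, process getsched, shm) covered unix_dgram_socket, so the move onto the attribute also widens every wm domain, and the commit message does not mention it. A one-line comment naming the need, e.g. `# unix_dgram_socket: <reason — TODO confirm>`, or a separate change, would keep the attribute refactor reviewable as pure relocation. `xserver_manage_core_devices` is now granted twice, once per template in wm.if (the remaining context line) and once for wm_domain in wm.te, so the template call can be dropped. `miscfiles_read_localization($1_wm_t)` is removed from the template but not re-added in wm.te; if that drop is deliberate it deserves a note, since the other removed calls were all relocated. The wm_role_template definition begins before this hunk; wm.te also ends with two trailing blank lines.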
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2f39a40..131a886 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 64%{?dist}
+Release: 65%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Sat Dec 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-65
+- Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch
+- Add additional labeling for /var/www/openshift/broker
+- Fix rhev policy
+- Allow openshift_initrc domain to dbus chat with systemd_logind
+- Allow httpd to getattr passenger log file if run_stickshift
+- Allow consolehelper-gtk to connect to xserver
+- Add labeling for the tmp-inst directory defined in pam_namespace.conf
+- Add lvm_metadata_t labeling for /etc/multipath
+
* Fri Dec 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-64
- consoletype is no longer used