[selinux-policy/f17] * Mon May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-12 - Allow jetty running as httpd_t to re

Miroslav Grepl mgrepl at fedoraproject.org
Mon May 7 18:48:57 UTC 2012


commit 29e098beb5f5c429998d94355bdb84e60f783505
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon May 7 20:48:43 2012 +0200

    * Mon May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-12
    - Allow jetty running as httpd_t to read hugetlbfs files
    - Allow sys_nice and setsched for rhsmcertd
    - Dontaudit attempts by mozilla_plugin_t to bind to ssdp port
    - Allow setfiles to append to xdm_tmp_t
    - Add labeling for /export as a usr_t directory
    - Add labels for .grl files created by gstreamer

 policy-F16.patch    |  399 ++++++++++++++++++++++++++++++++++-----------------
 selinux-policy.spec |   10 ++-
 2 files changed, 279 insertions(+), 130 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index abfd643..c5becb8 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -63783,10 +63783,10 @@ index 4a2e63b..e964f12 100644
 +	mta_send_mail(gitosis_t)
 +')
 diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
-index 00a19e3..a6bcf1f 100644
+index 00a19e3..4adbd9f 100644
 --- a/policy/modules/apps/gnome.fc
 +++ b/policy/modules/apps/gnome.fc
-@@ -1,9 +1,48 @@
+@@ -1,9 +1,51 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
@@ -63796,6 +63796,9 @@ index 00a19e3..a6bcf1f 100644
  HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
  HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
++HOME_DIR/\.grl-bookmarks		gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.grl-metadata-store		gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.grl-bookmarks		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
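Review bot: `HOME_DIR/\.grl-bookmarks` is added twice (first and third added lines), while the `userdom_user_home_dir_filetrans` rules added to gnome.if in this same commit name `.grl-bookmarks`, `.grl-metadata-store` and `.grl-podcasts`; the third line is most likely meant to read `HOME_DIR/\.grl-podcasts		gen_context(system_u:object_r:gstreamer_home_t,s0)`. As written the duplicate entry is dead, and an already existing `~/.grl-podcasts` would not be relabeled to gstreamer_home_t by restorecon, so only files created after the transition rule is loaded get the intended label. The gnome.if hunk below is consistent with the three-name reading.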
@@ -63838,7 +63841,7 @@ index 00a19e3..a6bcf1f 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..43a7a9e 100644
+index f5afe78..3bc7250 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -1,44 +1,900 @@
@@ -64929,7 +64932,7 @@ index f5afe78..43a7a9e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +1049,40 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1049,43 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -64960,6 +64963,9 @@ index f5afe78..43a7a9e 100644
 +        type gstreamer_home_t;
 +    ')
 +
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
@@ -64974,7 +64980,7 @@ index f5afe78..43a7a9e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1090,301 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1093,301 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -66857,7 +66863,7 @@ index fbb5c5a..637eb37 100644
  ')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..306dcce 100644
+index 2e9318b..c028d5b 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
@@ -67046,7 +67052,7 @@ index 2e9318b..306dcce 100644
  corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
  corenet_tcp_connect_http_port(mozilla_plugin_t)
  corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,9 +367,17 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,9 +367,18 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
  corenet_tcp_connect_ipp_port(mozilla_plugin_t)
  corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
  corenet_tcp_connect_speech_port(mozilla_plugin_t)
@@ -67057,6 +67063,7 @@ index 2e9318b..306dcce 100644
 +corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
 +corenet_tcp_bind_generic_node(mozilla_plugin_t)
 +corenet_udp_bind_generic_node(mozilla_plugin_t)
++corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
  
  dev_read_rand(mozilla_plugin_t)
  dev_read_urand(mozilla_plugin_t)
@@ -67064,7 +67071,7 @@ index 2e9318b..306dcce 100644
  dev_read_video_dev(mozilla_plugin_t)
  dev_write_video_dev(mozilla_plugin_t)
  dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +386,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +387,7 @@ dev_write_sound(mozilla_plugin_t)
  # for nvidia driver
  dev_rw_xserver_misc(mozilla_plugin_t)
  dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -67072,7 +67079,7 @@ index 2e9318b..306dcce 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,6 +394,7 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,6 +395,7 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -67080,7 +67087,7 @@ index 2e9318b..306dcce 100644
  
  fs_getattr_all_fs(mozilla_plugin_t)
  fs_list_dos(mozilla_plugin_t)
-@@ -383,35 +416,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,35 +417,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
  
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
@@ -67127,7 +67134,7 @@ index 2e9318b..306dcce 100644
  
  optional_policy(`
  	alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,11 +445,19 @@ optional_policy(`
+@@ -421,11 +446,19 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -67147,7 +67154,7 @@ index 2e9318b..306dcce 100644
  ')
  
  optional_policy(`
-@@ -438,18 +470,103 @@ optional_policy(`
+@@ -438,18 +471,103 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73548,6 +73555,37 @@ index 4f3b542..0ebac89 100644
 +	dev_filetrans($1, tun_tap_device_t, chr_file, "tap29")
 +	dev_filetrans($1, ppp_device_t, chr_file, "ppp")
 +')
+diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
+index 8e0f9cd..da3b374 100644
+--- a/policy/modules/kernel/corenetwork.if.m4
++++ b/policy/modules/kernel/corenetwork.if.m4
+@@ -631,6 +631,26 @@ interface(`corenet_udp_bind_$1_port',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to sbind to $1 port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_udp_bind_$1_port',`
++	gen_require(`
++		$3 $1_$2;
++	')
++
++	dontaudit dollarsone $1_$2:udp_socket name_bind;
++	$4
++')
++
++########################################
++## <summary>
+ ##	Make a TCP connection to the $1 port.
+ ## </summary>
+ ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
 index 99b71cb..60d4823 100644
 --- a/policy/modules/kernel/corenetwork.te.in
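Review bot: The summary of the new `corenet_dontaudit_udp_bind_$1_port` template has a typo: `##	Do not audit attempts to sbind to $1 port.` should read `##	Do not audit attempts to bind UDP sockets to the $1 port.`, which also distinguishes it from a TCP variant at a glance. The body mirrors the existing `corenet_udp_bind_$1_port` template above it (`dollarsone`, `$1_$2`, trailing `$4`), so the generated interface should expand consistently.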
@@ -75780,7 +75818,7 @@ index 6a1e4d1..ffaa90a 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..3bb079e 100644
+index fae1ab1..ebc9e26 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -75884,7 +75922,7 @@ index fae1ab1..3bb079e 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +201,261 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +201,262 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -76021,6 +76059,7 @@ index fae1ab1..3bb079e 100644
 +')
 +
 +optional_policy(`
++	virt_filetrans_named_content(unconfined_domain_type)
 +	virt_filetrans_home_content(unconfined_domain_type)
 +')
 +
@@ -76147,7 +76186,7 @@ index fae1ab1..3bb079e 100644
 +
 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c19518a..04ef731 100644
+index c19518a..0da5005 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -76224,7 +76263,15 @@ index c19518a..04ef731 100644
  #
  # /run
  #
-@@ -206,6 +222,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -190,6 +206,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
+ /usr			-d	gen_context(system_u:object_r:usr_t,s0)
+ /usr/.*				gen_context(system_u:object_r:usr_t,s0)
+ /usr/\.journal			<<none>>
++/export(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+ 
+ /usr/doc(/.*)?/lib(/.*)?		gen_context(system_u:object_r:usr_t,s0)
+ 
+@@ -206,6 +223,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
  
  /usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /usr/lost\+found/.*		<<none>>
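Review bot: `/export(/.*)?` labels the whole tree as usr_t, not just the directory the commit message describes; usr_t is a read-only content type that a large number of confined domains may read through files_read_usr_files, so anything later stored under /export (e.g. exported NFS data) becomes readable by all of them. If only the directory itself is meant to be usr_t, `/export	-d	gen_context(system_u:object_r:usr_t,s0)` is the narrower rule, and that reading matches the `files_root_filetrans($1, usr_t, dir, "export")` added to files.if in this commit. Either way a one-line comment saying why /export is treated as /usr content would help, since the entry sits between /usr rules in files.fc.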
@@ -76232,7 +76279,7 @@ index c19518a..04ef731 100644
  
  /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -214,7 +231,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -214,7 +232,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  
  ifndef(`distro_redhat',`
  /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
@@ -76240,7 +76287,7 @@ index c19518a..04ef731 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -230,17 +246,20 @@ ifndef(`distro_redhat',`
+@@ -230,17 +247,20 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -76262,14 +76309,14 @@ index c19518a..04ef731 100644
  /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*\.*pid		<<none>>
  
-@@ -257,3 +276,5 @@ ifndef(`distro_redhat',`
+@@ -257,3 +277,5 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..991c77e 100644
+index ff006ea..1ff8a9e 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -77717,7 +77764,7 @@ index ff006ea..991c77e 100644
  ')
  
  ########################################
-@@ -6117,3 +6965,324 @@ interface(`files_unconfined',`
+@@ -6117,3 +6965,332 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -78037,10 +78084,18 @@ index ff006ea..991c77e 100644
 +#
 +interface(`files_filetrans_named_content',`
 +	gen_require(`
-+		type var_run_t, mnt_t;
++		type mnt_t;
++		type usr_t;
++		type var_t;
 +	')
 +
 +	files_pid_filetrans($1, mnt_t, dir, "media")
++	files_root_filetrans($1, mnt_t, dir, "afs")
++	files_root_filetrans($1, mnt_t, dir, "misc")
++	files_root_filetrans($1, mnt_t, dir, "net")
++	files_root_filetrans($1, usr_t, dir, "export")
++	files_root_filetrans($1, usr_t, dir, "emul")
++	files_root_filetrans($1, var_t, dir, "nsr")
 +')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 22821ff..4486d80 100644
@@ -81610,7 +81665,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..a07d439 100644
+index e14b961..34d3702 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,69 @@ policy_module(sysadm, 2.2.1)
@@ -81993,7 +82048,7 @@ index e14b961..a07d439 100644
  ')
  
  optional_policy(`
-@@ -367,45 +459,45 @@ optional_policy(`
+@@ -367,45 +459,46 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82010,6 +82065,7 @@ index e14b961..a07d439 100644
 -	vmware_role(sysadm_r, sysadm_t)
 +	virt_stream_connect(sysadm_t)
 +	virt_filetrans_home_content(sysadm_t)
++	virt_manage_pid_dirs(sysadm_t)
  ')
  
  optional_policy(`
@@ -82050,7 +82106,7 @@ index e14b961..a07d439 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -418,10 +510,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +511,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -82061,7 +82117,7 @@ index e14b961..a07d439 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +527,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +528,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -82069,7 +82125,7 @@ index e14b961..a07d439 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +535,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +536,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -84927,7 +84983,7 @@ index deca9d3..ac92fce 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..3a7cf29 100644
+index 9e39aa5..35b5872 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -1,39 +1,55 @@
@@ -84968,7 +85024,7 @@ index 9e39aa5..3a7cf29 100644
  /usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
  /usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  
-+/usr/bin/jetty		--	gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/share/jetty/bin/jetty.sh		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 +
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
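Review bot: The `.` in `/usr/share/jetty/bin/jetty.sh` is unescaped, so as a file-context regex it also matches names such as `jetty-sh`; literal dots are escaped elsewhere in these contexts (e.g. `/usr/\.journal` in files.fc). Suggested: `/usr/share/jetty/bin/jetty\.sh		--	gen_context(system_u:object_r:httpd_exec_t,s0)`.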
@@ -85836,7 +85892,7 @@ index 6480167..d0bf548 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..e83fcc4 100644
+index 3136c6a..37601ea 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,136 +18,268 @@ policy_module(apache, 2.2.1)
@@ -86316,12 +86372,13 @@ index 3136c6a..e83fcc4 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +556,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +556,13 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
 +fs_read_iso9660_files(httpd_t)
 +fs_read_anon_inodefs_files(httpd_t)
++fs_read_hugetlbfs_files(httpd_t)
  
  auth_use_nsswitch(httpd_t)
  
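Review bot: `fs_read_hugetlbfs_files(httpd_t)` is unconditional, so it applies to every program running as httpd_t, not only the jetty JVM the commit message mentions. If the need is specific to JVM large-page support, a tunable or a comment recording the reason would keep the default httpd_t profile narrower and stop the rule from being mistaken for noise later, e.g. `# jetty: JVM large pages are backed by hugetlbfs files` above the added line. The surrounding block of httpd_t rules starts and ends outside the hunk.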
@@ -86332,7 +86389,7 @@ index 3136c6a..e83fcc4 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +569,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +570,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -86340,7 +86397,7 @@ index 3136c6a..e83fcc4 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +581,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +582,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -86444,7 +86501,7 @@ index 3136c6a..e83fcc4 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -454,27 +686,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +687,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -86508,7 +86565,7 @@ index 3136c6a..e83fcc4 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +750,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +751,22 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -86531,7 +86588,7 @@ index 3136c6a..e83fcc4 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +780,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +781,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -86552,7 +86609,7 @@ index 3136c6a..e83fcc4 100644
  ')
  
  optional_policy(`
-@@ -513,7 +804,13 @@ optional_policy(`
+@@ -513,7 +805,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86567,7 +86624,7 @@ index 3136c6a..e83fcc4 100644
  ')
  
  optional_policy(`
-@@ -528,7 +825,19 @@ optional_policy(`
+@@ -528,7 +826,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -86588,7 +86645,7 @@ index 3136c6a..e83fcc4 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,12 +846,21 @@ optional_policy(`
+@@ -537,12 +847,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86611,7 +86668,7 @@ index 3136c6a..e83fcc4 100644
  	kerberos_keytab_template(httpd, httpd_t)
  ')
  
-@@ -556,7 +874,21 @@ optional_policy(`
+@@ -556,7 +875,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86633,7 +86690,7 @@ index 3136c6a..e83fcc4 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +899,7 @@ optional_policy(`
+@@ -567,6 +900,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -86641,7 +86698,7 @@ index 3136c6a..e83fcc4 100644
  ')
  
  optional_policy(`
-@@ -577,6 +910,29 @@ optional_policy(`
+@@ -577,6 +911,29 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86671,7 +86728,7 @@ index 3136c6a..e83fcc4 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +947,11 @@ optional_policy(`
+@@ -591,6 +948,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86683,7 +86740,7 @@ index 3136c6a..e83fcc4 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +964,12 @@ optional_policy(`
+@@ -603,6 +965,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -86696,7 +86753,7 @@ index 3136c6a..e83fcc4 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +983,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +984,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -86709,7 +86766,7 @@ index 3136c6a..e83fcc4 100644
  
  ########################################
  #
-@@ -654,28 +1025,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1026,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -86753,7 +86810,7 @@ index 3136c6a..e83fcc4 100644
  ')
  
  ########################################
-@@ -685,6 +1058,8 @@ optional_policy(`
+@@ -685,6 +1059,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -86762,7 +86819,7 @@ index 3136c6a..e83fcc4 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1074,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1075,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -86788,7 +86845,7 @@ index 3136c6a..e83fcc4 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1120,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1121,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -86821,7 +86878,7 @@ index 3136c6a..e83fcc4 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1167,25 @@ optional_policy(`
+@@ -769,6 +1168,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -86847,7 +86904,7 @@ index 3136c6a..e83fcc4 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1206,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1207,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -86865,7 +86922,7 @@ index 3136c6a..e83fcc4 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1225,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1226,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -86922,7 +86979,7 @@ index 3136c6a..e83fcc4 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1276,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1277,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -86963,7 +87020,7 @@ index 3136c6a..e83fcc4 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1321,20 @@ optional_policy(`
+@@ -842,10 +1322,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -86984,7 +87041,7 @@ index 3136c6a..e83fcc4 100644
  ')
  
  ########################################
-@@ -891,11 +1380,142 @@ optional_policy(`
+@@ -891,11 +1381,142 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -105287,7 +105344,7 @@ index 0000000..1725b7e
 +
 diff --git a/policy/modules/services/jetty.if b/policy/modules/services/jetty.if
 new file mode 100644
-index 0000000..eb95780
+index 0000000..9f09101
 --- /dev/null
 +++ b/policy/modules/services/jetty.if
 @@ -0,0 +1,273 @@
@@ -105329,7 +105386,7 @@ index 0000000..eb95780
 +	')
 +
 +	files_search_var($1)
-+	read_files_pattern($1, jetty_cache_t jetty_cache_t)
++	read_files_pattern($1, jetty_cache_t, jetty_cache_t)
 +')
 +
 +########################################
@@ -123462,10 +123519,10 @@ index 0000000..6572600
 +')
 diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
 new file mode 100644
-index 0000000..5653d39
+index 0000000..cff25a9
 --- /dev/null
 +++ b/policy/modules/services/rhsmcertd.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,69 @@
 +policy_module(rhsmcertd, 1.0.0)
 +
 +########################################
@@ -123497,6 +123554,9 @@ index 0000000..5653d39
 +# rhsmcertd local policy
 +#
 +
++allow rhsmcertd_t self:capability sys_nice;
++allow rhsmcertd_t self:process setsched;
++
 +allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
 +allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
 +
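Review bot: `allow rhsmcertd_t self:capability sys_nice;` grants a real capability to a certificate-refresh daemon; when a daemon only calls setpriority/sched_setscheduler from a library and keeps working without the privilege, the usual first step in this policy is `dontaudit rhsmcertd_t self:capability sys_nice;` rather than an allow. Whether rhsmcertd actually fails without it is not visible here; if it does, the allow is fine, but a short comment such as `# rhsmcertd adjusts its own scheduling priority` next to the two rules would document why the privilege is needed.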
@@ -131366,7 +131426,7 @@ index 32a3c13..803eea6 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..9fdf440 100644
+index 2124b6a..a2c76c2 100644
 --- a/policy/modules/services/virt.fc
 +++ b/policy/modules/services/virt.fc
 @@ -1,5 +1,6 @@
@@ -131378,7 +131438,7 @@ index 2124b6a..9fdf440 100644
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
  
  /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,48 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,49 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -131406,7 +131466,8 @@ index 2124b6a..9fdf440 100644
  /var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
 -/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
-+/var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
++/var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
++/var/run/libvirt-sandbox(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
 +/var/run/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
  
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
@@ -131431,7 +131492,7 @@ index 2124b6a..9fdf440 100644
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..a0da632 100644
+index 7c5d8d8..85b7d8b 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,39 +13,45 @@
@@ -131647,10 +131708,49 @@ index 7c5d8d8..a0da632 100644
  ##	Read virt PID files.
  ## </summary>
  ## <param name="domain">
-@@ -269,6 +335,36 @@ interface(`virt_manage_pid_files',`
+@@ -250,6 +316,28 @@ interface(`virt_read_pid_files',`
  
  ########################################
  ## <summary>
++##	Manage virt pid directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_manage_pid_dirs',`
++	gen_require(`
++		type virt_var_run_t;
++		type virt_lxc_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
++	manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
++	virt_filetrans_named_content($1)
++')
++
++########################################
++## <summary>
+ ##	Manage virt pid files.
+ ## </summary>
+ ## <param name="domain">
+@@ -261,10 +349,42 @@ interface(`virt_read_pid_files',`
+ interface(`virt_manage_pid_files',`
+ 	gen_require(`
+ 		type virt_var_run_t;
++		type virt_lxc_var_run_t;
+ 	')
+ 
+ 	files_search_pids($1)
+ 	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
++	manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
++')
++
++########################################
++## <summary>
 +##	Create objects in the pid directory
 +##	with a private type with a type transition.
 +## </summary>
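Review bot: The summary of the new `virt_manage_pid_dirs` interface (`##	Manage virt pid directories.`) does not mention that it also calls `virt_filetrans_named_content($1)`, which installs a named file transition to virt_lxc_var_run_t for `libvirt-sandbox` under the pid directory; callers such as sysadm_t in this commit gain that transition implicitly. Suggested wording: `##	Manage virt pid directories and transition newly created libvirt-sandbox directories to virt_lxc_var_run_t.` The interface also requires virt_lxc_var_run_t directly, which looks right since the manage_dirs_pattern on it does not go through the named-content interface.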
@@ -131677,14 +131777,10 @@ index 7c5d8d8..a0da632 100644
 +	')
 +
 +	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
-+')
-+
-+########################################
-+## <summary>
- ##	Search virt lib directories.
- ## </summary>
- ## <param name="domain">
-@@ -308,6 +404,24 @@ interface(`virt_read_lib_files',`
+ ')
+ 
+ ########################################
+@@ -308,6 +428,24 @@ interface(`virt_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -131709,7 +131805,7 @@ index 7c5d8d8..a0da632 100644
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -352,9 +466,9 @@ interface(`virt_read_log',`
+@@ -352,9 +490,9 @@ interface(`virt_read_log',`
  ##	virt log files.
  ## </summary>
  ## <param name="domain">
@@ -131721,7 +131817,7 @@ index 7c5d8d8..a0da632 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -388,6 +502,25 @@ interface(`virt_manage_log',`
+@@ -388,6 +526,25 @@ interface(`virt_manage_log',`
  
  ########################################
  ## <summary>
@@ -131747,7 +131843,7 @@ index 7c5d8d8..a0da632 100644
  ##	Allow domain to read virt image files
  ## </summary>
  ## <param name="domain">
-@@ -408,6 +541,7 @@ interface(`virt_read_images',`
+@@ -408,6 +565,7 @@ interface(`virt_read_images',`
  	read_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	read_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -131755,7 +131851,7 @@ index 7c5d8d8..a0da632 100644
  
  	tunable_policy(`virt_use_nfs',`
  		fs_list_nfs($1)
-@@ -424,6 +558,24 @@ interface(`virt_read_images',`
+@@ -424,6 +582,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -131780,7 +131876,7 @@ index 7c5d8d8..a0da632 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +585,15 @@ interface(`virt_read_images',`
+@@ -433,15 +609,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -131801,7 +131897,7 @@ index 7c5d8d8..a0da632 100644
  ')
  
  ########################################
-@@ -466,6 +618,7 @@ interface(`virt_manage_images',`
+@@ -466,6 +642,7 @@ interface(`virt_manage_images',`
  	manage_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -131809,7 +131905,7 @@ index 7c5d8d8..a0da632 100644
  
  	tunable_policy(`virt_use_nfs',`
  		fs_manage_nfs_dirs($1)
-@@ -500,10 +653,19 @@ interface(`virt_manage_images',`
+@@ -500,10 +677,19 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
@@ -131830,7 +131926,7 @@ index 7c5d8d8..a0da632 100644
  
  	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -515,4 +677,231 @@ interface(`virt_admin',`
+@@ -515,4 +701,248 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -131838,7 +131934,7 @@ index 7c5d8d8..a0da632 100644
 +	virt_manage_images($1)
 +
 +	allow $1 virt_domain:process signal_perms;
- ')
++')
 +
 +########################################
 +## <summary>
@@ -132062,8 +132158,25 @@ index 7c5d8d8..a0da632 100644
 +	can_exec($1, qemu_exec_t)
 +')
 +
++########################################
++## <summary>
++##	Transition to virt named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_filetrans_named_content',`
++	gen_require(`
++		type virt_lxc_var_run_t;
++	')
++
++	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
+ ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..23c752e 100644
+index 3eca020..0900b33 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
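Review bot: In the doc block of the new `virt_filetrans_named_content` interface, `##      Domain allowed access.` is indented with spaces while the neighbouring doc blocks in this commit (e.g. `virt_manage_pid_dirs`) use a tab: `##	Domain allowed access.`. The summary `Transition to virt named content` could also state what is actually transitioned, e.g. `##	Create the libvirt-sandbox pid directory with the virt_lxc_var_run_t type.`, so readers of the generated interface docs know the single name it covers.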
@@ -132222,7 +132335,7 @@ index 3eca020..23c752e 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -97,6 +144,34 @@ ifdef(`enable_mls',`
+@@ -97,6 +144,35 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -132247,8 +132360,9 @@ index 3eca020..23c752e 100644
 +type virtd_lxc_exec_t;
 +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
 +
-+type virtd_lxc_var_run_t;
-+files_pid_file(virtd_lxc_var_run_t)
++type virt_lxc_var_run_t;
++files_pid_file(virt_lxc_var_run_t)
++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
 +
 +# virt lxc container files
 +type svirt_lxc_file_t;
@@ -132257,7 +132371,7 @@ index 3eca020..23c752e 100644
  ########################################
  #
  # svirt local policy
-@@ -104,15 +179,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +180,12 @@ ifdef(`enable_mls',`
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -132274,7 +132388,7 @@ index 3eca020..23c752e 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +202,17 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +203,17 @@ corenet_tcp_connect_all_ports(svirt_t)
  
  dev_list_sysfs(svirt_t)
  
@@ -132292,7 +132406,7 @@ index 3eca020..23c752e 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +227,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +228,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -132308,7 +132422,7 @@ index 3eca020..23c752e 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +244,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +245,28 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -132337,7 +132451,7 @@ index 3eca020..23c752e 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -173,22 +274,41 @@ optional_policy(`
+@@ -173,22 +275,41 @@ optional_policy(`
  # virtd local policy
  #
  
@@ -132386,7 +132500,7 @@ index 3eca020..23c752e 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,9 +319,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,9 +320,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -132407,14 +132521,14 @@ index 3eca020..23c752e 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +346,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +347,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
-+manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-+manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-+filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-+stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
++manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
++stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
 +
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
@@ -132423,7 +132537,7 @@ index 3eca020..23c752e 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +374,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +375,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -132458,7 +132572,7 @@ index 3eca020..23c752e 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +408,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +409,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -132477,7 +132591,7 @@ index 3eca020..23c752e 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -276,6 +434,8 @@ term_use_ptmx(virtd_t)
+@@ -276,6 +435,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -132486,7 +132600,7 @@ index 3eca020..23c752e 100644
  miscfiles_read_localization(virtd_t)
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +445,32 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +446,32 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -132519,7 +132633,7 @@ index 3eca020..23c752e 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +489,10 @@ optional_policy(`
+@@ -313,6 +490,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -132530,7 +132644,7 @@ index 3eca020..23c752e 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -326,6 +506,14 @@ optional_policy(`
+@@ -326,6 +507,14 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -132545,7 +132659,7 @@ index 3eca020..23c752e 100644
  ')
  
  optional_policy(`
-@@ -334,11 +522,14 @@ optional_policy(`
+@@ -334,11 +523,14 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_read_pid_files(virtd_t)
  	dnsmasq_signull(virtd_t)
@@ -132560,7 +132674,7 @@ index 3eca020..23c752e 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -360,11 +551,11 @@ optional_policy(`
+@@ -360,11 +552,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -132577,7 +132691,7 @@ index 3eca020..23c752e 100644
  ')
  
  optional_policy(`
-@@ -394,20 +585,36 @@ optional_policy(`
+@@ -394,20 +586,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -132617,7 +132731,7 @@ index 3eca020..23c752e 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +625,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +626,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -132631,7 +132745,7 @@ index 3eca020..23c752e 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +638,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +639,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -132644,7 +132758,7 @@ index 3eca020..23c752e 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +651,427 @@ files_search_all(virt_domain)
+@@ -440,25 +652,427 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -132814,10 +132928,10 @@ index 3eca020..23c752e 100644
 +allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 +
 +allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
-+manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-+manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-+manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-+files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
++manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
 +
 +manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -132912,8 +133026,8 @@ index 3eca020..23c752e 100644
 +allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
 +allow svirt_lxc_domain virtd_lxc_t:process sigchld;
 +allow svirt_lxc_domain virtd_lxc_t:fd use;
-+allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
++allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
 +allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
 +
 +allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -133519,7 +133633,7 @@ index 4966c94..23df3ea 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..c0a4891 100644
+index 130ced9..56cb1f8 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -134268,7 +134382,7 @@ index 130ced9..c0a4891 100644
  ')
  
  ########################################
-@@ -1243,10 +1540,515 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1540,533 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -134492,6 +134606,25 @@ index 130ced9..c0a4891 100644
 +
 +########################################
 +## <summary>
++##	Allow append the xdm
++##	tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit
++##	</summary>
++## </param>
++#
++interface(`xserver_append_xdm_tmp_files',`
++	gen_require(`
++		type xdm_tmp_t;
++	')
++
++	allow $1 xdm_tmp_t:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
 +##	Read a user Iceauthority domain.
 +## </summary>
 +## <param name="domain">
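Review bot: The `<param name="domain">` description of the new `xserver_append_xdm_tmp_files` interface reads "Domain to not audit", which is the wording for a dontaudit interface, but the body is an `allow` rule; it should read `##	Domain allowed access.`. The summary "Allow append the xdm tmp files." is also ungrammatical and hides the narrowing that makes this grant acceptable: `append_inherited_file_perms`, if it follows the refpolicy naming, omits `open`, so the caller can only append to an xdm_tmp_t file it already holds a descriptor for (a redirected stdout/stderr, presumably) and cannot open or create one. Suggest `##	Append to xdm temp files through an already-open (inherited) descriptor; no open or create is granted.`.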
@@ -134785,7 +134918,6 @@ index 130ced9..c0a4891 100644
 +	filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
 +	files_search_tmp($1)
 +')
-+
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
 index 143c893..479bf53 100644
 --- a/policy/modules/services/xserver.te
@@ -139550,7 +139682,7 @@ index 94fd8dd..6acffdb 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..cfdbceb 100644
+index 29a9565..e21445f 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -140433,11 +140565,12 @@ index 29a9565..cfdbceb 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1197,29 @@ optional_policy(`
+@@ -815,11 +1197,30 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	virt_manage_svirt_cache(initrc_t)
++	virt_manage_pid_dirs(initrc_t)
 +	virt_manage_cache(initrc_t)
 +	virt_manage_lib_files(initrc_t)
 +')
@@ -140464,7 +140597,7 @@ index 29a9565..cfdbceb 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1229,18 @@ optional_policy(`
+@@ -829,6 +1230,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -140483,7 +140616,7 @@ index 29a9565..cfdbceb 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1256,10 @@ optional_policy(`
+@@ -844,6 +1257,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -140494,7 +140627,7 @@ index 29a9565..cfdbceb 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1270,165 @@ optional_policy(`
+@@ -854,3 +1271,165 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -142510,7 +142643,7 @@ index 831b909..b9cff6d 100644
 +	files_spool_filetrans($1, audit_spool_t, dir, "audit")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..9759103 100644
+index b6ec597..dec9390 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -5,6 +5,20 @@ policy_module(logging, 1.17.2)
@@ -142742,7 +142875,12 @@ index b6ec597..9759103 100644
  
  miscfiles_read_localization(syslogd_t)
  
-@@ -496,11 +569,24 @@ optional_policy(`
+@@ -492,15 +565,29 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	mysql_read_config(syslogd_t)
+ 	mysql_stream_connect(syslogd_t)
  ')
  
  optional_policy(`
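Review bot: The added `mysql_read_config(syslogd_t)` grant is not reflected in the 3.10.0-122 changelog entry, so anyone auditing what syslogd_t may newly read will not find it; add a changelog line. Read access to MySQL configuration can expose credentials where an administrator keeps them in my.cnf (inferred, not visible here), so the grant deserves a why-comment next to the existing `mysql_stream_connect(syslogd_t)`, e.g. `# rsyslog's ommysql output module reads the MySQL client config` if that is the driver.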
@@ -144910,7 +145048,7 @@ index 170e2c7..6c56785 100644
 +	auth_relabelto_shadow($1)
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..0e6151b 100644
+index 7ed9819..623ae72 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,6 +11,7 @@ gen_require(`
@@ -145182,7 +145320,7 @@ index 7ed9819..0e6151b 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -420,185 +472,200 @@ optional_policy(`
+@@ -420,185 +472,203 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -145380,19 +145518,22 @@ index 7ed9819..0e6151b 100644
 +')
  
 -logging_send_syslog_msg(setfiles_t)
++optional_policy(`
++	xserver_append_xdm_tmp_files(setfiles_t)
++')
+ 
+-miscfiles_read_localization(setfiles_t)
 +ifdef(`hide_broken_symptoms',`
 +	optional_policy(`
 +		hal_dontaudit_leaks(setfiles_t)
 +	')
  
--miscfiles_read_localization(setfiles_t)
+-seutil_libselinux_linked(setfiles_t)
 +	optional_policy(`
 +		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
 +		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
 +	')
 +')
- 
--seutil_libselinux_linked(setfiles_t)
 +ifdef(`distro_ubuntu',`
 +  	optional_policy(`
 +		unconfined_domain(setfiles_t)
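Review bot: The new `xserver_append_xdm_tmp_files(setfiles_t)` block carries no comment explaining why a file-relabeling tool needs to append to display-manager temp files, and the neighbouring `hide_broken_symptoms` section handles what looks like the same class of issue (leaked descriptors) with dontaudit, so a reader cannot tell whether this is a required grant or a suppressed symptom. If the case is, as the append-inherited permission set suggests, xdm/gdm launching setfiles with stdout or stderr redirected to an xdm_tmp_t file, say so: `# xdm runs setfiles with stdout/stderr on an xdm_tmp_t file; append via the inherited fd only`. Because the interface grants append without open, setfiles_t still cannot create or open such files itself, which keeps the grant narrow and is worth stating.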
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1a98549..0a41f56 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 121%{?dist}
+Release: 122%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -490,6 +490,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-122
+- Allow jetty running as httpd_t to read hugetlbfs files
+- Allow sys_nice and setsched for rhsmcertd
+- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
+- Allow setfiles to append to xdm_tmp_t
+- Add labeling for /export as a usr_t directory
+- Add labels for .grl files created by gstreamer
+
 * Fri May 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-121
 - Add labeling for /usr/share/jetty/bin/jetty.sh
 - Add jetty policy which contains file type definitios

