[selinux-policy/f19] - Fix openshift_search_lib - Add support for abrt-uefioops-oops - Allow colord to getattr any file s

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jun 3 21:14:35 UTC 2013


commit 2ef145d8731ada82f4a0176f25c4371f124584d8
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Jun 3 23:14:08 2013 +0200

    - Fix openshift_search_lib
    - Add support for abrt-uefioops-oops
    - Allow colord to getattr any file system
    - Allow chrome processes to look at each other
    - Allow sys_ptrace for abrt_t
    - Add new policy for gssproxy
    - Dontaudit leaked file descriptor writes from firewalld
    - openshift_net_type is interface not template
    - Dontaudit pppd to search gnome config
    - Update openshift_search_lib() interface
    - Add fs_list_pstorefs()
    - Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18
    - Better labels for raspberry pi devices
    - Allow init to create devpts_t directory
    - Temporarily label raspberry pi devices as memory_device_t, needs back port to f18
    - Allow sysadm_t to build kernels
    - Make sure mount creates /var/run/blkid with the correct label, needs back port to F18
    - Allow userdomains to stream connect to gssproxy
    - Dontaudit leaked file descriptor writes from firewalld
    - Allow xserver to read /dev/urandom
    - Add additional fixes for ipsec-mgmt
    - Make SSHing into an Openshift Enterprise Node work

 modules-targeted-contrib.conf |    7 +
 permissivedomains.pp          |  Bin 61016 -> 73932 bytes
 permissivedomains.te          |    7 +
 policy-rawhide-base.patch     |  536 +++++++++++++++++++++++++----------------
 policy-rawhide-contrib.patch  |  473 +++++++++++++++++++++++++++++++-----
 selinux-policy.spec           |   26 ++-
 6 files changed, 784 insertions(+), 265 deletions(-)
---
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index e88980a..a0ed9aa 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -741,6 +741,13 @@ gpm = module
 # 
 gpsd = module
 
+# Module: gssproxy
+#
+#  A proxy for GSSAPI credential handling
+#
+# 
+gssproxy = module
+
 # Layer: role
 # Module: guest
 #
diff --git a/permissivedomains.pp b/permissivedomains.pp
index 0870c6a..fcc92d8 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/permissivedomains.te b/permissivedomains.te
index 925fc39..f2fc5fc 100644
--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -48,3 +48,10 @@ optional_policy(`
         permissive swift_t;
 ')
 
+optional_policy(`
+    gen_require(`
+        type gssproxy_t;
+    ')
+
+    permissive gssproxy_t;
+')
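Review bot: The new `permissive gssproxy_t;` block turns every denial for the gssproxy domain into an audit-only event, so the gssproxy module introduced by this commit is effectively unconfined until this entry is dropped again. That is the normal way to stage a freshly written domain, but nothing in the block records that it is temporary or what has to happen before it goes. A one-line comment above the `optional_policy` block, such as `# gssproxy policy is new in this build; remove once denials stop appearing`, would make the intent obvious to the next person editing permissivedomains.te.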
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 3397939..01faa3e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3604,7 +3604,7 @@ index f9b25c1..9af1f7a 100644
 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
 +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..d6ec4a8 100644
+index 07126bd..38ba47d 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
 @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
@@ -4138,10 +4138,11 @@ index 07126bd..d6ec4a8 100644
  ##	Send and receive TCP network traffic on generic reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1647,6 +1964,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+@@ -1647,7 +1964,26 @@ interface(`corenet_udp_sendrecv_reserved_port',`
  
  ########################################
  ## <summary>
+-##	Bind TCP sockets to generic reserved ports.
 +##	Bind DCCP sockets to generic reserved ports.
 +## </summary>
 +## <param name="domain">
@@ -4161,9 +4162,10 @@ index 07126bd..d6ec4a8 100644
 +
 +########################################
 +## <summary>
- ##	Bind TCP sockets to generic reserved ports.
++##	Bind TCP sockets to generic reserved ports.
  ## </summary>
  ## <param name="domain">
+ ##	<summary>
 @@ -1685,6 +2021,24 @@ interface(`corenet_udp_bind_reserved_port',`
  
  ########################################
@@ -4214,16 +4216,11 @@ index 07126bd..d6ec4a8 100644
  ##	Send and receive TCP network traffic on all reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1752,12 +2124,210 @@ interface(`corenet_udp_receive_all_reserved_ports',`
- 		attribute reserved_port_type;
- 	')
+@@ -1757,7 +2129,259 @@ interface(`corenet_udp_receive_all_reserved_ports',`
  
--	allow $1 reserved_port_type:udp_socket recv_msg;
-+	allow $1 reserved_port_type:udp_socket recv_msg;
-+')
-+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Send and receive UDP network traffic on all reserved ports.
 +##	Send and receive UDP network traffic on all reserved ports.
 +## </summary>
 +## <param name="domain">
@@ -4418,56 +4415,116 @@ index 07126bd..d6ec4a8 100644
 +	')
 +
 +	allow $1 ephemeral_port_type:tcp_socket name_bind;
- ')
- 
- ########################################
- ## <summary>
--##	Send and receive UDP network traffic on all reserved ports.
++')
++
++########################################
++## <summary>
 +##	Bind UDP sockets to all ports > 32768.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_udp_bind_all_ephemeral_ports',`
++	gen_require(`
++		attribute ephemeral_port_type;
++	')
++
++	allow $1 ephemeral_port_type:udp_socket name_bind;
++')
++
++########################################
++## <summary>
++##	Connect DCCP sockets to reserved ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_dccp_connect_all_reserved_ports',`
++	gen_require(`
++		attribute reserved_port_type;
++	')
++
++	allow $1 reserved_port_type:dccp_socket name_connect;
++')
++
++########################################
++## <summary>
++##	Connect TCP sockets to reserved ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_tcp_connect_all_reserved_ports',`
++	gen_require(`
++		attribute reserved_port_type;
++	')
++
++	allow $1 reserved_port_type:tcp_socket name_connect;
++')
++
++########################################
++## <summary>
++##	Connect DCCP sockets to all ports > 1024.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1765,14 +2335,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+@@ -1765,51 +2389,53 @@ interface(`corenet_udp_receive_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
 -interface(`corenet_udp_sendrecv_all_reserved_ports',`
 -	corenet_udp_send_all_reserved_ports($1)
 -	corenet_udp_receive_all_reserved_ports($1)
-+interface(`corenet_udp_bind_all_ephemeral_ports',`
++interface(`corenet_dccp_connect_all_unreserved_ports',`
 +	gen_require(`
-+		attribute ephemeral_port_type;
++		attribute unreserved_port_type;
 +	')
 +
-+	allow $1 ephemeral_port_type:udp_socket name_bind;
++	allow $1 unreserved_port_type:dccp_socket name_connect;
  ')
  
- ########################################
+-########################################
++#######################################
  ## <summary>
 -##	Bind TCP sockets to all reserved ports.
-+##	Connect DCCP sockets to reserved ports.
++##  Connect TCP sockets to ports > 1024.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -1780,36 +2353,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
- ##	</summary>
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
++##  <summary>
++##  Domain allowed access.
++##  </summary>
  ## </param>
  #
 -interface(`corenet_tcp_bind_all_reserved_ports',`
-+interface(`corenet_dccp_connect_all_reserved_ports',`
- 	gen_require(`
- 		attribute reserved_port_type;
- 	')
+-	gen_require(`
+-		attribute reserved_port_type;
+-	')
++interface(`corenet_tcp_connect_unreserved_ports',`
++    gen_require(`
++        type unreserved_port_t;
++    ')
  
 -	allow $1 reserved_port_type:tcp_socket name_bind;
 -	allow $1 self:capability net_bind_service;
-+	allow $1 reserved_port_type:dccp_socket name_connect;
++    allow $1 unreserved_port_t:tcp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to bind TCP sockets to all reserved ports.
-+##	Connect TCP sockets to reserved ports.
++##	Connect TCP sockets to all ports > 1024.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
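Review bot: The `corenet_tcp_connect_unreserved_ports` interface on the new side is indented with four spaces (`    gen_require(`` through `    allow $1 unreserved_port_t:tcp_socket name_connect;`) and its XML doc lines use `##  ` with two spaces, while every neighbouring interface in corenetwork.if.in uses a single tab; its separator line is also one character short (`#######################################`, 39 `#` instead of the 40 used everywhere else). Re-indenting those six lines with tabs and restoring the full separator would make the block match the file. These lines appear to be carried over from the hunk's earlier position rather than newly written here, so the inconsistency predates this commit; it is still the new side of the patch and worth fixing while the hunk is being touched.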
@@ -4477,137 +4534,134 @@ index 07126bd..d6ec4a8 100644
  ## </param>
  #
 -interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
-+interface(`corenet_tcp_connect_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_unreserved_ports',`
  	gen_require(`
- 		attribute reserved_port_type;
+-		attribute reserved_port_type;
++		attribute unreserved_port_type;
  	')
  
 -	dontaudit $1 reserved_port_type:tcp_socket name_bind;
-+	allow $1 reserved_port_type:tcp_socket name_connect;
++	allow $1 unreserved_port_type:tcp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
 -##	Bind UDP sockets to all reserved ports.
-+##	Connect DCCP sockets to all ports > 1024.
++##	Connect TCP sockets to all ports > 32768.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1817,36 +2389,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+@@ -1817,18 +2443,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
 -interface(`corenet_udp_bind_all_reserved_ports',`
-+interface(`corenet_dccp_connect_all_unreserved_ports',`
++interface(`corenet_tcp_connect_all_ephemeral_ports',`
  	gen_require(`
 -		attribute reserved_port_type;
-+		attribute unreserved_port_type;
++		attribute ephemeral_port_type;
  	')
  
 -	allow $1 reserved_port_type:udp_socket name_bind;
 -	allow $1 self:capability net_bind_service;
-+	allow $1 unreserved_port_type:dccp_socket name_connect;
++	allow $1 ephemeral_port_type:tcp_socket name_connect;
  ')
  
--########################################
-+#######################################
+ ########################################
  ## <summary>
 -##	Do not audit attempts to bind UDP sockets to all reserved ports.
-+##  Connect TCP sockets to ports > 1024.
++##	Do not audit attempts to connect DCCP sockets
++##	all reserved ports.
  ## </summary>
  ## <param name="domain">
--##	<summary>
--##	Domain to not audit.
--##	</summary>
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
+ ##	<summary>
+@@ -1836,35 +2462,36 @@ interface(`corenet_udp_bind_all_reserved_ports',`
+ ##	</summary>
  ## </param>
  #
 -interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
--	gen_require(`
--		attribute reserved_port_type;
--	')
-+interface(`corenet_tcp_connect_unreserved_ports',`
-+    gen_require(`
-+        type unreserved_port_t;
-+    ')
++interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
+ 	gen_require(`
+ 		attribute reserved_port_type;
+ 	')
  
 -	dontaudit $1 reserved_port_type:udp_socket name_bind;
-+    allow $1 unreserved_port_t:tcp_socket name_connect;
++	dontaudit $1 reserved_port_type:dccp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
 -##	Bind TCP sockets to all ports > 1024.
-+##	Connect TCP sockets to all ports > 1024.
++##	Do not audit attempts to connect TCP sockets
++##	all reserved ports.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1854,17 +2425,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`corenet_tcp_bind_all_unreserved_ports',`
-+interface(`corenet_tcp_connect_all_unreserved_ports',`
++interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
  	gen_require(`
- 		attribute unreserved_port_type;
+-		attribute unreserved_port_type;
++		attribute reserved_port_type;
  	')
  
 -	allow $1 unreserved_port_type:tcp_socket name_bind;
-+	allow $1 unreserved_port_type:tcp_socket name_connect;
++	dontaudit $1 reserved_port_type:tcp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
 -##	Bind UDP sockets to all ports > 1024.
-+##	Connect TCP sockets to all ports > 32768.
++##	Connect DCCP sockets to rpc ports.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1872,67 +2443,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+@@ -1872,17 +2499,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
  ##	</summary>
  ## </param>
  #
 -interface(`corenet_udp_bind_all_unreserved_ports',`
-+interface(`corenet_tcp_connect_all_ephemeral_ports',`
++interface(`corenet_dccp_connect_all_rpc_ports',`
  	gen_require(`
 -		attribute unreserved_port_type;
-+		attribute ephemeral_port_type;
++		attribute rpc_port_type;
  	')
  
 -	allow $1 unreserved_port_type:udp_socket name_bind;
-+	allow $1 ephemeral_port_type:tcp_socket name_connect;
++	allow $1 rpc_port_type:dccp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
 -##	Connect TCP sockets to reserved ports.
-+##	Do not audit attempts to connect DCCP sockets
-+##	all reserved ports.
++##	Connect TCP sockets to rpc ports.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -1890,36 +2517,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
  ##	</summary>
  ## </param>
  #
 -interface(`corenet_tcp_connect_all_reserved_ports',`
-+interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_rpc_ports',`
  	gen_require(`
- 		attribute reserved_port_type;
+-		attribute reserved_port_type;
++		attribute rpc_port_type;
  	')
  
 -	allow $1 reserved_port_type:tcp_socket name_connect;
-+	dontaudit $1 reserved_port_type:dccp_socket name_connect;
++	allow $1 rpc_port_type:tcp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
 -##	Connect TCP sockets to all ports > 1024.
-+##	Do not audit attempts to connect TCP sockets
-+##	all reserved ports.
++##	Do not audit attempts to connect DCCP sockets
++##	all rpc ports.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
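Review bot: The summaries for the new dontaudit interfaces read `##	Do not audit attempts to connect DCCP sockets` / `##	all reserved ports.` and drop the preposition, so the generated documentation says "connect DCCP sockets all reserved ports"; the same wording is used for the TCP variant a few lines below and for the rpc variants at the end of this hunk and in the next one. Changing the second line to `##	to all reserved ports.` (and `##	to all rpc ports.`) in each of those summaries fixes it. Only the doc text is affected; the `dontaudit ... name_connect;` rules themselves look right.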
@@ -4617,93 +4671,111 @@ index 07126bd..d6ec4a8 100644
  ## </param>
  #
 -interface(`corenet_tcp_connect_all_unreserved_ports',`
-+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
++interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
  	gen_require(`
 -		attribute unreserved_port_type;
-+		attribute reserved_port_type;
++		attribute rpc_port_type;
  	')
  
 -	allow $1 unreserved_port_type:tcp_socket name_connect;
-+	dontaudit $1 reserved_port_type:tcp_socket name_connect;
++	dontaudit $1 rpc_port_type:dccp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to connect TCP sockets
+ ##	Do not audit attempts to connect TCP sockets
 -##	all reserved ports.
-+##	Connect DCCP sockets to rpc ports.
++##	all rpc ports.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -1927,54 +2555,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
  ##	</summary>
  ## </param>
  #
 -interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
-+interface(`corenet_dccp_connect_all_rpc_ports',`
++interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
  	gen_require(`
 -		attribute reserved_port_type;
 +		attribute rpc_port_type;
  	')
  
 -	dontaudit $1 reserved_port_type:tcp_socket name_connect;
-+	allow $1 rpc_port_type:dccp_socket name_connect;
++	dontaudit $1 rpc_port_type:tcp_socket name_connect;
  ')
  
  ########################################
-@@ -1955,6 +2527,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
+ ## <summary>
+-##	Connect TCP sockets to rpc ports.
++##	Read and write the TUN/TAP virtual network device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	The domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_connect_all_rpc_ports',`
++interface(`corenet_rw_tun_tap_dev',`
+ 	gen_require(`
+-		attribute rpc_port_type;
++		type tun_tap_device_t;
+ 	')
+ 
+-	allow $1 rpc_port_type:tcp_socket name_connect;
++	dev_list_all_dev_nodes($1)
++	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
+ ')
  
  ########################################
  ## <summary>
-+##	Do not audit attempts to connect DCCP sockets
-+##	all rpc ports.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
-+	gen_require(`
-+		attribute rpc_port_type;
-+	')
-+
-+	dontaudit $1 rpc_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to connect TCP sockets
- ##	all rpc ports.
+-##	Do not audit attempts to connect TCP sockets
+-##	all rpc ports.
++##	Relabel to and from the TUN/TAP virtual network device.
  ## </summary>
-@@ -1993,6 +2584,24 @@ interface(`corenet_rw_tun_tap_dev',`
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	The domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
++interface(`corenet_relabel_tun_tap_dev',`
+ 	gen_require(`
+-		attribute rpc_port_type;
++		type tun_tap_device_t;
+ 	')
+ 
+-	dontaudit $1 rpc_port_type:tcp_socket name_connect;
++	relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t)
+ ')
  
  ########################################
  ## <summary>
+-##	Read and write the TUN/TAP virtual network device.
 +##	Read and write inherited TUN/TAP virtual network device.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1982,13 +2610,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_rw_tun_tap_dev',`
 +interface(`corenet_rw_inherited_tun_tap_dev',`
-+	gen_require(`
-+		type tun_tap_device_t;
-+	')
-+
+ 	gen_require(`
+ 		type tun_tap_device_t;
+ 	')
+ 
+-	dev_list_all_dev_nodes($1)
+-	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
 +	allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to read or write the TUN/TAP
- ##	virtual network device.
- ## </summary>
-@@ -2049,6 +2658,25 @@ interface(`corenet_rw_ppp_dev',`
+ ')
+ 
+ ########################################
+@@ -2049,6 +2676,25 @@ interface(`corenet_rw_ppp_dev',`
  
  ########################################
  ## <summary>
@@ -4729,7 +4801,7 @@ index 07126bd..d6ec4a8 100644
  ##	Bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2068,6 +2696,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2714,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
  
  ########################################
  ## <summary>
@@ -4754,7 +4826,7 @@ index 07126bd..d6ec4a8 100644
  ##	Do not audit attempts to bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2194,6 +2840,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2858,25 @@ interface(`corenet_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -4780,7 +4852,7 @@ index 07126bd..d6ec4a8 100644
  ##	Receive TCP packets from a NetLabel connection.
  ## </summary>
  ## <param name="domain">
-@@ -2213,7 +2878,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,7 +2896,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -4789,7 +4861,7 @@ index 07126bd..d6ec4a8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2221,10 +2886,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2221,10 +2904,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  ##	</summary>
  ## </param>
  #
@@ -4807,7 +4879,7 @@ index 07126bd..d6ec4a8 100644
  	# XXX - at some point the oubound/send access check will be removed
  	# but for right now we need to keep this in place so as not to break
  	# older systems
-@@ -2249,6 +2919,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2937,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -4834,7 +4906,7 @@ index 07126bd..d6ec4a8 100644
  ##	Do not audit attempts to receive TCP packets from a NetLabel
  ##	connection.
  ## </summary>
-@@ -2269,6 +2959,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2977,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -4862,7 +4934,7 @@ index 07126bd..d6ec4a8 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2533,15 +3244,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,15 +3262,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
  ## <infoflow type="read" weight="10"/>
  #
  interface(`corenet_all_recvfrom_unlabeled',`
@@ -4882,7 +4954,7 @@ index 07126bd..d6ec4a8 100644
  ')
  
  ########################################
-@@ -2567,11 +3273,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
+@@ -2567,11 +3291,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
  #
  interface(`corenet_all_recvfrom_netlabel',`
  	gen_require(`
@@ -4920,7 +4992,7 @@ index 07126bd..d6ec4a8 100644
  ')
  
  ########################################
-@@ -2585,6 +3314,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3332,7 @@ interface(`corenet_all_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@@ -4928,7 +5000,7 @@ index 07126bd..d6ec4a8 100644
  	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
  	kernel_dontaudit_udp_recvfrom_unlabeled($1)
  	kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3343,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3361,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
  	')
  
  	dontaudit $1 netlabel_peer_t:peer recv;
@@ -4965,7 +5037,7 @@ index 07126bd..d6ec4a8 100644
  ')
  
  ########################################
-@@ -2727,6 +3485,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3503,7 @@ interface(`corenet_raw_recvfrom_labeled',`
  ## </param>
  #
  interface(`corenet_all_recvfrom_labeled',`
@@ -4973,7 +5045,7 @@ index 07126bd..d6ec4a8 100644
  	corenet_tcp_recvfrom_labeled($1, $2)
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3893,53 @@ interface(`corenet_unconfined',`
+@@ -3134,3 +3911,53 @@ interface(`corenet_unconfined',`
  
  	typeattribute $1 corenet_unconfined_type;
  ')
@@ -12225,7 +12297,7 @@ index cda5588..3035829 100644
 +/var/run/[^/]*/gvfs		-d	gen_context(system_u:object_r:fusefs_t,s0)
 +/var/run/[^/]*/gvfs/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..0776923 100644
+index 8416beb..7170125 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -12959,7 +13031,34 @@ index 8416beb..0776923 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2741,7 +3258,7 @@ interface(`fs_search_removable',`
+@@ -2719,6 +3236,26 @@ interface(`fs_search_rpc',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to list removable storage directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_list_pstorefs',`
++	gen_require(`
++		type pstorefs_t;
++	')
++
++	allow $1 pstorefs_t:dir list_dir_perms;
++')
++
++
++
++########################################
++## <summary>
+ ##	Search removable storage directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -2741,7 +3278,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
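Review bot: The documentation block for the new `fs_list_pstorefs` interface does not describe what it does: the summary says `##	Do not audit attempts to list removable storage directories.` and the parameter is `##	Domain to not audit.`, but the body is an `allow $1 pstorefs_t:dir list_dir_perms;` grant, not a dontaudit, and it concerns pstorefs rather than removable media. The text looks copied from a neighbouring dontaudit interface; it should become `##	List the contents of pstore filesystem directories.` with the parameter `##	Domain allowed access.`, since callers (and anyone auditing who may read crash-dump data in pstore) will rely on the XML summary. The three consecutive blank lines after the closing `')` should also be collapsed to the single blank line used between the other interfaces.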
@@ -12968,7 +13067,7 @@ index 8416beb..0776923 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +3294,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3314,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -12977,7 +13076,7 @@ index 8416beb..0776923 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +3487,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3507,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -12985,7 +13084,7 @@ index 8416beb..0776923 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,6 +3528,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3548,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -12993,7 +13092,7 @@ index 8416beb..0776923 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3050,6 +3569,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3589,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -13001,7 +13100,7 @@ index 8416beb..0776923 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3263,6 +3783,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3803,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -13026,7 +13125,7 @@ index 8416beb..0776923 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3283,6 +3821,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3841,24 @@ interface(`fs_rw_nfsd_fs',`
  
  ########################################
  ## <summary>
@@ -13051,7 +13150,7 @@ index 8416beb..0776923 100644
  ##	Allow the type to associate to ramfs filesystems.
  ## </summary>
  ## <param name="type">
-@@ -3392,7 +3948,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +3968,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -13060,7 +13159,7 @@ index 8416beb..0776923 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +3985,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4005,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -13069,7 +13168,7 @@ index 8416beb..0776923 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4003,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4023,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -13078,7 +13177,7 @@ index 8416beb..0776923 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3815,6 +4371,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4391,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -13103,7 +13202,7 @@ index 8416beb..0776923 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3908,7 +4482,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +4502,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  
  ########################################
  ## <summary>
@@ -13112,7 +13211,7 @@ index 8416beb..0776923 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,17 +4490,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +4510,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -13133,7 +13232,7 @@ index 8416beb..0776923 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3934,17 +4508,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +4528,17 @@ interface(`fs_mounton_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -13154,7 +13253,7 @@ index 8416beb..0776923 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +4526,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +4546,36 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -13194,7 +13293,7 @@ index 8416beb..0776923 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +4563,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +4583,48 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -13250,7 +13349,7 @@ index 8416beb..0776923 100644
  ')
  
  ########################################
-@@ -4105,7 +4715,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +4735,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -13259,7 +13358,7 @@ index 8416beb..0776923 100644
  ')
  
  ########################################
-@@ -4165,6 +4775,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +4795,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -13284,7 +13383,7 @@ index 8416beb..0776923 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +4830,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +4850,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
@@ -13293,7 +13392,7 @@ index 8416beb..0776923 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4221,6 +4849,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +4869,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -13354,7 +13453,7 @@ index 8416beb..0776923 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4278,6 +4960,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +4980,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
  
  ########################################
  ## <summary>
@@ -13399,7 +13498,7 @@ index 8416beb..0776923 100644
  ##	Read and write, create and delete generic
  ##	files on tmpfs filesystems.
  ## </summary>
-@@ -4297,6 +5017,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5037,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -13425,7 +13524,7 @@ index 8416beb..0776923 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4503,6 +5242,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5262,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -13434,7 +13533,7 @@ index 8416beb..0776923 100644
  ')
  
  ########################################
-@@ -4549,7 +5290,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5310,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -13443,7 +13542,7 @@ index 8416beb..0776923 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +5337,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5357,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -13470,7 +13569,7 @@ index 8416beb..0776923 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +5673,43 @@ interface(`fs_unconfined',`
+@@ -4912,3 +5693,43 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -13649,7 +13748,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..cc924ae 100644
+index 649e458..d47750f 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -13965,7 +14064,7 @@ index 649e458..cc924ae 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2975,5 +3163,299 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -14028,6 +14127,7 @@ index 649e458..cc924ae 100644
 +    ')
 +
 +    allow $1 kernel_t:unix_stream_socket rw_socket_perms;
++    allow $1 kernel_t:fd use;
 +')
 +
 +########################################
@@ -19896,7 +19996,7 @@ index fe0c682..871b8fd 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..b87b076 100644
+index 5fc0391..994eec2 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -20129,7 +20229,7 @@ index 5fc0391..b87b076 100644
  
  files_read_etc_files(ssh_keysign_t)
  
-@@ -223,33 +248,50 @@ optional_policy(`
+@@ -223,33 +248,53 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -20145,6 +20245,9 @@ index 5fc0391..b87b076 100644
  
 +files_search_all(sshd_t)
 +
++fs_search_cgroup_dirs(sshd_t)
++fs_rw_cgroup_files(sshd_t)
++
  term_use_all_ptys(sshd_t)
  term_setattr_all_ptys(sshd_t)
 +term_setattr_all_ttys(sshd_t)
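Review bot: `fs_rw_cgroup_files(sshd_t)` gives every sshd instance write access to cgroup control files, and the hunk carries no comment saying why; the commit message suggests it is for SSH logins into OpenShift Enterprise nodes. Because the two new calls are unconditional in ssh.te, hosts that never run OpenShift also receive them, so consider placing them in an `optional_policy(` block tied to the openshift module (or behind a tunable) and adding `# needed for SSH logins into OpenShift Enterprise nodes` above them. The sshd_t policy section this belongs to begins and ends outside the hunk.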
@@ -20189,7 +20292,7 @@ index 5fc0391..b87b076 100644
  ')
  
  optional_policy(`
-@@ -257,11 +299,24 @@ optional_policy(`
+@@ -257,11 +302,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20215,7 +20318,7 @@ index 5fc0391..b87b076 100644
  ')
  
  optional_policy(`
-@@ -269,6 +324,10 @@ optional_policy(`
+@@ -269,6 +327,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20226,7 +20329,7 @@ index 5fc0391..b87b076 100644
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -279,13 +338,69 @@ optional_policy(`
+@@ -279,13 +341,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20296,7 +20399,7 @@ index 5fc0391..b87b076 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -294,19 +409,26 @@ optional_policy(`
+@@ -294,19 +412,26 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -20324,7 +20427,7 @@ index 5fc0391..b87b076 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +445,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +448,12 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -20337,7 +20440,7 @@ index 5fc0391..b87b076 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +459,138 @@ optional_policy(`
+@@ -331,3 +462,138 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -22179,7 +22282,7 @@ index 6bf0ecc..f0080ba 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..cb2c21b 100644
+index 2696452..4690551 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,57 @@ gen_require(`
@@ -23228,7 +23331,7 @@ index 2696452..cb2c21b 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1142,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -23238,6 +23341,7 @@ index 2696452..cb2c21b 100644
  # raw memory access is needed if not using the frame buffer
  dev_read_raw_memory(xserver_t)
  dev_wx_raw_memory(xserver_t)
++dev_read_urand(xserver_t)
  # for other device nodes such as the NVidia binary-only driver
 -dev_rw_xserver_misc(xserver_t)
 +dev_manage_xserver_misc(xserver_t)
@@ -23259,7 +23363,7 @@ index 2696452..cb2c21b 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1173,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23277,7 +23381,7 @@ index 2696452..cb2c21b 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1196,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1197,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -23301,7 +23405,7 @@ index 2696452..cb2c21b 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1215,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -23310,7 +23414,7 @@ index 2696452..cb2c21b 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1259,44 @@ optional_policy(`
+@@ -775,16 +1260,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23356,7 +23460,7 @@ index 2696452..cb2c21b 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1305,10 @@ optional_policy(`
+@@ -793,6 +1306,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23367,7 +23471,7 @@ index 2696452..cb2c21b 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1324,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -23381,7 +23485,7 @@ index 2696452..cb2c21b 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1335,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -23390,7 +23494,7 @@ index 2696452..cb2c21b 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1348,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1349,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23425,7 +23529,7 @@ index 2696452..cb2c21b 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1413,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23434,7 +23538,7 @@ index 2696452..cb2c21b 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1467,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -23466,7 +23570,7 @@ index 2696452..cb2c21b 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1513,41 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1514,41 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -28294,7 +28398,7 @@ index 0d4c8d3..a89c4a2 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..35992c7 100644
+index 9e54bf9..b6e9ebc 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28377,20 +28481,30 @@ index 9e54bf9..35992c7 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -187,9 +197,9 @@ optional_policy(`
+@@ -187,10 +197,10 @@ optional_policy(`
  # ipsec_mgmt Local policy
  #
  
 -allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
 -dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
 -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
+-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 +allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
 +dontaudit ipsec_mgmt_t self:capability sys_tty_config;
 +allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
- allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
++allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -246,6 +256,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+ allow ipsec_mgmt_t self:key_socket create_socket_perms;
+@@ -210,6 +220,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+ files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
+ 
+ manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
++manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+ manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+ 
+ allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
+@@ -246,6 +257,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -28407,7 +28521,7 @@ index 9e54bf9..35992c7 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +275,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +276,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -28416,7 +28530,7 @@ index 9e54bf9..35992c7 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -278,9 +300,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +301,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -28428,7 +28542,7 @@ index 9e54bf9..35992c7 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +313,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +314,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
  logging_send_syslog_msg(ipsec_mgmt_t)
  
@@ -28441,6 +28555,8 @@ index 9e54bf9..35992c7 100644
  sysnet_etc_filetrans_config(ipsec_mgmt_t)
  
 -userdom_use_user_terminals(ipsec_mgmt_t)
++systemd_exec_systemctl(ipsec_mgmt_t)
++
 +userdom_use_inherited_user_terminals(ipsec_mgmt_t)
 +
 +optional_policy(`
@@ -28450,7 +28566,7 @@ index 9e54bf9..35992c7 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -370,13 +394,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +397,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -28470,7 +28586,7 @@ index 9e54bf9..35992c7 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +424,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +427,11 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -28483,7 +28599,7 @@ index 9e54bf9..35992c7 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +462,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +465,9 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -28583,7 +28699,7 @@ index c42fbc3..174cfdb 100644
  ## <summary>
  ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..aa4d8fc 100644
+index 5dfa44b..022d91d 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -28665,7 +28781,7 @@ index 5dfa44b..aa4d8fc 100644
  userdom_use_all_users_fds(iptables_t)
  
  ifdef(`hide_broken_symptoms',`
-@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,11 +104,14 @@ ifdef(`hide_broken_symptoms',`
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
@@ -28674,7 +28790,13 @@ index 5dfa44b..aa4d8fc 100644
  ')
  
  optional_policy(`
-@@ -124,6 +128,7 @@ optional_policy(`
+ 	firstboot_use_fds(iptables_t)
+ 	firstboot_rw_pipes(iptables_t)
++	firewalld_dontaudit_write_tmp_files(iptables_t)
+ ')
+ 
+ optional_policy(`
+@@ -124,6 +129,7 @@ optional_policy(`
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
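Review bot: `firewalld_dontaudit_write_tmp_files(iptables_t)` is added inside the `optional_policy` block whose other members are `firstboot_use_fds` and `firstboot_rw_pipes`, so, judging from the visible context, it is gated on the firstboot module rather than on firewalld. With optional_policy semantics that means the whole block, firstboot rules included, is dropped whenever the firewalld module (which the interface's `gen_require` of `firewalld_tmp_t` needs) is not loaded, and the dontaudit is lost whenever firstboot is not loaded. Give it its own block: `optional_policy(` / `	firewalld_dontaudit_write_tmp_files(iptables_t)` / `')`. The opening line of the enclosing optional_policy block is outside the hunk.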
@@ -28682,7 +28804,7 @@ index 5dfa44b..aa4d8fc 100644
  ')
  
  optional_policy(`
-@@ -135,9 +140,9 @@ optional_policy(`
+@@ -135,9 +141,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41933,7 +42055,7 @@ index 3c5dba7..08ce1e5 100644
 +    userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
  ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..77626dd 100644
+index e2b538b..211263f 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -42021,7 +42143,7 @@ index e2b538b..77626dd 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +82,222 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +82,226 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -42089,6 +42211,10 @@ index e2b538b..77626dd 100644
 +')
 +
 +optional_policy(`
++	gssproxy_stream_connect(userdomain)
++')
++
++optional_policy(`
 +	gnome_filetrans_home_content(userdomain)
 +')
 +
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 407bc60..f091d89 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,8 +1,8 @@
 diff --git a/abrt.fc b/abrt.fc
-index e4f84de..ad5a65f 100644
+index e4f84de..4e4cbd4 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,30 +1,39 @@
+@@ -1,30 +1,40 @@
 -/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
 -/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 +/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -15,6 +15,7 @@ index e4f84de..ad5a65f 100644
 +/usr/lib/systemd/system/abrt.*	--	gen_context(system_u:object_r:abrt_unit_file_t,s0)
 +
 +/usr/bin/abrt-dump-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-uefioops-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
 +/usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 +/usr/bin/abrt-watch-log         --      gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
 +
@@ -517,7 +518,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..ffbe9e5 100644
+index cc43d25..5e60ff3 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -666,7 +667,8 @@ index cc43d25..ffbe9e5 100644
 +# abrt local policy
  #
  
- allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
  dontaudit abrt_t self:capability sys_rawio;
  allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
 +
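Review bot: `sys_ptrace` is added to abrt_t's capability set with no comment on which operation needs it; CAP_SYS_PTRACE is one of the broader capabilities in the set and this is the line a later audit will stop on. Record the trigger next to it, e.g. `# sys_ptrace: <operation that was denied>, see <bug reference>`, so the grant can be re-evaluated rather than carried forward by inertia. The abrt_t local policy section continues outside the hunk.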
@@ -939,7 +941,7 @@ index cc43d25..ffbe9e5 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,30 +410,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +410,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -981,8 +983,10 @@ index cc43d25..ffbe9e5 100644
  kernel_read_kernel_sysctls(abrt_dump_oops_t)
  kernel_read_ring_buffer(abrt_dump_oops_t)
  
-@@ -384,14 +450,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+ domain_use_interactive_fds(abrt_dump_oops_t)
+ 
  fs_list_inotifyfs(abrt_dump_oops_t)
++fs_list_pstorefs(abrt_dump_oops_t)
  
  logging_read_generic_logs(abrt_dump_oops_t)
 +logging_send_syslog_msg(abrt_dump_oops_t)
@@ -999,7 +1003,7 @@ index cc43d25..ffbe9e5 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +467,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +468,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -10385,10 +10389,10 @@ index 0000000..5977d96
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..ba0a059
+index 0000000..f4a8884
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,237 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -10596,6 +10600,7 @@ index 0000000..ba0a059
 +
 +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
 +ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
 +
 +manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
 +manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
@@ -12168,7 +12173,7 @@ index 8e27a37..825f537 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/colord.te b/colord.te
-index 09f18e2..f0cade4 100644
+index 09f18e2..9d70983 100644
 --- a/colord.te
 +++ b/colord.te
 @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@@ -12219,8 +12224,9 @@ index 09f18e2..f0cade4 100644
  files_list_mnt(colord_t)
 -files_read_usr_files(colord_t)
  
- fs_getattr_noxattr_fs(colord_t)
+-fs_getattr_noxattr_fs(colord_t)
 -fs_getattr_tmpfs(colord_t)
++fs_getattr_all_fs(colord_t)
  fs_list_noxattr_fs(colord_t)
  fs_read_noxattr_fs_files(colord_t)
  fs_search_all(colord_t)
@@ -22900,7 +22906,7 @@ index 21d7b84..0e272bd 100644
  
  /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
 diff --git a/firewalld.if b/firewalld.if
-index 5cf6ac6..839999e 100644
+index 5cf6ac6..62547ee 100644
 --- a/firewalld.if
 +++ b/firewalld.if
 @@ -2,6 +2,66 @@
@@ -22970,18 +22976,37 @@ index 5cf6ac6..839999e 100644
  ##	Send and receive messages from
  ##	firewalld over dbus.
  ## </summary>
-@@ -23,8 +83,8 @@ interface(`firewalld_dbus_chat',`
+@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',`
  
  ########################################
  ## <summary>
 -##	All of the rules required to
 -##	administrate an firewalld environment.
++##	Dontaudit attempts to write
++##	firewalld tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`firewalld_dontaudit_write_tmp_files',`
++	gen_require(`
++		type firewalld_tmp_t;
++	')
++
++	dontaudit $1 firewalld_tmp_t:file write;
++')
++
++########################################
++## <summary>
 +##	All of the rules required to administrate
 +##	an firewalld environment
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -45,10 +105,14 @@ interface(`firewalld_admin',`
+@@ -45,10 +124,14 @@ interface(`firewalld_admin',`
  		type firewalld_var_log_t;
  	')
  
@@ -22998,7 +23023,7 @@ index 5cf6ac6..839999e 100644
  	domain_system_change_exemption($1)
  	role_transition $2 firewalld_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -59,6 +123,9 @@ interface(`firewalld_admin',`
+@@ -59,6 +142,9 @@ interface(`firewalld_admin',`
  	logging_search_logs($1)
  	admin_pattern($1, firewalld_var_log_t)
  
@@ -28202,6 +28227,298 @@ index 25f09ae..3085534 100644
  optional_policy(`
  	chronyd_rw_shm(gpsd_t)
  	chronyd_stream_connect(gpsd_t)
+diff --git a/gssproxy.fc b/gssproxy.fc
+new file mode 100644
+index 0000000..404ae4f
+--- /dev/null
++++ b/gssproxy.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/gssproxy.service		--	gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
++
++/usr/sbin/gssproxy		--	gen_context(system_u:object_r:gssproxy_exec_t,s0)
++
++/var/lib/gssproxy(/.*)?		gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
++
++/var/run/gssproxy.pid		--	gen_context(system_u:object_r:gssproxy_var_run_t,s0)
+diff --git a/gssproxy.if b/gssproxy.if
+new file mode 100644
+index 0000000..072ddb0
+--- /dev/null
++++ b/gssproxy.if
+@@ -0,0 +1,203 @@
++
++## <summary>policy for gssproxy</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the gssproxy domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`gssproxy_domtrans',`
++	gen_require(`
++		type gssproxy_t, gssproxy_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
++')
++
++########################################
++## <summary>
++##	Search gssproxy lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gssproxy_search_lib',`
++	gen_require(`
++		type gssproxy_var_lib_t;
++	')
++
++	allow $1 gssproxy_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read gssproxy lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gssproxy_read_lib_files',`
++	gen_require(`
++		type gssproxy_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage gssproxy lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gssproxy_manage_lib_files',`
++	gen_require(`
++		type gssproxy_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage gssproxy lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gssproxy_manage_lib_dirs',`
++	gen_require(`
++		type gssproxy_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read gssproxy PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gssproxy_read_pid_files',`
++	gen_require(`
++		type gssproxy_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute gssproxy server in the gssproxy domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`gssproxy_systemctl',`
++	gen_require(`
++		type gssproxy_t;
++		type gssproxy_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_password_run($1)
++	allow $1 gssproxy_unit_file_t:file read_file_perms;
++	allow $1 gssproxy_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, gssproxy_t)
++')
++
++########################################
++## <summary>
++##	Connect to gssproxy over an unix
++##	domain stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gssproxy_stream_connect',`
++	gen_require(`
++		type gssproxy_t, gssproxy_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an gssproxy environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`gssproxy_admin',`
++	gen_require(`
++		type gssproxy_t;
++		type gssproxy_var_lib_t;
++		type gssproxy_var_run_t;
++	type gssproxy_unit_file_t;
++	')
++
++	allow $1 gssproxy_t:process { ptrace signal_perms };
++	ps_process_pattern($1, gssproxy_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, gssproxy_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, gssproxy_var_run_t)
++
++	gssproxy_systemctl($1)
++	admin_pattern($1, gssproxy_unit_file_t)
++	allow $1 gssproxy_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/gssproxy.te b/gssproxy.te
+new file mode 100644
+index 0000000..6f0253c
+--- /dev/null
++++ b/gssproxy.te
+@@ -0,0 +1,64 @@
++policy_module(gssproxy, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gssproxy_t;
++type gssproxy_exec_t;
++init_daemon_domain(gssproxy_t, gssproxy_exec_t)
++
++type gssproxy_var_lib_t;
++files_type(gssproxy_var_lib_t)
++
++type gssproxy_var_run_t;
++files_pid_file(gssproxy_var_run_t)
++
++type gssproxy_unit_file_t;
++systemd_unit_file(gssproxy_unit_file_t)
++
++########################################
++#
++# gssproxy local policy
++#
++allow gssproxy_t self:capability2 block_suspend;
++allow gssproxy_t self:fifo_file rw_fifo_file_perms;
++allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
++manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
++manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
++files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file })
++
++kernel_rw_rpc_sysctls(gssproxy_t)
++
++domain_use_interactive_fds(gssproxy_t)
++
++files_read_etc_files(gssproxy_t)
++
++auth_use_nsswitch(gssproxy_t)
++
++dev_read_urand(gssproxy_t)
++
++logging_send_syslog_msg(gssproxy_t)
++
++miscfiles_read_localization(gssproxy_t)
++
++userdom_manage_user_tmp_dirs(gssproxy_t)
++userdom_manage_user_tmp_files(gssproxy_t)
++
++optional_policy(`
++	kerberos_use(gssproxy_t)
++')
++
++optional_policy(`
++	kerberos_keytab_template(gssproxy, gssproxy_t)
++	kerberos_manage_host_rcache(gssproxy_t)
++')
 diff --git a/guest.te b/guest.te
 index d928711..93d2d83 100644
 --- a/guest.te
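Review bot: `gssproxy_stream_connect` in gssproxy.if connects through sock files of type `gssproxy_var_run_t`, but nothing in the new gssproxy.fc labels a socket under /var/run, and gssproxy.te gives gssproxy_t `manage_sock_files_pattern` only on `gssproxy_var_lib_t` with `files_pid_filetrans` limited to `{ dir file lnk_file }`, so the interface is unlikely to match the socket gssproxy actually creates. If the socket lives under /var/lib/gssproxy, point the interface at the lib type (`files_search_var_lib($1)` / `stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)`); otherwise add `sock_file` to the pid filetrans and a sock_file pattern on `gssproxy_var_run_t`. The same file calls `systemd_read_fifo_file_password_run` in `gssproxy_systemctl` but `systemd_read_fifo_file_passwd_run` in `gssproxy_admin`; unless both exist in systemd.if, one of them will not resolve, so the two should agree. The `gssproxy_domtrans` summary still reads `Execute TEMPLATE in the gssproxy domin.` and the `gssproxy_systemctl` summary describes a domain transition rather than systemctl access. The userdomain.te hunk that adds `gssproxy_stream_connect(userdomain)` depends on the same socket-labelling fix.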
@@ -48498,10 +48815,10 @@ index 0000000..f2d6119
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..0dd82f8
+index 0000000..6c841fa
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,656 @@
+@@ -0,0 +1,676 @@
 +
 +## <summary> policy for openshift </summary>
 +
@@ -48740,7 +49057,27 @@ index 0000000..0dd82f8
 +		type openshift_var_lib_t;
 +	')
 +
-+	allow $1 openshift_var_lib_t:dir search_dir_perms;
++    search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++    getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Getattr openshift lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_getattr_lib',`
++	gen_require(`
++		type openshift_var_lib_t;
++	')
++
++    getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
 +	files_search_var_lib($1)
 +')
 +
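Review bot: The two new pattern lines in `openshift_search_lib` and the one in `openshift_getattr_lib` are indented with four spaces while the adjacent `files_search_var_lib($1)` lines and the rest of the interface bodies use tabs; the ppp.te hunk's `gnome_dontaudit_search_config(pppd_t)` has the same four-space indent. Beyond style, `openshift_search_lib` now also grants `getattr_files_pattern` on `openshift_var_lib_t`, which is more than a search interface; its summary sits above the hunk and presumably still describes only searching, so it should say something like `##	Search openshift lib directories and getattr the files in them.`, or callers needing only search should keep the narrower access. The head of `openshift_search_lib` is outside the hunk.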
@@ -48986,7 +49323,7 @@ index 0000000..0dd82f8
 +##	</summary>
 +## </param>
 +#
-+template(`openshift_net_type',`
++interface(`openshift_net_type',`
 +	gen_require(`
 +		attribute openshift_net_domain;
 +	')
@@ -57211,7 +57548,7 @@ index cd8b8b9..cde0d62 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ppp.te b/ppp.te
-index b2b5dba..49bdf0d 100644
+index b2b5dba..7b8a7d1 100644
 --- a/ppp.te
 +++ b/ppp.te
 @@ -1,4 +1,4 @@
@@ -57402,14 +57739,14 @@ index b2b5dba..49bdf0d 100644
  
 -fs_getattr_all_fs(pppd_t)
 -fs_search_auto_mountpoints(pppd_t)
--
++# for scripts
+ 
 -term_use_unallocated_ttys(pppd_t)
 -term_setattr_unallocated_ttys(pppd_t)
 -term_ioctl_generic_ptys(pppd_t)
 -term_create_pty(pppd_t, pppd_devpts_t)
 -term_use_generic_ptys(pppd_t)
-+# for scripts
- 
+-
 -init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
  init_read_utmp(pppd_t)
 -init_signal_script(pppd_t)
@@ -57551,6 +57888,17 @@ index b2b5dba..49bdf0d 100644
  sysnet_exec_ifconfig(pptp_t)
  
  userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+@@ -299,6 +318,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    gnome_dontaudit_search_config(pppd_t)
++')
++
++optional_policy(`
+ 	dbus_system_domain(pppd_t, pppd_exec_t)
+ 
+ 	optional_policy(`
 diff --git a/prelink.fc b/prelink.fc
 index a90d623..62af9a4 100644
 --- a/prelink.fc
@@ -69772,7 +70120,7 @@ index 0628d50..84f2fd7 100644
 +	allow rpm_script_t $1:process sigchld;
  ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..decdd95 100644
+index 5cbe81c..f79d5f4 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -69830,7 +70178,13 @@ index 5cbe81c..decdd95 100644
  
  type rpm_script_tmp_t;
  files_tmp_file(rpm_script_tmp_t)
-@@ -75,23 +69,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec
+@@ -70,28 +64,34 @@ files_tmpfs_file(rpm_script_tmpfs_t)
+ # rpm Local policy
+ #
+ 
++allow rpm_t self:capability2 block_suspend;
+ allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
  allow rpm_t self:process { getattr setexec setfscreate setrlimit };
  allow rpm_t self:fd use;
  allow rpm_t self:fifo_file rw_fifo_file_perms;
@@ -69864,7 +70218,7 @@ index 5cbe81c..decdd95 100644
  
  manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
  manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
-@@ -99,23 +98,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+@@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
  manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
  manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
  fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -69892,7 +70246,7 @@ index 5cbe81c..decdd95 100644
  
  kernel_read_crypto_sysctls(rpm_t)
  kernel_read_network_state(rpm_t)
-@@ -126,41 +121,34 @@ kernel_rw_irq_sysctls(rpm_t)
+@@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t)
  
  corecmd_exec_all_executables(rpm_t)
  
@@ -69948,7 +70302,7 @@ index 5cbe81c..decdd95 100644
  
  fs_getattr_all_dirs(rpm_t)
  fs_list_inotifyfs(rpm_t)
-@@ -183,29 +171,49 @@ selinux_compute_relabel_context(rpm_t)
+@@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t)
  selinux_compute_user_contexts(rpm_t)
  
  storage_raw_write_fixed_disk(rpm_t)
@@ -70000,7 +70354,7 @@ index 5cbe81c..decdd95 100644
  userdom_use_unpriv_users_fds(rpm_t)
  
  optional_policy(`
-@@ -224,13 +232,17 @@ optional_policy(`
+@@ -224,13 +233,17 @@ optional_policy(`
  		networkmanager_dbus_chat(rpm_t)
  	')
  
@@ -70022,7 +70376,7 @@ index 5cbe81c..decdd95 100644
  ')
  
  ########################################
-@@ -239,19 +251,20 @@ optional_policy(`
+@@ -239,19 +252,20 @@ optional_policy(`
  #
  
  allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
@@ -70046,7 +70400,7 @@ index 5cbe81c..decdd95 100644
  allow rpm_script_t rpm_tmp_t:file read_file_perms;
  
  allow rpm_script_t rpm_script_tmp_t:dir mounton;
-@@ -267,8 +280,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -267,8 +281,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
  manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
  manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
  fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -70057,7 +70411,7 @@ index 5cbe81c..decdd95 100644
  
  kernel_read_crypto_sysctls(rpm_script_t)
  kernel_read_kernel_sysctls(rpm_script_t)
-@@ -277,45 +291,27 @@ kernel_read_network_state(rpm_script_t)
+@@ -277,45 +292,27 @@ kernel_read_network_state(rpm_script_t)
  kernel_list_all_proc(rpm_script_t)
  kernel_read_software_raid_state(rpm_script_t)
  
@@ -70107,7 +70461,7 @@ index 5cbe81c..decdd95 100644
  mls_file_read_all_levels(rpm_script_t)
  mls_file_write_all_levels(rpm_script_t)
  
-@@ -331,30 +327,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +328,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -70165,7 +70519,7 @@ index 5cbe81c..decdd95 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,40 +377,54 @@ ifdef(`distro_redhat',`
+@@ -363,40 +378,54 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -70230,7 +70584,7 @@ index 5cbe81c..decdd95 100644
  	unconfined_domtrans(rpm_script_t)
  
  	optional_policy(`
-@@ -409,6 +437,6 @@ optional_policy(`
+@@ -409,6 +438,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -87519,7 +87873,7 @@ index 9dec06c..7877729 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..4d026c1 100644
+index 1f22fba..a8390d3 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,98 @@
@@ -88168,7 +88522,7 @@ index 1f22fba..4d026c1 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,24 +352,15 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +352,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -88190,12 +88544,13 @@ index 1f22fba..4d026c1 100644
 -corenet_tcp_sendrecv_soundd_port(virtd_t)
 -
  corenet_rw_tun_tap_dev(virtd_t)
++corenet_relabel_tun_tap_dev(virtd_t)
  
 +dev_rw_vfio_dev(virtd_t)
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
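Review bot: `corenet_relabel_tun_tap_dev(virtd_t)` is added without being listed in the commit message or changelog, and relabel rights on the shared tun/tap device node are a step beyond the read/write access granted on the line above, so the use case should be recorded. A comment such as `# relabel of tun/tap device needed for: <reason — fill in from the triggering denial>` directly above the new line would help whoever reviews virtd_t's device access later. The virtd_t policy block extends beyond this hunk in both directions.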
-@@ -548,22 +371,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +372,23 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -88224,7 +88579,7 @@ index 1f22fba..4d026c1 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +418,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +419,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -88244,7 +88599,7 @@ index 1f22fba..4d026c1 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +440,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -88279,7 +88634,7 @@ index 1f22fba..4d026c1 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +466,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -88288,7 +88643,7 @@ index 1f22fba..4d026c1 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -658,95 +491,321 @@ optional_policy(`
+@@ -658,95 +492,321 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -88658,7 +89013,7 @@ index 1f22fba..4d026c1 100644
  
  manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +817,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +818,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -88688,7 +89043,7 @@ index 1f22fba..4d026c1 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +836,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +837,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -88715,7 +89070,7 @@ index 1f22fba..4d026c1 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +856,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +857,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -88747,7 +89102,7 @@ index 1f22fba..4d026c1 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +889,20 @@ optional_policy(`
+@@ -847,14 +890,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -88769,7 +89124,7 @@ index 1f22fba..4d026c1 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,34 +927,44 @@ optional_policy(`
+@@ -879,34 +928,44 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -88823,7 +89178,7 @@ index 1f22fba..4d026c1 100644
  
  manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +974,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +975,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
  allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -88841,7 +89196,7 @@ index 1f22fba..4d026c1 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +996,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +997,8 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -88852,7 +89207,7 @@ index 1f22fba..4d026c1 100644
  files_relabel_rootfs(virtd_lxc_t)
  files_mounton_non_security(virtd_lxc_t)
  files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1005,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1006,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
  files_list_isid_type_dirs(virtd_lxc_t)
  files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
  
@@ -88860,7 +89215,7 @@ index 1f22fba..4d026c1 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1017,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1018,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -88879,7 +89234,7 @@ index 1f22fba..4d026c1 100644
  
  term_use_generic_ptys(virtd_lxc_t)
  term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1031,36 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1032,36 @@ auth_use_nsswitch(virtd_lxc_t)
  
  logging_send_syslog_msg(virtd_lxc_t)
  
@@ -88924,7 +89279,7 @@ index 1f22fba..4d026c1 100644
  allow svirt_lxc_domain self:fifo_file manage_file_perms;
  allow svirt_lxc_domain self:sem create_sem_perms;
  allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1068,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1069,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
  allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
  allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
  
@@ -88951,7 +89306,7 @@ index 1f22fba..4d026c1 100644
  
  manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1086,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1087,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -88970,7 +89325,7 @@ index 1f22fba..4d026c1 100644
  kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
  
  corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1105,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1106,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
  files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
  files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
  files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -88997,7 +89352,7 @@ index 1f22fba..4d026c1 100644
  auth_dontaudit_read_login_records(svirt_lxc_domain)
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1130,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1131,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
  
  libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
  
@@ -89136,7 +89491,7 @@ index 1f22fba..4d026c1 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1228,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1229,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -89151,7 +89506,7 @@ index 1f22fba..4d026c1 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1246,8 @@ optional_policy(`
+@@ -1183,9 +1247,8 @@ optional_policy(`
  
  ########################################
  #
@@ -89162,7 +89517,7 @@ index 1f22fba..4d026c1 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1260,114 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1261,114 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 24da236..e7e810d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 47%{?dist}
+Release: 48%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,30 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jun 3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-48
+- Fix openshift_search_lib
+- Add support for abrt-uefioops-oops
+- Allow colord to getattr any file system
+- Allow chrome processes to look at each other
+- Allow sys_ptrace for abrt_t
+- Add new policy for gssproxy
+- Dontaudit leaked file descriptor writes from firewalld
+- openshift_net_type is interface not template
+- Dontaudit pppd to search gnome config
+- Update openshift_search_lib() interface
+- Add fs_list_pstorefs()
+- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18
+- Better labels for raspberry pi devices
+- Allow init to create devpts_t directory
+- Temporarily label rasbery pi devices as memory_device_t, needs back port to f18
+- Allow sysadm_t to build kernels
+- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18
+- Allow userdomains to stream connect to gssproxy
+- Dontaudit leaked file descriptor writes from firewalld
+- Allow xserver to read /dev/urandom
+- Add additional fixes for ipsec-mgmt
+- Make SSHing into an Openshift Enterprise Node working
+
 * Wed May 29 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-47
 - Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime
 - with the proper label.

