[selinux-policy] - Allow setsched for virsh - Systemd needs to impersonate cups, which means it needs to create tcp_s
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Jul 14 16:50:07 UTC 2011
commit 2b7c0552d71bdeab7f282d88f6bb6d6a9efbbe5d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Jul 14 18:49:37 2011 +0200
- Allow setsched for virsh
- Systemd needs to impersonate cups, which means it needs to create tcp_sock
- iptables: the various /sbin/ip6?tables.* are now symlinks to /sbin/xtables-mult
policy-F16.patch | 362 ++++++++++++++++++++++++++++++++-------------------
selinux-policy.spec | 8 +-
2 files changed, 235 insertions(+), 135 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 3556157..111a915 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -857,10 +857,18 @@ index 4f7bd3c..b5c346f 100644
+ #unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..ee8eaf6 100644
+index 7090dae..6eac7b9 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
-@@ -102,6 +102,7 @@ files_read_var_lib_files(logrotate_t)
+@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+ # for /var/lib/logrotate.status and /var/lib/logcheck
+ create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+ manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
++read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+ files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+
+ kernel_read_system_state(logrotate_t)
+@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t)
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
@@ -868,7 +876,7 @@ index 7090dae..ee8eaf6 100644
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
-@@ -116,17 +117,15 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +118,15 @@ miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
@@ -891,7 +899,7 @@ index 7090dae..ee8eaf6 100644
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
-@@ -162,10 +161,20 @@ optional_policy(`
+@@ -162,10 +162,20 @@ optional_policy(`
')
optional_policy(`
@@ -912,7 +920,7 @@ index 7090dae..ee8eaf6 100644
cups_domtrans(logrotate_t)
')
-@@ -203,7 +212,6 @@ optional_policy(`
+@@ -203,7 +213,6 @@ optional_policy(`
psad_domtrans(logrotate_t)
')
@@ -920,7 +928,7 @@ index 7090dae..ee8eaf6 100644
optional_policy(`
samba_exec_log(logrotate_t)
')
-@@ -228,3 +236,14 @@ optional_policy(`
+@@ -228,3 +237,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -1827,7 +1835,7 @@ index b206bf6..bbd902f 100644
/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
-index d33daa8..c76708e 100644
+index d33daa8..8ba0f86 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -13,10 +13,13 @@
@@ -1898,7 +1906,17 @@ index d33daa8..c76708e 100644
## Send and receive messages from
## rpm over dbus.
## </summary>
-@@ -335,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -277,8 +320,7 @@ interface(`rpm_append_log',`
+ type rpm_log_t;
+ ')
+
+- logging_search_logs($1)
+- append_files_pattern($1, rpm_log_t, rpm_log_t)
++ allow $1 rpm_log_t:file append_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -335,7 +377,9 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
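Review bot: The new `rpm_append_log` body grants only `append_inherited_file_perms` on `rpm_log_t`, which, unlike the replaced `logging_search_logs`/`append_files_pattern` pair, does not carry `open` or directory search, so a caller that opens the log file itself will now be denied. The interface's `<summary>` sits above the hunk and should state the narrower contract, e.g. `## Append to an inherited rpm log file descriptor; does not allow opening the log.` The same tightening, with the same undocumented change of contract, is made to `rpm_append_tmp_files` in the next rpm.if hunk and to `sosreport_append_tmp_files` in the sosreport.if hunk. The enclosing interface bodies start outside the hunk.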
@@ -1908,7 +1926,17 @@ index d33daa8..c76708e 100644
')
#####################################
-@@ -375,7 +420,9 @@ interface(`rpm_manage_tmp_files',`
+@@ -354,8 +398,7 @@ interface(`rpm_append_tmp_files',`
+ type rpm_tmp_t;
+ ')
+
+- files_search_tmp($1)
+- append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
++ allow $1 rpm_tmp_t:file append_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -375,7 +418,9 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -1918,7 +1946,7 @@ index d33daa8..c76708e 100644
')
########################################
-@@ -459,6 +506,7 @@ interface(`rpm_read_db',`
+@@ -459,6 +504,7 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -1926,7 +1954,7 @@ index d33daa8..c76708e 100644
')
########################################
-@@ -516,7 +564,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -516,7 +562,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -1935,7 +1963,7 @@ index d33daa8..c76708e 100644
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
-@@ -576,3 +624,66 @@ interface(`rpm_pid_filetrans',`
+@@ -576,3 +622,66 @@ interface(`rpm_pid_filetrans',`
files_pid_filetrans($1, rpm_var_run_t, file)
')
@@ -2489,6 +2517,19 @@ index bc00875..819a10b 100644
dbus_system_bus_client(smoltclient_t)
')
+diff --git a/policy/modules/admin/sosreport.if b/policy/modules/admin/sosreport.if
+index 94c01b5..f64bd93 100644
+--- a/policy/modules/admin/sosreport.if
++++ b/policy/modules/admin/sosreport.if
+@@ -106,7 +106,7 @@ interface(`sosreport_append_tmp_files',`
+ type sosreport_tmp_t;
+ ')
+
+- append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
++ allow $1 sosreport_tmp_t:file append_inherited_file_perms;
+ ')
+
+ ########################################
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
index fe1c377..7660180 100644
--- a/policy/modules/admin/sosreport.te
@@ -3863,10 +3904,10 @@ index 00a19e3..d5acf98 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..265ff1a 100644
+index f5afe78..718b7ff 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,739 @@
+@@ -1,44 +1,740 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -3976,6 +4017,7 @@ index f5afe78..265ff1a 100644
+
+ optional_policy(`
+ telepathy_mission_control_read_state($1_gkeyringd_t)
++ telepathy_dbus_chat($1_gkeyringd_t)
+ ')
+ ')
+')
@@ -4624,7 +4666,7 @@ index f5afe78..265ff1a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -46,37 +741,36 @@ interface(`gnome_role',`
+@@ -46,37 +742,36 @@ interface(`gnome_role',`
## </summary>
## </param>
#
@@ -4673,7 +4715,7 @@ index f5afe78..265ff1a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +778,42 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +779,42 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -4727,7 +4769,7 @@ index f5afe78..265ff1a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +821,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +822,17 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -4749,7 +4791,7 @@ index f5afe78..265ff1a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +839,359 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +840,354 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -4857,11 +4899,6 @@ index f5afe78..265ff1a 100644
+## Send and receive messages from
+## gkeyringd over dbus.
+## </summary>
-+## <param name="role_prefix">
-+## <summary>
-+## Role prefix.
-+## </summary>
-+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
@@ -9195,7 +9232,7 @@ index 7590165..9a7ebe5 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
-index 3cfb128..cfeed29 100644
+index 3cfb128..632c30c 100644
--- a/policy/modules/apps/telepathy.if
+++ b/policy/modules/apps/telepathy.if
@@ -11,7 +11,6 @@
@@ -9215,26 +9252,31 @@ index 3cfb128..cfeed29 100644
## </summary>
## <param name="user_role">
## <summary>
-@@ -46,6 +45,7 @@ template(`telepathy_domain_template',`
+@@ -44,8 +43,13 @@ template(`telepathy_domain_template',`
+ ## The type of the user domain.
+ ## </summary>
## </param>
++## <param name="domain_prefix">
++## <summary>
++## User domain prefix to be used.
++## </summary>
++## </param>
#
- template(`telepathy_role', `
-+
+-template(`telepathy_role', `
++template(`telepathy_role',`
gen_require(`
attribute telepathy_domain;
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -78,6 +78,10 @@ template(`telepathy_role', `
+@@ -76,6 +80,8 @@ template(`telepathy_role', `
+ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
+ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
++
++ telepathy_dbus_chat($2)
')
-+ optional_policy(`
-+ telepathy_dbus_chat($2)
-+ ')
-+
########################################
- ## <summary>
- ## Stream connect to Telepathy Gabble
-@@ -179,3 +183,75 @@ interface(`telepathy_salut_stream_connect', `
+@@ -179,3 +185,75 @@ interface(`telepathy_salut_stream_connect', `
stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
files_search_tmp($1)
')
@@ -9311,7 +9353,7 @@ index 3cfb128..cfeed29 100644
+ ')
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..f605e0a 100644
+index 2533ea0..9f6298c 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t)
@@ -9349,7 +9391,19 @@ index 2533ea0..f605e0a 100644
#######################################
#
# Telepathy Idle local policy.
-@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -148,9 +162,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
+
+ manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
++gnome_cache_filetrans(telepathy_logger_t, telepathy_logger_cache_home_t, file)
+
+ manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+ manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
++gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir)
+
+ files_read_etc_files(telepathy_logger_t)
+ files_read_usr_files(telepathy_logger_t)
+@@ -168,6 +184,11 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_logger_t)
')
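Review bot: `gnome_cache_filetrans` and `gnome_data_filetrans` are added to the telepathy_logger_t rules outside any `optional_policy` block, whereas the `gnome_dbus_chat_gkeyringd` call added for telepathy_mission_control_t a few hunks later in the same file is wrapped in one. If the gnome module is not guaranteed to be loaded wherever telepathy is, an unwrapped cross-module call fails at link time with an unresolved interface, so for consistency wrap both filetrans calls in a single `optional_policy(` … `)` block like the gkeyringd call. The surrounding telepathy_logger_t section continues outside the hunk.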
@@ -9361,7 +9415,7 @@ index 2533ea0..f605e0a 100644
#######################################
#
# Telepathy Mission-Control local policy.
-@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -176,6 +197,7 @@ tunable_policy(`use_samba_home_dirs',`
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
@@ -9369,10 +9423,14 @@ index 2533ea0..f605e0a 100644
dev_read_rand(telepathy_mission_control_t)
-@@ -194,6 +214,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -194,6 +216,16 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_mission_control_t)
')
++optional_policy(`
++ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
++')
++
+# ~/.cache/.mc_connections.
+optional_policy(`
+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
@@ -9382,7 +9440,7 @@ index 2533ea0..f605e0a 100644
#######################################
#
# Telepathy Butterfly and Haze local policy.
-@@ -205,8 +231,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +237,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -9394,7 +9452,7 @@ index 2533ea0..f605e0a 100644
corenet_all_recvfrom_netlabel(telepathy_msn_t)
corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -246,6 +275,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +281,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
')
optional_policy(`
@@ -9405,7 +9463,7 @@ index 2533ea0..f605e0a 100644
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
-@@ -365,6 +398,7 @@ dev_read_urand(telepathy_domain)
+@@ -365,6 +404,7 @@ dev_read_urand(telepathy_domain)
kernel_read_system_state(telepathy_domain)
@@ -9413,7 +9471,7 @@ index 2533ea0..f605e0a 100644
fs_search_auto_mountpoints(telepathy_domain)
auth_use_nsswitch(telepathy_domain)
-@@ -376,5 +410,23 @@ optional_policy(`
+@@ -376,5 +416,23 @@ optional_policy(`
')
optional_policy(`
@@ -20425,7 +20483,7 @@ index 6480167..b32b10e 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..6650c05 100644
+index 3136c6a..a079c51 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -20771,7 +20829,7 @@ index 3136c6a..6650c05 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +453,11 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +453,14 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -20782,7 +20840,11 @@ index 3136c6a..6650c05 100644
+corenet_tcp_bind_jboss_management_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
- corenet_tcp_connect_http_port(httpd_t)
+-corenet_tcp_connect_http_port(httpd_t)
++#corenet_tcp_connect_http_port(httpd_t)
+
+ dev_read_sysfs(httpd_t)
+ dev_read_rand(httpd_t)
@@ -378,12 +469,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
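Review bot: `corenet_tcp_connect_http_port(httpd_t)` is replaced by a commented-out copy of itself, which leaves the upstream comment `# Signal self for shutdown` describing a rule that no longer exists and records nothing about why the self-connect was dropped. Commented-out policy tends to be silently re-enabled or left to rot; replace the dead line with a comment stating the reason, e.g. `# corenet_tcp_connect_http_port(httpd_t) intentionally omitted: <reason, e.g. the boolean that now covers it>`, and retire or reword the `# Signal self for shutdown` line above it. Whether any other rule still grants httpd_t this connect is not visible in the hunk.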
@@ -26350,7 +26412,7 @@ index 81eba14..d0ab56c 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..5a0ca9f 100644
+index 1a1becd..7dbd8f6 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -26513,7 +26575,19 @@ index 1a1becd..5a0ca9f 100644
')
########################################
-@@ -336,13 +377,13 @@ interface(`dbus_connect_session_bus',`
+@@ -322,6 +363,11 @@ interface(`dbus_connect_session_bus',`
+ ## Allow a application domain to be started
+ ## by the session dbus.
+ ## </summary>
++## <param name="domain_prefix">
++## <summary>
++## User domain prefix to be used.
++## </summary>
++## </param>
+ ## <param name="domain">
+ ## <summary>
+ ## Type to be used as a domain.
+@@ -336,13 +382,13 @@ interface(`dbus_connect_session_bus',`
#
interface(`dbus_session_domain',`
gen_require(`
@@ -26531,7 +26605,7 @@ index 1a1becd..5a0ca9f 100644
')
########################################
-@@ -432,14 +473,33 @@ interface(`dbus_system_domain',`
+@@ -432,14 +478,33 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
@@ -26566,7 +26640,7 @@ index 1a1becd..5a0ca9f 100644
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
-@@ -464,26 +524,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -464,26 +529,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
## <summary>
@@ -26599,7 +26673,7 @@ index 1a1becd..5a0ca9f 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -491,10 +550,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +555,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -28350,7 +28424,7 @@ index e1d7dc5..673f185 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..f4f2402 100644
+index acf6d4f..4bbff24 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -28451,7 +28525,12 @@ index acf6d4f..f4f2402 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -204,6 +223,7 @@ kernel_read_system_state(dovecot_auth_t)
+@@ -201,9 +220,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+ kernel_read_all_sysctls(dovecot_auth_t)
+ kernel_read_system_state(dovecot_auth_t)
+
++corecmd_exec_bin(dovecot_auth_t)
++
logging_send_audit_msgs(dovecot_auth_t)
logging_send_syslog_msg(dovecot_auth_t)
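Review bot: `corecmd_exec_bin(dovecot_auth_t)` lets the authentication helper execute anything labelled `bin_t`, a considerably wider grant than the neighbouring kernel and logging rules, and the hunk gives no hint of which program triggered it. A one-line why-comment above it, e.g. `# dovecot-auth executes <helper binary that needs this> from bin_t`, would let a later reviewer judge whether a narrower rule or a domain transition is warranted instead. The dovecot_auth_t section continues outside the hunk.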
@@ -28459,7 +28538,7 @@ index acf6d4f..f4f2402 100644
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -218,6 +238,8 @@ files_read_var_lib_files(dovecot_auth_t)
+@@ -218,6 +240,8 @@ files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
@@ -28468,7 +28547,7 @@ index acf6d4f..f4f2402 100644
init_rw_utmp(dovecot_auth_t)
miscfiles_read_localization(dovecot_auth_t)
-@@ -236,6 +258,8 @@ optional_policy(`
+@@ -236,6 +260,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -28477,7 +28556,7 @@ index acf6d4f..f4f2402 100644
')
optional_policy(`
-@@ -243,6 +267,8 @@ optional_policy(`
+@@ -243,6 +269,8 @@ optional_policy(`
')
optional_policy(`
@@ -28486,7 +28565,7 @@ index acf6d4f..f4f2402 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,23 +276,42 @@ optional_policy(`
+@@ -250,23 +278,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -28531,7 +28610,7 @@ index acf6d4f..f4f2402 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -302,5 +347,19 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -302,5 +349,19 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -49280,10 +49359,10 @@ index 2124b6a..9682c44 100644
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..5c0a7a4 100644
+index 7c5d8d8..411edf3 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
-@@ -13,14 +13,15 @@
+@@ -13,39 +13,42 @@
#
template(`virt_domain_template',`
gen_require(`
@@ -49292,6 +49371,7 @@ index 7c5d8d8..5c0a7a4 100644
- attribute virt_domain;
+ attribute virt_image_type, virt_domain;
+ attribute virt_tmpfs_type;
++ attribute virt_ptynode;
')
type $1_t, virt_domain;
@@ -49301,8 +49381,10 @@ index 7c5d8d8..5c0a7a4 100644
+ mcs_untrusted_proc($1_t)
role system_r types $1_t;
- type $1_devpts_t;
-@@ -29,23 +30,24 @@ template(`virt_domain_template',`
+- type $1_devpts_t;
++ type $1_devpts_t, virt_ptynode;
+ term_pty($1_devpts_t)
+
type $1_tmp_t;
files_tmp_file($1_tmp_t)
@@ -49332,7 +49414,7 @@ index 7c5d8d8..5c0a7a4 100644
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +59,6 @@ template(`virt_domain_template',`
+@@ -57,18 +60,6 @@ template(`virt_domain_template',`
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
@@ -49351,7 +49433,7 @@ index 7c5d8d8..5c0a7a4 100644
optional_policy(`
xserver_rw_shm($1_t)
')
-@@ -101,9 +91,9 @@ interface(`virt_image',`
+@@ -101,9 +92,9 @@ interface(`virt_image',`
## Execute a domain transition to run virt.
## </summary>
## <param name="domain">
@@ -49363,7 +49445,7 @@ index 7c5d8d8..5c0a7a4 100644
## </param>
#
interface(`virt_domtrans',`
-@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +155,13 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
@@ -49379,7 +49461,7 @@ index 7c5d8d8..5c0a7a4 100644
')
########################################
-@@ -185,13 +175,13 @@ interface(`virt_read_config',`
+@@ -185,13 +176,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
@@ -49395,7 +49477,7 @@ index 7c5d8d8..5c0a7a4 100644
')
########################################
-@@ -231,6 +221,24 @@ interface(`virt_read_content',`
+@@ -231,6 +222,24 @@ interface(`virt_read_content',`
########################################
## <summary>
@@ -49420,7 +49502,7 @@ index 7c5d8d8..5c0a7a4 100644
## Read virt PID files.
## </summary>
## <param name="domain">
-@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +278,36 @@ interface(`virt_manage_pid_files',`
########################################
## <summary>
@@ -49457,7 +49539,7 @@ index 7c5d8d8..5c0a7a4 100644
## Search virt lib directories.
## </summary>
## <param name="domain">
-@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +347,24 @@ interface(`virt_read_lib_files',`
########################################
## <summary>
@@ -49482,7 +49564,7 @@ index 7c5d8d8..5c0a7a4 100644
## Create, read, write, and delete
## virt lib files.
## </summary>
-@@ -352,9 +408,9 @@ interface(`virt_read_log',`
+@@ -352,9 +409,9 @@ interface(`virt_read_log',`
## virt log files.
## </summary>
## <param name="domain">
@@ -49494,7 +49576,7 @@ index 7c5d8d8..5c0a7a4 100644
## </param>
#
interface(`virt_append_log',`
-@@ -424,6 +480,24 @@ interface(`virt_read_images',`
+@@ -424,6 +481,24 @@ interface(`virt_read_images',`
########################################
## <summary>
@@ -49519,7 +49601,7 @@ index 7c5d8d8..5c0a7a4 100644
## Create, read, write, and delete
## svirt cache files.
## </summary>
-@@ -433,15 +507,15 @@ interface(`virt_read_images',`
+@@ -433,15 +508,15 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -49540,7 +49622,7 @@ index 7c5d8d8..5c0a7a4 100644
')
########################################
-@@ -500,6 +574,7 @@ interface(`virt_manage_images',`
+@@ -500,6 +575,7 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -49548,7 +49630,7 @@ index 7c5d8d8..5c0a7a4 100644
')
allow $1 virtd_t:process { ptrace signal_perms };
-@@ -515,4 +590,188 @@ interface(`virt_admin',`
+@@ -515,4 +591,188 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -49738,14 +49820,15 @@ index 7c5d8d8..5c0a7a4 100644
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..4dec4ad 100644
+index 3eca020..441810b 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
-@@ -5,56 +5,66 @@ policy_module(virt, 1.4.0)
+@@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
# Declarations
#
+attribute virsh_transition_domain;
++attribute virt_ptynode;
+
## <desc>
-## <p>
@@ -49829,7 +49912,7 @@ index 3eca020..4dec4ad 100644
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -62,23 +72,31 @@ files_config_file(virt_etc_t)
+@@ -62,23 +73,31 @@ files_config_file(virt_etc_t)
type virt_etc_rw_t;
files_type(virt_etc_rw_t)
@@ -49862,7 +49945,7 @@ index 3eca020..4dec4ad 100644
type virtd_t;
type virtd_exec_t;
-@@ -89,6 +107,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +108,11 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -49874,7 +49957,7 @@ index 3eca020..4dec4ad 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -104,15 +127,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +128,12 @@ ifdef(`enable_mls',`
allow svirt_t self:udp_socket create_socket_perms;
@@ -49891,7 +49974,7 @@ index 3eca020..4dec4ad 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -133,6 +153,8 @@ dev_list_sysfs(svirt_t)
+@@ -133,6 +154,8 @@ dev_list_sysfs(svirt_t)
userdom_search_user_home_content(svirt_t)
userdom_read_user_home_content_symlinks(svirt_t)
userdom_read_all_users_state(svirt_t)
@@ -49900,7 +49983,7 @@ index 3eca020..4dec4ad 100644
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +169,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +170,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -49916,7 +49999,7 @@ index 3eca020..4dec4ad 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +186,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +187,22 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -49939,7 +50022,7 @@ index 3eca020..4dec4ad 100644
xen_rw_image_files(svirt_t)
')
-@@ -174,21 +211,34 @@ optional_policy(`
+@@ -174,21 +212,34 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -49978,7 +50061,7 @@ index 3eca020..4dec4ad 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +250,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +251,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -49987,6 +50070,7 @@ index 3eca020..4dec4ad 100644
+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
++allow virtd_t virt_ptynode:chr_file rw_term_perms;
+
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
@@ -49995,7 +50079,7 @@ index 3eca020..4dec4ad 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +276,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +278,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -50003,7 +50087,7 @@ index 3eca020..4dec4ad 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +296,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +298,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -50036,7 +50120,7 @@ index 3eca020..4dec4ad 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +328,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +330,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -50055,7 +50139,7 @@ index 3eca020..4dec4ad 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +363,29 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +365,29 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -50085,7 +50169,7 @@ index 3eca020..4dec4ad 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +404,10 @@ optional_policy(`
+@@ -313,6 +406,10 @@ optional_policy(`
')
optional_policy(`
@@ -50096,7 +50180,7 @@ index 3eca020..4dec4ad 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -329,6 +424,10 @@ optional_policy(`
+@@ -329,6 +426,10 @@ optional_policy(`
')
optional_policy(`
@@ -50107,7 +50191,7 @@ index 3eca020..4dec4ad 100644
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
-@@ -365,6 +464,12 @@ optional_policy(`
+@@ -365,6 +466,12 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -50120,7 +50204,7 @@ index 3eca020..4dec4ad 100644
')
optional_policy(`
-@@ -385,23 +490,37 @@ optional_policy(`
+@@ -385,23 +492,37 @@ optional_policy(`
udev_read_db(virtd_t)
')
@@ -50163,7 +50247,7 @@ index 3eca020..4dec4ad 100644
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -418,10 +537,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +539,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -50176,7 +50260,7 @@ index 3eca020..4dec4ad 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +549,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +551,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -50189,7 +50273,7 @@ index 3eca020..4dec4ad 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,8 +562,16 @@ files_search_all(virt_domain)
+@@ -440,8 +564,16 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -50207,7 +50291,7 @@ index 3eca020..4dec4ad 100644
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
term_use_ptmx(virt_domain)
-@@ -457,8 +587,117 @@ optional_policy(`
+@@ -457,8 +589,117 @@ optional_policy(`
')
optional_policy(`
@@ -50232,7 +50316,7 @@ index 3eca020..4dec4ad 100644
+typealias virsh_exec_t alias xm_exec_t;
+
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_tty_config };
-+allow virsh_t self:process { getcap getsched setcap signal };
++allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
@@ -54096,7 +54180,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..2ae760f 100644
+index 94fd8dd..99fe8d1 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -54165,7 +54249,7 @@ index 94fd8dd..2ae760f 100644
')
typeattribute $1 daemon;
-@@ -204,7 +245,23 @@ interface(`init_daemon_domain',`
+@@ -204,7 +245,24 @@ interface(`init_daemon_domain',`
role system_r types $1;
@@ -54184,13 +54268,14 @@ index 94fd8dd..2ae760f 100644
+ tunable_policy(`init_systemd',`
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow init_t $1:unix_dgram_socket create_socket_perms;
++ allow init_t $1:tcp_socket create_stream_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
+ dontaudit $1 init_t:unix_stream_socket { read ioctl getattr };
+ ')
# daemons started from init will
# inherit fds from init for the console
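Review bot: `allow init_t $1:tcp_socket create_stream_socket_perms;` is added inside `init_daemon_domain`, so it applies to every daemon domain passed to that interface rather than only cups as the commit message suggests, and `create_stream_socket_perms` covers `listen` and `accept` as well as create/bind. The rule carries no comment; the commit message's "impersonate cups" wording suggests socket activation, where init creates the daemon's listening socket in the daemon's own context, and if that is the reason it should be stated next to the rule, e.g. `# systemd socket activation: init creates the daemon's listening TCP socket in the daemon's domain`. The grant is confined to the `tunable_policy(`init_systemd'` block visible in the hunk; `init_daemon_domain` itself starts outside it.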
-@@ -231,6 +288,8 @@ interface(`init_daemon_domain',`
+@@ -231,6 +289,8 @@ interface(`init_daemon_domain',`
ifdef(`distro_rhel4',`
kernel_dontaudit_use_fds($1)
')
@@ -54199,7 +54284,7 @@ index 94fd8dd..2ae760f 100644
')
optional_policy(`
-@@ -283,17 +342,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +343,20 @@ interface(`init_daemon_domain',`
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
@@ -54221,7 +54306,7 @@ index 94fd8dd..2ae760f 100644
')
')
-@@ -336,15 +398,32 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,15 +399,32 @@ interface(`init_ranged_daemon_domain',`
#
interface(`init_system_domain',`
gen_require(`
@@ -54255,7 +54340,7 @@ index 94fd8dd..2ae760f 100644
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -353,6 +432,41 @@ interface(`init_system_domain',`
+@@ -353,6 +433,41 @@ interface(`init_system_domain',`
kernel_dontaudit_use_fds($1)
')
')
@@ -54297,7 +54382,7 @@ index 94fd8dd..2ae760f 100644
')
########################################
-@@ -401,16 +515,19 @@ interface(`init_system_domain',`
+@@ -401,16 +516,19 @@ interface(`init_system_domain',`
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
@@ -54317,7 +54402,7 @@ index 94fd8dd..2ae760f 100644
mls_rangetrans_target($1)
')
')
-@@ -451,6 +568,10 @@ interface(`init_exec',`
+@@ -451,6 +569,10 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -54328,7 +54413,7 @@ index 94fd8dd..2ae760f 100644
')
########################################
-@@ -509,6 +630,24 @@ interface(`init_sigchld',`
+@@ -509,6 +631,24 @@ interface(`init_sigchld',`
########################################
## <summary>
@@ -54353,7 +54438,7 @@ index 94fd8dd..2ae760f 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
-@@ -519,10 +658,29 @@ interface(`init_sigchld',`
+@@ -519,10 +659,29 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -54385,7 +54470,7 @@ index 94fd8dd..2ae760f 100644
')
########################################
-@@ -688,19 +846,25 @@ interface(`init_telinit',`
+@@ -688,19 +847,25 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -54412,7 +54497,7 @@ index 94fd8dd..2ae760f 100644
')
')
-@@ -730,7 +894,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +895,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@@ -54421,7 +54506,7 @@ index 94fd8dd..2ae760f 100644
## </summary>
## </param>
#
-@@ -773,18 +937,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +938,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -54445,7 +54530,7 @@ index 94fd8dd..2ae760f 100644
')
')
-@@ -800,19 +965,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +966,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -54491,7 +54576,7 @@ index 94fd8dd..2ae760f 100644
')
########################################
-@@ -868,9 +1055,14 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1056,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -54506,7 +54591,7 @@ index 94fd8dd..2ae760f 100644
files_search_etc($1)
')
-@@ -1079,6 +1271,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1272,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -54531,7 +54616,7 @@ index 94fd8dd..2ae760f 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1130,12 +1340,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1341,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -54545,7 +54630,7 @@ index 94fd8dd..2ae760f 100644
')
########################################
-@@ -1375,6 +1580,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1581,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -54573,7 +54658,7 @@ index 94fd8dd..2ae760f 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1461,6 +1687,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1688,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -54599,7 +54684,7 @@ index 94fd8dd..2ae760f 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1519,6 +1764,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1765,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@@ -54624,7 +54709,7 @@ index 94fd8dd..2ae760f 100644
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1674,7 +1937,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1938,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -54633,7 +54718,7 @@ index 94fd8dd..2ae760f 100644
')
########################################
-@@ -1715,6 +1978,92 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1979,92 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -54726,7 +54811,7 @@ index 94fd8dd..2ae760f 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2098,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2099,156 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -54884,7 +54969,7 @@ index 94fd8dd..2ae760f 100644
+ read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..e30550a 100644
+index 29a9565..3e12154 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -55571,7 +55656,15 @@ index 29a9565..e30550a 100644
inn_exec_config(initrc_t)
')
-@@ -706,7 +1014,13 @@ optional_policy(`
+@@ -689,6 +997,7 @@ optional_policy(`
+ lpd_list_spool(initrc_t)
+
+ lpd_read_config(initrc_t)
++ lpd_manage_spool(init_t)
+ ')
+
+ optional_policy(`
+@@ -706,7 +1015,13 @@ optional_policy(`
')
optional_policy(`
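Review bot: `lpd_manage_spool(init_t)` is added unconditionally inside the lpd `optional_policy` block, while the matching socket rule this commit adds to init.if is gated by `tunable_policy(\`init_systemd',` ... `')`; on a SysV-init system init_t therefore gains write access to the print spool it never touches. Assuming the interface expands only to allow rules (manage_dirs/files patterns, as its name suggests), wrapping the call in the same `init_systemd` tunable keeps the two halves of the change consistent and limits the grant to the init that actually needs it. A short comment such as `# systemd socket-activates cups and maintains its spool` above the call would also record why PID 1 needs this at all.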
@@ -55585,7 +55678,7 @@ index 29a9565..e30550a 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1043,10 @@ optional_policy(`
+@@ -729,6 +1044,10 @@ optional_policy(`
')
optional_policy(`
@@ -55596,7 +55689,7 @@ index 29a9565..e30550a 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1056,20 @@ optional_policy(`
+@@ -738,10 +1057,20 @@ optional_policy(`
')
optional_policy(`
@@ -55617,7 +55710,7 @@ index 29a9565..e30550a 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1078,10 @@ optional_policy(`
+@@ -750,6 +1079,10 @@ optional_policy(`
')
optional_policy(`
@@ -55628,7 +55721,7 @@ index 29a9565..e30550a 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1103,6 @@ optional_policy(`
+@@ -771,8 +1104,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -55637,7 +55730,7 @@ index 29a9565..e30550a 100644
')
optional_policy(`
-@@ -790,10 +1120,12 @@ optional_policy(`
+@@ -790,10 +1121,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -55650,7 +55743,7 @@ index 29a9565..e30550a 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1137,6 @@ optional_policy(`
+@@ -805,7 +1138,6 @@ optional_policy(`
')
optional_policy(`
@@ -55658,7 +55751,7 @@ index 29a9565..e30550a 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1146,24 @@ optional_policy(`
+@@ -815,11 +1147,24 @@ optional_policy(`
')
optional_policy(`
@@ -55684,7 +55777,7 @@ index 29a9565..e30550a 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1173,25 @@ optional_policy(`
+@@ -829,6 +1174,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -55710,7 +55803,7 @@ index 29a9565..e30550a 100644
')
optional_policy(`
-@@ -844,6 +1207,10 @@ optional_policy(`
+@@ -844,6 +1208,10 @@ optional_policy(`
')
optional_policy(`
@@ -55721,7 +55814,7 @@ index 29a9565..e30550a 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1221,45 @@ optional_policy(`
+@@ -854,3 +1222,45 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -55947,7 +56040,7 @@ index 55a6cd8..bec6385 100644
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 05fb364..2538de7 100644
+index 05fb364..6b895d1 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,7 +1,5 @@
@@ -55959,7 +56052,7 @@ index 05fb364..2538de7 100644
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -12,8 +10,3 @@
+@@ -12,8 +10,4 @@
/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -55968,6 +56061,7 @@ index 05fb364..2538de7 100644
-/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index f3e1b57..a7b2adc 100644
--- a/policy/modules/system/iptables.te
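Review bot: The new `/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)` entry is what keeps the domain transition to iptables_t working once the tools become symlinks, because exec transitions key on the label of the resolved target rather than the symlink name; but the entry covers only the `/sbin` path, and the `/usr/sbin/iptables*` entries being dropped in the same nested hunk suggest the binaries have also lived under `/usr/sbin`. If the package installs the multi-call binary there as well, a matching `/usr/sbin/xtables-multi` line is needed, otherwise the tool would run unconfined in the caller's domain. A file-context addition alone does not relabel an already-installed file; the new path needs a restorecon at upgrade, which is presumably done by the spec's relabel step but is not visible in this diff.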
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5861f29..c0758c9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -452,6 +452,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jul 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-4
+- Allow setsched for virsh
+- Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories
+- iptables: the various /sbin/ip6?tables.* are now symlinks for
+/sbin/xtables-multi
+
* Tue Jul 12 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-3
- A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit
- Allow colord to interact with the users through the tmpfs file system